Date: Sun, 19 Jun 2011 17:04:13 GMT
From: Ryan Steinmetz <rpsfa@rit.edu>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/158031: [patch] security/snort to add SSL support to MySQL connections
Message-ID: <201106191704.p5JH4D9G045698@red.freebsd.org>
Resent-Message-ID: <201106191710.p5JHACwj045261@freefall.freebsd.org>
>Number: 158031
>Category: ports
>Synopsis: [patch] security/snort to add SSL support to MySQL connections
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Sun Jun 19 17:10:12 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Ryan Steinmetz
>Release:
>Organization: Rochester Institute of Technology
>Environment:
>Description:
-Add WITH_MYSQLSSL option, to require SSL when communicating with MySQL databases
-Add LICENSE

At present, snort is unable to log via SSL to a MySQL database.

Whenever WITH_MYSQLSSL=yes is defined at build time, snort will require SSL whenever communicating with MySQL databases. The certificates must be located under ${ETCDIR}/certs/ and must be named as follows:
-ca.pem: The CA's public key
-cert.pem: The client's public key
-key.pem: The client's private key

Notes for when chrooting snort:
-devfs must be mounted within the root for /dev/urandom use
-The certificates must also be present under the root
>How-To-Repeat:
>Fix:
Patch attached with submission follows:

Index: Makefile =================================================================== RCS file: /home/ncvs/ports/security/snort/Makefile,v retrieving revision 1.134 diff -u -r1.134 Makefile --- Makefile 12 Apr 2011 04:31:21 -0000 1.134 +++ Makefile 19 Jun 2011 16:55:25 -0000 @@ -32,6 +32,7 @@ PERFPROFILE "Enable Performance Profiling" on \ FLEXRESP3 "Flexible response to events (version 3)" on \ MYSQL "Enable MySQL support" off \ + MYSQLSSL "Require SSL for MySQL connections" off \ ODBC "Enable ODBC support" off \ POSTGRESQL "Enable PostgreSQL support" off \ PRELUDE "Enable Prelude NIDS integration" off \ @@ -45,6 +46,8 @@ CONFIGURE_ENV= LDFLAGS="${LDFLAGS}" MAKE_JOBS_UNSAFE= yes +LICENSE= GPLv2 + CONFIG_DIR?= ${PREFIX}/etc/snort CONFIG_FILES= classification.config gen-msg.map reference.config \ snort.conf threshold.conf unicode.map 
@@ -86,6 +89,9 @@ .if defined(WITH_MYSQL) USE_MYSQL= yes CONFIGURE_ARGS+= --with-mysql=${LOCALBASE} +.if defined(WITH_MYSQLSSL) +EXTRA_PATCHES= ${PATCHDIR}/extra-patch-mysql_ssl +.endif .else CONFIGURE_ARGS+= --with-mysql=no .endif @@ -163,6 +169,9 @@ .if defined(NOPORTDOCS) @${REINPLACE_CMD} '/SUBDIRS = /s/doc//' ${WRKSRC}/Makefile.in .endif +.if defined(WITH_MYSQLSSL) + @${REINPLACE_CMD} -e 's|%%ETCDIR%%|${ETCDIR}|g' ${WRKSRC}/src/output-plugins/spo_database.c +.endif pre-configure: ${FIND} ${WRKSRC} -name 'Makefile.in' | ${XARGS} ${REINPLACE_CMD} -e 's|lib/snort_|lib/snort/|g' @@ -231,6 +240,14 @@ fi .endfor .endif +.if defined(WITH_MYSQL) && defined(WITH_MYSQLSSL) + ${ECHO_MSG} "NOTE: ${PORTNAME} was compiled WITH_MYSQLSSL=yes and now requires SSL for MySQL connections." + ${ECHO_MSG} " Before attempting to log to a MySQL database, you must ensure that ${ETCDIR}/certs contains the following files:" + ${ECHO_MSG} " ca.pem: The CA's public key" + ${ECHO_MSG} " cert.pem: The client's public key" + ${ECHO_MSG} " key.pem: The client's private key" + ${ECHO_MSG} "If you are chrooting ${PORTNAME}, you must ensure that devfs is mounted and that the certificates directory exists within the new root" +.endif @${CAT} ${PKGMESSAGE} .include <bsd.port.mk> >Release-Note: >Audit-Trail: >Unformatted:
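Review bot: In the hunk at @@ -86,6 +89,9 @@, "EXTRA_PATCHES=" is a plain assignment, so it discards any value set earlier in the Makefile or by another option; "EXTRA_PATCHES+= ${PATCHDIR}/extra-patch-mysql_ssl" is safer. The file it names, extra-patch-mysql_ssl, is not in the diff as shown here (only Makefile is), so the change to spo_database.c, including whether the server certificate is actually verified against ca.pem, cannot be reviewed from this submission as displayed. Because the block sits inside ".if defined(WITH_MYSQL)", selecting MYSQLSSL without MYSQL is silently ignored; an explicit error for that combination would make it visible.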
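Review bot: The substitution added in the hunk at @@ -163,6 +169,9 @@ is guarded only by ".if defined(WITH_MYSQLSSL)", while the extra patch is applied only when WITH_MYSQL is defined as well, and the message block added at @@ -231,6 +240,14 @@ tests both. Use the same condition here, ".if defined(WITH_MYSQL) && defined(WITH_MYSQLSSL)", so the REINPLACE_CMD never runs against a spo_database.c that did not receive the extra patch (which is presumably what introduces the %%ETCDIR%% placeholder).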
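Review bot: The six ${ECHO_MSG} lines added in the hunk at @@ -231,6 +240,14 @@ have no leading "@", unlike the "@${CAT} ${PKGMESSAGE}" line that follows them, so make will print each command before running it; prefix them with "@". The message also tells the user to put the client's private key in ${ETCDIR}/certs/key.pem without saying anything about ownership or mode; add a line asking that key.pem be readable only by the user snort runs as, which applies equally to the copy placed inside a chroot. ca.pem and cert.pem are described as public keys; if the files are X.509 certificates, the text should say so.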