Date:      Sun, 19 Jun 2011 17:04:13 GMT
From:      Ryan Steinmetz <rpsfa@rit.edu>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/158031: [patch] security/snort to add SSL support to MySQL connections
Message-ID:  <201106191704.p5JH4D9G045698@red.freebsd.org>
Resent-Message-ID: <201106191710.p5JHACwj045261@freefall.freebsd.org>


>Number:         158031
>Category:       ports
>Synopsis:       [patch] security/snort to add SSL support to MySQL connections
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jun 19 17:10:12 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Ryan Steinmetz
>Release:        
>Organization:
Rochester Institute of Technology
>Environment:
>Description:
-Add WITH_MYSQLSSL option, to require SSL when communicating with MySQL databases
-Add LICENSE

At present, snort is unable to log via SSL to a MySQL database.  Whenever WITH_MYSQLSSL=yes is defined at build time, snort will require SSL whenever communicating with MySQL databases.  The certificates must be located under ${ETCDIR}/certs/ and must be named as follows:
-ca.pem: The CA's public key
-cert.pem: The client's public key
-key.pem: The client's private key

Notes for when chrooting snort:
-devfs must be mounted within the root for /dev/urandom use
-The certificates must also be present under the root
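A pre-flight check for the layout the description asks for, added here as an example and not part of this PR or of the snort port itself: it takes the chroot directory and snort's ETCDIR relative to it (both arguments are assumptions; the relative path `usr/local/etc/snort` follows from the port's `CONFIG_DIR?= ${PREFIX}/etc/snort` with the default PREFIX), confirms that ca.pem, cert.pem and key.pem are present, that the private key is not group- or world-readable, and that /dev/urandom under the root is a real character device rather than a symlink (a symlink is resolved inside the chroot and would dangle).

```shell
#!/bin/sh
# Added example, not part of the PR or the snort port: pre-flight check of a
# snort chroot prepared for a WITH_MYSQLSSL build. Paths are assumptions.

# check_mysqlssl_chroot ROOT ETCDIR_REL
#   ROOT        chroot directory, e.g. /var/snort-chroot (assumed layout)
#   ETCDIR_REL  snort ETCDIR relative to ROOT, e.g. usr/local/etc/snort
# Prints one line per problem; the return value is the number of problems
# found, so 0 means the root is ready.
check_mysqlssl_chroot() {
    root=$1
    certs="$root/$2/certs"
    problems=0

    # The three files the port's post-install message asks for.
    for f in ca.pem cert.pem key.pem; do
        if [ ! -f "$certs/$f" ]; then
            echo "missing: $certs/$f"
            problems=$((problems + 1))
        fi
    done

    # key.pem is the client's private key: the group/other permission
    # characters (columns 5-10 of ls -l output) must all be '-'.
    if [ -f "$certs/key.pem" ]; then
        go_bits=$(ls -ld "$certs/key.pem" | cut -c5-10)
        if [ "$go_bits" != "------" ]; then
            echo "key.pem is readable by group or others (ls shows $go_bits); chmod 600 it"
            problems=$((problems + 1))
        fi
    fi

    # snort needs /dev/urandom inside the root. Require a real character
    # device (devfs mounted on $root/dev): a symlink would be resolved
    # relative to the chroot and point nowhere.
    if [ -L "$root/dev/urandom" ] || [ ! -c "$root/dev/urandom" ]; then
        echo "missing character device $root/dev/urandom (mount devfs on $root/dev)"
        problems=$((problems + 1))
    fi

    return $problems
}

# Stand-alone usage: sh check-snort-chroot.sh /var/snort-chroot usr/local/etc/snort
if [ $# -eq 2 ]; then
    if check_mysqlssl_chroot "$1" "$2"; then
        echo "chroot looks ready for WITH_MYSQLSSL"
    fi
fi
```

Run it before starting snort in the chroot; a non-zero exit lists every missing piece at once, which is cheaper than discovering them one at a time from failed database connections.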
>How-To-Repeat:

>Fix:


Patch attached with submission follows:

Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/security/snort/Makefile,v
retrieving revision 1.134
diff -u -r1.134 Makefile
--- Makefile	12 Apr 2011 04:31:21 -0000	1.134
+++ Makefile	19 Jun 2011 16:55:25 -0000
@@ -32,6 +32,7 @@
 		PERFPROFILE "Enable Performance Profiling" on \
 		FLEXRESP3 "Flexible response to events (version 3)" on \
 		MYSQL "Enable MySQL support" off \
+		MYSQLSSL "Require SSL for MySQL connections" off \
 		ODBC "Enable ODBC support" off \
 		POSTGRESQL "Enable PostgreSQL support" off \
 		PRELUDE "Enable Prelude NIDS integration" off \
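Review bot: the new MYSQLSSL entry is listed as a sibling of MYSQL with nothing expressing that it only takes effect when MYSQL is also on; because the later handling sits inside `.if defined(WITH_MYSQL)`, a build with MYSQLSSL=on and MYSQL=off silently produces a snort without the SSL patch. Consider adding, next to the other option handling, `.if defined(WITH_MYSQLSSL) && !defined(WITH_MYSQL)` / `IGNORE= MYSQLSSL requires the MYSQL option` / `.endif` so the misconfiguration fails at build time rather than at the first database connection.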
@@ -45,6 +46,8 @@
 CONFIGURE_ENV=	LDFLAGS="${LDFLAGS}"
 MAKE_JOBS_UNSAFE=	yes
 
+LICENSE=	GPLv2
+
 CONFIG_DIR?=	${PREFIX}/etc/snort
 CONFIG_FILES=	classification.config gen-msg.map reference.config \
 		snort.conf threshold.conf unicode.map
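Review bot: style only, `LICENSE=` is inserted after MAKE_JOBS_UNSAFE rather than in the header block directly after COMMENT, where the ports framework places it and where reviewers and tooling look for it; moving the two added lines there keeps the Makefile in the usual order.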
@@ -86,6 +89,9 @@
 .if defined(WITH_MYSQL)
 USE_MYSQL=		yes
 CONFIGURE_ARGS+=	--with-mysql=${LOCALBASE}
+.if defined(WITH_MYSQLSSL)
+EXTRA_PATCHES=		${PATCHDIR}/extra-patch-mysql_ssl
+.endif
 .else
 CONFIGURE_ARGS+=	--with-mysql=no
 .endif
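Review bot: the added `EXTRA_PATCHES=` is a plain assignment and will clobber any EXTRA_PATCHES set elsewhere in the Makefile by another option; use `EXTRA_PATCHES+=`. Also, the referenced `${PATCHDIR}/extra-patch-mysql_ssl` is not part of this submission (the diff covers only Makefile), so the change to spo_database.c that actually enforces SSL cannot be reviewed; please attach files/extra-patch-mysql_ssl. When it is reviewed, it should be confirmed that the code fails the connection if the server does not negotiate SSL rather than continuing in cleartext, since asking the MySQL client library for SSL and verifying that SSL was actually negotiated are separate steps, and "Require SSL" in the option description promises the latter.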
@@ -163,6 +169,9 @@
 .if defined(NOPORTDOCS)
 	@${REINPLACE_CMD} '/SUBDIRS = /s/doc//' ${WRKSRC}/Makefile.in
 .endif
+.if defined(WITH_MYSQLSSL)
+	@${REINPLACE_CMD} -e 's|%%ETCDIR%%|${ETCDIR}|g' ${WRKSRC}/src/output-plugins/spo_database.c
+.endif
 
 pre-configure:
 	${FIND} ${WRKSRC} -name 'Makefile.in' | ${XARGS} ${REINPLACE_CMD} -e 's|lib/snort_|lib/snort/|g'
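Review bot: the `%%ETCDIR%%` substitution on the added lines is guarded only by `WITH_MYSQLSSL`, whereas the EXTRA_PATCHES block that introduces the placeholder is additionally nested under `WITH_MYSQL`, and the post-install message checks both; guard this one the same way (`.if defined(WITH_MYSQL) && defined(WITH_MYSQLSSL)`) so the three pieces cannot drift apart and the sed never runs against an unpatched spo_database.c. Note too that this bakes an absolute certificate path into the binary, so in a chroot the same path must exist relative to the new root, as the description says; nothing in this diff creates `${ETCDIR}/certs`, so the admin has to do it by hand.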
@@ -231,6 +240,14 @@
 	fi
 .endfor
 .endif
+.if defined(WITH_MYSQL) && defined(WITH_MYSQLSSL)
+	${ECHO_MSG} "NOTE: ${PORTNAME} was compiled WITH_MYSQLSSL=yes and now requires SSL for MySQL connections."
+	${ECHO_MSG} " Before attempting to log to a MySQL database, you must ensure that ${ETCDIR}/certs contains the following files:"
+	${ECHO_MSG} " ca.pem: The CA's public key"
+	${ECHO_MSG} " cert.pem: The client's public key"
+	${ECHO_MSG} " key.pem: The client's private key"
+	${ECHO_MSG} "If you are chrooting ${PORTNAME}, you must ensure that devfs is mounted and that the certificates directory exists within the new root"
+.endif
 	@${CAT} ${PKGMESSAGE}
 
 .include <bsd.port.mk>
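Review bot: the post-install message calls ca.pem and cert.pem "public keys", but what belongs in those files is X.509 certificates (the CA certificate and the client certificate); saying "certificate" avoids someone dropping a bare public key there and then debugging handshake failures. More importantly, the message says nothing about who may read key.pem: it should state that the private key must be readable only by the user snort runs as (mode 0600 or 0400), and ideally the port would create `${ETCDIR}/certs` with a restrictive mode at install time so that the directory exists with sane permissions before any key is copied in.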


>Release-Note:
>Audit-Trail:
>Unformatted:


