Chapter 5 Using Snort with MySQL
5.2 Secure Logging to Remote Databases Securely Using Stunnel
The MySQL database server listens on port number 3306. If your database
server is not on the same machine where Snort is running, you have to log messages to
a remote database server. From a security point of view, you may want to encrypt the traffic
between Snort and the database server. Stunnel, or Secure Tunnel, is an open source
package available from http://www.stunnel.org that provides a secure tunnel
between two hosts.
Get the latest version from the web site and install it on both the Snort machine and
the database server; Stunnel must run on both ends (the Snort machine as the client, the database
server as the server) to establish a tunnel. On the database server, use the following command:
stunnel -P/tmp/ -p stunnel.pem -d 3307 -r localhost:3306
If the stunnel directory is not present in the PATH variable, use the full path
name with the command. Here -P names the directory for the pid file, -p names the server
certificate file, -d puts Stunnel in daemon mode listening on port 3307, and -r is the destination
for decrypted connections. The command redirects all incoming connections on port
3307 to port 3306, where the MySQL server is listening.
On the Snort machine, use the following command:
stunnel -P/tmp/ -c -d 3306 -r SERVER_NAME:3307
Replace SERVER_NAME with the name or IP address of the server. The -c option runs
Stunnel in client mode. This command redirects all connections on local port 3306 (where the
MySQL database server is supposed to listen) to port number 3307 on the remote server.
The net effect is that Stunnel receives all packets on local port 3306 and forwards
them to port 3306 on the remote host by way of port number 3307, in a secure way.
Make sure that the MySQL server is not running on the hosts where Snort is running,
because the MySQL server may already have occupied port 3306 and Stunnel will not be
able to bind to it.
After creating this setup, you can configure Snort so that it assumes that the MySQL
database server is running on the local machine. Snort will think that the MySQL
server is running locally, but Stunnel will carry all the communication to the remote
database server.
This setup is also very useful when you have many sensors logging to a central
database server.
NOTE You can log to a remote MySQL database without using Stunnel. Single or
multiple sensors can log to a central database server without the requirement of any
secure tunnel. Stunnel just provides security of your data while it goes from sensors
to the database server.
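The two command lines above use the option syntax of the Stunnel 3.x series; current Stunnel releases (4.x and later) read a configuration file instead. The script below is an added example, not part of the book or of the Stunnel project, that writes the same server and sensor setup in that configuration-file syntax and also performs the pre-flight check the text asks for (refusing to set up the sensor side if something, typically a local MySQL server, already owns port 3306). SERVER_NAME stays the placeholder used in the text; the certificate paths, pid file path and the `stunnel` service account are assumptions to adjust for your installation. The sensor configuration also pins the server certificate to your own CA (`verify = 2` with `CAfile`), so a sensor is not merely encrypting to whichever host answers on port 3307 but checking that it is the intended database server; the book's command lines encrypt only.

```shell
#!/bin/sh
# Added example (not from the book): the book's stunnel 3.x command lines
# rewritten as stunnel 4.x+ configuration files, plus the pre-flight check
# that nothing else already owns local port 3306 on the Snort sensor.
# DB_SERVER, the certificate paths, pid path and service account are placeholders.

DB_SERVER="${DB_SERVER:-SERVER_NAME}"   # placeholder: name or IP of the MySQL host

# Server side (runs on the database host): accept TLS on 3307, hand the
# decrypted stream to the MySQL server on 3306 (same as -d 3307 -r localhost:3306).
server_conf() {
cat <<EOF
; stunnel.conf for the database server (added example)
pid = /var/run/stunnel/stunnel.pid
setuid = stunnel
setgid = stunnel
cert = /etc/stunnel/stunnel.pem

[mysql-server]
accept = 3307
connect = 127.0.0.1:3306
EOF
}

# Client side (runs on each Snort sensor): Snort connects to 127.0.0.1:3306 and
# stunnel carries the session over TLS to DB_SERVER:3307 (same as -c -d 3306 -r SERVER_NAME:3307).
client_conf() {
cat <<EOF
; stunnel.conf for a Snort sensor (added example)
pid = /var/run/stunnel/stunnel.pid
setuid = stunnel
setgid = stunnel
client = yes
; verify the server certificate against our own CA file so the sensor cannot be
; redirected to an impostor database host; omit these two lines for encryption only
verify = 2
CAfile = /etc/stunnel/db-ca.pem

[mysql-client]
accept = 127.0.0.1:3306
connect = ${DB_SERVER}:3307
EOF
}

# Return 0 if TCP port $1 appears as a listening socket in $2, the text of
# `ss -ltn` or `netstat -ltn` output; the local-address column ends in ":PORT".
port_in_use() {
    port="$1"
    listing="$2"
    printf '%s\n' "$listing" | grep -Eq "[:.]${port}[[:space:]]"
}

# Constructed sample `ss -ltn` output: a sensor where mysqld already holds 3306.
SAMPLE_SS_BUSY='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128           0.0.0.0:22          0.0.0.0:*
LISTEN  0       70          127.0.0.1:3306        0.0.0.0:*'

# Constructed sample `ss -ltn` output: a sensor with 3306 free for stunnel.
SAMPLE_SS_FREE='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128           0.0.0.0:22          0.0.0.0:*'

# Pre-flight for the sensor: refuse to emit a client config if 3306 is taken,
# since stunnel would fail to bind and Snort would talk to the wrong service.
preflight_sensor() {
    if port_in_use 3306 "$1"; then
        echo "port 3306 already in use on this sensor (local MySQL?); stunnel cannot bind" >&2
        return 1
    fi
    return 0
}

# Usage: ./stunnel-conf.sh server > /etc/stunnel/stunnel.conf   (on the database host)
#        ./stunnel-conf.sh client > /etc/stunnel/stunnel.conf   (on each sensor)
if [ "${1:-}" = "server" ]; then server_conf; fi
if [ "${1:-}" = "client" ]; then
    preflight_sensor "$(ss -ltn 2>/dev/null || netstat -ltn)" && client_conf
fi
```

Run it with `server` on the database host and `client` on each sensor; the client branch inspects the live listening sockets first, so a sensor that still has a local MySQL server bound to 3306 gets an error instead of a configuration that cannot start.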