From nobody@FreeBSD.org  Sun Jun 19 17:04:14 2011
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 48BA21065675
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 19 Jun 2011 17:04:14 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 2EA128FC0C
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 19 Jun 2011 17:04:14 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id p5JH4E8C045726
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 19 Jun 2011 17:04:14 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id p5JH4D9G045698;
	Sun, 19 Jun 2011 17:04:13 GMT
	(envelope-from nobody)
Message-Id: <201106191704.p5JH4D9G045698@red.freebsd.org>
Date: Sun, 19 Jun 2011 17:04:13 GMT
From: Ryan Steinmetz <rpsfa@rit.edu>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [patch] security/snort to add SSL support to MySQL connections
X-Send-Pr-Version: www-3.1
X-GNATS-Notify: wfreeman@sourcefire.com

>Number:         158031
>Category:       ports
>Synopsis:       [patch] security/snort to add SSL support to MySQL connections
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    wxs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jun 19 17:10:12 UTC 2011
>Closed-Date:    Sat Jun 25 13:06:07 UTC 2011
>Last-Modified:  Sat Jun 25 13:06:07 UTC 2011
>Originator:     Ryan Steinmetz
>Release:        
>Organization:
Rochester Institute of Technology
>Environment:
>Description:
-Add WITH_MYSQLSSL option, to require SSL when communicating with MySQL databases
-Add LICENSE

At present, snort is unable to log via SSL to a MySQL database.  Whenever WITH_MYSQLSSL=yes is defined at build time, snort will require SSL whenever communicating with MySQL databases.  The certificates must be located under ${ETCDIR}/certs/ and must be named as follows:
-ca.pem: The CA's public key
-cert.pem: The client's public key
-key.pem: The client's private key

Notes for when chrooting snort:
-devfs must be mounted within the root for /dev/urandom use
-The certificates must also be present under the root
>How-To-Repeat:

>Fix:


Patch attached with submission follows:

Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/security/snort/Makefile,v
retrieving revision 1.134
diff -u -r1.134 Makefile
--- Makefile	12 Apr 2011 04:31:21 -0000	1.134
+++ Makefile	19 Jun 2011 16:55:25 -0000
@@ -32,6 +32,7 @@
 		PERFPROFILE "Enable Performance Profiling" on \
 		FLEXRESP3 "Flexible response to events (version 3)" on \
 		MYSQL "Enable MySQL support" off \
+		MYSQLSSL "Require SSL for MySQL connections" off \
 		ODBC "Enable ODBC support" off \
 		POSTGRESQL "Enable PostgreSQL support" off \
 		PRELUDE "Enable Prelude NIDS integration" off \
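Review bot: the description string in `+ MYSQLSSL "Require SSL for MySQL connections" off` promises more than the build delivers, since the extra patch below only calls mysql_ssl_set(), which registers certificate paths and does not make SSL mandatory (libmysqlclient still completes a plaintext connection against a server built without SSL). Either add enforcement in the plugin or soften the wording to something like "Use client certificates for MySQL connections". The string should also say that the option only takes effect together with MYSQL, because the Makefile acts on WITH_MYSQLSSL only inside the `.if defined(WITH_MYSQL)` block further down.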
@@ -45,6 +46,8 @@
 CONFIGURE_ENV=	LDFLAGS="${LDFLAGS}"
 MAKE_JOBS_UNSAFE=	yes
 
+LICENSE=	GPLv2
+
 CONFIG_DIR?=	${PREFIX}/etc/snort
 CONFIG_FILES=	classification.config gen-msg.map reference.config \
 		snort.conf threshold.conf unicode.map
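Review bot: `+LICENSE= GPLv2` is unrelated to the SSL option and would be cleaner as a separate commit; it is also placed between MAKE_JOBS_UNSAFE and CONFIG_DIR, whereas the Porter's Handbook puts the LICENSE block directly after COMMENT.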
@@ -86,6 +89,9 @@
 .if defined(WITH_MYSQL)
 USE_MYSQL=		yes
 CONFIGURE_ARGS+=	--with-mysql=${LOCALBASE}
+.if defined(WITH_MYSQLSSL)
+EXTRA_PATCHES=		${PATCHDIR}/extra-patch-mysql_ssl
+.endif
 .else
 CONFIGURE_ARGS+=	--with-mysql=no
 .endif
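Review bot: `+EXTRA_PATCHES= ${PATCHDIR}/extra-patch-mysql_ssl` uses plain assignment and will clobber any EXTRA_PATCHES value set on the command line or by a later option block; use `EXTRA_PATCHES+=`. Also, when WITH_MYSQL is unset the `.else` branch passes `--with-mysql=no` and a WITH_MYSQLSSL setting is silently ignored, so the user gets a build without SSL while believing it is required; add `.if defined(WITH_MYSQLSSL)` / `IGNORE= MYSQLSSL requires the MYSQL option` (or equivalent) in that branch.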
@@ -163,6 +169,9 @@
 .if defined(NOPORTDOCS)
 	@${REINPLACE_CMD} '/SUBDIRS = /s/doc//' ${WRKSRC}/Makefile.in
 .endif
+.if defined(WITH_MYSQLSSL)
+	@${REINPLACE_CMD} -e 's|%%ETCDIR%%|${ETCDIR}|g' ${WRKSRC}/src/output-plugins/spo_database.c
+.endif
 
 pre-configure:
 	${FIND} ${WRKSRC} -name 'Makefile.in' | ${XARGS} ${REINPLACE_CMD} -e 's|lib/snort_|lib/snort/|g'
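Review bot: the certificate directory is derived from ${ETCDIR} in `-e 's|%%ETCDIR%%|${ETCDIR}|g'`, while the port's configuration lives in ${CONFIG_DIR} (`CONFIG_DIR?= ${PREFIX}/etc/snort` above); the two coincide by default but diverge as soon as CONFIG_DIR is overridden, and because the path is compiled into spo_database.c as a literal it cannot be corrected after the build. Substitute ${CONFIG_DIR} here and in the post-install message, or better, let the database output plugin take the paths from its configuration line. The guard is also `.if defined(WITH_MYSQLSSL)` alone, unlike the `defined(WITH_MYSQL) && defined(WITH_MYSQLSSL)` test used later; harmless because the placeholder only exists once the extra patch was applied, but worth making consistent.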
@@ -231,6 +240,14 @@
 	fi
 .endfor
 .endif
+.if defined(WITH_MYSQL) && defined(WITH_MYSQLSSL)
+	${ECHO_MSG} "NOTE: ${PORTNAME} was compiled WITH_MYSQLSSL=yes and now requires SSL for MySQL connections."
+	${ECHO_MSG} " Before attempting to log to a MySQL database, you must ensure that ${ETCDIR}/certs contains the following files:"
+	${ECHO_MSG} " ca.pem: The CA's public key"
+	${ECHO_MSG} " cert.pem: The client's public key"
+	${ECHO_MSG} " key.pem: The client's private key"
+	${ECHO_MSG} "If you are chrooting ${PORTNAME}, you must ensure that devfs is mounted and that the certificates directory exists within the new root"
+.endif
 	@${CAT} ${PKGMESSAGE}
 
 .include <bsd.port.mk>
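Review bot: the six `${ECHO_MSG}` lines lack the leading `@` that the adjacent `@${CAT} ${PKGMESSAGE}` has, so make echoes each command before running it and the note is printed twice. The text itself should say that key.pem is a private key and must be readable only by the user snort runs as (mode 0600), and "ca.pem: The CA's public key" / "cert.pem: The client's public key" are PEM certificates rather than bare public keys, which is what mysql_ssl_set() expects in those positions. Since the target already prints ${PKGMESSAGE}, the note could live in pkg-message so it also appears at package-install time rather than only after `make install`.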

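The certificate layout and chroot prerequisites described in the PR (ca.pem, cert.pem and key.pem under ${ETCDIR}/certs, devfs mounted in the chroot for /dev/urandom) can be checked before snort is started. The following script is an added example written for this page, not part of the PR or of the snort port; the directory and file names come from the PR, while the owner-only permission requirement for key.pem, the openssl chain and key-match checks, and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the PR or the snort port): pre-flight check for the
# WITH_MYSQLSSL certificate layout. File names follow the PR; the 0600 rule for
# key.pem and the openssl checks are this script's own assumptions.

# check_mysql_ssl_layout ROOT ETCDIR
#   ROOT   - "/" for a normal install, or the directory snort is chrooted into
#   ETCDIR - the port's ETCDIR as seen inside ROOT, e.g. /usr/local/etc/snort
# Prints one line per problem; returns 0 only when everything is in place.
check_mysql_ssl_layout() {
    root=${1%/}                       # "/" becomes "", so "$root$path" stays clean
    etcdir=$2
    certs="$root$etcdir/certs"
    rc=0

    # The three files the patched spo_database.c hands to mysql_ssl_set().
    for f in ca.pem cert.pem key.pem; do
        if [ ! -r "$certs/$f" ]; then
            echo "missing or unreadable: $certs/$f"
            rc=1
        fi
    done

    # key.pem is the client's private key: reject group/world-accessible copies.
    # ls -l's mode string is portable; chars 5-10 are the group/other bits.
    if [ -f "$certs/key.pem" ]; then
        perms=$(ls -ld "$certs/key.pem" | cut -c1-10)
        case "$perms" in
            ????------) ;;                                # owner-only, fine
            *) echo "key.pem mode is $perms; want owner-only (0600)"; rc=1 ;;
        esac
    fi

    # In a chroot the SSL layer needs /dev/urandom under the new root, which on
    # FreeBSD means devfs mounted at $root/dev (a character device must exist).
    if [ ! -c "$root/dev/urandom" ]; then
        echo "missing: $root/dev/urandom (mount devfs inside the chroot)"
        rc=1
    fi
    return $rc
}

# check_mysql_ssl_keypair ROOT ETCDIR
# Cryptographic sanity: cert.pem chains to ca.pem and key.pem is its private key.
# Needs openssl 1.0.0 or later for "openssl pkey".
check_mysql_ssl_keypair() {
    certs="${1%/}$2/certs"
    openssl verify -CAfile "$certs/ca.pem" "$certs/cert.pem" >/dev/null 2>&1 \
        || { echo "cert.pem does not verify against ca.pem"; return 1; }
    cert_pub=$(openssl x509 -in "$certs/cert.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$certs/key.pem" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "key.pem is not the private key for cert.pem"; return 1; }
    return 0
}

# Usage: sh check-snort-mysql-ssl.sh ROOT ETCDIR
#   e.g. sh check-snort-mysql-ssl.sh / /usr/local/etc/snort
#        sh check-snort-mysql-ssl.sh /var/snort-chroot /usr/local/etc/snort
if [ "$#" -ge 2 ]; then
    check_mysql_ssl_layout "$1" "$2" && check_mysql_ssl_keypair "$1" "$2" \
        && echo "ok: MySQL SSL layout under $1$2/certs looks usable"
fi
```

Run it as the user snort will run as, so the readability checks reflect that account rather than root; for a chroot, pass the chroot directory as ROOT and the in-chroot ETCDIR, because the compiled-in `${ETCDIR}/certs` path is resolved relative to the new root once snort has chrooted.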

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: edwin 
State-Changed-When: Sun Jun 19 17:10:22 UTC 2011 
State-Changed-Why:  
Awaiting maintainers feedback (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=158031 

From: Edwin Groothuis <edwin@FreeBSD.org>
To: wfreeman@sourcefire.com
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/158031: [patch] security/snort to add SSL support to MySQL connections
Date: Sun, 19 Jun 2011 17:10:20 UT

 Maintainer of security/snort,
 
 Please note that PR ports/158031 has just been submitted.
 
 If it contains a patch for an upgrade, an enhancement or a bug fix
 you agree on, reply to this email stating that you approve the patch
 and a committer will take care of it.
 
 The full text of the PR can be found at:
     http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/158031
 
 -- 
 Edwin Groothuis via the GNATS Auto Assign Tool
 edwin@FreeBSD.org

From: Ryan Steinmetz <rpsfa@rit.edu>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: ports/158031: [patch] security/snort to add SSL support to MySQL connections
Date: Sun, 19 Jun 2011 13:11:54 -0400

 
 Attached is the new EXTRA_PATCH required by this PR.
 
 Attachment: patch.shar.txt
 
 # This is a shell archive.  Save it in a file, remove anything before
 # this line, and then unpack it by entering "sh file".  Note, it may
 # create directories; files and directories will be owned by you and
 # have default permissions.
 #
 # This archive contains:
 #
 #	files/extra-patch-mysql_ssl
 #
 echo x - files/extra-patch-mysql_ssl
 sed 's/^X//' >files/extra-patch-mysql_ssl << '626cb1d028b27d7ebe674cf9f03007bc'
 X--- src/output-plugins/spo_database.c	2011-06-19 10:59:59.000000000 -0400
 X+++ src/output-plugins/spo_database.c	2011-06-19 11:08:58.000000000 -0400
 X@@ -3000,6 +3000,8 @@
 X             FatalError("database: Failed to set reconnect option: %s\n", mysql_error(data->m_sock));
 X #endif  /* !MYSQL_HAS_OPT_RECONNECT_BUG */
 X 
 X+	mysql_ssl_set(data->m_sock, "%%ETCDIR%%/certs/key.pem", "%%ETCDIR%%/certs/cert.pem", "%%ETCDIR%%/certs/ca.pem", NULL, NULL);
 X+
 X         if(mysql_real_connect(data->m_sock, data->shared->host, data->user,
 X                               data->password, data->shared->dbname,
 X                               data->port == NULL ? 0 : atoi(data->port), NULL, 0) == NULL)
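Review bot: mysql_ssl_set() only registers the key, certificate and CA paths; it does not make SSL mandatory, and libmysqlclient silently completes an unencrypted connection when the server was built without SSL or has it disabled, so this hunk does not achieve the "Require SSL" the option promises. After mysql_real_connect() succeeds, check `mysql_get_ssl_cipher(data->m_sock)` and call FatalError() when it returns NULL, mirroring the reconnect-option check just above; with a CA file supplied, `mysql_options(data->m_sock, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, ...)` would additionally tie the server certificate to data->shared->host. Two smaller points: the paths are baked into the binary as string literals, so a relocated or chrooted install cannot adjust them without a rebuild, and the added line is tab-indented while the surrounding code uses spaces.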
 626cb1d028b27d7ebe674cf9f03007bc
 exit
 
 
Responsible-Changed-From-To: freebsd-ports-bugs->wxs 
Responsible-Changed-By: wxs 
Responsible-Changed-When: Fri Jun 24 19:46:37 UTC 2011 
Responsible-Changed-Why:  
I'll take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=158031 
State-Changed-From-To: feedback->closed 
State-Changed-By: wxs 
State-Changed-When: Sat Jun 25 13:06:05 UTC 2011 
State-Changed-Why:  
Per the discussion at 
http://marc.info/?l=snort-users&m=130900468419018&w=2, this PR can be 
closed according to the submitter. This functionality is already present 
in another port and will be removed from snort in the future. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=158031 
>Unformatted:
