Index: Makefile
===================================================================
RCS file: /ncvs/ports/security/snort/Makefile,v
retrieving revision 1.134
diff -u -r1.134 Makefile
--- Makefile 12 Apr 2011 04:31:21 -0000 1.134
+++ Makefile 25 Jun 2011 12:52:58 -0000
@@ -32,6 +32,7 @@
 PERFPROFILE "Enable Performance Profiling" on \
 FLEXRESP3 "Flexible response to events (version 3)" on \
 MYSQL "Enable MySQL support" off \
+ MYSQLSSL "Require SSL for MySQL connections" off \
 ODBC "Enable ODBC support" off \
 POSTGRESQL "Enable PostgreSQL support" off \
 PRELUDE "Enable Prelude NIDS integration" off \
@@ -45,6 +46,8 @@
 CONFIGURE_ENV= LDFLAGS="${LDFLAGS}"
 MAKE_JOBS_UNSAFE= yes
 
+LICENSE= GPLv2
+
 CONFIG_DIR?= ${PREFIX}/etc/snort
 CONFIG_FILES= classification.config gen-msg.map reference.config \
 snort.conf threshold.conf unicode.map
@@ -86,6 +89,9 @@
 .if defined(WITH_MYSQL)
 USE_MYSQL= yes
 CONFIGURE_ARGS+= --with-mysql=${LOCALBASE}
+.if defined(WITH_MYSQLSSL)
+EXTRA_PATCHES= ${PATCHDIR}/extra-patch-mysql_ssl
+.endif
 .else
 CONFIGURE_ARGS+= --with-mysql=no
 .endif
@@ -159,10 +165,18 @@
 PATCHFILES+= snortsam-2.9.0.3.diff.gz:snortsam
 .endif
 
+.if defined(WITH_MYSQLSSL) && !defined(WITH_MYSQL)
+ @${ECHO_MSG} "MYSQL SSL support requires MYSQL option."
+ @${ECHO_MSG} "Ignoring MYSQL SSL option."
+.endif
+
 post-patch:
 .if defined(NOPORTDOCS)
 @${REINPLACE_CMD} '/SUBDIRS = /s/doc//' ${WRKSRC}/Makefile.in
 .endif
+.if defined(WITH_MYSQL) && defined(WITH_MYSQLSSL)
+ @${REINPLACE_CMD} -e 's|%%ETCDIR%%|${ETCDIR}|g' ${WRKSRC}/src/output-plugins/spo_database.c
+.endif
 
 pre-configure:
 ${FIND} ${WRKSRC} -name 'Makefile.in' | ${XARGS} ${REINPLACE_CMD} -e 's|lib/snort_|lib/snort/|g'
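Review bot: `EXTRA_PATCHES=` in the `@@ -86,6 +89,9 @@` hunk assigns rather than appends, so any EXTRA_PATCHES value supplied on the command line or by another option block is silently replaced by the single mysql_ssl patch (or, in the reverse order, the mysql_ssl patch is dropped); whether another assignment exists elsewhere in this Makefile is not visible here. The ports convention is to accumulate patch lists, i.e. `EXTRA_PATCHES+= ${PATCHDIR}/extra-patch-mysql_ssl`. The enclosing `.if defined(WITH_MYSQL)` block is shown in full within the hunk.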
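Review bot: The two `@${ECHO_MSG}` recipe lines in the `@@ -159,10 +165,18 @@` hunk are placed at file level, between the `PATCHFILES+=` block and the `post-patch:` rule, so they belong to no target; BSD make rejects such lines as unassociated shell commands (or, at best, attaches them to whichever rule last appeared), meaning the "Ignoring MYSQL SSL option" warning is never printed where intended. The conflict is decidable at parse time, so express it with a parse-time directive or the framework variable instead: `.warning MYSQLSSL requires the MYSQL option; ignoring MYSQLSSL` if the build should continue, or `IGNORE= MYSQLSSL requires the MYSQL option` if it should stop. Either form also removes the need for a `.endif`-wrapped recipe outside a rule. The `post-patch:` and `pre-configure:` rules that follow are otherwise unaffected.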
@@ -231,6 +245,14 @@
 fi
 .endfor
 .endif
+.if defined(WITH_MYSQL) && defined(WITH_MYSQLSSL)
+ ${ECHO_MSG} "NOTE: ${PORTNAME} was compiled WITH_MYSQLSSL=yes and now requires SSL for MySQL connections."
+ ${ECHO_MSG} " Before attempting to log to a MySQL database, you must ensure that ${ETCDIR}/certs contains the following files:"
+ ${ECHO_MSG} " ca.pem: The CA's public key"
+ ${ECHO_MSG} " cert.pem: The client's public key"
+ ${ECHO_MSG} " key.pem: The client's private key"
+ ${ECHO_MSG} "If you are chrooting ${PORTNAME}, you must ensure that devfs is mounted and that the certificates directory exists within the new root"
+.endif
 @${CAT} ${PKGMESSAGE}
 
 .include
Index: files/extra-patch-mysql_ssl
===================================================================
RCS file: files/extra-patch-mysql_ssl
diff -N files/extra-patch-mysql_ssl
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/extra-patch-mysql_ssl 25 Jun 2011 12:49:39 -0000
@@ -0,0 +1,11 @@
+--- src/output-plugins/spo_database.c 2011-06-19 10:59:59.000000000 -0400
++++ src/output-plugins/spo_database.c 2011-06-19 11:08:58.000000000 -0400
+@@ -3000,6 +3000,8 @@
+ FatalError("database: Failed to set reconnect option: %s\n", mysql_error(data->m_sock));
+ #endif /* !MYSQL_HAS_OPT_RECONNECT_BUG */
+ 
++ mysql_ssl_set(data->m_sock, "%%ETCDIR%%/certs/key.pem", "%%ETCDIR%%/certs/cert.pem", "%%ETCDIR%%/certs/ca.pem", NULL, NULL);
++ 
+ if(mysql_real_connect(data->m_sock, data->shared->host, data->user,
+ data->password, data->shared->dbname,
+ data->port == NULL ? 0 : atoi(data->port), NULL, 0) == NULL)
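Review bot: The six new `${ECHO_MSG}` lines in the `@@ -231,6 +245,14 @@` hunk are the only recipe lines in this rule without the `@` prefix used on the neighbouring `@${CAT} ${PKGMESSAGE}`, so the build log prints each echo command and then its text, doubling the notice; prefix them with `@` for consistency. The wording also mislabels the files: ca.pem and cert.pem are certificates, not "public keys", so `" ca.pem: The CA certificate"` and `" cert.pem: The client certificate"` would be accurate. Since key.pem is a private key the notice should tell the administrator to make it readable only by the user snort runs as, e.g. `" key.pem: The client's private key (readable only by the snort user)"`. The rule these lines belong to starts before the hunk, so its target name is not visible here.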
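Review bot: The added `mysql_ssl_set()` call in files/extra-patch-mysql_ssl supplies a client certificate and CA but does not make SSL mandatory, so the option name "Require SSL" and the post-install notice overstate what the code enforces: with the MySQL client library of this era the connection proceeds in plaintext if the server does not offer SSL, and the server's certificate is not checked against ca.pem unless server verification is enabled, leaving credentials and logged events exposed to a downgrade or an impersonating server. Before `mysql_real_connect()` the plugin should enable `MYSQL_OPT_SSL_VERIFY_SERVER_CERT` via `mysql_options()`, and after a successful connect it should confirm `mysql_get_ssl_cipher()` is non-NULL and call `FatalError` otherwise. The `if(mysql_real_connect(...) == NULL)` statement continues past the end of the hunk, so the post-connect check belongs after its error branch, which is outside this view. The certificate paths are compiled into the binary, so a deployment that moves `${ETCDIR}` must rebuild; a short comment above the call noting the `%%ETCDIR%%` substitution done by the port's post-patch target would help the next maintainer.
```c
    mysql_ssl_set(data->m_sock, "%%ETCDIR%%/certs/key.pem", "%%ETCDIR%%/certs/cert.pem", "%%ETCDIR%%/certs/ca.pem", NULL, NULL);
    /* Reject servers whose certificate does not chain to ca.pem or does not match the host. */
    my_bool verify_server_cert = 1;
    mysql_options(data->m_sock, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify_server_cert);

    /* … unchanged: mysql_real_connect() call and its FatalError branch … */

    /* mysql_ssl_set() only requests SSL; without this check a server lacking SSL gets a plaintext session. */
    if (mysql_get_ssl_cipher(data->m_sock) == NULL)
        FatalError("database: MySQL connection is not protected by SSL\n");
```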