Snort mailing list archives
Re: custom ruletype (to mysql DB) is broken in snort 2.8.0.1
From: Agent Smith <news8080 () yahoo com>
Date: Thu, 3 Jan 2008 12:51:06 -0800 (PST)
So it works in 2.7 then? I am sorry, but I spent a good day fighting this and gave up. I went back to snort 2.6 and saw the same kind of things (a little different in that the ruletype redalert DB was also accepting 'normal' alerts that are supposed to go to the generic DB that stores everything else), and I ended up with two copies of the same alert in two different DB instances. Haven't tried 2.7 yet but will give it a shot now...

--- Jason Brvenik <jasonb () sourcefire com> wrote:
It is a known issue. If you need custom alert type functionality you will either need to revert to 2.7.x or wait for it to be resolved in an upcoming 2.8.x release.

Agent Smith wrote:

OK: As I stare at these damn BASE screens I am getting crazy. I finally managed to get alerts in the test database (originally intended for custom signatures only). Now the problem is that it logs ALL alerts in both test DB AND snort DB. That's just weird. There is like 6 lines of documentation all together in faq.pdf, not a word in any READMEs about ruletype (and now I am posting a reply to myself in the group). Has no one else run into this?? Really??? The alert type crap doesn't work and I may just need to write my own SQL statements to extract the things I want stored separately in another DB.

--- Agent Smith <news8080 () yahoo com> wrote:

I've been at this all freaking day today and can't get anywhere, so I am hoping that some snort programmer will chime in and either point me to a doc or something. All I am trying to do is use 'ruletype' to log all of the ssh hackers. I have the following in snort.conf, and then in local.rules I have a custom alert defined which starts with 'redalert tcp blah blah...'. I have two different mysql databases, test (for redalerts) and snort (for the rest of them), on the local machine. If I change the redalert to alert and remove the redalert definition from snort.conf all works fine, no segfaults there, and I can read the DB using BASE.

---- from snort.conf -----
output database: log, mysql, user=snort password=pass dbname=snort28 host=localhost
..
..
ruletype redalert
{
  type alert output
  output database: log, mysql, user=snort dbname=test host=localhost password=pass
}
-------- ----------

and whenever I start snort with

/usr/local/snort-2.8.0.1/bin/snort -v -c /etc/snort-2.8.0.1/etc/snort.conf --pid-path /var/run1 -i eth2

it segfaults.

I read the snort 2.0 book and found that you actually have to do 'type alert output' and NOT 'type alert' only, like documented in the snort.conf.sample file. I've tried changing type alert output to log output, and output database to alert instead of log, to no avail. I thought maybe this functionality is broken in this release, so I downgraded to 2.6 and it still segfaults, so I moved the snort from fc6 to a fresh install of fc7 on a new machine - same damn thing. So I am clueless; it seems like a simple thing that a lot of people would be using, so I am hoping I'll get some pointers here.

- Agent Smith.
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
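The thread above shows the two snort.conf constructs involved, a global 'output database:' line and a 'ruletype' block carrying its own 'output database:' line, and the symptom that matters to a sensor operator: alerts turning up in more than one database. The following is an added example, not code from the thread or from the Snort project: a small Python checker that parses those two constructs and reports structural problems (a rule type with no type, an unknown type, no output plugin, or a database output that points at the same dbname as a global output) before the sensor is started. The sample configuration is constructed from the thread's fragment with placeholder credentials; the accepted rule types (alert, log, pass) follow the Snort manual's rule-type syntax. The checker only inspects the configuration text; it does not model how any given Snort release actually dispatches a rule type's output, which is exactly what the thread reports 2.8.0.1 getting wrong.

```python
"""Parse the global 'output' lines and 'ruletype' blocks of a snort.conf
and report structural problems before the sensor is started."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the snort.conf fragment quoted in the thread.
# Credentials are placeholders, not real values.
SAMPLE_CONF = """\
# global output: everything not claimed by a custom rule type lands here
output database: log, mysql, user=snort password=CHANGEME dbname=snort28 host=localhost

ruletype redalert
{
    type alert
    output database: log, mysql, user=snort dbname=test host=localhost password=CHANGEME
}

# deliberately incomplete: a rule type with no output plugin
ruletype broken
{
    type alert
}
"""

VALID_TYPES = ("alert", "log", "pass")   # rule types named in the Snort manual


@dataclass
class Output:
    plugin: str                                   # e.g. "database", "alert_syslog"
    args: str                                     # raw text after the colon
    params: dict = field(default_factory=dict)    # key=value pairs found in args


@dataclass
class RuleType:
    name: str
    type: str = ""                                # first word after 'type'
    outputs: list = field(default_factory=list)


def parse_output(line):
    """Turn 'output <plugin>: <args>' into an Output, or None if not one."""
    m = re.match(r"output\s+(\w+)\s*:\s*(.*)", line)
    if not m:
        return None
    plugin, args = m.group(1), m.group(2).strip()
    return Output(plugin, args, dict(re.findall(r"(\w+)=(\S+)", args)))


def parse_conf(text):
    """Return (global_outputs, ruletypes) for a snort.conf body."""
    global_outputs, ruletypes = [], []
    current = None                                # RuleType being filled while inside a block
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and padding
        if not line:
            continue
        if current is None:
            m = re.match(r"ruletype\s+(\w+)", line)
            if m:                                 # '{' may follow on this or the next line
                current = RuleType(m.group(1))
                ruletypes.append(current)
                continue
            out = parse_output(line)
            if out:
                global_outputs.append(out)
            continue
        if line == "{":
            continue
        if line == "}":
            current = None
            continue
        m = re.match(r"type\s+(\w+)", line)
        if m:
            current.type = m.group(1)
            continue
        out = parse_output(line)
        if out:
            current.outputs.append(out)
    return global_outputs, ruletypes


def check(global_outputs, ruletypes):
    """Return a list of findings; an empty list means no structural problem."""
    findings = []
    global_dbs = {o.params.get("dbname") for o in global_outputs if o.plugin == "database"}
    for rt in ruletypes:
        if rt.type not in VALID_TYPES:
            findings.append(f"ruletype {rt.name}: missing or unknown type {rt.type!r}")
        if not rt.outputs:
            findings.append(f"ruletype {rt.name}: no output plugin defined")
        for o in rt.outputs:
            db = o.params.get("dbname")
            if o.plugin == "database" and db in global_dbs:
                findings.append(
                    f"ruletype {rt.name}: writes to dbname={db}, the same database as a "
                    f"global output, so each match may be stored twice (duplicate rows)")
    return findings


if __name__ == "__main__":
    for finding in check(*parse_conf(SAMPLE_CONF)):
        print(finding)
```

Run against a real file with check(*parse_conf(open("/etc/snort/snort.conf").read())) and fix whatever it lists, then let Snort itself validate the configuration with snort -T -c snort.conf before starting the sensor for real; the checker catches layout mistakes in the text, Snort's own test run catches everything the parser here does not know about.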
Current thread:
- custom ruletype (to mysql DB) is broken in snort 2.8.0.1 Agent Smith (Jan 02)
- Re: custom ruletype (to mysql DB) is broken in snort 2.8.0.1 Todd Wease (Jan 02)
- Re: custom ruletype (to mysql DB) is broken in snort 2.8.0.1 Agent Smith (Jan 02)
- Re: custom ruletype (to mysql DB) is broken in snort 2.8.0.1 Jason Brvenik (Jan 03)
- Re: custom ruletype (to mysql DB) is broken in snort 2.8.0.1 Agent Smith (Jan 03)
- Re: custom ruletype (to mysql DB) is broken in snort 2.8.0.1 Agent Smith (Jan 03)
- Re: custom ruletype (to mysql DB) is broken in snort 2.8.0.1 Todd Wease (Jan 04)
- Re: custom ruletype (to mysql DB) is broken in snort 2.8.0.1 Jason Brvenik (Jan 03)