Re: [Snort-users] custom ruletype (to mysql DB) is broken in snort

#1, 01-03-2008, Agent Smith
Re: [Snort-users] custom ruletype (to mysql DB) is broken in snort


so it works in 2.7 then? I am sorry but I spent a good
day fighting this and gave up. I went back to snort
2.6 and saw the same kind of things (a little different
in that the ruletype redalert DB was also accepting
'normal' alerts that are supposed to go to the generic DB
that stores everything else) and I ended up with two
copies of the same alert in two different DB instances.

haven't tried 2.7 yet but will give it a shot now...


--- Jason Brvenik <jasonb@sourcefire.com> wrote:

> It is a known issue. If you need custom alert type
> functionality you will either need to revert to 2.7.x
> or wait for it to be resolved in an upcoming 2.8.x release.
>
> Agent Smith wrote:
> > OK:
> >
> > As I stare at these damn BASE screens I am going
> > crazy. I finally managed to get alerts in the test
> > database (originally intended for custom signatures
> > only)
> >
> > Now the problem is that it logs ALL alerts in both
> > test DB AND snort DB. That's just weird. There are
> > like 6 lines of documentation all together in faq.pdf,
> > not a word in any READMEs about ruletype (and now I am
> > posting a reply to myself in the group)
> >
> > Has no one else run into this?? really???
> >
> > The alertype crap doesn't work and I may just need
> > to write my own SQL statements to extract things I
> > want stored separately in another DB
> >
> >
> > --- Agent Smith <news8080@yahoo.com> wrote:
> >
> >> I've been at this all freaking day today and can't
> >> get anywhere so I am hoping that some snort programmer
> >> will chime in and either point me to a doc or
> >> something.
> >>
> >> All I am trying to do is use 'ruletype' to log all
> >> of the ssh hackers. I have the following in snort.conf
> >> and then in local.rules I have a custom alert defined
> >> which starts with 'redalert tcp blah blah...'
> >>
> >> I have two different mysql databases, test (for
> >> redalerts) and snort (for the rest of them), on the
> >> local machine.
> >>
> >> If I change the redalert to alert and remove the
> >> redalert definition from snort.conf all works fine,
> >> no segfaults there and I can read the DB using BASE
> >>
> >> ---- from snort.conf -----
> >> output database: log, mysql, user=snort password=pass dbname=snort28 host=localhost
> >> ..
> >> ..
> >> ruletype redalert
> >> {
> >>     type alert output
> >>     output database: log, mysql, user=snort dbname=test host=localhost password=pass
> >> }
> >> -------- ----------
> >>
> >>
> >> and whenever I start snort with
> >> /usr/local/snort-2.8.0.1/bin/snort -v -c /etc/snort-2.8.0.1/etc/snort.conf --pid-path /var/run1 -i eth2
> >>
> >> it segfaults.
> >>
> >> I read the snort2.0 book and found that you actually
> >> have to do 'type alert output' and NOT 'type alert'
> >> only like documented in snort.conf.sample file
> >>
> >> I've tried changing type alert output to log output,
> >> output database to alert instead of log to no avail.
> >>
> >> I thought maybe this functionality is broken in this
> >> release so I downgraded to 2.6 and it still segfaults
> >> so I moved the snort from fc6 to a fresh install of
> >> fc7 on a new machine - same damn thing.
> >>
> >> so I am clueless, it seems like a simple thing that
> >> a lot of people would be using so I am hoping I'll get
> >> some pointers here.
> >>
> >> - Agent Smith.

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
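For comparison with the configuration quoted in the thread, here is the ruletype layout documented in the Snort 2.x manual and snort.conf.sample (`type alert` on its own line, then one `output` line per plugin) together with a local.rules rule that uses the custom action keyword. This is an added example, not the poster's configuration or anything from the Snort project; the database names, credentials, sid and threshold values are placeholders, and the thread above reports the feature crashing in 2.8.0.x regardless of how the block is written.

```snort
# snort.conf (constructed example)
# Plain "alert" rules keep going to the general database through the
# standard output plugin, exactly as before the custom ruletype existed.
output database: log, mysql, user=snort password=CHANGEME dbname=snort28 host=localhost

# Custom rule type: a rule whose action keyword is "redalert" instead of
# "alert" is delivered only to the output plugins listed in this block.
# snort.conf.sample puts "type alert" alone on its line; the poster's
# version joined it with the first output line as "type alert output".
ruletype redalert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort password=CHANGEME dbname=test host=localhost
}

# local.rules (constructed example)
# Fires once per source when the same host opens five SSH sessions to the
# monitored servers within 60 seconds (the client version banner "SSH-" is
# sent towards the server once the connection is established). The sid is
# in the local range (>= 1000000) so it cannot collide with shipped rules.
redalert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH connection burst from a single source"; flow:to_server,established; content:"SSH-"; depth:4; threshold:type threshold, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;)
```

With this layout, events from the redalert rule should appear only in the test database and ordinary alerts only in snort28; seeing the same event in both, as described above, is what the thread identifies as the 2.8.0.x bug.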