Re: custom ruletype (to mysql DB) is broken in snort 2.8.0.1

[Agent Smith <news8080 () yahoo com>]

OK: 

As I stare at these damn BASE screens I am getting
crazy. I finally managed to get alerts in the test
database (originally intended for custom signatures
only)

Now the problem is that it logs ALL alerts in both
test DB AND snort DB. thats just weird. There is like
6 lines of documentation all together in faq.pdf, not
a word in any READMEs about ruletype (and now I am
posting a reply to myself in the group)

Have NOONE else ran into this?? really???

The alertype crap doesn't work and I may just need to
write my on SQL statements to extract things  I want
stored seperately in another DB

--- Agent Smith <news8080 () yahoo com> wrote:

> I've been at this all freaking day today and can't
> get
> anywhere so I am hoping that some snort programmer
> will chime in and either point me to a doc or
> something.
>
> All I am trying to do is use 'ruletype' to log all
> of
> ssh hackers. I have the following in snort.conf and
> then in local.rules I have a custom alert defined
> which starts with 'redalert tcp blah blah...' 
>
> I have two different mysql databases test(for
> redalerts) and snort (for the rest of them) on local
> machine. 
>
> If I change the redalert to alert and remove the
> redalert defination from snort.conf all works fine,
> no
> segfaults there and I can read the DB using BASE
>
> ---- from snort.conf -----
> output database: log, mysql, user=snort
> password=pass
> dbname=snort28 host=localhost
> ..
> ..
> ruletype redalert
> {
>  type alert output
>  output database: log, mysql, user=snort dbname=test
> host=localhost password=pass
> }
> -------- ----------
>
>
> and whenever I start snort with
> /usr/local/snort-2.8.0.1/bin/snort -v -c
> /etc/snort-2.8.0.1/etc/snort.conf   --pid-path
> /var/run1  -i eth2
>
> it segfaults.
>
> I read the snort2.0 book and found that you actually
> have to do 'type alert output' and NOT 'type alert'
> only like documented in snort.conf.sample file
>
> I've tried changing type alert output to log output,
> output database to alert instead of log to no avail.
>
> I thought maybe this functionality is broken in this
> release so I downgraded to 2.6 and it still
> segfaults
> so I moved the snort from fc6 to a fresh install of
> fc7 on a new machine - same damn thing. 
>
> so I am clueless, it seems like a simple thing that
> a
> lot of people would be using so I am hoping I'll get
> some pointers here.
>
> - Agent Smith.
>
>
>
>      
____________________________________________________________________________________
> Never miss a thing.  Make Yahoo your home page. 
> http://www.yahoo.com/r/hs
-------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio
> 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or
> unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
>



      ____________________________________________________________________________________
Looking for last minute shopping deals?  
Find them fast with Yahoo! Search.  http://tools.search.yahoo.com/newsearch/category.php?category=shopping

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users