[Snort-users] Mysql output plugin not working for custom ruletype

Johnathan Corgan jcorgan at ...1638...
Sun Apr 15 11:32:35 EDT 2001


Snort has been successfully working for a few weeks now logging alerts to 
both a flat text file as well as a tcpdump binary log file.  I've defined 
a custom ruletype to have alert rules that trigger only *after* the rest 
of the standard rules have had a chance.  This is how probes to ports that 
aren't running services are detected; after the usual rule order, traffic 
to known ports is 'passed', and any remaining traffic is 'alerted'.  
Again this is working well. (Thanks go to Andrew Baker <andrewb at ...1150...> 
for suggesting this.)

I recently installed and configured the mysql output plugin.  Now, alerts 
generated by the standard rules go to the flat file, a binary tcpdump log, 
and into the mysql database, which is what I want.  However, alerts 
generated by the custom ruletype are only going to the flat file and to the 
tcpdump log; mysql isn't getting them.

Is what I'm trying to accomplish here possible, or is there some limitation 
to the mysql output plugin I've run up against?

Here is the config file and command line:

snort.conf:

var INTERNAL xx.xx.xx.xx/xx
var EXTERNAL !$INTERNAL
preprocessor defrag
preprocessor http_decode: 80
preprocessor portscan: $INTERNAL 4 3 portscan.log

output database: alert, mysql, dbname=snort host=localhost user=snort password=xxxx sensor_name=xxxx  

ruletype secondalert {
    type alert
    output database: alert, mysql, dbname=snort host=localhost user=snort password=xxxx sensor_name=xxxx  
}

config order: activation dynamic alert log pass secondalert

include vision.rules
include local.rules

Startup command:

snort   -A fast \
        -c /etc/snort/snort.conf \
        -D \
        -g snort \
        -h xx.xx.xx.xx/xx \
        -i eth0 \
        -l /var/log/snort \
        -L snort.log \
        -p \
        -u snort >/dev/null

Thanks,

Johnathan Corgan
Atlas Enterprises Internet
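The "pass the known ports, then alert on whatever is left" technique in the post depends entirely on where the custom ruletype sits in `config order`. The following is an added example, not code from the post and not part of Snort: a small Python model of Snort-style rule-order evaluation that parses a handful of constructed rules in the post's syntax and shows what happens to three constructed packets under the posted order versus an order that places `secondalert` ahead of `pass`. The model's assumptions (stated in the comments) are that rule groups are scanned in the configured action order, that the first matching rule ends evaluation, and that only protocol, destination port and an optional `content:` string are matched; the rule names, ports and payloads are invented for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not code from the mailing-list post or from Snort itself:
# a toy evaluator for Snort-style rule ordering.  Subset of rule syntax handled:
#   <action> <proto> <src> <sport> -> <dst> <dport> (msg:"..."; [content:"...";])
# Addresses are accepted but ignored; only proto, dport and content are matched.
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)


@dataclass(frozen=True)
class Rule:
    action: str               # pass, alert, log, or a custom ruletype name
    proto: str
    dport: Optional[int]      # None means "any"
    msg: str
    content: Optional[bytes]  # None means no payload condition


def _opt(opts: str, name: str) -> Optional[str]:
    """Pull a quoted option value such as msg:"..." out of the option string."""
    m = re.search(name + r':\s*"([^"]*)"', opts)
    return m.group(1) if m else None


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    dport = None if m["dport"] == "any" else int(m["dport"])
    content = _opt(m["opts"], "content")
    return Rule(m["action"], m["proto"].lower(), dport,
                _opt(m["opts"], "msg") or "",
                content.encode() if content is not None else None)


def parse_order(line: str) -> list:
    """Turn 'config order: a b c' into ['a', 'b', 'c']."""
    key, _, rest = line.partition(":")
    if key.strip() != "config order":
        raise ValueError(f"not a config order line: {line!r}")
    return rest.split()


def matches(rule: Rule, proto: str, dport: int, payload: bytes) -> bool:
    return (rule.proto == proto
            and (rule.dport is None or rule.dport == dport)
            and (rule.content is None or rule.content in payload))


def disposition(rules, order, proto, dport, payload=b"") -> Optional[Rule]:
    """First matching rule, scanning action groups in the configured order.
    Model assumption: the first match ends evaluation, which is what lets a
    'pass' rule suppress every group that comes after it."""
    for action in order:
        for r in rules:
            if r.action == action and matches(r, proto, dport, payload):
                return r
    return None


# Constructed rules in the post's syntax; $EXTERNAL/$INTERNAL are ignored here.
RULES = [parse_rule(l) for l in [
    'pass tcp $EXTERNAL any -> $INTERNAL 80 (msg:"known service: http";)',
    'pass tcp $EXTERNAL any -> $INTERNAL 25 (msg:"known service: smtp";)',
    'alert tcp $EXTERNAL any -> $INTERNAL 80 (msg:"WEB-MISC traversal"; content:"/../";)',
    'secondalert tcp $EXTERNAL any -> $INTERNAL any (msg:"probe to port with no service";)',
]]
POSTED_ORDER = parse_order("config order: activation dynamic alert log pass secondalert")
# Hypothetical mis-ordering for contrast: the catch-all runs before the pass rules.
NAIVE_ORDER = parse_order("config order: activation dynamic alert secondalert log pass")


def action_for(order, proto, dport, payload=b"") -> str:
    r = disposition(RULES, order, proto, dport, payload)
    return r.action if r else "none"


if __name__ == "__main__":
    # Constructed sample packets: (proto, dport, payload).
    samples = [
        ("http traversal", ("tcp", 80, b"GET /../../etc/passwd HTTP/1.0")),
        ("normal http", ("tcp", 80, b"GET /index.html HTTP/1.0")),
        ("probe 31337", ("tcp", 31337, b"")),
    ]
    for label, pkt in samples:
        print(f"{label:15} posted order -> {action_for(POSTED_ORDER, *pkt):12} "
              f"catch-all before pass -> {action_for(NAIVE_ORDER, *pkt)}")
```

Under the posted order, a real signature hit on port 80 still alerts (the `alert` group is scanned first), ordinary traffic to port 80 is passed, and a connection to port 31337 falls through to `secondalert`. Moving `secondalert` ahead of `pass` makes every ordinary port-80 packet a false positive, which is the failure the post's ordering avoids.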
