[Snort-users] custom ruletype (to mysql DB) is broken in snort 2.8.0.1

Todd Wease twease at ...1935...
Wed Jan 2 19:22:25 EST 2008


This is known to be broken in 2.8.0.1.  It will be fixed in the next
release.

By the way, the Snort 2.0 book is most likely outdated.  'type alert' is
the correct syntax, not 'type alert output'.

Todd

Agent Smith wrote:
> I've been at this all freaking day today and can't get
> anywhere so I am hoping that some snort programmer
> will chime in and either point me to a doc or
> something.
> 
> All I am trying to do is use 'ruletype' to log all of
> ssh hackers. I have the following in snort.conf and
> then in local.rules I have a custom alert defined
> which starts with 'redalert tcp blah blah...' 
> 
> I have two different mysql databases, test (for
> redalerts) and snort (for the rest of them), on the local
> machine.
> 
> If I change the redalert to alert and remove the
> redalert definition from snort.conf all works fine, no
> segfaults there and I can read the DB using BASE.
> 
> ---- from snort.conf -----
> output database: log, mysql, user=snort password=pass dbname=snort28 host=localhost
> ..
> ..
> ruletype redalert
> {
>  type alert output
>  output database: log, mysql, user=snort dbname=test host=localhost password=pass
> }
> -------- ----------
> 
> 
> and whenever I start snort with
> /usr/local/snort-2.8.0.1/bin/snort -v -c
> /etc/snort-2.8.0.1/etc/snort.conf   --pid-path
> /var/run1  -i eth2
> 
> it segfaults.
> 
> I read the Snort 2.0 book and found that you actually
> have to do 'type alert output' and NOT 'type alert'
> only, like documented in the snort.conf.sample file.
> 
> I've tried changing type alert output to log output,
> output database to alert instead of log to no avail.
> 
> I thought maybe this functionality is broken in this
> release so I downgraded to 2.6 and it still segfaults
> so I moved the snort from fc6 to a fresh install of
> fc7 on a new machine - same damn thing. 
> 
> so I am clueless, it seems like a simple thing that a
> lot of people would be using so I am hoping I'll get
> some pointers here.
> 
> - Agent Smith.
> 
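The syntax point Todd makes (a ruletype body takes `type <action>` on its own line, with each `output` plugin on its own line) is easy to get wrong when copying from older books. Below is an added example, not from the thread or from the Snort project, that pulls every `ruletype` block out of a snort.conf and flags a `type` line carrying extra words such as `type alert output`. The sample configuration is constructed to mirror the one quoted above; the accepted action keywords (alert, log, pass, activate, dynamic) are the ones listed in the Snort 2.x manual. This only checks the syntax error discussed here; it cannot tell you whether the 2.8.0.1 crash Todd refers to is present.

```python
import re

# Constructed sample snort.conf fragment modelled on the one quoted in the thread.
# 'redalert' carries the bad 'type alert output' line, 'sshlog' is the corrected form.
SAMPLE_CONF = """\
output database: log, mysql, user=snort password=pass dbname=snort28 host=localhost

ruletype redalert
{
 type alert output
 output database: log, mysql, user=snort dbname=test host=localhost password=pass
}

ruletype sshlog
{
 type alert
 output database: log, mysql, user=snort dbname=test host=localhost password=pass
}
"""

# Rule actions a 'type' line may name inside a ruletype block (Snort 2.x manual).
VALID_TYPES = {"alert", "log", "pass", "activate", "dynamic"}

# Matches 'ruletype <name> { ... }' across lines; bodies in snort.conf are brace-delimited.
RULETYPE_RE = re.compile(r"ruletype\s+(\w+)\s*\{(.*?)\}", re.S)


def parse_ruletypes(conf):
    """Return {name: [non-empty body lines]} for every ruletype block in conf."""
    blocks = {}
    for m in RULETYPE_RE.finditer(conf):
        name, body = m.group(1), m.group(2)
        blocks[name] = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return blocks


def check_ruletype(name, lines):
    """Return a list of problems for one ruletype body; an empty list means it looks fine."""
    problems = []
    type_lines = [ln for ln in lines if ln.startswith("type ")]
    if len(type_lines) != 1:
        problems.append(f"{name}: expected exactly one 'type' line, found {len(type_lines)}")
    for ln in type_lines:
        words = ln.split()
        # 'type alert output' splits into three words and is rejected here.
        if len(words) != 2 or words[1] not in VALID_TYPES:
            problems.append(
                f"{name}: bad line {ln!r}; expected 'type <alert|log|pass|activate|dynamic>' "
                "with output plugins on their own lines"
            )
    if not any(ln.startswith("output ") for ln in lines):
        problems.append(f"{name}: no 'output' line, the rule type would log nowhere")
    return problems


def lint_conf(conf):
    """Lint every ruletype block in a snort.conf string and return all problems found."""
    problems = []
    for name, lines in parse_ruletypes(conf).items():
        problems.extend(check_ruletype(name, lines))
    return problems


if __name__ == "__main__":
    for p in lint_conf(SAMPLE_CONF):
        print(p)
```

Run it against your real snort.conf by reading the file into `lint_conf`; a clean run prints nothing, while the constructed sample reports only the `redalert` block.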