[Snort-users] custom ruletype (to mysql DB) is broken in snort 2.8.0.1

Todd Wease twease at ...1935...
Fri Jan 4 10:26:24 EST 2008


Thanks for bringing this to our attention.  The segfault you spoke of
initially will be fixed in the next release.  The current issue you are
experiencing apparently has been broken for quite some time.  A bug has
been created, but the fix will most likely not make it into the next
release.

Thanks,
Todd

Agent Smith wrote:
> nope, still doesn't work. It does the same thing it
> did with snort 2.6 where 'redalerts' are not the only
> ones that get logged into its DB but other stuff goes
> in there too.
> 
> I only have one rule that I changed from alert to
> redalert and I don't understand why others are logging
> into the DB meant for the redalert even on snort 2.7
> 
> 
> 
> == from snort.conf ==
> output database: log, mysql, user=snort password=pass dbname=snort host=localhost
> ..
> ..
> ..
> ruletype redalert
> {
>    type alert
>    output alert_syslog: LOG_AUTH LOG_ALERT
>    output database: log, mysql, user=snort dbname=redalert host=localhost password=pass
> }
> 
> 
> --- Agent Smith <news8080 at ...131...> wrote:
> 
>> so it works in 2.7 then? I am sorry but I spent a good
>> day fighting this and gave up. I went back to snort
>> 2.6 and saw the same kind of things (little different
>> in that the ruletype redalert DB was also accepting
>> 'normal' alerts that are supposed to go to the generic DB
>> that stores everything else) and I ended up with two
>> copies of the same alert in two different DB instances.
>>
>> haven't tried 2.7 yet but will give it a shot now...
>>
>>
>> --- Jason Brvenik <jasonb at ...1935...> wrote:
>>
>>> It is a known issue. If you need custom alert type
>>> functionality you will either need to revert to 2.7.x
>>> or wait for it to be resolved in an upcoming 2.8.x release.
>>>
>>> Agent Smith wrote:
>>>> OK:
>>>>
>>>> As I stare at these damn BASE screens I am getting
>>>> crazy. I finally managed to get alerts in the test
>>>> database (originally intended for custom signatures
>>>> only)
>>>>
>>>> Now the problem is that it logs ALL alerts in both
>>>> the test DB AND the snort DB. That's just weird. There is
>>>> like 6 lines of documentation all together in faq.pdf,
>>>> not a word in any READMEs about ruletype (and now I am
>>>> posting a reply to myself in the group)
>>>>
>>>> Has NO ONE else run into this?? really???
>>>>
>>>> The ruletype crap doesn't work and I may just need to
>>>> write my own SQL statements to extract things I want
>>>> stored separately in another DB
>>>>
>>>> --- Agent Smith <news8080 at ...131...> wrote:
>>>>
>>>>> I've been at this all freaking day today and can't
>>>>> get anywhere so I am hoping that some snort programmer
>>>>> will chime in and either point me to a doc or
>>>>> something.
>>>>>
>>>>> All I am trying to do is use 'ruletype' to log all
>>>>> of the ssh hackers. I have the following in snort.conf
>>>>> and then in local.rules I have a custom alert defined
>>>>> which starts with 'redalert tcp blah blah...'
>>>>>
>>>>> I have two different mysql databases: test (for
>>>>> redalerts) and snort (for the rest of them) on the local
>>>>> machine.
>>>>>
>>>>> If I change the redalert to alert and remove the
>>>>> redalert definition from snort.conf all works fine,
>>>>> no segfaults there and I can read the DB using BASE
>>>>>
>>>>> ---- from snort.conf -----
>>>>> output database: log, mysql, user=snort password=pass dbname=snort28 host=localhost
>>>>> ..
>>>>> ..
>>>>> ruletype redalert
>>>>> {
>>>>>  type alert output
>>>>>  output database: log, mysql, user=snort dbname=test host=localhost password=pass
>>>>> }
>>>>> -------- ----------
>>>>>
>>>>>
>>>>> and whenever I start snort with
>>>>> /usr/local/snort-2.8.0.1/bin/snort -v -c /etc/snort-2.8.0.1/etc/snort.conf --pid-path /var/run1 -i eth2
>>>>>
>>>>> it segfaults.
>>>>>
>>>>> I read the snort2.0 book and found that you actually
>>>>> have to do 'type alert output' and NOT 'type alert'
>>>>> only like documented in the snort.conf.sample file
>>>>>
>>>>> I've tried changing type alert output to log output,
>>>>> output database to alert instead of log to no avail.
>>>>> I thought maybe this functionality is broken in this
>>>>> release so I downgraded to 2.6 and it still segfaults
>>>>> so I moved the snort from fc6 to a fresh install of
>>>>> fc7 on a new machine - same damn thing.
>>>>>
>>>>> so I am clueless, it seems like a simple thing that
>>>>> a lot of people would be using so I am hoping I'll get
>>>>> some pointers here.
>>>>>
>>>>> - Agent Smith.
>>>>>
>>>>>
>>>>>
>>>>>      
>>>>>
> ____________________________________________________________________________________
>>>>> Never miss a thing.  Make Yahoo your home page.
>>>>> http://www.yahoo.com/r/hs
>>>>>
>>>>>
> -------------------------------------------------------------------------
>>>>> This SF.net email is sponsored by: Microsoft
>>>>> Defy all challenges. Microsoft(R) Visual Studio
>>>>> 2005.
>>>>>
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
>>>>> _______________________________________________
>>>>> Snort-users mailing list
>>>>> Snort-users at lists.sourceforge.net
>>>>> Go to this URL to change user options or
>>>>> unsubscribe:
>>>>>
> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> Snort-users list archive:
>>>>>
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>
>>>>
>>>>      
> === message truncated ===
> 
> 
> 
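The ruletype declarations quoted above arrived mail-wrapped, which hides whether the `type` line was `type alert` or `type alert output` and whether each `output` directive sat on a single line. As an added example, not code from the Snort project or from anyone in this thread, here is a small Python linter that parses the ruletype blocks of a Snort 2 snort.conf against the shape the Snort 2 manual documents (`ruletype NAME { type <alert|log|pass|activate|dynamic> output ... }`) and flags a `type` line carrying extra tokens, an orphan continuation line left by wrapping, and a block missing its `type` or `output`. The two embedded configs are constructed: one reproduces the wrapped fragment from the first post as it appears in the mail, the other the same declaration written out as the manual's own ruletype example shows it. The list of recognised top-level directives is an assumption sufficient for these fragments; `include`d files are not followed.

```python
import re

# Rule types a ruletype block's `type` line may name, per the Snort 2 manual's
# "Rule Type Declarations" section.
RULE_TYPES = {"alert", "log", "pass", "activate", "dynamic"}
# Actions a rule line may start with at top level (inline builds add three).
RULE_ACTIONS = RULE_TYPES | {"drop", "reject", "sdrop"}
# Top-level directives this linter recognises: an assumed list, enough for the
# fragments in the thread.
TOP_LEVEL = {"var", "ipvar", "portvar", "config", "preprocessor", "output",
             "include", "dynamicpreprocessor", "dynamicengine",
             "dynamicdetection", "ruletype"}
RULETYPE_HDR = re.compile(r"ruletype\s+([A-Za-z_]\w*)\s*\{?\s*$")
EXPECTED_TYPE = "type <" + "|".join(sorted(RULE_TYPES)) + ">"


def parse_snort_conf(text):
    """Return (global_outputs, ruletypes, problems).

    global_outputs: `output ...` directives outside any ruletype block.
    ruletypes:      name -> {"type": validated type or None,
                             "type_line": raw type line or None,
                             "outputs": [raw output lines]}
    problems:       diagnostics prefixed with the offending line number.
    """
    global_outputs, ruletypes, problems = [], {}, []
    current = None  # name of the ruletype block being parsed, if any

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        first = line.split()[0]

        if current is None:
            m = RULETYPE_HDR.match(line)
            if m:
                current = m.group(1)
                ruletypes[current] = {"type": None, "type_line": None, "outputs": []}
            elif first == "ruletype":
                problems.append(f"line {lineno}: malformed ruletype header {line!r}")
            elif first == "output":
                global_outputs.append(line)
            elif (first not in TOP_LEVEL and first not in RULE_ACTIONS
                  and first not in ruletypes):
                # Snort would not recognise this line; typically it is the tail of
                # a directive that a mail client or editor wrapped onto its own line.
                problems.append(f"line {lineno}: unrecognised top-level line {line!r} "
                                "(wrapped continuation of the previous directive?)")
            continue

        blk = ruletypes[current]
        if line == "{":
            continue
        if line == "}":
            if blk["type_line"] is None:
                problems.append(f"line {lineno}: ruletype {current} has no 'type' line")
            if not blk["outputs"]:
                problems.append(f"line {lineno}: ruletype {current} has no 'output' line")
            current = None
        elif first == "type":
            blk["type_line"] = line
            toks = line.split()
            if len(toks) == 2 and toks[1] in RULE_TYPES:
                blk["type"] = toks[1]
            else:
                problems.append(f"line {lineno}: ruletype {current}: bad type line "
                                f"{line!r}; expected '{EXPECTED_TYPE}' on its own")
        elif first == "output":
            blk["outputs"].append(line)
        else:
            problems.append(f"line {lineno}: ruletype {current}: unexpected line "
                            f"{line!r} (wrapped continuation of the previous output?)")

    if current is not None:
        problems.append(f"ruletype {current}: block not closed with '}}'")
    return global_outputs, ruletypes, problems


# Constructed sample: the first post's snort.conf fragment as it arrived,
# mail-wrapped, with 'output' trailing on the type line.
WRAPPED_CONF = """\
output database: log, mysql, user=snort password=pass
dbname=snort28 host=localhost
ruletype redalert
{
 type alert output
 output database: log, mysql, user=snort
dbname=test host=localhost password=pass
}
"""

# Constructed sample: the same declaration written as the Snort 2 manual's
# ruletype example shows it, one `type` line and one directive per line.
CLEAN_CONF = """\
output database: log, mysql, user=snort password=pass dbname=snort28 host=localhost
ruletype redalert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort dbname=test host=localhost password=pass
}
"""

if __name__ == "__main__":
    for name, conf in (("wrapped", WRAPPED_CONF), ("clean", CLEAN_CONF)):
        outs, rts, probs = parse_snort_conf(conf)
        print(f"{name}: {len(outs)} global output(s), ruletypes={list(rts)}")
        for p in probs or ["no problems"]:
            print("  ", p)
```

Run against the wrapped fragment the linter reports three problems (the orphan `dbname=snort28 ...` line, the `type alert output` line, and the orphan `dbname=test ...` line inside the block); the clean version parses with one global output and a `redalert` block of type `alert` with two outputs. It checks only the shape of the declaration, not how Snort routes events between the global and per-ruletype output plugins, which is the separate behaviour the thread reports as a bug.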