
| Subject: | Re: [Snort-users] custom ruletype (to mysql DB) is broken in snort 2.8.0.1 |
|---|---|
| Date: | Thu, 03 Jan 2008 10:55:16 -0500 |
It is a known issue. If you need custom alert type functionality you will either need to revert to 2.7.x or wait for it to be resolved in an upcoming 2.8.x release.

Agent Smith wrote:
OK: As I stare at these damn BASE screens I am getting crazy. I finally managed to get alerts in the test database (originally intended for custom signatures only). Now the problem is that it logs ALL alerts in both the test DB AND the snort DB. That's just weird. There are like 6 lines of documentation all together in faq.pdf, not a word in any READMEs about ruletype (and now I am posting a reply to myself in the group). Has NO ONE else run into this?? Really??? The alertype crap doesn't work and I may just need to write my own SQL statements to extract the things I want stored separately in another DB.

--- Agent Smith <news8080@yahoo.com> wrote:

I've been at this all freaking day today and can't get anywhere, so I am hoping that some snort programmer will chime in and either point me to a doc or something. All I am trying to do is use 'ruletype' to log all of the ssh hackers. I have the following in snort.conf, and then in local.rules I have a custom alert defined which starts with 'redalert tcp blah blah...'. I have two different mysql databases, test (for redalerts) and snort (for the rest of them), on the local machine. If I change the redalert to alert and remove the redalert definition from snort.conf all works fine, no segfaults there, and I can read the DB using BASE.

---- from snort.conf -----

```
output database: log, mysql, user=snort password=pass dbname=snort28 host=localhost
..
..
ruletype redalert
{
    type alert output
    output database: log, mysql, user=snort dbname=test host=localhost password=pass
}
```

-------- ----------

and whenever I start snort with

```
/usr/local/snort-2.8.0.1/bin/snort -v -c /etc/snort-2.8.0.1/etc/snort.conf --pid-path /var/run1 -i eth2
```

it segfaults. I read the snort 2.0 book and found that you actually have to do 'type alert output' and NOT 'type alert' only, like documented in the snort.conf.sample file. I've tried changing type alert output to log output, and output database to alert instead of log, to no avail.
I thought maybe this functionality is broken in this release, so I downgraded to 2.6 and it still segfaults, so I moved the snort from fc6 to a fresh install of fc7 on a new machine - same damn thing. So I am clueless; it seems like a simple thing that a lot of people would be using, so I am hoping I'll get some pointers here.

- Agent Smith
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
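The thread turns on how `ruletype` blocks and global `output` lines in snort.conf route alerts to different database outputs. The script below is an added example, not code from the Snort project or from either poster: it parses the `ruletype NAME { type X  output PLUGIN: ARGS }` block syntax from the Snort manual plus top-level `output` lines, and audits the result for blocks with no `type`, an unknown `type`, no output plugin, a database output that points at the same host/dbname as a global output (every matching alert would then be written twice to one table), and cleartext database passwords. The sample config, the function names and the set of accepted rule types are assumptions made for the example.

```python
"""Audit ruletype blocks in a snort.conf (added example, not Snort project code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed set of rule types accepted in a `type` line of a ruletype block.
VALID_TYPES = {"alert", "log", "pass", "activate", "dynamic", "drop", "sdrop", "reject"}

OUTPUT_RE = re.compile(r"^output\s+(\w+)\s*:\s*(.*)$")
TYPE_RE = re.compile(r"^type\s+(\w+)\s*$")
RULETYPE_RE = re.compile(r"^ruletype\s+(\w+)\s*(\{)?\s*$")


@dataclass
class RuleType:
    name: str
    rtype: Optional[str] = None
    outputs: List[Tuple[str, str]] = field(default_factory=list)  # (plugin, args)


def _clean(line: str) -> str:
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_config(text: str) -> Tuple[List[Tuple[str, str]], Dict[str, RuleType]]:
    """Return (global output lines, ruletype blocks by name)."""
    globals_: List[Tuple[str, str]] = []
    ruletypes: Dict[str, RuleType] = {}
    current: Optional[RuleType] = None
    for raw in text.splitlines():
        line = _clean(raw)
        if not line:
            continue
        if current is None:                       # top level of the file
            m = RULETYPE_RE.match(line)
            if m:
                current = RuleType(m.group(1))
                ruletypes[current.name] = current
                continue
            m = OUTPUT_RE.match(line)
            if m:
                globals_.append((m.group(1), m.group(2).strip()))
            continue
        if line == "{":                           # inside a ruletype block
            continue
        if line == "}":
            current = None
            continue
        m = TYPE_RE.match(line)
        if m:
            current.rtype = m.group(1)
            continue
        m = OUTPUT_RE.match(line)
        if m:
            current.outputs.append((m.group(1), m.group(2).strip()))
    if current is not None:
        raise ValueError(f"ruletype {current.name}: block never closed")
    return globals_, ruletypes


def db_params(args: str) -> Dict[str, str]:
    """Turn 'log, mysql, user=snort dbname=test host=localhost' into a dict of key=value pairs."""
    params: Dict[str, str] = {}
    for tok in args.replace(",", " ").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            params[key] = value
    return params


def audit(text: str) -> List[str]:
    """Return human-readable findings about the ruletype/output configuration."""
    globals_, ruletypes = parse_config(text)
    findings: List[str] = []
    global_dbs = set()
    for plugin, args in globals_:
        if plugin == "database":
            p = db_params(args)
            global_dbs.add((p.get("host"), p.get("dbname")))
            if "password" in p:
                findings.append(f"global: database '{p.get('dbname')}' has its password in snort.conf")
    for rt in ruletypes.values():
        if rt.rtype is None:
            findings.append(f"{rt.name}: no 'type' line")
        elif rt.rtype not in VALID_TYPES:
            findings.append(f"{rt.name}: unknown type '{rt.rtype}'")
        if not rt.outputs:
            findings.append(f"{rt.name}: no output plugin defined in the block")
        for plugin, args in rt.outputs:
            if plugin == "database":
                p = db_params(args)
                if (p.get("host"), p.get("dbname")) in global_dbs:
                    findings.append(f"{rt.name}: database output duplicates a global output "
                                    f"({p.get('dbname')}@{p.get('host')})")
                if "password" in p:
                    findings.append(f"{rt.name}: database '{p.get('dbname')}' has its password in snort.conf")
    return findings


# Constructed sample, modelled on the snort.conf fragment quoted in the thread.
SAMPLE_CONF = """\
# global output for ordinary alerts
output database: log, mysql, user=snort password=pass dbname=snort28 host=localhost

ruletype redalert
{
    type alert
    output database: log, mysql, user=snort dbname=test host=localhost password=pass
}

ruletype quiet
{
    type alert
}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Run against the sample it reports the two cleartext passwords and the `quiet` block that has no output; `redalert` is routed to `test@localhost`, which does not collide with the global `snort28@localhost` output, so no duplicate-route finding is raised for it.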