Subject: Re: [Snort-users] custom ruletype (to mysql DB) is broken in snort 2.8.0.1
Date: Thu, 3 Jan 2008 13:44:46 -0800 (PST)

Nope, still doesn't work. It does the same thing it did with snort 2.6, where 'redalerts' are not the only ones that get logged into its DB; other stuff goes in there too.

I only have one rule that I changed from alert to redalert, and I don't understand why others are logging into the DB meant for the redalert, even on snort 2.7.



== from snort.conf ==
output database: log, mysql, user=snort password=pass dbname=snort host=localhost
..
..
..
ruletype redalert
{
   type alert
   output alert_syslog: LOG_AUTH LOG_ALERT
   output database: log, mysql, user=snort dbname=redalert host=localhost password=pass
}


--- Agent Smith <news8080@yahoo.com> wrote:


So it works in 2.7 then? I am sorry, but I spent a good day fighting this and gave up. I went back to snort 2.6 and saw the same kind of things (a little different in that the ruletype redalert DB was also accepting 'normal' alerts that are supposed to go to the generic DB that stores everything else) and I ended up with two copies of the same alert in two different DB instances.

Haven't tried 2.7 yet but will give it a shot now...


--- Jason Brvenik <jasonb@sourcefire.com> wrote:

It is a known issue. If you need custom alert type functionality you will either need to revert to 2.7.x or wait for it to be resolved in an upcoming 2.8.x release.

Agent Smith wrote:
OK:

As I stare at these damn BASE screens I am getting crazy. I finally managed to get alerts in the test database (originally intended for custom signatures only).

Now the problem is that it logs ALL alerts in both the test DB AND the snort DB. That's just weird. There are like 6 lines of documentation all together in faq.pdf, not a word in any READMEs about ruletype (and now I am posting a reply to myself in the group).

Has no one else run into this?? Really???

The alertype crap doesn't work and I may just need to write my own SQL statements to extract the things I want stored separately in another DB.

--- Agent Smith <news8080@yahoo.com> wrote:

I've been at this all freaking day today and can't get anywhere, so I am hoping that some snort programmer will chime in and either point me to a doc or something.

All I am trying to do is use 'ruletype' to log all of the ssh hackers. I have the following in snort.conf, and then in local.rules I have a custom alert defined which starts with 'redalert tcp blah blah...'

I have two different mysql databases, test (for redalerts) and snort (for the rest of them), on the local machine.

If I change the redalert to alert and remove the redalert definition from snort.conf all works fine, no segfaults there, and I can read the DB using BASE.
---- from snort.conf -----
output database: log, mysql, user=snort password=pass dbname=snort28 host=localhost
..
..
ruletype redalert
{
 type alert output
 output database: log, mysql, user=snort dbname=test host=localhost password=pass
}
-------- ----------


and whenever I start snort with
/usr/local/snort-2.8.0.1/bin/snort -v -c /etc/snort-2.8.0.1/etc/snort.conf --pid-path /var/run1 -i eth2

it segfaults.

I read the snort 2.0 book and found that you actually have to do 'type alert output' and NOT 'type alert' only, like documented in the snort.conf.sample file.

I've tried changing type alert output to log output, and output database to alert instead of log, to no avail.

I thought maybe this functionality is broken in this release, so I downgraded to 2.6 and it still segfaults, so I moved the snort from fc6 to a fresh install of fc7 on a new machine - same damn thing.

So I am clueless; it seems like a simple thing that a lot of people would be using, so I am hoping I'll get some pointers here.

- Agent Smith.

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
=== message truncated ===
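As an added example (not code from the thread or from the Snort project): a small Python audit that parses a ruletype block of the shape posted above, maps each dbname to the rule action that should feed it, and checks rows pulled from both databases for exactly the two symptoms reported in this thread, alerts landing in the wrong DB and the same alert stored in both. The snort.conf fragment, the local.rules lines, the sids, timestamps and addresses are all constructed for the example.

```python
"""Audit whether Snort ruletype routing really separated events between databases."""
import re

# Constructed snort.conf fragment modelled on the one posted in the thread.
SNORT_CONF = """
output database: log, mysql, user=snort password=pass dbname=snort host=localhost
ruletype redalert
{
   type alert
   output alert_syslog: LOG_AUTH LOG_ALERT
   output database: log, mysql, user=snort dbname=redalert host=localhost password=pass
}
"""
# Constructed local.rules: one rule uses the custom action, one the stock one.
LOCAL_RULES = """
redalert tcp any any -> $HOME_NET 22 (msg:"SSH probe"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"web probe"; sid:1000002; rev:1;)
"""

def db_to_action(conf):
    """dbname -> action that should feed it: 'alert' for the global output,
    the ruletype name for an output inside a ruletype block."""
    mapping, current = {}, "alert"
    for line in conf.splitlines():
        m = re.match(r"\s*ruletype\s+(\w+)", line)
        if m:
            current = m.group(1)
        elif line.strip() == "}":
            current = "alert"
        elif (m := re.search(r"output\s+database:.*?dbname=(\w+)", line)):
            mapping[m.group(1)] = current
    return mapping

def sid_to_action(rules):
    """sid -> rule action, e.g. {1000001: 'redalert', 1000002: 'alert'}."""
    pat = re.compile(r"^\s*(\w+)\s+\w+\s+.*?sid:\s*(\d+)", re.M)
    return {int(sid): action for action, sid in pat.findall(rules)}

def audit(conf, rules, db_events):
    """db_events: {dbname: [(sid, timestamp, src, dst), ...]} as read from each DB.
    Returns (misrouted, duplicated): rows whose sid's action does not belong in
    that DB, and rows that landed in more than one DB."""
    expected, actions = db_to_action(conf), sid_to_action(rules)
    misrouted, seen = [], {}
    for db, rows in db_events.items():
        for row in rows:
            seen.setdefault(row, set()).add(db)
            if actions.get(row[0]) != expected.get(db):
                misrouted.append((db, row))
    duplicated = sorted(r for r, dbs in seen.items() if len(dbs) > 1)
    return sorted(misrouted), duplicated
```

Feed `audit` the rows you SELECT from each database after an upgrade; an empty result on both lists means the custom ruletype is routing as configured.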