[Snort-inline-users] snort_inline + clamav database problem

[<kia...@gb...>]

Hi list,

I successfully installed snort_inline with clamav, and able to detect
virus and report it to text log files (snort_full and snort_fast) like this

[**] [122:1:1] (spp_clamav) Virus Found: Eicar-Test-Signature [**]
12/09-16:51:10.858004 81.3.3.133:80 -> 192.168.1.56:4719
TCP TTL:41 TOS:0x0 ID:11189 IpLen:20 DgmLen:466 DF
***AP*** Seq: 0x3778E12C  Ack: 0x95BC1602  Win: 0x1920  TcpLen: 20

I also config snort to store log into database, but snort didn't log virus
alert it found to database (it didn't show in ACID) .So how could I fix
this problem?

Thanks in advance for you help

here is snort.conf file

var HOME_NET any
var EXTERNAL_NET any
var AIM_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET

var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521

preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor clamav: ports all !22 !443, action-reset, dbdir
/usr/local/share/clamav
preprocessor rpc_decode: 111 32771

var RULE_PATH /usr/local/etc/snort/rules
preprocessor http_inspect: global \
     iis_unicode_map $RULE_PATH/unicode.map 1252

preprocessor http_inspect_server: server default \
     profile all ports { 80 8080 8180 } oversize_dir_length 500 \
     no_alerts

preprocessor telnet_decode
preprocessor bo: -nobrute
preprocessor flow: stats_interval 0 hash 2

output database: log, mysql, user=snort password=snort dbname=snort
host=localhost sensor_name=sensor1 detail=fast
output alert_full: snort_full
output alert_fast: snort_fast
output log_tcpdump: snort.log

##### Log everything
log ip any any <> any any (msg: "Snort Unmatched"; session: printable;)

var RULE_PATH /usr/local/etc/snort/rules

# Include classification & priority settings
# Include reference config

include $RULE_PATH/classification.config
include $RULE_PATH/reference.config


####################################################################
# Step #4: Customize your rule set

#include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
#include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules
# bleeding rules
#include $RULE_PATH/bleeding/bleeding-inappropriate.rules
#include $RULE_PATH/bleeding/bleeding-p2p.rules
#include $RULE_PATH/bleeding/bleeding.rules
include $RULE_PATH/bleeding/bleeding-malware.rules
#include $RULE_PATH/bleeding/bleeding-policy.rules
include $RULE_PATH/bleeding/bleeding-virus.rules