For the record, I've found the root cause of the problem: the
"-t /var/snort" argument, which runs snort in a chroot jail.

I guess something about the chroot jail implementation in snort has been
changed going from 2.4.5 to 2.6.x.x, because previously on 2.4.5 I was
able to jail snort and it wouldn't complain that it could not connect to
mysql through its socket.

So now, I'm running snort in a chroot jail, but instead of its socket, I
use its port, 3306, as I should have been doing since 2.4.5.

However, with 2.6.x.x now, I need to use 127.0.0.1 instead of localhost
in the snort.conf mysql line, which, again, would not cause any problem
on 2.4.5. Otherwise, it insists on using the socket instead of the port,
and thus fails in the chroot jail. Looking at the source code, the new
behaviour is in accordance with the mysql_real_connect() documentation,
hence also correct.

So the mysql plugin on snort 2.6.x.x is not broken (sorry, my bad, I should
have noticed this from the error output). On the contrary, I think a
couple of things have been fixed, if it's correct to say so. (Are these
differences/fixes mentioned in some documentation though?)

Hmm, down to one problem only: the "any" interface.
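
Added example, not part of the original message and not snort's own code: a small check that reads the mysql "output database:" lines from a snort.conf and reports whether each one would use the Unix socket or TCP, and whether the socket is visible inside the "-t" jail. The sample config, the placeholder credentials and the default socket path are assumptions, as is treating a missing host= like localhost (following mysql_real_connect()'s NULL-host rule).

```python
import os
import re

# Constructed sample; credentials and database name are placeholders.
SAMPLE_CONF = """\
# output plugins
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=127.0.0.1 port=3306
"""

# Assumption: a common MySQL socket location; pass your server's real path.
DEFAULT_SOCKET = "/var/run/mysqld/mysqld.sock"

LINE_RE = re.compile(r"output\s+database:\s*\w+\s*,\s*mysql\s*,?\s*(.*)", re.I)

def mysql_outputs(conf_text):
    """Yield the key=value arguments of every mysql 'output database:' line."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            yield dict(kv.split("=", 1) for kv in m.group(1).split() if "=" in kv)

def check_chroot(conf_text, chroot_dir, socket_path=DEFAULT_SOCKET):
    """Report, per mysql output, the transport used and whether it survives the jail."""
    results = []
    for args in mysql_outputs(conf_text):
        host = args.get("host", "")
        # mysql_real_connect(): a NULL or "localhost" host selects the Unix socket.
        if host in ("", "localhost"):
            # After chroot the socket path is resolved relative to the jail root.
            jailed = os.path.join(chroot_dir, socket_path.lstrip("/"))
            results.append((host or "(unset)", "socket", os.path.exists(jailed)))
        else:
            # TCP needs no filesystem path, so the jail does not affect it.
            results.append((host, "tcp", True))
    return results

if __name__ == "__main__":
    for host, transport, ok in check_chroot(SAMPLE_CONF, "/var/snort"):
        status = "ok" if ok else "BROKEN in chroot"
        print(f"host={host:<10} transport={transport:<6} {status}")
```

The TCP result only says the jail does not get in the way; it does not test that mysqld is actually listening on the port.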

