Snort mailing list archives

Re: Snort 2.9.3.1, Barnyard2 2.9.1 and Mysql issue


From: Eric Biederman <Eric.Biederman () mrsassociates com>
Date: Fri, 31 Aug 2012 15:53:09 +0000

Found an error in my barnyard config... I inadvertently left the mssql as output and not mysql. I made the change and
Barnyard has started and is showing waiting for new data. One error/warning left. When Barnyard starts I get WARNING:
Ignoring corrupt/truncated waldofile '/var/log/snort/barnyard.waldo'





Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
Log directory = /var/log/barnyard2
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:           host = localhost
database:           user = snort
database:  database name = snort
database:    sensor name = localhost:p2p1
database:      sensor id = 1
database:     sensor cid = 1
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "log" facility

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.9 (Build 263)
 |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
 + '''' +  (C) Copyright 2008-2010 SecurixLive.

           Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.

WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/barnyard.waldo'
Opened spool file '/var/log/snort/snort.log.1346340409'
Closing spool file '/var/log/snort/snort.log.1346340409'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1346343654'
Closing spool file '/var/log/snort/snort.log.1346343654'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1346352702'
Closing spool file '/var/log/snort/snort.log.1346352702'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1346352718'
Closing spool file '/var/log/snort/snort.log.1346352718'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1346358724'
Closing spool file '/var/log/snort/snort.log.1346358724'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1346417767'
Closing spool file '/var/log/snort/snort.log.1346417767'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1346421567'
Waiting for new data



-----Original Message-----
From: Eric Biederman
Sent: Friday, August 31, 2012 10:10 AM
To: 'beenph'; Jeremy Hoel
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort 2.9.3.1, Barnyard2 2.9.1 and Mysql issue



I just performed the clean and reconfig/install for both Snort and Barnyard. I am still getting the same error with
Barnyard2. I have included my two configs as txt files. The error that mysql support is not compiled into this build of
snort that I get when attempting to start barnyard confuses me. I took a pass at this on a different system a few days
ago and was unable to pass the --with-mysql with my config of snort because it was an unknown argument. After reading
I found a mention that snort no longer outputs to mysql so I assumed I was ok and Barnyard2 would handle the output.
Am I wrong in this assumption? By the way thanks for the help.



-----Original Message-----
From: beenph [mailto:beenph () gmail com]
Sent: Friday, August 31, 2012 9:27 AM
To: Jeremy Hoel
Cc: Eric Biederman; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort 2.9.3.1, Barnyard2 2.9.1 and Mysql issue



On Fri, Aug 31, 2012 at 9:19 AM, Jeremy Hoel <jthoel () gmail com> wrote:
Can you copy and paste the ./configure command and its output for
barnyard and put that in a text file or on pastebin?  Maybe we can see
what the problem is there.

Oh and I just thought of something, if you did rerun ./configure before running make did you do a make clean?

Because even if you rerun ./configure and make, if there is an existing object
(.o) file, even if it updates compile flags for the linked executable, it might not rebuild
src/output/spo_database, thus you are getting the same result.

So just do a make clean && make then retry.

-elz







On Fri, Aug 31, 2012 at 12:37 PM, Eric Biederman
<Eric.Biederman () mrsassociates com> wrote:
I am using mysql. I have updated the library and rerun the configure, make, install with the same results.



-----Original Message-----
From: beenph [mailto:beenph () gmail com]
Sent: Thursday, August 30, 2012 5:38 PM
To: Eric Biederman
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort 2.9.3.1, Barnyard2 2.9.1 and Mysql issue



On Thu, Aug 30, 2012 at 2:30 PM, Eric Biederman <Eric.Biederman () mrsassociates com> wrote:
Yes I did.
./configure --with-mysql-libraries=/usr/lib64/mysql/

Try --with-mysql, and technically if you add your library path to /etc/ld.so.conf, run ldconfig and then rerun the
./configure --with-mysql you should be fine.

-elz





-----Original Message-----
From: beenph [mailto:beenph () gmail com]
Sent: Thursday, August 30, 2012 2:16 PM
To: Eric Biederman
Subject: Re: [Snort-users] Snort 2.9.3.1, Barnyard2 2.9.1 and Mysql issue



On Thu, Aug 30, 2012 at 1:24 PM, Eric Biederman <Eric.Biederman () mrsassociates com> wrote:
I am having a problem where when I try to start my Barnyard2 system
I am getting notified that my version of snort was not configured
with mysql support and to recompile with this support. My
understanding is that Snort 2.9.3.1 no longer handles mysql and leaves it to 3rd parties to deal with.

My snort install runs fine to logs and I can start Barnyard without
the mysql call with no apparent problems but once I add the mysql
output back into my barnyard.conf file I am unable to start it.

Greetings Eric,

Did you install barnyard2 from source?
If so, did you run configure with ./configure --with-mysql?

-elz



This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please
notify the system manager. This message contains confidential
information and is intended only for the individual named. If you
are not the named addressee you should not disseminate, distribute or copy this e-mail.
Please notify the sender immediately by e-mail if you have received
this e-mail by mistake and delete this e-mail from your system. If
you are not the intended recipient you are notified that disclosing,
copying, distributing or taking any action in reliance on the
contents of this information is strictly prohibited.






------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond.
Discussions will include endpoint security, mobile security and the
latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


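The thread turns on two things: the barnyard2.conf "output database:" line naming a dialect (mssql vs mysql) the binary was not built for, which needs a make clean and ./configure --with-mysql to fix, and the "corrupt/truncated waldofile" warning. The script below is an added example, not code from the thread or from the barnyard2 project; it checks a config, binary and waldo path for exactly those two conditions. The waldo size of 2056 bytes and the check_setup/db_output_dialect/binary_supports/waldo_state names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a barnyard2 deployment for
# the two symptoms discussed: a database output dialect the barnyard2 binary
# was not built for, and a missing/truncated waldo bookmark file.
# WALDO_SIZE is an assumption (two 1024-byte path buffers plus two 32-bit
# fields, as I recall barnyard2's WaldoData struct); adjust it for your build.
WALDO_SIZE=2056

# Print the dialect named on the first "output database:" line of a
# barnyard2.conf, e.g. "mysql" from
#   output database: log, mysql, user=snort dbname=snort host=localhost
db_output_dialect() {
    sed -n 's/^[[:space:]]*output[[:space:]]\{1,\}database:[[:space:]]*[^,]*,[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
        | head -n 1 | tr 'A-Z' 'a-z'
}

# Succeed only if the binary is dynamically linked against the client library
# for the dialect (a build done with --with-mysql pulls libmysqlclient in).
# A config asking for mysql while the binary lacks it is the
# "mysql support is not compiled into this build" failure from the thread.
binary_supports() {
    case $2 in
        mysql)      lib=libmysqlclient ;;
        postgresql) lib=libpq ;;
        *)          return 1 ;;   # dialect this check cannot verify
    esac
    ldd "$1" 2>/dev/null | grep -q "$lib"
}

# Classify the waldo file: "missing", "truncated" (shorter than WALDO_SIZE,
# which barnyard2 reports as corrupt/truncated and then ignores) or "ok".
waldo_state() {
    [ -e "$1" ] || { echo missing; return 0; }
    [ "$(wc -c < "$1" | tr -d ' ')" -lt "$WALDO_SIZE" ] && echo truncated || echo ok
}

# Usage: check_setup /etc/snort/barnyard2.conf /usr/local/bin/barnyard2 /var/log/snort/barnyard.waldo
check_setup() {
    dialect=$(db_output_dialect "$1")
    [ -n "$dialect" ] || { echo "no 'output database:' line in $1"; return 1; }
    if binary_supports "$2" "$dialect"; then
        echo "dialect $dialect: $2 is linked against its client library"
    else
        echo "dialect $dialect: cannot confirm $2 was built for it (run make clean, then ./configure with the matching --with-* option, then make)"
    fi
    echo "waldo file $3: $(waldo_state "$3")"
}
```

An empty or absent waldo file is normal on a first start, so "missing" or "truncated" alone is not a fault; the check is there so the two causes can be told apart quickly.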
