Snort mailing list archives
Re: Daq not getting installed.
From: Jeremy Hoel <jthoel () gmail com>
Date: Fri, 23 Nov 2012 22:55:58 +0000
Are you running by2 in continuous mode? What's the startup script/command/options you are using and what output do you have in by2? You should see it, when it starts, listing that it's running in continuous and daemon mode.

Nov 23 22:40:58 st001 barnyard2[25881]: Running in Continuous mode
Nov 23 22:40:58 st001 barnyard2[25881]:
Nov 23 22:40:58 st001 barnyard2[25881]:         --== Initializing Barnyard2 ==--
Nov 23 22:40:58 st001 barnyard2[25881]: Initializing Input Plugins!
Nov 23 22:40:58 st001 barnyard2[25881]: Initializing Output Plugins!
Nov 23 22:40:58 st001 barnyard2[25881]: Parsing config file "/etc/snort/barnyard2.conf"
Nov 23 22:41:14 st001 barnyard2[25881]: Log directory = /var/log/snort/
Nov 23 22:41:14 st001 barnyard2[25881]: Initializing daemon mode
Nov 23 22:41:14 st001 barnyard2[25881]: Daemon parent exiting
Nov 23 22:41:14 st001 barnyard2[25883]: Daemon initialized, signaled parent pid: 25881
Nov 23 22:41:14 st001 barnyard2[25883]: PID path stat checked out ok, PID path set to /var/run/
Nov 23 22:41:14 st001 barnyard2[25883]: Writing PID "25883" to file "/var/run//barnyard2_eth1.pid"

On Fri, Nov 23, 2012 at 10:52 PM, k vijay sai prashanth <vijaysaiprashanth () gmail com> wrote:
So get this. I have snort installed and functioning. My test rule generates traffic. Barnyard2 also did read files and show on the screen.

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.9 (Build 263)
 |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
 + '''' +  (C) Copyright 2008-2010 SecurixLive.

           Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.

Using waldo file '/etc/snort/bylog.waldo':
    spool directory = /var/log/snort
    spool filebase  = snort.log
    time_stamp      = 1353533911
    record_idx      = 40
Opened spool file '/var/log/snort/snort.log.1353533911'
Closing spool file '/var/log/snort/snort.log.1353533911'. Read 40 records
Opened spool file '/var/log/snort/snort.log.1353688568'
Closing spool file '/var/log/snort/snort.log.1353688568'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353698765'
Closing spool file '/var/log/snort/snort.log.1353698765'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353699211'
Closing spool file '/var/log/snort/snort.log.1353699211'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353699244'
*** showed some output onto the screen here ***
Closing spool file '/var/log/snort/snort.log.1353699244'. Read 206 records
Opened spool file '/var/log/snort/snort.log.1353699581'
Closing spool file '/var/log/snort/snort.log.1353699581'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353705065'
Closing spool file '/var/log/snort/snort.log.1353705065'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353707845'
Closing spool file '/var/log/snort/snort.log.1353707845'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353709641'
Closing spool file '/var/log/snort/snort.log.1353709641'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353709666'
Waiting for new data

===============================================================================
Record Totals:
   Records:         246
   Events:          107 (43.496%)
   Packets:         136 (55.285%)
===============================================================================
Packet breakdown by protocol (includes rebuilt packets):
      ETH: 136        (100.000%)
  ETHdisc: 0          (0.000%)
     VLAN: 0          (0.000%)
     IPV6: 0          (0.000%)
  IP6 EXT: 0          (0.000%)
  IP6opts: 0          (0.000%)
  IP6disc: 0          (0.000%)
      IP4: 136        (100.000%)
  IP4disc: 0          (0.000%)
    TCP 6: 0          (0.000%)
    UDP 6: 0          (0.000%)
    ICMP6: 0          (0.000%)
  ICMP-IP: 0          (0.000%)
      TCP: 33         (24.265%)
      UDP: 0          (0.000%)
     ICMP: 103        (75.735%)
  TCPdisc: 0          (0.000%)
  UDPdisc: 0          (0.000%)
  ICMPdis: 0          (0.000%)
     FRAG: 0          (0.000%)
   FRAG 6: 0          (0.000%)
      ARP: 0          (0.000%)
    EAPOL: 0          (0.000%)
  ETHLOOP: 0          (0.000%)
      IPX: 0          (0.000%)
    OTHER: 0          (0.000%)
  DISCARD: 0          (0.000%)
InvChkSum: 0          (0.000%)
   S5 G 1: 0          (0.000%)
   S5 G 2: 0          (0.000%)
    Total: 136
===============================================================================

But I see that the events in the mysql database are not increasing. What's the situation? I have a continual ping going on in the background which should trigger my test rule. Why is the database not increasing??

Regards,
Prashanth

On Sat, Nov 24, 2012 at 4:14 AM, Jeremy Hoel <jthoel () gmail com> wrote:
Basically yes.. but they are two different apps and you can choose to run either, both or none in daemon mode. They don't depend on each other for that. Snort in daemon mode, if the unified2 output is used, will write u2 files using the file structure you specify in the snort.conf for the unified2 output. by2 will read the files you tell it to, and when a new one gets written it will close the old one and archive it (if desired) and then continue reading and acting on the u2 files, updating its waldo file as it goes.
On Fri, Nov 23, 2012 at 10:38 PM, k vijay sai prashanth <vijaysaiprashanth () gmail com> wrote:
Jeremy,
So if I run snort and barnyard2 in daemon mode, snort will keep alerting and Barnyard2 will keep feeding the alerts to the database, right?

Regards,
Prashanth

On Sat, Nov 24, 2012 at 2:45 AM, Jeremy Hoel <jthoel () gmail com> wrote:
Good deal.

On Fri, Nov 23, 2012 at 8:09 PM, k vijay sai prashanth <vijaysaiprashanth () gmail com> wrote:
Ran ldconfig, got it installed. Thanks a lot mate. :) Appreciate the help.

Regards,
Prashanth

On Sat, Nov 24, 2012 at 1:31 AM, k vijay sai prashanth <vijaysaiprashanth () gmail com> wrote:
I don't get anything doing ldconfig -p | grep libpcap. How do I get libpcap installed?

Regards,
Prashanth

On Fri, Nov 23, 2012 at 11:41 PM, Jeremy Hoel <jthoel () gmail com> wrote:
Quick note.. that should be 'ldconfig -p |grep libpcap'. libpcap.. not lubpcap. :-)

On Fri, Nov 23, 2012 at 5:52 PM, Jeremy Hoel <jthoel () gmail com> wrote:
After you installed libpcap did you run ldconfig? 'ldconfig -p |grep lubpcap' should return at least one result.

On Fri, Nov 23, 2012 at 5:46 PM, k vijay sai prashanth <vijaysaiprashanth () gmail com> wrote:
Hello All,

I have two IDS servers with RHEL 5 installed on each. I have installed libpcap-1.3.0, daq-1.1.1 and snort-2.9.3.1 on one, while on the other I was able to install libpcap-1.3.0 from source, but when I try to install daq-1.1.1 by ./configure it exits with the below error message.

checking for pcap.h... (cached) yes
checking for pcap_lib_version... checking for pcap_lib_version in -lpcap... (cached) yes
checking for libpcap version >= "1.0.0"... no

   ERROR!  Libpcap library version >= 1.0.0 not found.
   Get it from http://www.tcpdump.org

I did install libpcap-1.3.0, but when I give the below command I got nothing:
"rpm -qa | grep libpcap"

When I do a "locate pcap.h" it's not found. But I am able to manually navigate to the file at /usr/local/src/libpcap-1.3.0. It seems to have no execute rights. Does this matter? Why is this failing? What can I do to get daq-1.1.1 installed? Are there any other dependencies which I am missing to fully install libpcap-1.3.0? Please advise.

Regards,
Prashanth

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single web console. Get in-depth insight into apps, servers, databases, vmware, SAP, cloud infrastructure, etc. Download 30-day Free Trial. Pricing starts from $795 for 25 servers or applications! http://p.sf.net/sfu/zoho_dev2dev_nov
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
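Added example, not code from the thread and not Snort's or barnyard2's own code: a small Python reader for the unified2 spool files that Jeremy describes snort writing and by2 consuming. It splits a spool buffer into (type, length) records, decodes the legacy IPv4 event record (type 7), and reports the same Records/Events/Packets totals barnyard2 prints in its "Record Totals" block. A truncated trailing record is deliberately left unread, which is the state by2 is in when it prints "Waiting for new data" on a file snort is still appending to. Record-type numbers and struct layouts follow the unified2 format; the sample spool bytes, sid 1000001 and the addresses are constructed for this example. Counting events straight from the newest spool file is a quick way to separate "snort is not alerting" from "barnyard2 is not inserting", which is the question Prashanth is left with above.

```python
"""Minimal reader for Snort unified2 spool files (added example)."""
import socket
import struct
from typing import Dict, List, NamedTuple, Tuple

# Record type identifiers from the unified2 format.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7            # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_VLAN = 104
UNIFIED2_IDS_EVENT_IPV6_VLAN = 105
EVENT_TYPES = {UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6,
               UNIFIED2_IDS_EVENT_VLAN, UNIFIED2_IDS_EVENT_IPV6_VLAN}

# Every record starts with a network-byte-order (type, length) header;
# length counts the body only, not the 8-byte header.
HEADER = struct.Struct("!II")
# Unified2IDSEvent_legacy: 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes.
EVENT_LEGACY = struct.Struct("!11I2H4B")
# Serial_Unified2Packet header: 7 x uint32 = 28 bytes, then raw packet bytes.
PACKET_HDR = struct.Struct("!7I")


class Record(NamedTuple):
    rtype: int
    body: bytes


def split_records(buf: bytes) -> Tuple[List[Record], int]:
    """Return all complete records in buf and the byte offset consumed.
    A trailing partial record (snort still writing it) is left unread,
    which is what barnyard2 reports as 'Waiting for new data'."""
    records: List[Record] = []
    off = 0
    while off + HEADER.size <= len(buf):
        rtype, length = HEADER.unpack_from(buf, off)
        end = off + HEADER.size + length
        if end > len(buf):
            break                      # partial record: wait for more data
        records.append(Record(rtype, buf[off + HEADER.size:end]))
        off = end
    return records, off


def decode_event(body: bytes) -> Dict[str, object]:
    """Decode a type-7 (legacy IPv4) event body into a dict."""
    f = EVENT_LEGACY.unpack_from(body)
    return {
        "sensor_id": f[0], "event_id": f[1], "event_second": f[2],
        "event_microsecond": f[3], "sid": f[4], "gid": f[5], "rev": f[6],
        "classification_id": f[7], "priority": f[8],
        "src": socket.inet_ntoa(struct.pack("!I", f[9])),   # stored in network order
        "dst": socket.inet_ntoa(struct.pack("!I", f[10])),
        "sport_itype": f[11], "dport_icode": f[12], "protocol": f[13],
        "impact_flag": f[14], "impact": f[15], "blocked": f[16],
    }


def record_totals(buf: bytes) -> Dict[str, int]:
    """The counts barnyard2 prints under 'Record Totals', plus the bytes of
    any partial record still waiting for snort to finish writing it."""
    records, consumed = split_records(buf)
    return {
        "records": len(records),
        "events": sum(1 for r in records if r.rtype in EVENT_TYPES),
        "packets": sum(1 for r in records if r.rtype == UNIFIED2_PACKET),
        "pending_bytes": len(buf) - consumed,
    }


# --- Constructed sample spool (values made up for the example): two ICMP
# echo-request alerts, each followed by its packet record, then a third
# event record cut off mid-write.
def _ip(addr: str) -> int:
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def _event(event_id: int, second: int) -> bytes:
    body = EVENT_LEGACY.pack(1, event_id, second, 0, 1000001, 1, 1, 0, 3,
                             _ip("192.168.1.10"), _ip("192.168.1.1"),
                             8, 0, 1, 0, 0, 0)  # itype 8 / icode 0, proto 1 = ICMP
    return HEADER.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def _packet(event_id: int, second: int, pkt: bytes) -> bytes:
    body = PACKET_HDR.pack(1, event_id, second, second, 0, 1, len(pkt)) + pkt  # linktype 1 = Ethernet
    return HEADER.pack(UNIFIED2_PACKET, len(body)) + body


SAMPLE_SPOOL = (
    _event(1, 1353709666) + _packet(1, 1353709666, b"\x00" * 74)
    + _event(2, 1353709667) + _packet(2, 1353709667, b"\x00" * 74)
    + HEADER.pack(UNIFIED2_IDS_EVENT, EVENT_LEGACY.size) + b"\x00" * 10  # truncated
)

if __name__ == "__main__":
    print(record_totals(SAMPLE_SPOOL))
    for rec in split_records(SAMPLE_SPOOL)[0]:
        if rec.rtype == UNIFIED2_IDS_EVENT:
            e = decode_event(rec.body)
            print(f"sid {e['sid']} {e['src']} -> {e['dst']} proto {e['protocol']}")
```

To run it against a real sensor, read the newest `/var/log/snort/snort.log.<timestamp>` into `buf` and call `record_totals(buf)`; if the event count grows while the ping runs but the database does not, the problem is on the barnyard2/output-plugin side rather than in snort.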
Current thread:
- Daq not getting installed. k vijay sai prashanth (Nov 23)
- Re: Daq not getting installed. Jeremy Hoel (Nov 23)
- Re: Daq not getting installed. Jeremy Hoel (Nov 23)
- Re: Daq not getting installed. k vijay sai prashanth (Nov 23)
- Re: Daq not getting installed. k vijay sai prashanth (Nov 23)
- Re: Daq not getting installed. Jeremy Hoel (Nov 23)
- Re: Daq not getting installed. k vijay sai prashanth (Nov 23)
- Re: Daq not getting installed. Jeremy Hoel (Nov 23)
- Re: Daq not getting installed. k vijay sai prashanth (Nov 23)
- Re: Daq not getting installed. Jeremy Hoel (Nov 23)
- Re: Daq not getting installed. k vijay sai prashanth (Nov 26)
- Re: Daq not getting installed. k vijay sai prashanth (Nov 27)
- Re: Daq not getting installed. k vijay sai prashanth (Nov 27)
- Re: Daq not getting installed. beenph (Nov 27)
- Re: Daq not getting installed. Jeremy Hoel (Nov 27)
- Re: Daq not getting installed. Jeremy Hoel (Nov 23)
- Re: Daq not getting installed. Jeremy Hoel (Nov 23)