Snort mailing list archives

Re: Barnyard2 configure/compile problems and startup error: "Snort not compiled to use mysql" message followup - 1st time barnyard user


From: "Lars" <technicalfriend () yahoo com>
Date: Thu, 2 May 2013 12:41:24 -0400

Hello,


A quick update, moving down to what we hope may be the last issue with our
install of the Snort 2.9.4.5 with Unified2 use to Barnyard piece.  Here is
where we are now:


We rebuilt Barnyard2 and used the instructions from someone at UMUC to
configure Barnyard2, the config files, and snort.conf, compiling Barnyard2 to
run with MySQL support as you specified.  So far so good on that.

http://polaris.umuc.edu/~sgantz/Barnyard.html


Now our Barnyard install runs and appears to begin processing, but we get a
"Can't extract timestamp" error line that just keeps repeating. We
have not been able to find a solution to that yet.


More importantly, however, we have found out that our Snort build in IDS mode
does not send anything out to our "merged.log" file.  It will even create a
new merged.log file in /var/log/snort if we delete one, but all the files
ever do is stay at 0B size.


It's odd, as if we use the -v switch when starting Snort we can see traffic on
the screen, and lots whenever we intense scan (or other types of scans)
against this target system with Zenmap.  We have been able to run test mode
just fine, with a "success" statement after that.  We have gone back over
your "Snort-setup" guide, and online details about how to set up snort.conf,
many times by now, and while we have corrected a few misnomers here and there
in our .conf files or their location etc., nonetheless unified2 is not
collecting / sending output to merged.log or anywhere as far as we can tell.
Solutions?


Thanks!


KJ / team



From: Lars [mailto:technicalfriend () yahoo com] 
Sent: Thursday, April 25, 2013 11:39 AM
To: 'snort-users () lists sourceforge net'; 'barnyard2-users () googlegroups com'
Subject: Barnyard2 configure/compile problems and startup error: "Snort not
compiled to use mysql" message followup - 1st time barnyard user


Hi, this is a follow-up after trying some of the steps recommended from the
other day to get my first build of Barnyard working with Snort so we can
write Snort output to mysql, as a Snorby sensor.  There is a little progress
but sadly Barnyard2 is still not working, here is where we are now:


Joel said "Snort's support to directly write to a database is no longer an
option since Snort 2.9.2, if I recall correctly." 

We definitely agree and had read and expected that, however when we tried to
build Barnyard2 the error message Barnyard gave us then said "Snort was not
compiled to use mysql" and directed us to some steps to try and do that, so
it appears that message needs updating, so we got off-track a little while
with that, fyi.  We had started trying the --with-mysql option with barnyard
instead, leading to the following:

"Instead, you compile MySQL support with Barnyard2:

./configure --with-mysql --with-mysql-libraries=<path to the mysql libs>

In Snort, you would use unified2 as an output plugin to write unified2 logs
and have Barnyard2 parse these into the database. In the docs section on
Snort's website you will find step by step documentation on how to do that
on SuSE, 12.x as well as other OSs."

QUESTION:  Is "unified" required also to do this?  We had not seen that one
listed and have not added it; it seemed like all we needed was what was listed
under the Snort requirements and Barnyard (knowing we had added mysql with
-dev libraries/header files..?)  Sorry, we are a bit lost with the big picture
of this larger process, there have been lots and lots of packages to go back
and add.


Also we followed this one other recommendation sent over:  "Then you will
need to make sure you have installed mysql client libraries and headers
(this is generally mysql-dev package on most distro).


From there you will need to make sure your mysql libraries are in your
libraries dynamic path.


ex: ldconfig -v | grep mysql"  


Our results here seem mixed, we are not sure it worked.  When first trying
it we had a lot of "graphviz" objects that it could not find.  We had
graphviz and its dev headers but we went ahead and added all those objects,
and it found mysql but there were keyring and some other items ldconfig had
trouble with - we are not sure how any of these applied or mattered, not
using?  We just wanted to send Snort log data over to mysql so Snorby could
read it, lost?  Our team at the college appreciates your help.   I plan on
making sure our entire process and all these requirements are documented
when all this is done, there have been so many steps.
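An added example for the two symptoms in this thread (the merged.log that stays at 0 bytes and a reader that cannot extract a timestamp); it is not code from this thread, from Snort or from Barnyard2. It is a small Python inspector for a unified2 spool directory: it lists files named <base>.<unix-timestamp>, which is the naming a reader given -f merged.log is assumed here to expect, reports a bare merged.log with no numeric extension separately because nothing orders it, and walks the records in a file so that an empty file shows up as containing no events rather than as a parse error. The record type numbers and the layouts of the legacy IPv4 IDS event (type 7) and packet (type 2) records are assumed to follow Snort's Unified2_common.h; the spool files, timestamps and event fields are constructed inline.

```python
"""Inspect a Snort unified2 spool directory before pointing Barnyard2 at it.

Added example for this thread; not code from the Snort or Barnyard2 projects.
Assumptions (also marked in comments): record type numbers and the layouts of
the legacy IPv4 IDS event (type 7) and packet (type 2) records follow Snort's
Unified2_common.h, and a reader given "-f merged.log" looks for files named
merged.log.<unix-timestamp>.
"""
import os
import re
import struct
import tempfile

UNIFIED2_PACKET = 2      # assumed: Snort's UNIFIED2_PACKET
UNIFIED2_IDS_EVENT = 7   # assumed: Snort's UNIFIED2_IDS_EVENT (legacy IPv4)

REC_HDR = struct.Struct("!II")                   # type, length (big-endian)
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")  # Unified2IDSEvent_legacy, 52 B
PACKET_HDR = struct.Struct("!IIIIIII")           # Serial_Unified2Packet, fixed part

def spool_files(directory, base):
    """Split directory entries into <base>.<digits> files (sorted by the numeric
    extension, oldest first) and a bare <base> file, which has no timestamp
    to order by and so cannot be placed in the spool sequence."""
    pat = re.compile(r"^%s\.(\d+)$" % re.escape(base))
    stamped, unstamped = [], []
    for name in os.listdir(directory):
        m = pat.match(name)
        if m:
            stamped.append((int(m.group(1)), os.path.join(directory, name)))
        elif name == base:
            unstamped.append(os.path.join(directory, name))
    return sorted(stamped), unstamped

def read_records(path):
    """Yield (record_type, body) for each complete record.  A trailing partial
    record (Snort may still be writing it) ends the walk instead of raising."""
    with open(path, "rb") as f:
        data = f.read()
    off = 0
    while off + REC_HDR.size <= len(data):
        rtype, rlen = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        if off + rlen > len(data):
            break
        yield rtype, data[off:off + rlen]
        off += rlen

def summarize(path):
    """Count record types and decode the key fields of the first IDS event.
    An empty file simply yields zero records and no event."""
    counts = {"events": 0, "packets": 0, "other": 0}
    first = None
    for rtype, body in read_records(path):
        if rtype == UNIFIED2_IDS_EVENT and len(body) >= IDS_EVENT.size:
            f = IDS_EVENT.unpack_from(body)
            counts["events"] += 1
            if first is None:
                first = {"sensor_id": f[0], "event_second": f[2],
                         "sid": f[4], "gid": f[5], "priority": f[8]}
        elif rtype == UNIFIED2_PACKET and len(body) >= PACKET_HDR.size:
            counts["packets"] += 1
        else:
            counts["other"] += 1
    return counts, first

def make_event(sid, second):
    """Constructed legacy IDS event: sensor 1, event 1, gid 1, rev 1,
    class 0, priority 2, 10.0.0.5:44444 -> 10.0.0.9:80, TCP (6)."""
    body = IDS_EVENT.pack(1, 1, second, 0, sid, 1, 1, 0, 2,
                          0x0A000005, 0x0A000009, 44444, 80, 6, 0, 0, 0)
    return REC_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body

def make_packet(second, payload):
    """Constructed packet record for event 1, linktype 1 (Ethernet)."""
    body = PACKET_HDR.pack(1, 1, second, second, 0, 1, len(payload)) + payload
    return REC_HDR.pack(UNIFIED2_PACKET, len(body)) + body

def build_sample_spool(directory):
    """Write constructed sample files: a timestamped spool file holding one
    event, its packet and a record cut off mid-write, plus an empty bare
    merged.log (the 0-byte symptom).  Returns the timestamped file's path."""
    stamped = os.path.join(directory, "merged.log.1367512345")
    with open(stamped, "wb") as f:
        f.write(make_event(1000001, 1367512400))
        f.write(make_packet(1367512400, b"\x00" * 60))
        f.write(make_event(1000002, 1367512401)[:20])  # truncated tail
    open(os.path.join(directory, "merged.log"), "wb").close()
    return stamped

def run_demo():
    """Build the sample spool in a temp dir and return what a reader sees."""
    d = tempfile.mkdtemp()
    stamped_path = build_sample_spool(d)
    stamped, unstamped = spool_files(d, "merged.log")
    counts, first = summarize(stamped_path)
    empty_counts, _ = summarize(unstamped[0])
    return {"stamps": [ts for ts, _ in stamped], "unstamped": len(unstamped),
            "counts": counts, "first": first, "empty_counts": empty_counts}

if __name__ == "__main__":
    print(run_demo())
```

Run it directly and it prints the summary of the constructed spool; point spool_files and summarize at a real /var/log/snort to see whether Snort has written any event records at all, which is what Barnyard2 needs before anything can reach MySQL. Unified2 records are written only for alert and log events, so packets scrolling by under -v do not by themselves put anything in the file; a rule has to fire.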



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
