[Snort-users] undefined symbol: LibVersion error

JJ Cummings cummingsj at ...11827...
Fri Apr 16 12:10:02 EDT 2010


David,

A few things:


   1. did you compile snort with --with-mysql?
   2. if so, you still will not see any data in the database until a snort
   event occurs
   3. it is considered sub-optimal to log directly to the database using
   snort; you should log to unified2 and then use a tool such as barnyard2 to
   read this unified data and insert it into mysql
   4. you can tell if snort has produced alerts by sending a USR1 signal to
   the pid and then reviewing the output in /var/log/messages
      1. There will be a section in the output that looks like the
      following:

Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0

Of course if any alerts have been produced, then the ALERTS field will have
the numeric value that represents the number of alerts that snort has
generated.

JJC
On Fri, Apr 16, 2010 at 9:58 AM, David Holder <david.holder at ...11827...> wrote:

> Hi JJ,
>
> Thanks for your reply, I can now run it.
>
> However, I've come across a different problem now. Everything seems to
> indicate that snort is working fine, but nothing is being logged into the
> MYSQL database. I've added the following into my snort.conf:
>
> output database: log, mysql, user=snort password=MyDBPassword dbname=snort host=localhost
>
> Base is reporting no information:
>
> Sensors/Total: 0 / 1
> Unique Alerts: 0
> Categories: 0
> Total Number of Alerts: 0
>
>     * Src IP addrs: 0
>     * Dest. IP addrs: 0
>     * Unique IP links 0
>
> If I try and run snort without Daemon mode I get the following output:
>
> Initializing Network Interface eth0
> Decoding Ethernet on interface eth0
> database: compiled support for (mysql)
> database: configured to use mysql
> database: schema version = 107
> database:           host = localhost
> database:           user = snort
> database:  database name = snort
> database:    sensor name = 192.168.202.239
> database:      sensor id = 1
> database:  data encoding = hex
> database:   detail level = full
> database:     ignore_bpf = no
> database: using the "log" facility
>
> eth0 is the correct name. Although the last thing to come from terminal is:
>
> Not Using PCAP_FRAMES.
>
> I've run snort -DEV and I can see the traffic being analysed, so there is
> something there to log.
>
> Any help would be appreciated.
>
> Thanks,
>
> On Fri, Apr 16, 2010 at 4:19 PM, JJ Cummings <cummingsj at ...11827...> wrote:
>
>> Delete all of the *example* rules that are in
>> /usr/local/lib/snort_dynamicrules/
>>
>> On Fri, Apr 16, 2010 at 9:14 AM, David Holder <david.holder at ...11827...> wrote:
>>
>>> Hi all,
>>>
>>> I installed Snort yesterday and configured it based on the guide provided
>>> on the ubuntu forums : http://ubuntuforums.org/showthread.php?t=919472
>>>
>>> I'm running ubuntu 9.10 server edition and the latest version of Snort
>>> and BASE.
>>>
>>> I've managed to configure the database, permissions, snort.conf but when
>>> I try and launch snort like so:
>>>
>>> snort -c /etc/snort/snort.conf
>>>
>>> I get the following:
>>>
>>> root at ...2306...:~# snort -c /etc/snort/snort.conf
>>> Running in IDS mode
>>>
>>>         --== Initializing Snort ==--
>>> Initializing Output Plugins!
>>> Initializing Preprocessors!
>>> Initializing Plug-ins!
>>> Parsing Rules file "/etc/snort/snort.conf"
>>> PortVar 'HTTP_PORTS' defined :  [ 80 1220 2301 3128 7777 7779 8000 8008
>>> 8028 8080 8180 8888 9999 ]
>>> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
>>> PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
>>> Detection:
>>>    Search-Method = AC-BNFA-Q
>>> Tagged Packet Limit: 256
>>> Loading dynamic engine
>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
>>> Loading all dynamic detection libs from
>>> /usr/local/lib/snort_dynamicrules...
>>>   Loading dynamic detection library
>>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so... ERROR:
>>> Failed to find LibVersion() function in
>>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so:
>>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so: undefined
>>> symbol: LibVersion
>>> Fatal Error, Quitting..
>>>
>>> Does anyone have any idea how I can resolve this issue?
>>>
>>> Thanks,
>>>
>>> David
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Download Intel® Parallel Studio Eval
>>> Try the new software tools for yourself. Speed compiling, find bugs
>>> proactively, and fine-tune applications for parallel performance.
>>> See why Intel Parallel Studio got high marks during beta.
>>> http://p.sf.net/sfu/intel-sw-dev
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>
>
>
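As an added example (not code from this thread or from the Snort or barnyard2 projects), the check in point 4 of JJ's reply scripted: a POSIX shell helper that sends SIGUSR1 to the running snort and pulls the ALERTS count out of the Action Stats block it writes via syslog, plus a quick look at snort.conf to tell whether it logs straight to the database (point 3) or to unified2 for barnyard2 to pick up. The pid-file path /var/run/snort_eth0.pid, the log path and the sample log lines are assumptions or constructed data; on Ubuntu the syslog lines may land in /var/log/syslog rather than /var/log/messages, so pass whichever path applies.

```shell
#!/bin/sh
# Added example, not from the thread.  Two checks for a Snort sensor that
# seems to run fine but shows nothing in the database.

# Read the "Action Stats" block Snort emits after SIGUSR1 (via syslog when
# daemonized, on stdout otherwise) from stdin and print the ALERTS value of
# the last block seen, or "none" if no Action Stats block is present at all
# (snort not running, signal not delivered, or wrong log file).
alerts_from_stats() {
    awk '
        /Action Stats/            { in_stats = 1; next }
        in_stats && /ALERTS:/     { sub(/.*ALERTS:[ \t]*/, ""); last = $1 }
        in_stats && /PASSED:/     { in_stats = 0 }
        END { print (last == "" ? "none" : last) }
    '
}

# Inspect the active (non-commented) "output" lines of a snort.conf read
# from stdin and print one of:
#   direct-db : snort itself writes to the database (the sub-optimal setup)
#   unified2  : snort writes unified2 files; barnyard2 is expected to insert
#   none      : no database or unified2 output plugin is active
check_output_plugins() {
    awk '
        /^[ \t]*output[ \t]+database:/  { db = 1 }
        /^[ \t]*output[ \t]+unified2:/  { u2 = 1 }
        END {
            if (db)      print "direct-db"
            else if (u2) print "unified2"
            else         print "none"
        }
    '
}

# Signal the running snort and report its ALERTS count.  Needs root.
# The pid-file path is an assumption (snort names it after the interface);
# adjust it and the log path to the sensor at hand.
snort_alert_count() {
    pidfile="${1:-/var/run/snort_eth0.pid}"
    logfile="${2:-/var/log/messages}"
    [ -r "$pidfile" ] || { echo "no readable pid file at $pidfile" >&2; return 1; }
    kill -USR1 "$(cat "$pidfile")" || return 1
    sleep 1      # give snort a moment to write the stats through syslog
    alerts_from_stats < "$logfile"
}

# Constructed sample of what syslog holds after SIGUSR1 (not real output),
# so the parser can be exercised without a running sensor:
SAMPLE_STATS='Apr 16 12:10:02 sensor snort[1234]: Action Stats:
Apr 16 12:10:02 sensor snort[1234]: ALERTS: 0
Apr 16 12:10:02 sensor snort[1234]: LOGGED: 0
Apr 16 12:10:02 sensor snort[1234]: PASSED: 0'
printf '%s\n' "$SAMPLE_STATS" | alerts_from_stats

# Live use on the sensor:
#   snort_alert_count /var/run/snort_eth0.pid /var/log/messages
#   check_output_plugins < /etc/snort/snort.conf
```

If check_output_plugins reports direct-db and the alert count is 0, the empty BASE console is expected: nothing has fired yet, and point 2 applies. If the count is non-zero and the database is still empty, the database output plugin itself is the problem, which is one more reason to move to unified2 plus barnyard2.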