[Snort-users] undefined symbol: LibVersion error

JJ Cummings cummingsj at ...11827...
Sun Apr 18 20:02:21 EDT 2010


As Richard said, perhaps you should produce some alerts at the command line
level to verify that you can, in fact, generate alerts.  I might suggest the
creation of an IP any -> any any type rule... (google can help you with
this).  Can you provide the command that you are using to start snort?
Often people will include an -A option at runtime, and this can cause issues
with various output plugins.  If, however, you want to output for TEST
purposes, -A console is a good option, but completely remove this option
if/when you are wanting to write to mysql / unified etc.

JJC

On Sun, Apr 18, 2010 at 10:19 AM, David Holder <david.holder at ...11827...>wrote:

> Hi JJC,
>
> 1. Yes I did
> 2. Fair enough, however I would rather get basic functionality working
> first, and then proceed to refine my Snort deployment.
> 3. I've done a test and received the following output:
>
>
> Action Stats:
> ALERTS: 0
> LOGGED: 0
> PASSED: 0
>
> I assume nothing has been logged into the Database. Can you please tell me
> how I can configure snort to log all traffic? I've gone through various
> tutorials online, completed everything that was listed but alas, nothing is
> going into my DB.
>
> Thanks,
>
>
> On Fri, Apr 16, 2010 at 5:10 PM, JJ Cummings <cummingsj at ...11827...> wrote:
>
>> David,
>>
>> A few things:
>>
>>
>>    1. did you compile snort with --with-mysql
>>    2. if so, you still will not see any data in the database until a
>>    snort event occurs
>>    3. it is considered sub-optimal to log directly to the database using
>>    snort, you should log to unified2 and then use a tool such as barnyard2 to
>>    read this unified data and insert into mysql
>>    4. you can tell if snort has produced alerts by sending a USR1 signal
>>    to the pid and then reviewing the output in /var/log/messages
>>       1. There will be a section in the output that looks like the
>>       following:
>>
>> Action Stats:
>>
>> ALERTS: 0
>>
>> LOGGED: 0
>>
>> PASSED: 0
>>
>> Of course if any alerts have been produced, then the ALERTS field will
>> have the numeric value that represents the number of alerts that snort has
>> generated.
>>
>> JJC
>>
>> On Fri, Apr 16, 2010 at 9:58 AM, David Holder <david.holder at ...11827...>wrote:
>>
>>> Hi JJ,
>>>
>>> Thanks for your reply, I can now run it.
>>>
>>> However, I've come across a different problem now. Everything seems to
>>> indicate that snort is working fine, but nothing is being logged into the
>>> MYSQL database. I've added the following into my snort.conf:
>>>
>>> output database: log, mysql, user=snort password=MyDBPassword
>>> dbname=snort host=localhost
>>>
>>> Base is reporting no information:
>>>
>>> Sensors/Total: 0 / 1
>>> Unique Alerts: 0
>>> Categories: 0
>>> Total Number of Alerts: 0
>>>
>>>     * Src IP addrs: 0
>>>     * Dest. IP addrs: 0
>>>     * Unique IP links 0
>>>
>>> If I try and run snort without Daemon mode I get the following output:
>>>
>>> Initializing Network Interface eth0
>>> Decoding Ethernet on interface eth0
>>> database: compiled support for (mysql)
>>> database: configured to use mysql
>>> database: schema version = 107
>>> database:           host = localhost
>>> database:           user = snort
>>> database:  database name = snort
>>> database:    sensor name = 192.168.202.239
>>> database:      sensor id = 1
>>> database:  data encoding = hex
>>> database:   detail level = full
>>> database:     ignore_bpf = no
>>> database: using the "log" facility
>>>
>>> eth0 is the correct name. Although the last thing to come from terminal
>>> is:
>>>
>>> Not Using PCAP_FRAMES.
>>>
>>> I've run snort -DEV and I can see the traffic being analysed, so there is
>>> something there to log.
>>>
>>> Any help would be appreciated.
>>>
>>> Thanks,
>>>
>>> On Fri, Apr 16, 2010 at 4:19 PM, JJ Cummings <cummingsj at ...11827...>wrote:
>>>
>>>> Delete all of the *example* rules that are in
>>>> /usr/local/lib/snort_dynamicrules/
>>>>
>>>>
>>>>
>>>> On Fri, Apr 16, 2010 at 9:14 AM, David Holder <david.holder at ...11827...>wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I installed Snort yesterday and configured it based on the guide
>>>>> provided on the ubuntu forums :
>>>>> http://ubuntuforums.org/showthread.php?t=919472
>>>>>
>>>>> I'm running ubuntu 9.10 server edition and the latest version of Snort
>>>>> and BASE.
>>>>>
>>>>> I've managed to configure the database, permissions, snort.conf but
>>>>> when I try and launch snort like so:
>>>>>
>>>>> snort -c /etc/snort/snort.conf
>>>>>
>>>>> I get the following:
>>>>>
>>>>> root at ...2306...:~# snort -c /etc/snort/snort.conf
>>>>> Running in IDS mode
>>>>>
>>>>>         --== Initializing Snort ==--
>>>>> Initializing Output Plugins!
>>>>> Initializing Preprocessors!
>>>>> Initializing Plug-ins!
>>>>> Parsing Rules file "/etc/snort/snort.conf"
>>>>> PortVar 'HTTP_PORTS' defined :  [ 80 1220 2301 3128 7777 7779 8000 8008
>>>>> 8028 8080 8180 8888 9999 ]
>>>>> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
>>>>> PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
>>>>> Detection:
>>>>>    Search-Method = AC-BNFA-Q
>>>>> Tagged Packet Limit: 256
>>>>> Loading dynamic engine
>>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
>>>>> Loading all dynamic detection libs from
>>>>> /usr/local/lib/snort_dynamicrules...
>>>>>   Loading dynamic detection library
>>>>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so... ERROR:
>>>>> Failed to find LibVersion() function in
>>>>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so:
>>>>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so: undefined
>>>>> symbol: LibVersion
>>>>> Fatal Error, Quitting..
>>>>>
>>>>> Does anyone have any idea how I can resolve this issue?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> David
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Snort-users mailing list
>>>>> Snort-users at lists.sourceforge.net
>>>>> Go to this URL to change user options or unsubscribe:
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> Snort-users list archive:
>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>
>>>
>>>
>
>
>
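As an added example (not code from anyone in this thread), a small shell helper for the check JJC describes: a catch-all test rule, the commands to run, and a parser for the "Action Stats" block so ALERTS can be read from a saved console dump or from /var/log/messages. The /tmp path, the rule sid and the pid-file location are assumptions.

```bash
# Constructed path for this example; adjust to your own layout.
RULES_FILE="${RULES_FILE:-/tmp/snort-test.rules}"

# Step 1: a catch-all rule (the "ip any -> any any" rule mentioned above) that
# matches every packet, so any traffic on the interface must produce alerts.
# The file still has to be pulled in from snort.conf with an "include" line.
write_test_rule() {
    printf '%s\n' \
      'alert ip any any -> any any (msg:"TEST catch-all"; sid:1000001; rev:1;)' \
      > "$RULES_FILE"
    echo "$RULES_FILE"
}

# Step 2: the commands to run.  -T only validates the config; -A console prints
# alerts on the terminal for the test; USR1 makes a running daemon dump its
# stats (to syslog when daemonised).  Remove -A again before switching output
# to unified2/mysql, since it interferes with the output plugins.
# The pid-file path is an assumption; check where your snort writes it.
test_commands() {
    cat <<'EOF'
snort -T -c /etc/snort/snort.conf -i eth0
snort -c /etc/snort/snort.conf -i eth0 -A console
kill -USR1 "$(cat /var/run/snort_eth0.pid)"
EOF
}

# Step 3: read one counter (ALERTS, LOGGED or PASSED) out of a saved
# "Action Stats" block.  Fields are scanned one by one so a syslog prefix
# ("Apr 18 ... snort[123]: ALERTS: 0") does not get in the way.
action_stat() {
    awk -v key="$1" '
        /Action Stats:/ { in_block = 1; next }
        in_block { for (i = 1; i <= NF; i++)
                       if ($i == (key ":")) { print $(i + 1); exit } }
    ' "$2"
}

# Exit 0 only if at least one alert was counted; a zero here means the
# detection side is not firing, so the database plugin is not the problem yet.
alerts_seen() {
    n="$(action_stat ALERTS "$1")"
    [ -n "$n" ] && [ "$n" -gt 0 ]
}
```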


