[Snort-users] Snort 2.9.3.1, Barnyard2 2.9.1 and Mysql issue

Eric Biederman Eric.Biederman at ...15792...
Fri Aug 31 11:53:09 EDT 2012


Found an error in my barnyard config.... I inadvertently left the mssql as output and not mysql. I made the change and Barnyard has started and is showing waiting for new data. One error/warning left.  When Barnyard starts I get WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/barnyard.waldo'





Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
Log directory = /var/log/barnyard2
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:           host = localhost
database:           user = snort
database:  database name = snort
database:    sensor name = localhost:p2p1
database:      sensor id = 1
database:     sensor cid = 1
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "log" facility

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
/ ,,_  \  Version 2.1.9 (Build 263)
|o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
+ '''' +  (C) Copyright 2008-2010 SecurixLive.

           Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.

WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/barnyard.waldo'
Opened spool file '/var/log/snort/snort.log.1346340409'
Closing spool file '/var/log/snort/snort.log.1346340409'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1346343654'
Closing spool file '/var/log/snort/snort.log.1346343654'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1346352702'
Closing spool file '/var/log/snort/snort.log.1346352702'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1346352718'
Closing spool file '/var/log/snort/snort.log.1346352718'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1346358724'
Closing spool file '/var/log/snort/snort.log.1346358724'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1346417767'
Closing spool file '/var/log/snort/snort.log.1346417767'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1346421567'
Waiting for new data



-----Original Message-----
From: Eric Biederman
Sent: Friday, August 31, 2012 10:10 AM
To: 'beenph'; Jeremy Hoel
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Snort 2.9.3.1, Barnyard2 2.9.1 and Mysql issue



I just performed the clean and reconfig/install for both Snort and Barnyard. I am still getting the same error with Barnyard2. I have included my two configs as txt files. The error that mysql support is not compiled into this build of snort that I get when attempting to start barnyard confuses me. I took a pass at this on a different system a few days ago and was unable to pass the --with-mysql with my config of snort because it was an unknown argument. After reading I found a mention that snort no longer outputs to mysql so I assumed I was ok and Barnyard2 would handle the output. Am I wrong in this assumption? By the way thanks for the help.



-----Original Message-----
From: beenph [mailto:beenph at ...11827...]
Sent: Friday, August 31, 2012 9:27 AM
To: Jeremy Hoel
Cc: Eric Biederman; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort 2.9.3.1, Barnyard2 2.9.1 and Mysql issue

On Fri, Aug 31, 2012 at 9:19 AM, Jeremy Hoel <jthoel at ...11827...> wrote:
> Can you copy and paste the ./configure command and its output for
> barnyard and put that in a text file or on pastebin?  Maybe we can see
> what the problem is there.
>

Oh and I just thought of something, if you did rerun ./configure before running make did you do a make clean?

Because even if you rerun ./configure and make, if there is an object (.o) file existing, even if it updates compile flags for the linked executable, it might not rebuild src/output/spo_database, thus you are getting the same result.

So just do a make clean && make then retry.

-elz

>
> On Fri, Aug 31, 2012 at 12:37 PM, Eric Biederman
> <Eric.Biederman at ...15792...> wrote:
>> I am using mysql. I have updated the library and rerun the configure, make, install with the same results.
>>
>> -----Original Message-----
>> From: beenph [mailto:beenph at ...11827...]
>> Sent: Thursday, August 30, 2012 5:38 PM
>> To: Eric Biederman
>> Cc: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Snort 2.9.3.1, Barnyard2 2.9.1 and Mysql
>> issue
>>
>> On Thu, Aug 30, 2012 at 2:30 PM, Eric Biederman <Eric.Biederman at ...15796......> wrote:
>>> Yes I did.
>>> ./configure --with-mysql-libraries=/usr/lib64/mysql/
>>>
>>
>> Try --with-mysql and technically if you add your library path to /etc/ld.so.conf, run ldconfig and then rerun the ./configure --with-mysql you should be fine.
>>
>> -elz
>>
>>
>>> -----Original Message-----
>>> From: beenph [mailto:beenph at ...11827...]
>>> Sent: Thursday, August 30, 2012 2:16 PM
>>> To: Eric Biederman
>>> Subject: Re: [Snort-users] Snort 2.9.3.1, Barnyard2 2.9.1 and Mysql
>>> issue
>>>
>>> On Thu, Aug 30, 2012 at 1:24 PM, Eric Biederman <Eric.Biederman at ...15797...2...> wrote:
>>>> I am having a problem where when I try to start my Barnyard2 system
>>>> I am getting notified that my version of snort was not configured
>>>> with mysql support and to recompile with this support. My
>>>> understanding is that Snort
>>>> 2.9.3.1 no longer handles mysql and leaves it to 3rd parties to deal with.
>>>>
>>>> My snort install runs fine to logs and I can start Barnyard without
>>>> the mysql call with no apparent problems but once I add the mysql
>>>> output back into my barnyard.conf file I am unable to start it
>>>>
>>> Greeting Eric,
>>>
>>> Did you install barnyard2 from source?
>>> if so did you run configure with ./configure --with-mysql?
>>>
>>> -elz
>>>
>>> This email and any files transmitted with it are confidential and
>>> intended solely for the use of the individual or entity to whom they
>>> are addressed. If you have received this email in error please
>>> notify the system manager. This message contains confidential
>>> information and is intended only for the individual named. If you
>>> are not the named addressee you should not disseminate, distribute or copy this e-mail.
>>> Please notify the sender immediately by e-mail if you have received
>>> this e-mail by mistake and delete this e-mail from your system. If
>>> you are not the intended recipient you are notified that disclosing,
>>> copying, distributing or taking any action in reliance on the
>>> contents of this information is strictly prohibited.



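The mismatch found at the top of this thread (mssql left in barnyard2.conf on a build that reports `compiled support for (mysql)`) can be checked before starting Barnyard2. The script below is an added example, not part of the original messages and not Barnyard2's own code; the function names, the `output database: <facility>, <type>, ...` line layout (the page does not show the config) and the sample files are assumptions.

```shell
#!/bin/sh
# Added example (not Barnyard2 code): compare the database type configured in
# barnyard2.conf with the types the binary reports at startup.

# Print the type from each active "output database:" line. Assumed layout:
#   output database: log, mysql, user=snort dbname=snort host=localhost
configured_db_types() {
    sed -n 's/^[[:space:]]*output[[:space:]]\{1,\}database:[[:space:]]*[^,]*,[[:space:]]*\([A-Za-z0-9_]*\).*/\1/p' "$1"
}

# Print the types from the startup line "database: compiled support for (mysql)".
# Treating several types as space- or comma-separated is an assumption.
compiled_db_types() {
    sed -n 's/^database: compiled support for (\(.*\)).*/\1/p' "$1" | tr ',' ' '
}

# Return 0 if every configured type is compiled in, 1 (printing each
# unsupported type) if not, 2 if either file yields nothing to compare.
check_db_output() {
    conf=$1; startup=$2; status=0
    compiled=$(compiled_db_types "$startup")
    configured=$(configured_db_types "$conf")
    [ -n "$compiled" ] && [ -n "$configured" ] || return 2
    for want in $configured; do
        case " $(echo $compiled) " in
            *" $want "*) ;;
            *) echo "unsupported: $want"; status=1 ;;
        esac
    done
    return $status
}

# Constructed sample input: mssql left in the config, as in the thread, and
# the compiled-support line from the startup output shown on the page.
tmp=$(mktemp -d)
printf '%s\n' '# output database: log, mysql, user=snort dbname=snort' \
    'output database: log, mssql, user=snort dbname=snort host=localhost' \
    > "$tmp/barnyard2.conf"
printf '%s\n' 'database: compiled support for (mysql)' > "$tmp/startup.log"
check_db_output "$tmp/barnyard2.conf" "$tmp/startup.log" || echo "exit status $?"
```

Commented-out `output database:` lines are ignored, so only the active output is compared against the build.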