Snort mailing list archives

Re: undefined symbol: LibVersion error


From: JJ Cummings <cummingsj () gmail com>
Date: Fri, 16 Apr 2010 10:10:02 -0600

David,

A few things:


   1. did you compile snort with --with-mysql
   2. if so, you still will not see any data in the database until a snort
   event occurs
   3. it is considered sub-optimal to log directly to the database using
   snort; you should log to unified2 and then use a tool such as barnyard2 to
   read this unified data and insert it into mysql
   4. you can tell if snort has produced alerts by sending a USR1 signal to
   the pid and then reviewing the output in /var/log/messages
      1. There will be a section in the output that looks like the
      following:

Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0

Of course if any alerts have been produced, then the ALERTS field will have
the numeric value that represents the number of alerts that snort has
generated.

JJC
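The USR1-and-read-the-log check from point 4 above, as an added example (not JJ's or the Snort project's code). It assumes syslog writes snort's Action Stats block to a file in the usual "Mon DD HH:MM:SS host snort[pid]: ..." format and that `pidof` is available; the log content is constructed here so the helpers can be tried offline.

```shell
#!/bin/sh
# Constructed sample of what syslog receives after two SIGUSR1 dumps:
# the first dump showed no alerts, the later one shows 12.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Apr 16 09:50:01 snort snort[1234]: Action Stats:
Apr 16 09:50:01 snort snort[1234]: ALERTS: 0
Apr 16 09:50:01 snort snort[1234]: LOGGED: 0
Apr 16 09:50:01 snort snort[1234]: PASSED: 0
Apr 16 10:05:01 snort snort[1234]: Action Stats:
Apr 16 10:05:01 snort snort[1234]: ALERTS: 12
Apr 16 10:05:01 snort snort[1234]: LOGGED: 12
Apr 16 10:05:01 snort snort[1234]: PASSED: 0
EOF

# Print the value of one Action Stats counter (ALERTS, LOGGED or PASSED)
# from the most recent stats dump in the given log file.
# $1 = counter name, $2 = log file (on a real host: /var/log/messages)
stat_value() {
    grep "$1:" "$2" | tail -n 1 | sed 's/.*'"$1"': *\([0-9][0-9]*\).*/\1/'
}

# Succeed (exit 0) only if the latest dump reports at least one alert.
# $1 = log file
snort_has_alerts() {
    n=$(stat_value ALERTS "$1")
    [ -n "$n" ] && [ "$n" -gt 0 ]
}

# Ask a running snort to dump its stats to syslog, then wait briefly so
# the lines are flushed before the log is read. Does nothing if no snort
# process is found (hypothetical helper; needs root or the snort user).
request_stats() {
    pid=$(pidof snort 2>/dev/null | awk '{print $1}')
    if [ -n "$pid" ]; then
        kill -USR1 "$pid"
        sleep 1
    fi
}
```

On the real sensor, run `request_stats` and then `stat_value ALERTS /var/log/messages`; a value of 0 with traffic flowing means the rules are not firing, not that the database output is broken.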
On Fri, Apr 16, 2010 at 9:58 AM, David Holder <david.holder () gmail com> wrote:

Hi JJ,

Thanks for your reply, I can now run it.

However, I've come across a different problem now. Everything seems to
indicate that snort is working fine, but nothing is being logged into the
MySQL database. I've added the following into my snort.conf:

output database: log, mysql, user=snort password=MyDBPassword dbname=snort
host=localhost

Base is reporting no information:

Sensors/Total: 0 / 1
Unique Alerts: 0
Categories: 0
Total Number of Alerts: 0

    * Src IP addrs: 0
    * Dest. IP addrs: 0
    * Unique IP links 0

If I try and run snort without Daemon mode I get the following output:

Initializing Network Interface eth0
Decoding Ethernet on interface eth0
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:           host = localhost
database:           user = snort
database:  database name = snort
database:    sensor name = 192.168.202.239
database:      sensor id = 1
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "log" facility

eth0 is the correct name. Although the last thing to come from terminal is:

Not Using PCAP_FRAMES.

I've run snort -DEV and I can see the traffic being analysed, so there is
something there to log.

Any help would be appreciated.

Thanks,

On Fri, Apr 16, 2010 at 4:19 PM, JJ Cummings <cummingsj () gmail com> wrote:

Delete all of the *example* rules that are in
/usr/local/lib/snort_dynamicrules/



On Fri, Apr 16, 2010 at 9:14 AM, David Holder <david.holder () gmail com> wrote:

Hi all,

I installed Snort yesterday and configured it based on the guide provided
on the Ubuntu forums: http://ubuntuforums.org/showthread.php?t=919472

I'm running Ubuntu 9.10 server edition and the latest version of Snort
and BASE.

I've managed to configure the database, permissions, snort.conf but when
I try and launch snort like so:

snort -c /etc/snort/snort.conf

I get the following:

root@snort:~# snort -c /etc/snort/snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80 1220 2301 3128 7777 7779 8000 8008
8028 8080 8180 8888 9999 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
Detection:
   Search-Method = AC-BNFA-Q
Tagged Packet Limit: 256
Loading dynamic engine
/usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from
/usr/local/lib/snort_dynamicrules...
  Loading dynamic detection library
/usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so... ERROR:
Failed to find LibVersion() function in
/usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so:
/usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so: undefined
symbol: LibVersion
Fatal Error, Quitting..

Does anyone have any idea how I can resolve this issue?

Thanks,

David


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users