Snort mailing list archives

Re: undefined symbol: LibVersion error


From: JJ Cummings <cummingsj () gmail com>
Date: Sun, 18 Apr 2010 18:02:21 -0600

As Richard said, perhaps you should produce some alerts at the command line
level to verify that you can, in fact, generate alerts. I might suggest the
creation of an IP any -> any any type rule (Google can help you with
this). Can you provide the command that you are using to start snort?
Often people will include an -A option at runtime, and this can cause issues
with various output plugins. If, however, you want to output for TEST
purposes, -A console is a good option, but completely remove this option
if/when you are wanting to write to mysql / unified etc.

JJC
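One way to act on the advice in this thread (a throwaway any -> any rule, a foreground run with -A console, and reading the Action Stats block that snort prints on SIGUSR1 or exit), as an added shell example that is not from the thread or from the Snort project; the rules file argument and the snort pid are placeholders:

```shell
#!/bin/sh
# Added example, not from the thread. Writes a throwaway any->any test rule
# and checks the "Action Stats" block that snort prints on SIGUSR1 or exit,
# so you know whether there is anything for the mysql/unified2 output to get.
# Assumed/placeholder values: the rules file argument and the snort pid.

# Catch-all IP rule for testing only; sid >= 1000000 keeps it in local-rule space.
TEST_RULE='alert ip any any -> any any (msg:"TEST any-any"; sid:1000001; rev:1;)'

# Write the test rule to the given rules file (include it from snort.conf).
write_test_rule() {
    printf '%s\n' "$TEST_RULE" > "$1"
}

# Run snort in the foreground with console alerts for the test, e.g.:
#   snort -c /etc/snort/snort.conf -A console
# Drop -A console again before switching to the database/unified2 output.
# To get stats from a running daemon without stopping it:
#   kill -USR1 <snort pid>     # the stats then appear in /var/log/messages

# Extract the ALERTS counter from a file containing snort's Action Stats.
# Prints the number, or -1 if no "Action Stats:" block is present.
alert_count() {
    awk '/^Action Stats:/ { inblock = 1; next }
         inblock && /^ALERTS:/ { gsub(/[^0-9]/, "", $2); print $2; found = 1; exit }
         END { if (!found) print -1 }' "$1"
}

# Interpret the counter: 0 alerts means nothing will ever reach the DB,
# however the output plugin is configured.
check_stats() {
    n=$(alert_count "$1")
    if [ "$n" -lt 0 ]; then
        echo "no Action Stats block found in $1"; return 2
    elif [ "$n" -eq 0 ]; then
        echo "ALERTS is 0: no events to log, check rules before the DB plugin"; return 1
    fi
    echo "$n alerts generated; events should now show up in the database"; return 0
}

# Constructed sample, matching the block quoted in the thread.
SAMPLE=$(mktemp)
printf 'Action Stats:\nALERTS: 0\nLOGGED: 0\nPASSED: 0\n' > "$SAMPLE"
check_stats "$SAMPLE" || :
rm -f "$SAMPLE"
```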

On Sun, Apr 18, 2010 at 10:19 AM, David Holder <david.holder () gmail com> wrote:

Hi JJC,

1. Yes, I did.
2. Fair enough; however, I would rather get basic functionality working
first, and then proceed to refine my Snort deployment.
3. I've done a test and received the following output:


Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0

I assume nothing has been logged into the database. Can you please tell me
how I can configure snort to log all traffic? I've gone through various
tutorials online and completed everything that was listed, but alas, nothing
is going into my DB.

Thanks,


On Fri, Apr 16, 2010 at 5:10 PM, JJ Cummings <cummingsj () gmail com> wrote:

David,

A few things:

   1. did you compile snort with --with-mysql?
   2. if so, you still will not see any data in the database until a
   snort event occurs
   3. it is considered sub-optimal to log directly to the database using
   snort; you should log to unified2 and then use a tool such as barnyard2 to
   read this unified data and insert it into mysql
   4. you can tell if snort has produced alerts by sending a USR1 signal
   to the pid and then reviewing the output in /var/log/messages
      1. There will be a section in the output that looks like the
      following:

Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0

Of course if any alerts have been produced, then the ALERTS field will
have the numeric value that represents the number of alerts that snort has
generated.

JJC

On Fri, Apr 16, 2010 at 9:58 AM, David Holder <david.holder () gmail com> wrote:

Hi JJ,

Thanks for your reply, I can now run it.

However, I've come across a different problem now. Everything seems to
indicate that snort is working fine, but nothing is being logged into the
MySQL database. I've added the following to my snort.conf:

output database: log, mysql, user=snort password=MyDBPassword dbname=snort host=localhost

Base is reporting no information:

Sensors/Total: 0 / 1
Unique Alerts: 0
Categories: 0
Total Number of Alerts: 0

    * Src IP addrs: 0
    * Dest. IP addrs: 0
    * Unique IP links: 0

If I try and run snort without Daemon mode I get the following output:

Initializing Network Interface eth0
Decoding Ethernet on interface eth0
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:           host = localhost
database:           user = snort
database:  database name = snort
database:    sensor name = 192.168.202.239
database:      sensor id = 1
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "log" facility

eth0 is the correct name, although the last thing to come from the terminal
is:

Not Using PCAP_FRAMES.

I've run snort -DEV and I can see the traffic being analysed, so there is
something there to log.

Any help would be appreciated.

Thanks,

On Fri, Apr 16, 2010 at 4:19 PM, JJ Cummings <cummingsj () gmail com> wrote:

Delete all of the *example* rules that are in
/usr/local/lib/snort_dynamicrules/



On Fri, Apr 16, 2010 at 9:14 AM, David Holder <david.holder () gmail com> wrote:

Hi all,

I installed Snort yesterday and configured it based on the guide
provided on the Ubuntu forums:
http://ubuntuforums.org/showthread.php?t=919472

I'm running Ubuntu 9.10 server edition and the latest version of Snort
and BASE.

I've managed to configure the database, permissions, snort.conf but
when I try and launch snort like so:

snort -c /etc/snort/snort.conf

I get the following:

root@snort:~# snort -c /etc/snort/snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80 1220 2301 3128 7777 7779 8000 8008
8028 8080 8180 8888 9999 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
Detection:
   Search-Method = AC-BNFA-Q
Tagged Packet Limit: 256
Loading dynamic engine
/usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from
/usr/local/lib/snort_dynamicrules...
  Loading dynamic detection library
/usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so... ERROR:
Failed to find LibVersion() function in
/usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so:
/usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so: undefined
symbol: LibVersion
Fatal Error, Quitting..

Does anyone have any idea how I can resolve this issue?

Thanks,

David


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users