Snort mailing list archives
Re: Daq not getting installed.
From: k vijay sai prashanth <vijaysaiprashanth () gmail com>
Date: Tue, 27 Nov 2012 23:47:25 +0530
This is the exiting message in the other server:

[root@inblrlxsnrt01 snort]# /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C /etc/snort/classification.config
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
Log directory = /var/log/barnyard2
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = localhost
database: user = snort
database: database name = snort
database: sensor name = localhost:eth2
database: sensor id = 1
database: sensor cid = 104
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility

        --== Initialization Complete ==--

        ______   -*> Barnyard2 <*-
       / ,,_  \  Version 2.1.9 (Build 263)
       |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
       + '''' +  (C) Copyright 2008-2010 SecurixLive.

                 Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
                 (C) Copyright 1998-2007 Sourcefire Inc., et al.

Using waldo file '/etc/snort/bylog.waldo':
    spool directory = /var/log/snort
    spool filebase = snort.log
    time_stamp = 1353699244
    record_idx = 206
Opened spool file '/var/log/snort/snort.log.1353699244'
Closing spool file '/var/log/snort/snort.log.1353699244'. Read 206 records
Opened spool file '/var/log/snort/snort.log.1353699581'
Closing spool file '/var/log/snort/snort.log.1353699581'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353705065'
Closing spool file '/var/log/snort/snort.log.1353705065'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353707845'
Closing spool file '/var/log/snort/snort.log.1353707845'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353709641'
Closing spool file '/var/log/snort/snort.log.1353709641'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353709666'
ERROR: Unable to allocate memory! (4008636399 requested)
Fatal Error, Quitting..

What does it mean by unable to allocate memory? Is any of the log files too large? Please advise.

Regards,
Prashanth

On Tue, Nov 27, 2012 at 11:46 PM, k vijay sai prashanth <vijaysaiprashanth () gmail com> wrote:

It did run in continuous mode. Find the below logs and let me know if there is anything that's not in place.

[root@usrhsnort snort]# /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C /etc/snort/classification.config
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
Log directory = /var/log/barnyard2
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = localhost
database: user = snort
database: database name = snort
database: sensor name = localhost:eth2
database: sensor id = 2
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility

        --== Initialization Complete ==--

        ______   -*> Barnyard2 <*-
       / ,,_  \  Version 2.1.9 (Build 263)
       |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
       + '''' +  (C) Copyright 2008-2010 SecurixLive.

                 Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
                 (C) Copyright 1998-2007 Sourcefire Inc., et al.

WARNING: Unable to open waldo file '/etc/snort/bylog.waldo' (No such file or directory)
Opened spool file '/var/log/snort/snort.log.1353617809'
Closing spool file '/var/log/snort/snort.log.1353617809'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353697635'
Closing spool file '/var/log/snort/snort.log.1353697635'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353707432'
Closing spool file '/var/log/snort/snort.log.1353707432'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353710475'
Closing spool file '/var/log/snort/snort.log.1353710475'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353710547'
Closing spool file '/var/log/snort/snort.log.1353710547'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353965598'
Closing spool file '/var/log/snort/snort.log.1353965598'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353965787'
Closing spool file '/var/log/snort/snort.log.1353965787'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353969012'
Closing spool file '/var/log/snort/snort.log.1353969012'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1354036147'
Closing spool file '/var/log/snort/snort.log.1354036147'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1354039300'
Waiting for new data

I get the above kind of message in one sensor.

On Tue, Nov 27, 2012 at 2:15 AM, k vijay sai prashanth <vijaysaiprashanth () gmail com> wrote:

Could you tell me what's the command to start barnyard in continuous mode and daemon mode? This is the command that I've used, which I got from an installation guide.

usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C /etc/snort/classification.config

Regards,
Prashanth

On Sat, Nov 24, 2012 at 4:25 AM, Jeremy Hoel <jthoel () gmail com> wrote:

Are you running by2 in continuous mode? What's the startup script/command/options you are using and what outputs do you have in by2? You should see it, when it starts, listing that it's running in Continuous and daemon mode.

Nov 23 22:40:58 st001 barnyard2[25881]: Running in Continuous mode
Nov 23 22:40:58 st001 barnyard2[25881]:
Nov 23 22:40:58 st001 barnyard2[25881]:         --== Initializing Barnyard2 ==--
Nov 23 22:40:58 st001 barnyard2[25881]: Initializing Input Plugins!
Nov 23 22:40:58 st001 barnyard2[25881]: Initializing Output Plugins!
Nov 23 22:40:58 st001 barnyard2[25881]: Parsing config file "/etc/snort/barnyard2.conf"
Nov 23 22:41:14 st001 barnyard2[25881]: Log directory = /var/log/snort/
Nov 23 22:41:14 st001 barnyard2[25881]: Initializing daemon mode
Nov 23 22:41:14 st001 barnyard2[25881]: Daemon parent exiting
Nov 23 22:41:14 st001 barnyard2[25883]: Daemon initialized, signaled parent pid: 25881
Nov 23 22:41:14 st001 barnyard2[25883]: PID path stat checked out ok, PID path set to /var/run/
Nov 23 22:41:14 st001 barnyard2[25883]: Writing PID "25883" to file "/var/run//barnyard2_eth1.pid"

On Fri, Nov 23, 2012 at 10:52 PM, k vijay sai prashanth <vijaysaiprashanth () gmail com> wrote:

So get this. I have snort installed and functioning. My test rule generates traffic. Barnyard2 also did read files and show on the screen.

        --== Initialization Complete ==--

        ______   -*> Barnyard2 <*-
       / ,,_  \  Version 2.1.9 (Build 263)
       |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
       + '''' +  (C) Copyright 2008-2010 SecurixLive.

                 Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
                 (C) Copyright 1998-2007 Sourcefire Inc., et al.

Using waldo file '/etc/snort/bylog.waldo':
    spool directory = /var/log/snort
    spool filebase = snort.log
    time_stamp = 1353533911
    record_idx = 40
Opened spool file '/var/log/snort/snort.log.1353533911'
Closing spool file '/var/log/snort/snort.log.1353533911'. Read 40 records
Opened spool file '/var/log/snort/snort.log.1353688568'
Closing spool file '/var/log/snort/snort.log.1353688568'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353698765'
Closing spool file '/var/log/snort/snort.log.1353698765'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353699211'
Closing spool file '/var/log/snort/snort.log.1353699211'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353699244'
*** showed some output onto the screen here ***
Closing spool file '/var/log/snort/snort.log.1353699244'. Read 206 records
Opened spool file '/var/log/snort/snort.log.1353699581'
Closing spool file '/var/log/snort/snort.log.1353699581'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353705065'
Closing spool file '/var/log/snort/snort.log.1353705065'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353707845'
Closing spool file '/var/log/snort/snort.log.1353707845'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353709641'
Closing spool file '/var/log/snort/snort.log.1353709641'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1353709666'
Waiting for new data
===============================================================================
Record Totals:
   Records: 246
   Events:  107 (43.496%)
   Packets: 136 (55.285%)
===============================================================================
Packet breakdown by protocol (includes rebuilt packets):
      ETH: 136 (100.000%)
  ETHdisc: 0 (0.000%)
     VLAN: 0 (0.000%)
     IPV6: 0 (0.000%)
  IP6 EXT: 0 (0.000%)
  IP6opts: 0 (0.000%)
  IP6disc: 0 (0.000%)
      IP4: 136 (100.000%)
  IP4disc: 0 (0.000%)
    TCP 6: 0 (0.000%)
    UDP 6: 0 (0.000%)
    ICMP6: 0 (0.000%)
  ICMP-IP: 0 (0.000%)
      TCP: 33 (24.265%)
      UDP: 0 (0.000%)
     ICMP: 103 (75.735%)
  TCPdisc: 0 (0.000%)
  UDPdisc: 0 (0.000%)
  ICMPdis: 0 (0.000%)
     FRAG: 0 (0.000%)
   FRAG 6: 0 (0.000%)
      ARP: 0 (0.000%)
    EAPOL: 0 (0.000%)
  ETHLOOP: 0 (0.000%)
      IPX: 0 (0.000%)
    OTHER: 0 (0.000%)
  DISCARD: 0 (0.000%)
InvChkSum: 0 (0.000%)
   S5 G 1: 0 (0.000%)
   S5 G 2: 0 (0.000%)
    Total: 136
===============================================================================

But I see that the events in mysql database are not increasing. What's the situation? I have a continual ping going on in the background which should trigger my test rule. Why is the database not increasing??

Regards,
Prashanth

On Sat, Nov 24, 2012 at 4:14 AM, Jeremy Hoel <jthoel () gmail com> wrote:

Basically yes.. but they are two different apps and you can choose to run either, both or none in daemon mode. They don't depend on each other for that.

snort in daemon mode, if the unified2 output is used, will write u2 files using the file structure you specify in the snort.conf for the unified2 output. by2 will read the files you tell it to and when a new one gets written, it will close the old one and archive it (if desired) and then continue reading and acting on the u2 files, updating its waldo file as it goes.

On Fri, Nov 23, 2012 at 10:38 PM, k vijay sai prashanth <vijaysaiprashanth () gmail com> wrote:

Jeremy,

So if I run snort and barnyard2 running in daemon mode, snort will keep alerting and Barnyard2 will keep feeding the alerts to the database, right?

Regards,
Prashanth

On Sat, Nov 24, 2012 at 2:45 AM, Jeremy Hoel <jthoel () gmail com> wrote:

Good deal.

On Fri, Nov 23, 2012 at 8:09 PM, k vijay sai prashanth <vijaysaiprashanth () gmail com> wrote:

Ran ldconfig, got it installed. Thanks a lot mate. :) Appreciate the help.

Regards,
Prashanth

On Sat, Nov 24, 2012 at 1:31 AM, k vijay sai prashanth <vijaysaiprashanth () gmail com> wrote:

I don't get anything doing ldconfig -p | grep libpcap. How do I get libpcap installed?

Regards,
Prashanth

On Fri, Nov 23, 2012 at 11:41 PM, Jeremy Hoel <jthoel () gmail com> wrote:

Quick note.. that should be 'ldconfig -p |grep libpcap'. libpcap.. not lubpcap. :-)

On Fri, Nov 23, 2012 at 5:52 PM, Jeremy Hoel <jthoel () gmail com> wrote:

After you installed libpcap did you run ldconfig? 'ldconfig -p |grep lubpcap' should return at least one result.

On Fri, Nov 23, 2012 at 5:46 PM, k vijay sai prashanth <vijaysaiprashanth () gmail com> wrote:

Hello All,

I have two IDS servers with RHEL 5 installed on each. I have installed libpcap-1.3.0, daq-1.1.1 and snort-2.9.3.1 on one, while on the other I was able to install libpcap-1.3.0 from source but when I try to install daq-1.1.1 by ./configure I get exited with the below error message.

checking for pcap.h... (cached) yes
checking for pcap_lib_version... checking for pcap_lib_version in -lpcap... (cached) yes
checking for libpcap version >= "1.0.0"... no

   ERROR!  Libpcap library version >= 1.0.0  not found.
   Get it from http://www.tcpdump.org

I did install libpcap-1.3.0 but when I give the below command I got nothing: "rpm -qa | grep libpcap"

When I do a "locate pcap.h" it's not found. But I am able to manually navigate to the file at /usr/local/src/libpcap-1.3.0. It seems to have no execute rights. Does this matter? Why is this failing? What can I do to get daq-1.1.1 installed? Are there any other dependencies which I am missing to fully install libpcap-1.3.0?

Please advise.

Regards,
Prashanth

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single web console. Get in-depth insight into apps, servers, databases, vmware, SAP, cloud infrastructure, etc. Download 30-day Free Trial. Pricing starts from $795 for 25 servers or applications! http://p.sf.net/sfu/zoho_dev2dev_nov
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
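The allocation failure quoted at the top of this thread ("Unable to allocate memory! (4008636399 requested)") appears the moment a new spool file is opened, and a request of that size is the sort a reader makes when it sizes a buffer from a corrupt or truncated unified2 record header (an assumption about the cause, not something the thread confirms). As an added example (not barnyard2's or Snort's own code), the Python below walks a spool file's record headers, assuming the unified2 layout of a 4-byte type and a 4-byte length in network byte order, and reports the first record whose length cannot be honoured instead of trusting it; the sample file is constructed inline and ends with a header carrying exactly that length.

```python
import struct
from typing import Dict, NamedTuple, Optional

# unified2 record header as assumed here: 4-byte type, 4-byte length, both big-endian.
HEADER = struct.Struct("!II")
# Largest record length treated as plausible (assumed value; a packet record is one
# captured frame plus a fixed header, so a length in the gigabytes is corruption).
MAX_RECORD_LEN = 1 << 20


class ScanResult(NamedTuple):
    records: int                 # complete records walked before any problem
    by_type: Dict[int, int]      # record count per unified2 type id
    bad_offset: Optional[int]    # offset of the first record that cannot be read
    bad_length: Optional[int]    # length field that record claimed
    reason: Optional[str]


def scan_unified2(data: bytes, max_record_len: int = MAX_RECORD_LEN) -> ScanResult:
    """Walk record headers and stop at the first one whose length cannot be honoured,
    rather than sizing a buffer from an unchecked length field."""
    offset, records, by_type = 0, 0, {}
    while offset < len(data):
        if len(data) - offset < HEADER.size:
            return ScanResult(records, by_type, offset, None, "truncated header")
        rtype, rlen = HEADER.unpack_from(data, offset)
        if rlen > max_record_len:
            return ScanResult(records, by_type, offset, rlen, "implausible length")
        if offset + HEADER.size + rlen > len(data):
            return ScanResult(records, by_type, offset, rlen, "record runs past end of file")
        by_type[rtype] = by_type.get(rtype, 0) + 1
        records += 1
        offset += HEADER.size + rlen
    return ScanResult(records, by_type, None, None, None)


def build_sample_spool() -> bytes:
    """Constructed sample (not a real capture): two 52-byte IDS event records and one
    packet record, then a header whose length field is the 4008636399 from the thread."""
    UNIFIED2_PACKET, UNIFIED2_IDS_EVENT = 2, 7
    good = (HEADER.pack(UNIFIED2_IDS_EVENT, 52) + b"\x00" * 52
            + HEADER.pack(UNIFIED2_PACKET, 98) + b"\x00" * 98
            + HEADER.pack(UNIFIED2_IDS_EVENT, 52) + b"\x00" * 52)
    corrupt = HEADER.pack(UNIFIED2_PACKET, 4008636399) + b"\xff" * 16
    return good + corrupt


if __name__ == "__main__":
    r = scan_unified2(build_sample_spool())
    print(f"Read {r.records} records {dict(r.by_type)}; stopped at offset {r.bad_offset}:"
          f" {r.reason} (length field {r.bad_length})")
```

Run against a real spool file (`scan_unified2(open(path, "rb").read())`), a non-empty `reason` pinpoints the record a reader would have choked on, and `records` matches the "Read N records" count barnyard2 would have printed for the good prefix.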