Snort mailing list archives

Re: Barnyard2 configure/compile problems and startup error: "Snort not compiled to use mysql" message followup - 1st time barnyard user


From: "Lars" <technicalfriend () yahoo com>
Date: Thu, 2 May 2013 13:45:30 -0400

Hi, yes that sounds REALLY helpful,

thanks beenph!

We had done the first two, all but for deleting and recreating the waldo file
itself, but have not tried the other suggestions yet; we will.  You
definitely hit that barnyard2 error exactly too, as the epoch words and all
you discussed are there, sounds promising.  We had tried toggling the
timestamp option on and off already, but by itself that one step did not fix
it.

Will do the other steps you suggested and get back with results maybe later
tonight.

KJ / team

-----Original Message-----
From: beenph [mailto:beenph () gmail com] 
Sent: Thursday, May 02, 2013 1:13 PM
To: Lars; snort-users () lists sourceforge net;
barnyard2-users () googlegroups com
Subject: Re: [Snort-users] Barnyard2 configure/compile problems and startup
error: "Snort not compiled to use mysql" message followup - 1st time
barnyard user

On Thu, May 2, 2013 at 12:41 PM, Lars <technicalfriend () yahoo com> wrote:
Hello,

A quick update, moving down to what we hope may be the last issue with
our install of the Snort 2.9.4.5 with Unified2 use to Barnyard piece.
Here is where we are now:

We rebuilt Barnyard2 and used the instructions from someone at UMUC to
configure Barnyard2, the config files, and snort.conf, compiling
Barnyard2 to run with MySQL support as you specified.  So far so good on
that.

http://polaris.umuc.edu/~sgantz/Barnyard.html

Now our Barnyard install runs and appears to begin processing, but we
get a repeating "Can't extract timestamp" error line that just keeps
repeating.  We have not been able to find a solution to that yet.

More importantly, however, we have found out that our Snort build in IDS
mode does not send anything out to our "merged.log" file.  It will
even create a new merged.log file in /var/log/snort if we delete one,
but all the files ever do is stay at 0B size.

It's odd, as if we use the -v switch when starting Snort we can see traffic
on the screen, and lots whenever we intense scan (or other types of
scans) against this target system with Zenmap.  We have been able to
run test mode just fine, with a "success" statement after that.  We
have gone back over your "Snort-setup" guide, and online details about
how to set up snort.conf many times by now, and while we have corrected
a few misnomers here and there in our .conf files or their location
etc., nonetheless unified2 is not collecting / sending output to merged.log
or anywhere as far as we can tell.
Solutions?

Thanks!

KJ / team

In your snort.conf, at the line where you have output unified2: xxxxxxxxxx,
remove the nostamp option from the command line, and delete your
merged.log file and the barnyard2 waldo file if it was created.

Also make sure that you are using output unified2 for barnyard2 and not
output log_unified2 or output alert_unified2.


Barnyard2 in continuous mode will only process files that are named
PREFIX.timestamp, where timestamp is the number of seconds since the epoch, so
this is why you are getting the "Can't extract timestamp" message.

As for snort not logging anything: if you are running in a virtual machine you
might want to add -k none to the snort command line; this disables checksumming on
packets, which can sometimes cause issues under certain environments.


Hope this helps.

-elz

------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET Get
100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!
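The filename rule beenph describes, as an added example that is not part of the thread and is not code from the Snort or Barnyard2 projects: a POSIX shell script that extracts the epoch suffix Barnyard2 looks for in continuous mode (PREFIX.timestamp), lists which spool files in a directory would be picked up, and warns about a bare merged.log (what the nostamp option produces, and the case behind "Can't extract timestamp") and about zero-byte files (the other symptom in the thread). The snort.conf lines in the comments, the merged.log filename, the limit value and the spool directory are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not code from the thread, Snort or Barnyard2.
# Mimics the rule beenph describes: barnyard2 in continuous mode only picks
# up spool files named PREFIX.<seconds-since-epoch>. Snort writes that form
# from "output unified2:" unless the nostamp option is present.
#
# Constructed snort.conf lines for reference (filename and limit are assumed):
#   output unified2: filename merged.log, limit 128, nostamp  -> /var/log/snort/merged.log
#   output unified2: filename merged.log, limit 128           -> /var/log/snort/merged.log.1367514330

# Print the epoch suffix of a spool filename; fail (status 1) when the name
# carries none, which is the case barnyard2 reports as "Can't extract timestamp".
u2_timestamp() {
    name=${1##*/}                        # drop any directory part
    ts=${name##*.}                       # text after the last dot
    [ "$ts" != "$name" ] || return 1     # no dot at all: no suffix
    case $ts in
        ''|*[!0-9]*) return 1 ;;         # empty or not purely numeric
    esac
    printf '%s\n' "$ts"
}

# List, oldest first, the files under $1 with prefix $2 that continuous mode
# would process. Files without a timestamp and empty files go to stderr as
# warnings, since both match symptoms from the thread.
u2_candidates() {
    dir=$1
    prefix=$2
    for f in "$dir"/"$prefix"*; do
        [ -e "$f" ] || continue
        if ts=$(u2_timestamp "$f"); then
            [ -s "$f" ] || printf 'warning: %s is empty (0 bytes)\n' "$f" >&2
            printf '%s %s\n' "$ts" "$f"
        else
            printf 'warning: %s has no epoch suffix; barnyard2 will not process it\n' "$f" >&2
        fi
    done | sort -n | cut -d' ' -f2-
}

# Stand-alone demo on a constructed spool directory (run with --demo).
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    : > "$demo/merged.log"                          # what nostamp produces
    printf 'x' > "$demo/merged.log.1367514330"
    printf 'x' > "$demo/merged.log.1367510000"
    u2_candidates "$demo" merged.log
    rm -rf "$demo"
fi
```

Run it with --demo to see the two timestamped files listed in order and the bare merged.log rejected on stderr. The prefix passed to u2_candidates is the same base name you would hand barnyard2 with -f, and the directory the one given with -d; a spool file that shows up as empty here means the problem is upstream in Snort's unified2 output, not in barnyard2.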

