Snort mailing list archives

Re: Barnyard2 configure/compile problems and startup error: "Snort not compiled to use mysql" message followup - 1st time barnyard user


From: "Lars" <technicalfriend () yahoo com>
Date: Tue, 7 May 2013 09:34:25 -0400

My apologies, I guess I never sent you these config files, or at least copies
of the text.

While it appears we have Snort doing unified logging now, as long as we use
the -k in the snort startup command, I am not sure what the reason is for
that, or whether we may still have something wrong in one of these files that
we could do better with?

The environment is just a test Linux VM right now, running in VMware Player
on Windows 7 or a Windows 2008 server; either one is the same VM.
It scans and is accessible to our tools with the SuSE firewall turned off.
If you get a chance to peruse these config files of ours and let us know if
you spot anything out of the ordinary or that should be corrected, we really
welcome and appreciate that!

 

KJ / team

 

From: Y M [mailto:snort () outlook com] 
Sent: Monday, April 29, 2013 11:22 AM
To: Lars; snort-users () lists sourceforge net;
barnyard2-users () googlegroups com
Subject: Re: [Snort-users] Barnyard2 configure/compile problems and startup
error: "Snort not compiled to use mysql" message followup - 1st time
barnyard user

 

Correction, sorry for the noise.

  _____  

From: snort () outlook com
To: technicalfriend () yahoo com; snort-users () lists sourceforge net;
barnyard2-users () googlegroups com
Date: Mon, 29 Apr 2013 15:00:29 +0000
Subject: Re: [Snort-users] Barnyard2 configure/compile problems and startup
error: "Snort not compiled to use mysql" message followup - 1st time
barnyard user

inline.

  _____  

From: technicalfriend () yahoo com
To: snort-users () lists sourceforge net; barnyard2-users () googlegroups com
Date: Thu, 25 Apr 2013 11:38:38 -0400
Subject: [Snort-users] Barnyard2 configure/compile problems and startup
error: "Snort not compiled to use mysql" message followup - 1st time
barnyard user

Hi, this is a follow-up after trying some of the steps recommended the
other day to get my first build of Barnyard working with Snort so we can
write Snort output to MySQL, as a Snorby sensor. There is a little progress,
but sadly Barnyard2 is still not working; here is where we are now:

Joel said "Snort's support to directly write to a database is no longer an
option since Snort 2.9.2, if I recall correctly."

Joel did not say that, I did. Joel simply corrected me with which version.

We definitely agree and had read and expected that; however, when we tried to
build Barnyard2 the error message Barnyard gave us then said "Snort was not
compiled to use mysql" and directed us to some steps to try and do that, so
it appears that message needs updating, so we got off track a little while
with that, FYI. We had started trying the --with-mysql option with barnyard
instead, leading to the following:

"Instead, you compile MySQL support with Barnyard2:

./configure --with-mysql --with-mysql-libraries=<path to the mysql libs>

That's also me; the two lines above. Another user on the list corrected me
that you may not necessarily need to use --with-mysql-libraries, if your
MySQL libraries are already in the dynamic libraries path.

In Snort, you would use unified2 as an output plugin to write unified2 logs
and have Barnyard2 parse these into the database. In the docs section on
Snort's website you will find step by step documentation on how to do that
on SuSE 12.x as well as other OSs."

Again, the above two lines are also me.

QUESTION: Is "unified" required also to do this? We had not seen that one
listed and have not added it; it seemed like all we needed was what was listed
under the Snort requirements and Barnyard (knowing we had added mysql with
-dev libraries/header files)..? Sorry, we are a bit lost with the big picture
of this larger process; there have been lots and lots of packages to go back
and add.

Which output plugin are you using in your snort.conf file? If you use the
unified2 output plugin in snort.conf, Snort will generate unified2 logs and
store them in the log directory you set up, or the default, during
installation. Barnyard2 will parse the unified2 logs and store the data in
the database.

Also we followed this one other recommendation sent over: "Then you will
need to make sure you have installed the MySQL client libraries and headers
(this is generally the mysql-dev package on most distros).

From there you will need to make sure your MySQL libraries are in your
dynamic libraries path.

ex: ldconfig -v | grep mysql"

Our results here seem mixed; we are not sure it worked. When first trying
it we had a lot of "graphviz" objects that it could not find. We had
graphviz and its dev headers, but we went ahead and added all those objects,
and it found mysql, but there were keyring and some other items ldconfig had
trouble with; we are not sure how any of these applied or mattered, not
using? We just wanted to send Snort log data over to MySQL so Snorby could
read it; lost? Our team at the college appreciates your help. I plan on
making sure our entire process and all these requirements are documented
when all this is done; there have been so many steps.

I am not sure I completely understand what's said above; what is "graphviz"?


_______________________________________________ Snort-users mailing list
Snort-users () lists sourceforge net Go to this URL to change user options or
unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please
visit http://blog.snort.org to stay current on all the latest Snort news!



Attachment: barnyard2.txt.conf
Attachment: snort.conf
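As an added illustration, not the poster's attached files (which are not reproduced in the archive) and not the wording of any reply, here is the minimal pairing of snort.conf and barnyard2.conf that the replies describe: Snort writes unified2 spool files, Barnyard2 reads them and writes the events to MySQL. The log directory, map-file paths, sensor name, interface, database name and credentials are placeholders to be replaced with the values of the actual install.

```conf
# --- snort.conf (added example, not the attached file) ---
# Write alerts and packet data in unified2 format to Snort's log directory
# (the -l directory on the command line, /var/log/snort by default).
# Files roll over at 128 MB. There is deliberately no "output database:"
# line here: Snort itself no longer writes to MySQL, Barnyard2 does.
output unified2: filename snort.u2, limit 128

# --- barnyard2.conf (added example, not the attached file) ---
# Map files so Barnyard2 can resolve generator/sid numbers to messages.
# Paths are placeholders for wherever the Snort install put them.
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map

# Sensor identity as it will appear in the database (and in Snorby).
config hostname:  sensor1
config interface: eth0

# Read the unified2 spool files Snort produces (snort.u2.<timestamp>).
input unified2

# Write parsed events to the MySQL database that Snorby reads.
# User, password, database name and host are placeholders.
output database: log, mysql, user=snort password=<password> dbname=snorby host=localhost
```

Barnyard2 is then started against the same spool directory and filename prefix, for example `barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo` (the -w bookmark file lets it resume where it left off after a restart). The output database line only works if Barnyard2 was configured with --with-mysql, which in turn needs the MySQL client library and headers to be findable at build time: `ldconfig -p | grep libmysqlclient` should list the client library; if it does not, install the distribution's MySQL client development package or point configure at the library directory with --with-mysql-libraries.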
