Barnyard2 trouble…
-
Hi,
First I downloaded "pfSense-2.0.1-RELEASE-4g-i386-nanobsd.img.gz" and installed on alix2d3. Then installed the Snort package (2.9.1 pkg v. 2.1.1). Snort works, but Barnyard didn't start so I tried to fix it like this:
Downloaded http://files.pfsense.com/packages/8/All/barnyard2 -> /tmp/barnyard2
[2.0.1-RELEASE][admin@pfSense.localdomain]/tmp(2): /etc/rc.conf_mount_rw
[2.0.1-RELEASE][admin@pfSense.localdomain]/tmp(3): cp /tmp/barnyard2 /usr/local/bin/
[2.0.1-RELEASE][admin@pfSense.localdomain]/tmp(4): chmod u+x /usr/local/bin/barnyard2
[2.0.1-RELEASE][admin@pfSense.localdomain]/tmp(5): /etc/rc.conf_mount_ro
Reboot, but barnyard still didn't start. Tried this:
[2.0.1-RELEASE][admin@pfSense.localdomain]/root(2): pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8-stable/Latest/barnyard2.tbz
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8-stable/Latest/barnyard2.tbz… Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8-stable/All/mysql-client-5.5.20.tbz... Done.
pkg_add: package 'mysql-client-5.5.20' conflicts with mysql-client-5.1.53
pkg_add: please use pkg_delete first to remove conflicting package(s) or -f to force installation
pkg_add: pkg_add of dependency 'mysql-client-5.5.20' failed!
[2.0.1-RELEASE][admin@pfSense.localdomain]/root(3): pkg_delete mysql-client-5.1.53
pkg_delete: unable to completely remove directory '/usr/local/include/mysql'
pkg_delete: unable to completely remove directory '/usr/local/lib/mysql'
pkg_delete: unable to completely remove directory '/usr/local/share/mysql'
pkg_delete: couldn't entirely delete package (perhaps the packing list is
incorrectly specified?)
override rwxr-xr-x root/wheel for /var/db/pkg/mysql-client-5.1.53? n
:'(
Any tips?
-
I'd like help on this same issue.
pfSense 2.0.1-RELEASE (i386)
Snort package 2.9.1 pkg v.2.1.1
Did a fresh install and tried to configure barnyard2 but the interface appears as red.
Tried to investigate the logs directory for clues. The following file is 0 bytes:
/var/log/snort/barnyard2/6898_pppoe0.waldo
I have no clue on how to get this running. Please will somebody post a tip.
-
After some reading I take it that there should be a binary here /usr/local/bin/barnyard2
The file is missing.
I read some posts about installing the binary manually but there is no clear indication that it works. I am afraid to screw things up on my pfSense.
-
To use Barnyard:
Setup in Snort:
---------------
output database: alert, mysql, dbname=*** user=*** host=*** password=***
Replace the *** with your setup
Start the console in pfSense:
Install Barnyard2 on amd64:
/usr/bin/fetch -o /usr/local/bin/barnyard2 http://files.pfsense.org/packages/amd64/8/All/barnyard2 && /bin/chmod 0755 /usr/local/bin/barnyard2
Install Barnyard2 on i386:
/usr/bin/fetch -o /usr/local/bin/barnyard2 http://files.pfsense.org/packages/8/All/barnyard2 && /bin/chmod 0755 /usr/local/bin/barnyard2
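Added example, not part of the original post: the fetch above pulls an executable over plain HTTP straight into /usr/local/bin on the firewall, so this sketch stages the download and installs it only if its SHA-256 matches a known value. The function names, the staging path and the EXPECTED value are assumptions; the thread publishes no digest, so it has to come from a source you trust.

```shell
#!/bin/sh
# Added example: stage, verify, then install a downloaded binary.

# Print the SHA-256 of a file as bare lowercase hex.
# Uses GNU sha256sum when present, otherwise FreeBSD's sha256 -q.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# install_verified STAGED EXPECTED_HEX DEST
# Copies STAGED to DEST with mode 0755 only when the digest matches.
# Returns 1 on mismatch and 2 when the digest cannot be computed.
install_verified() {
    staged=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    dest=$3
    actual=$(file_sha256 "$staged") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $staged: got $actual" >&2
        return 1
    fi
    install -m 0755 "$staged" "$dest"
}

# Usage on the firewall (URL as given in the post; EXPECTED is a placeholder).
# On a nanobsd image the filesystem must be mounted read-write first.
#   /usr/bin/fetch -o /tmp/barnyard2.new http://files.pfsense.org/packages/8/All/barnyard2
#   install_verified /tmp/barnyard2.new "$EXPECTED" /usr/local/bin/barnyard2
```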
-
Thanks digdug, I have a bit of progress.
I installed the barnyard2 binary and rebooted. Initially I saw the barnyard2 tab go to green and it stayed like that for a few minutes. Now when I reboot I never see the tab turn green but still notice activity in the system logs.
Jun 9 13:57:54 barnyard2[59007]: FATAL ERROR: database: mysql_error: Can't connect to MySQL server on '192.168.1.225' (61)
Jun 9 13:57:54 barnyard2[59007]: FATAL ERROR: database: mysql_error: Can't connect to MySQL server on '192.168.1.225' (61)
Jun 9 13:57:54 barnyard2[59007]: PID path stat checked out ok, PID path set to /var/log/snort/run
Jun 9 13:57:54 barnyard2[59007]: PID path stat checked out ok, PID path set to /var/log/snort/run
Jun 9 13:57:54 barnyard2[58805]: Daemon parent exiting
Jun 9 13:57:54 barnyard2[58805]: Daemon parent exiting
Jun 9 13:57:54 barnyard2[59007]: Daemon initialized, signaled parent pid: 58805
Jun 9 13:57:54 barnyard2[59007]: Daemon initialized, signaled parent pid: 58805
Jun 9 13:57:54 barnyard2[58805]: Initializing daemon mode
Jun 9 13:57:54 barnyard2[58805]: Initializing daemon mode
Jun 9 13:57:54 barnyard2[58805]: Log directory = /var/log/snort
Jun 9 13:57:54 barnyard2[58805]: Log directory = /var/log/snort
Jun 9 13:57:54 barnyard2[58805]: Found pid path directive (/var/log/snort/run)
Jun 9 13:57:54 barnyard2[58805]: Found pid path directive (/var/log/snort/run)
I have not had the chance to troubleshoot from the sql side and to be honest I am new to databases and LAMP servers in general. This is a learning project for myself to get snorby up and running. I do have an Ubuntu 12.04 LAMP and was able to get the Snorby interface up and running although I have the error, "The Snorby worker is not currently running".
Back to the point. Would the failure to connect to the MySQL cause the daemon to abort? I don't see anywhere in the logs where a connection to host 192.168.1.225 is even attempted. I will verify later by running a TCPDUMP. I figured I would see something in /var/log/snort/barnyard2 but the .waldo file is still at 0 bytes.
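Added example, not part of the original post: the number in parentheses at the end of the mysql_error line is the operating system's errno, and on FreeBSD (which pfSense runs on) 61 is ECONNREFUSED. This sketch pulls those errors out of syslog text, drops the repeated lines and names the errno; the function names and the errno table are this example's own, and the sample lines are copied from the log above.

```shell
#!/bin/sh
# Added example: summarise barnyard2 MySQL connection failures from syslog text.

# Constructed sample: three of the syslog lines quoted in the post above.
SAMPLE_LOG="Jun 9 13:57:54 barnyard2[59007]: FATAL ERROR: database: mysql_error: Can't connect to MySQL server on '192.168.1.225' (61)
Jun 9 13:57:54 barnyard2[59007]: FATAL ERROR: database: mysql_error: Can't connect to MySQL server on '192.168.1.225' (61)
Jun 9 13:57:54 barnyard2[58805]: Initializing daemon mode"

# Map a FreeBSD errno to its symbol and the usual network cause.
# Linux uses different numbers (ECONNREFUSED is 111 there).
errno_meaning() {
    case "$1" in
        51) echo "ENETUNREACH (no route to the server's network)" ;;
        60) echo "ETIMEDOUT (no answer; packets probably dropped silently)" ;;
        61) echo "ECONNREFUSED (refused: nothing listening on that address/port, or a rejecting firewall rule)" ;;
        65) echo "EHOSTUNREACH (no route to the server)" ;;
        *)  echo "errno not in this table" ;;
    esac
}

# Read syslog lines on stdin; print one line per distinct (host, errno) pair.
barnyard_db_errors() {
    sed -n "s/.*barnyard2\[[0-9]*]: FATAL ERROR: database: mysql_error: Can't connect to MySQL server on '\([^']*\)' (\([0-9]*\)).*/\1 \2/p" |
    sort -u |
    while read -r host code; do
        echo "$host errno=$code $(errno_meaning "$code")"
    done
}

# Demo on the constructed sample; on the firewall, pipe the system log text in instead.
printf '%s\n' "$SAMPLE_LOG" | barnyard_db_errors
```

A refused connection means a TCP connection was attempted and rejected, which points at the MySQL server's listening address or a filter in between rather than at the database user or password.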
-
Hi HiTekRedNek,
In Interfaces -> If Settings set "Log Alerts to a snort unified2 file".
Did you create a user and prepare a database for Barnyard2 in MySQL?
-
What is the output when you type barnyard2 from the command prompt?
-
Hi,
Can you telnet into mysql remotely?
Either mysql is not configured to log in remotely or a firewall is blocking the connection attempt.