Snort & Barnyard2
-
Hello,
I have a problem with my fresh installation of snort and barnyard2. The problem is that barnyard2 doesn't work any more after every reboot of the system. I have to uninstall the whole snort package and install it again. Then barnyard2 will work until the next reboot.
I have tried to start the service from the shell with this command:
/usr/local/bin/barnyard2 -r "id" -f snort_"id"lagg0.u2 --pid-path /var/run --nolock-pidfile -c /usr/local/etc/snort/snort"id"_lagg0/barnyard2.conf -d /var/log/snort/snort_lagg0"id" -D -q
Output:
/libexec/ld-elf.so.1: Shared object "libmysqlclient.so.18" not found
But under /usr/local/lib/mysql everything is there:
-rw-r--r-- 1 root wheel 4735094 Mar 21 21:10 libmysqlclient.a
lrwxr-xr-x 1 root wheel 20 Mar 21 21:10 libmysqlclient.so -> libmysqlclient.so.18
-rwxr-xr-x 1 root wheel 3345176 Mar 21 21:10 libmysqlclient.so.18
lrwxr-xr-x 1 root wheel 16 Mar 21 21:10 libmysqlclient_r.a -> libmysqlclient.a
lrwxr-xr-x 1 root wheel 17 Mar 21 21:10 libmysqlclient_r.so -> libmysqlclient.so
lrwxr-xr-x 1 root wheel 17 Mar 21 21:10 libmysqlclient_r.so.18 -> libmysqlclient.so
-rw-r--r-- 1 root wheel 4150 Mar 21 21:10 libmysqlservices.a
pkg_info:
barnyard2-1.12 Interpreter for Snort unified2 binary output files
bsdinstaller-2.0.2013.0412 BSD Installer mega-package
daq-2.0.0 Data Acquisition abstraction library for snort 2.9+
gettext-0.18.1.1 GNU gettext package
iftop-0.17 Display bandwidth usage on an interface by host
libdnet-1.11_3 A simple interface to low level networking routines
libiconv-1.14 A character set conversion library
libnet11-1.1.2.1_4,1 A C library for creating IP packets
libnet11-1.1.6,1 A C library for creating IP packets
libpcap-1.3.0 Ubiquitous network traffic capture library
mtr-nox11-0.82 Traceroute and ping in a single graphical network diagnosti
mysql-client-5.5.30 Multithreaded SQL database (client)
nano-2.2.4_1 Nano's ANOther editor, an enhanced free Pico clone
pcre-8.32 Perl Compatible Regular Expressions library
snort-2.9.4.6 Lightweight network intrusion detection system
So does anybody have an idea how to fix this?
-
Every time similar things have happened to other users, it's been some other package stepping on (overwriting and changing the version of) a shared library. Re-installing Barnyard2 is putting back the correct version until that other package changes it again. pfSense 2.1 fixes this problem for good by using PBI packaging. On 2.0.x pfSense, you are stuck with the problem unless you find the package that is messing with the library and remove it.
Bill
-
Not sure this was the right way to fix it but what worked for me was:
ln -s /usr/local/lib/mysql/libmysqlclient.so.18 /lib/libmysqlclient.so.18
Result:
ldd /usr/local/bin/barnyard2
/usr/local/bin/barnyard2:
        libmysqlclient.so.18 => /lib/libmysqlclient.so.18 (0x280d8000)
        libz.so.5 => /lib/libz.so.5 (0x283e7000)
        libpcap.so.7 => /lib/libpcap.so.7 (0x283f9000)
        libm.so.5 => /lib/libm.so.5 (0x28427000)
        libc.so.7 => /lib/libc.so.7 (0x28441000)
        libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x2854a000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x2863e000)
        libthr.so.3 => /lib/libthr.so.3 (0x28649000)
Both snort and barnyard2 start on reboot. (The symlink persists on reboot, so barnyard2 starts normally.)
I don't know how permanent this fix is. I've always had some kind of issue with barnyard2 since pfSense v1.x. I will keep my eye on it, probably with a cron job.
Hope this helps.
Update: I also had to update the sensor.last_cid value or barnyard2 would die with a fatal error about that table and field, complaining about duplicate values in a unique primary key field? Something like that.
At first I tried a value that was 1 greater than the largest value in event.cid but that choked, and barnyard2 died again – same error, just different field value reported as duplicate.
What did work was adding 10 to the highest value in event.cid and using that to update the sensor.last_cid value.
Warning: Your mileage may vary with these hackish fixes.
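The two replies above describe the same failure from two sides: Bill's, that something changes or hides the shared library after a reboot, and the symlink fix, that barnyard2 starts again once the runtime linker can find libmysqlclient.so.18 somewhere it actually searches. The script below is an added example, not code from the thread or from the Snort or pfSense projects: it is the kind of cron check the last poster mentions wanting. It parses ldd output for objects reported "not found", verifies that the symlink still resolves to a real file rather than dangling, and reports whether /usr/local/lib/mysql is in the runtime linker's hints. The paths are the ones quoted in the thread, and the assumption that `ldconfig -r` (FreeBSD) or `ldconfig -p` (Linux) lists the hinted directories, and that `ldconfig -m DIR` merges a directory into the FreeBSD hints, is mine; registering the directory that way addresses the most likely cause (the library directory not being hinted after boot) without symlinking package libraries into /lib.

```shell
#!/bin/sh
# Added example, not from the thread: a cron check that barnyard2 still resolves
# every shared object it links against and that the compatibility symlink from
# the thread still points at a real file. Paths are the thread's; override via env.
BIN="${BARNYARD2_BIN:-/usr/local/bin/barnyard2}"
LINK="${MYSQL_LINK:-/lib/libmysqlclient.so.18}"
LIBDIR="${MYSQL_LIBDIR:-/usr/local/lib/mysql}"

# Read ldd output on stdin and print the names of objects reported "not found".
# ldd prints one "name => path (addr)" line per object; a missing object reads
# "name => not found" on both FreeBSD and Linux.
ldd_missing() {
    awk '$2 == "=>" && /not found/ { print $1 }'
}

# Read ldd output on stdin and print the path the named object resolved to
# (prints nothing if it is missing or not linked at all).
ldd_path() {
    awk -v lib="$1" '$1 == lib && $2 == "=>" && $3 != "not" { print $3 }'
}

# True if the path resolves (through any symlink) to a regular file; a dangling
# symlink fails, which is the state to catch if something removes the target.
link_ok() {
    [ -f "$1" ]
}

# True if the runtime linker already knows LIBDIR (assumption: `ldconfig -r` on
# FreeBSD or `ldconfig -p` on Linux lists it). Not exercised by the tests.
libdir_hinted() {
    ldconfig -r 2>/dev/null | grep -q "$LIBDIR" && return 0
    ldconfig -p 2>/dev/null | grep -q "$LIBDIR" && return 0
    return 1
}

# Cron entry point: one line per problem found, exit 1 if there was any.
check_barnyard2() {
    rc=0
    for lib in $(ldd "$BIN" 2>/dev/null | ldd_missing); do
        echo "MISSING: $BIN needs $lib but the runtime linker cannot find it"
        rc=1
    done
    if ! link_ok "$LINK"; then
        echo "BROKEN: $LINK does not resolve to a regular file"
        rc=1
    fi
    if ! libdir_hinted; then
        echo "HINT: $LIBDIR not in linker hints; on FreeBSD 'ldconfig -m $LIBDIR' adds it"
        rc=1
    fi
    return $rc
}

# Run the check only when invoked as "script.sh check" (e.g. from cron);
# sourcing the file just defines the functions.
if [ "${1:-}" = "check" ]; then
    check_barnyard2
    exit $?
fi
```

Run it from cron as `/path/to/script.sh check` and mail or log the output; a non-zero exit means barnyard2 would fail to start the same way the original post shows, and the HINT line points at the fix that does not depend on a hand-made symlink.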