Netgate Discussion Forum

    CANNOT START BARNYARD..please help me!

    pfSense Packages
    • bmeeks

      @sinikel:

      Hey guys!  Forgive my ignorance in the *nix world as I am still new.  I recently installed Snort from the packages and want to use Barnyard so I can run BASE on a CentOS machine.  I have my MySQL server running on the other box as well.  My Barnyard2 output is

      output database: alert, mysql, dbname=snort user=root password=xxxxxx host=192.168.1.222

      The X never turns green…inspection of the barnyard.conf at /usr/local/etc does not show my config above that was inserted in the gui.

      Simply running the program returned an error about missing libpcap.so.8.  I removed snort and reinstalled the packages through both the GUI and the pkg_add to no avail.  I created a sym link for libpcap.so.8 to libpcap.so.1 and now running barnyard says:

      /libexec/ld-elf.so.1: /usr/local/bin/barnyard2: Undefined symbol "_ThreadRuneLocale"

      Googles of that tell me FreeBSD needs to be updated which doesn't help PFSense at all..

      Any light you could shine on this would be MOST helpful as this is a  Network Security 1 project at school.  Please don't shun me because I don't know what else to check.

      Should I reinstall the entire platform and then cross my fingers???? HELP!!

      System logs do not show errors..only these two lines per attempt:
      php: /snort/snort_interfaces.php: Toggle (barnyard starting) for WAN(WAN)...
      php: /snort/snort_interfaces.php: [Snort] Barnyard2 START for WAN(em0)…

      FYI: When I run barnyard in the shell I'm merely typing barnyard2 without any additional info...I know there has to be some but again forgive my ignorance.

      I think you are suffering from the dreaded "shared library version mismatch" problem… :D.  This happened frequently on 2.0.x pfSense.  You don't say, but are you still running a version older than 2.1 of pfSense?  This should not happen in the new 2.1 code as it uses the PBI package manager that is designed to combat just this situation (shared library conflicts, that is).

      Tell me what version of pfSense you are using, and what other packages are currently installed besides Snort.

      Bill
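
An added example (not from either poster and not part of pfSense or barnyard2): a POSIX sh check for the two conditions in sinikel's post, a library the loader cannot find and a soname that resolves only through a symlink to a different version. The `check_ldd_output` and `demo` names, the scratch directory and the sample `ldd` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit how a binary's shared libraries resolve, from ldd output.
#   MISSING - the loader cannot find the requested library
#   ALIASED - the requested soname resolves, through a symlink, to a file
#             carrying a different soname (e.g. libpcap.so.8 -> libpcap.so.1)

# Reads ldd-style output on stdin, prints one finding per line.
check_ldd_output() {
    while read -r name arrow target _rest; do
        [ "$arrow" = "=>" ] || continue           # skip the "binary:" header
        if [ "$target" = "not" ]; then            # "libX.so.N => not found"
            echo "MISSING $name"
            continue
        fi
        real=$(readlink -f "$target" 2>/dev/null) || continue
        realbase=$(basename "$real")
        # A normal chain is libpcap.so.1 -> libpcap.so.1.4.0: the real file
        # name begins with the requested soname. Anything else is an alias.
        case "$realbase" in
            "$name"|"$name".*) ;;
            *) echo "ALIASED $name -> $realbase" ;;
        esac
    done
}

# Constructed demo: a scratch directory stands in for the library path.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/libpcap.so.1"
    : > "$d/libc.so.7"
    # Before the workaround: constructed ldd line, library not found.
    echo "    libpcap.so.8 => not found (0)" | check_ldd_output
    # After "ln -s libpcap.so.1 libpcap.so.8": loads, but under another soname.
    ln -s libpcap.so.1 "$d/libpcap.so.8"
    check_ldd_output <<EOF
/usr/local/bin/barnyard2:
    libpcap.so.8 => $d/libpcap.so.8 (0x800a00000)
    libc.so.7 => $d/libc.so.7 (0x800c00000)
EOF
    rm -rf "$d"
}

demo
# On a live system: ldd /usr/local/bin/barnyard2 | check_ldd_output
```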

      • sinikel

        I only have Snort and PFBlocker installed through the package section of the GUI.  I had previously installed and run Squid but recently removed it.

        I am currently running 2.1 that was upgraded from 2.0.3 (I believe anyway)

        My pkg_info output:
        adodb-5.18          Database library for PHP
        barnyard2-1.12      Interpreter for Snort unified2 binary output files
        bsdinstaller-2.0.2012.1207 BSD Installer mega-package
        freetype2-2.4.12_1  A free and portable TrueType font rendering engine
        gettext-0.18.1.1    GNU gettext package
        jpeg-8_4            IJG's jpeg compression utilities
        kbproto-1.0.6      KB extension headers
        libICE-1.0.8,1      Inter Client Exchange library for X11
        libSM-1.2.1,1      Session Management library for X11
        libX11-1.6.0,1      X11 library
        libXau-1.0.8        Authentication Protocol library for X11
        libXaw-1.0.11,2    X Athena Widgets library
        libXdmcp-1.1.1      X Display Manager Control Protocol library
        libXext-1.3.2,1    X11 Extension library
        libXmu-1.1.1,1      X Miscellaneous Utilities libraries
        libXp-1.0.2,1      X print library
        libXpm-3.5.10      X Pixmap library
        libXt-1.1.4,1      X Toolkit library
        libdnet-1.11_3      A simple interface to low level networking routines
        libiconv-1.14      A character set conversion library
        libnet-1.1.6_1,1    A C library for creating IP packets
        libnet11-1.1.6,1    A C library for creating IP packets
        libpcap-1.4.0      Ubiquitous network traffic capture library
        libpthread-stubs-0.3_3 This library provides weak aliases for pthread functions
        libxcb-1.9.1        The X protocol C-language Binding (XCB) library
        libxml2-2.8.0_2    XML parser library for GNOME
        mysql-client-5.6.13 Multithreaded SQL database (client)
        mysql-server-5.6.13 Multithreaded SQL database (server)
        pcre-8.33          Perl Compatible Regular Expressions library
        pear-1.9.4_2        PEAR framework for PHP
        perl-5.14.4        Practical Extraction and Report Language
        php5-5.4.17        PHP Scripting Language
        php5-ctype-5.4.17  The ctype shared extension for php
        php5-gd-5.4.17      The gd shared extension for php
        php5-gettext-5.4.17 The gettext shared extension for php
        php5-session-5.4.17 The session shared extension for php
        php5-xml-5.4.17    The xml shared extension for php
        php5-zlib-5.4.17    The zlib shared extension for php
        pkgconf-0.9.2_1    Utility to help to configure compiler and linker flags
        png-1.5.17          Library for manipulating PNG images
        printproto-1.0.5    Print extension headers
        t1lib-5.1.2_2,1    Type 1 font rasterization library for Unix/X11
        xextproto-7.2.1    XExt extension headers
        xproto-7.0.24      X11 protocol headers

        Thank you so much for replying and attempting to assist me.

        Let me know what other logs or info you need.

        -Mike

        • bmeeks

          OK, with that pkg_info output, I think we have a lot of work ahead to correct this.  It does appear this was an upgrade from 2.0.3, and lots of old package libraries remain.

          The very easiest thing to do, if you are willing, is a type of "wipe and reload" of pfSense 2.1.  In other words, perform a backup of the configuration using the Diagnostics menu option, and then wipe the disk and install pfSense 2.1 from scratch.  After the new install, restore your configuration using the Diagnostics menu option.

          If that is not an option, then we have to play "whack-a-mole" with pkg_delete and other utilities to see if we can remove all the offending libraries.  The extra hassle here is each time a library or old package is removed, Snort will have to be removed and re-installed as well.  Lots of work.

          My suggestion, if you are game, is to do the wipe and reload process.  That's what I did.  I saved off my config.xml file using Diagnostics…Backup/Restore.  In my case I was installing on replacement hardware, but in your case you would just install from a USB stick or CD and overwrite the old installation.  Once you configure at least the LAN interface manually during the install, you can restore the saved config.xml file, reboot, and you will be good to go.

          Bill

          • sinikel

            Bill,

            Thanks for your input.  I figured I would have to go that route.  I'll back up my config and start over with a fresh build of 2.1…..Kinda figured that was the issue.  I'll knock that out when I get home tonight and post my results.

            Should I go with the x64 package?  I'm running this on a dual E2160 Xeons in a 2U.... or should I stick with x86 for compatibility?? I know it's overkill for pfsense but with Snort running it might task the processor(s) a little.

            Thanks again!!!

            • bmeeks

              @sinikel:

              Bill,

              Thanks for your input.  I figured I would have to go that route.  I'll back up my config and start over with a fresh build of 2.1…..Kinda figured that was the issue.  I'll knock that out when I get home tonight and post my results.

              Should I go with the x64 package?  I'm running this on a dual E2160 Xeons in a 2U.... or should I stick with x86 for compatibility?? I know it's overkill for pfsense but with Snort running it might task the processor(s) a little.

              Thanks again!!!

              I changed to the x64 build when I replaced my hardware.  It has been solid for me.  I recommend x64 (or amd64 in the pfSense naming convention). By the way, if you are changing from i386 to x64, when you do the backup of the config.xml file, DO NOT save the RRD data from the 32-bit install.  32-bit RRD data is incompatible with the x64 code.  All this means is that you just will start over with accumulated RRD stats.  Not really a big deal.

              Bill

              • sinikel

                MUAHAAAHH HAAAA HAAAAA

                Bill….You rock!  A fresh build and some MySQL changes and I'm now running.

                I cannot express my gratitude for your guidance.  I created the MySQL server on my CentOS box out of exhaustion with pfSense......with that said, is it feasible to run MySQL server on PF alongside it as well as an httpd server?  I'm not sure if the PF crew is looking to add ACID or BASE to the packages and I would prefer to keep my power bill lower and avoid having another machine run 24/7

                • bmeeks

                  @sinikel:

                  MUAHAAAHH HAAAA HAAAAA

                  Bill….You rock!  A fresh build and some MySQL changes and I'm now running.

                  I cannot express my gratitude for your guidance.  I created the MySQL server on my CentOS box out of exhaustion with pfSense......with that said, is it feasible to run MySQL server on PF alongside it as well as an httpd server?  I'm not sure if the PF crew is looking to add ACID or BASE to the packages and I would prefer to keep my power bill lower and avoid having another machine run 24/7

                  I do not recommend putting MySQL server on your firewall.  Generally you want as small an attack surface area as possible for firewalls.  This means very few add-on packages.  If you are worried about the power bill, how about using the free license for VMware ESXi and use virtual machines for your MySQL server?  That's what I do.  I have ESXi hosting a number of virtual machines, and one of them is a Snorby install with MySQL as well.  You could even host pfSense itself on ESXi as a virtual machine.

                  Bill

                  • sinikel

                    I kind of figured that…I'll just leave that machine on running Apache and MySQL...it's only a Dell Optiplex 745.

                    Now I have a new issue that you've dealt with reading through the forums but I can't find a resolve.

                    My block list clears itself (no restarts on either Snort or PF..)  I read something about the filter reload but didn't quite understand.  How can I keep my blocklist persistent?  It makes me happy when it gets large or is that not advisable?

                    • bmeeks

                      @sinikel:

                      I kind of figured that…I'll just leave that machine on running Apache and MySQL...it's only a Dell Optiplex 745.

                      Now I have a new issue that you've dealt with reading through the forums but I can't find a resolve.

                      My block list clears itself (no restarts on either Snort or PF..)  I read something about the filter reload but didn't quite understand.  How can I keep my blocklist persistent?  It makes me happy when it gets large or is that not advisable?

                      Right now you can't do anything about the block list periodically clearing.  That is a bug (or feature) that popped up in 2.1 of pfSense.  I think the pfSense devs are going to address it, but it will be a while.  There is no problem with the list clearing.  As I have said in several threads on this topic, just like Snort detected and blocked the host the first time, so it will the next time the host sends an offending packet.  Think of it this way, the first time you fired up Snort the block list was empty and Snort blocked the host on detecting an offending packet.  The same thing will happen next time a host (any host) sends an offending packet: even with the block list empty.

                      Bill

                      • sinikel

                        Yeah, I read through all of your other posts.  Would be cool if the devs made a feature to allow us to add that src IP to the firewall rules section..

                        Again, thanks for all of your help!!!

                        • bmeeks

                          @sinikel:

                          Yeah, I read through all of your other posts.  Would be cool if the devs made a feature to allow us to add that src IP to the firewall rules section..

                          Again, thanks for all of your help!!!

                          I might be able to do that from the Snort side by copying some functionality available from the Firewall Log page.  Not sure, as I have not investigated in detail; just thinking off the top of my head.

                          Of course something like that might have limited usefulness because many times "bad actor host IP addresses" frequently change, so an IP block today may well be worthless tomorrow.  Or worse yet, if it was a dynamically assigned IP and now a "good guy" has it, he will be permanently blocked from your network.  Better in my view to use the automatic 1-hour clearing of Snort-blocked IPs.  You can set this on the Global Settings tab.  Right now, with the random early clearing of the block table, you may not see a true 1-hour interval, though.

                          Bill
