Snort borked again! Barnyard2!

wolfsden3 · Dec 13, 2018, 2:46 AM

I saw similar things in posts 6 years ago.

Anyone know how to fix this error in SNORT?

clog /var/log/system.log

'Shared object "libmysqlclient.so.18" not found, required by "barnyard2"

It won't let me start barnyard2 on all my upgraded machines because the libmysqlclient.so is missing even though I'm not using mysql to log, I'm using the local logger.

Technically the entire error is:

Dec 12 21:43:58 pfsense2 php: /tmp/snort_em161120_startcmd.php: The command '/usr/local/bin/barnyard2 -r 61120 -f "snort_61120_em1.u2" --pid-path /var/run --nolock-pidfile -c /usr/local/etc/snort/snort_61120_em1/barnyard2.conf -d /var/log/snort/snort_em161120 -D -q' returned exit code '1', the output was 'Shared object "libmysqlclient.so.18" not found, required by "barnyard2"'

PFSense: 2.4.4-RELEASE-p1 (amd64)
16 GB RAM
8 GB SSD

Thanks.

bmeeks · Dec 13, 2018, 2:54 AM

@wolfsden3, try this command. I'm working with the pfSense team to get this sorted out. It's mostly because Barnyard2 is so old and is no longer actively maintained.

Run this command from a firewall CLI session:

pkg install -fy mysql56-client

wolfsden3 · Dec 13, 2018, 2:59 AM

Woot! FASTEST REPLY EVER!

That fixed it. Here is what I did and my output > logged into the web interface and started barnyard!

pkg install -fy mysql56-client
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be REINSTALLED:
        mysql56-client-5.6.41 [pfSense]

Number of packages to be reinstalled: 1

1 MiB to be downloaded.
[1/1] Fetching mysql56-client-5.6.41.txz: 100%    1 MiB 725.5kB/s    00:02
Checking integrity... done (0 conflicting)
[1/1] Reinstalling mysql56-client-5.6.41...
[1/1] Extracting mysql56-client-5.6.41: 100%
Message from mysql56-client-5.6.41:

* * * * * * * * * * * * * * * * * * * * * * * *

Please be aware the database client is vulnerable
to CVE-2015-3152 - SSL Downgrade aka "BACKRONYM".
You may find more information at the following URL:

http://www.vuxml.org/freebsd/36bd352d-299b-11e5-86ff-14dae9d210b8.html

Although this database client is not listed as
"affected", it is vulnerable and will not be
receiving a patch. Please take note of this when
deploying this software.

* * * * * * * * * * * * * * * * * * * * * * * *

rpholt76 · Apr 16, 2019, 7:20 PM

@bmeeks Hey thanks bmeeks! Barnyard2 wouldn't start after upgrading to 2.4.4-RELEASE-p2 but this fixed it right away.

wolfsden3 · Jul 16, 2020, 6:40 PM

@bmeeks Well...I'm here again with SNORT BORKED AGAIN! LOL.

2.4.5-RELEASE-p1 (amd64)
built on Tue Jun 02 17:51:54 EDT 2020
FreeBSD 11.3-STABLE

Log:

Jul 16 14:08:42 	php-fpm 		/snort/snort_interfaces.php: The command '/usr/local/bin/barnyard2 -r 19450 -f
"snort_19450_igb0.u2" --pid-path /var/run --nolock-pidfile -c /usr/local/etc/snort/snort_19450_igb0/barnyard2.conf -d /var/log/snort/snort_igb019450 -D -q' returned exit code '1', the output was 'Shared object "libmysqlclient.so.20" not found, required by "barnyard2"'

Fix Command:

pkg install -fy mysql56-client

No worky :(

Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
pkg: No packages available to install matching 'mysql56-client' have been found in the repositories

So...then I'm like, huh...OK, how about I go and download the mysql56 client manuallyl > then install it right?

fetch https://pkg.freebsd.org/FreeBSD:11:amd64/quarterly/All/mysql56-client-5.6.49.txz

pkg add ./mysql56-client-5.6.49.txz

Installing mysql56-client-5.6.49...
pkg: mysql56-client-5.6.49 conflicts with mysql57-client-5.7.30_1 (installs files into the same place).  Problematic file: /usr/local/bin/mysql

Failed to install the following 1 package(s): ./mysql56-client-5.6.49.txz

Yowza...now I'm getting knee deep. Is it "safe" to delete the mysql57 client? I want to keep using SNORT but barnyard can't run it would seem. Can I change barnyard to use the 57 client rather than 56 client?

What's our approach here?

Thanks for any help. This is the de-facto post about this IMHO :-)

bmeeks · Jul 16, 2020, 6:54 PM

@wolfsden3:
Something is corrupt with your pkg database and/or your shared library subsytem on your firewall.

The current Snort version on pfSense-2.4.5 RELEASE uses the mysql57-client-5.7.30_1 library. That library is already installed on your system (see the error message you received when you attempted to install the 5.6 MySQL client), however the library subsystem is not recognizing it is there. Thus Barnyard2 is failing.

Did you by chance update Snort recently BEFORE you updated pfSense to 2.4.5? If you did, that can really mess up the shared library system for all packages since each new pfSense version needs new libraries for the packages, so all the packages were compiled with new library dependencies when the new pfSense update was released.

At this point I suggest you follow the troubleshooting tips here: https://docs.netgate.com/pfsense/en/latest/packages/fixing-a-broken-pkg-database.html.

Or it might just be easier to perform a configuration backup, save the config.xml file on a PC someplace, and then reinstall pfSense from scratch and restore the configuration during the install. The instructions for doing that are here: https://docs.netgate.com/pfsense/en/latest/backup/automatically-restore-during-install.html.

FYI: the next Snort package update will remove Barnyard2 support from Snort.

wolfsden3 · Jul 16, 2020, 7:10 PM

@bmeeks said in Snort borked again! Barnyard2!:

mysql57-client-5.7.30_1

I mended it! LOL

pkg install -f mysql57-client-5.7.30_1
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be REINSTALLED:
        mysql57-client-5.7.30_1 [pfSense]

Number of packages to be reinstalled: 1

Proceed with this action? [y/N]: y
[1/1] Reinstalling mysql57-client-5.7.30_1...
[1/1] Extracting mysql57-client-5.7.30_1: 100%

I just reinstalled the client and got lucky. It fired right up after doing that.

Hopes this helps someone else too!

bmeeks · Jul 16, 2020, 7:24 PM

@wolfsden3 said in Snort borked again! Barnyard2!:

@bmeeks said in Snort borked again! Barnyard2!:

mysql57-client-5.7.30_1

I mended it! LOL

pkg install -f mysql57-client-5.7.30_1
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be REINSTALLED:
        mysql57-client-5.7.30_1 [pfSense]

Number of packages to be reinstalled: 1

Proceed with this action? [y/N]: y
[1/1] Reinstalling mysql57-client-5.7.30_1...
[1/1] Extracting mysql57-client-5.7.30_1: 100%

I just reinstalled the client and got lucky. It fired right up after doing that.

Hopes this helps someone else too!

Glad that fixed it for you, but as you said -- "you got lucky". Your system is broken someplace or it would not have thrown that error. You may continue to have difficulties with packge updates in the future if your pkg database is somehow corrupt.