Pfsense 2.0 snort 2.9.5 Barnyard2 binary does not exist
I have installed snort package on pfsense 2.0, configured it and everything is working except barnyard2.
It doesn't start because there is no binary in /usr/local/bin/.
I see some bugs in tracking system, http://redmine.pfsense.org/issues/1853.
Is there any solution or progress in fixing this issue?
Please do this at your own risk.
If you get "pkg_add: package 'barnyard2-1.9_2' or its older version already installed (ignored)", then rerun the install.
This may break other packages and may break much more. Only do this at your own risk; I will not accept responsibility for any issues caused.
download it from Files.pfsense.com
Ok, thanks, resolved.
There was no barnyard2 package installed at all, so it only complained about mysql; I deleted it and reran pkg_add.
All is working perfectly now! I hope it will not affect the system, because only snort uses the mysql client and barnyard2…
I have put this on redmine as I have always had this issue.
The binary at files.pfsense.org is not enough to fix it?
Do we really need to do this package installation?
If you're talking about barnyard2 within the package install, it depends on how many people need it. Maybe it is worth adding into the package list as a separate item.
Thanks for the fix.
I copied the file from files.pfsense.com to /usr/local/bin and barnyard2 has started running. It would be good if either this binary is included in the package or at least there is a note mentioning where to copy barnyard2 from for the users who wish to use it.
I was in a little hurry; after reboot barnyard2 doesn't start with snort, maybe because of its own init script…
So I just did the second option as codemarauder noted above, and it's working now.
I also added the execute bit to the file:
chmod u+x /usr/local/bin/barnyard2
So to fix the issue only the barnyard binary is needed. Yes, it would be good to add it to the package.
Although barnyard2 has started, I don't see anything in the mysql database.
Tried running it in batch mode as well and there is nothing in the database. tcpdump also did not show any traffic for port 3306.
This was the command output:
barnyard2 -v -v -v -v -v -v -c /usr/local/etc/snort/snort_52854_re0/barnyard2.conf -o /var/log/snort/snort_52854_re0.u2.1318867001
Running in Batch mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/usr/local/etc/snort/snort_52854_re0/barnyard2.conf"
Log directory = /var/log/snort

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.9-beta1 (Build 251) IPv6
 |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
 + '''' +  (C) Copyright 2008-2010 SecurixLive.

           Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.

      ___      Built Date for Barnyard2 on Pfsense 2.0, x86 is August 24, 2010.
  ___/ f \     Orion IPS Output Code Copyright (C) 2009-2010 Robert Zelaya.
 / p \___/Sense \___/ \ \___/
               Built with Mysql SSL support.

Using waldo file '/var/log/snort/barnyard2/52854_re0.waldo':
    spool directory = /var/log/snort
    spool filebase  = snort_52854_re0.u2
    time_stamp      = 1318867001
    record_idx      = 14
Opened spool file '/var/log/snort/snort_52854_re0.u2.1318867001'
Closing spool file '/var/log/snort/snort_52854_re0.u2.1318867001'.
Read 14 records
===============================================================================
Record Totals:
   Records:           14
   Events:             7 (50.000%)
   Packets:            7 (50.000%)
===============================================================================
Packet breakdown by protocol (includes rebuilt packets):
      ETH: 7          (100.000%)
  ETHdisc: 0          (0.000%)
     VLAN: 0          (0.000%)
     IPV6: 0          (0.000%)
  IP6 EXT: 0          (0.000%)
  IP6opts: 0          (0.000%)
  IP6disc: 0          (0.000%)
      IP4: 7          (100.000%)
  IP4disc: 0          (0.000%)
    TCP 6: 0          (0.000%)
    UDP 6: 0          (0.000%)
    ICMP6: 0          (0.000%)
  ICMP-IP: 0          (0.000%)
      TCP: 6          (85.714%)
      UDP: 0          (0.000%)
     ICMP: 0          (0.000%)
  TCPdisc: 0          (0.000%)
  UDPdisc: 0          (0.000%)
  ICMPdis: 0          (0.000%)
     FRAG: 0          (0.000%)
   FRAG 6: 0          (0.000%)
      ARP: 0          (0.000%)
    EAPOL: 0          (0.000%)
  ETHLOOP: 0          (0.000%)
      IPX: 0          (0.000%)
IPv4/IPv4: 0          (0.000%)
IPv4/IPv6: 0          (0.000%)
IPv6/IPv4: 0          (0.000%)
IPv6/IPv6: 0          (0.000%)
      GRE: 0          (0.000%)
  GRE ETH: 0          (0.000%)
 GRE VLAN: 0          (0.000%)
 GRE IPv4: 0          (0.000%)
 GRE IPv6: 0          (0.000%)
GRE IP6 E: 0          (0.000%)
 GRE PPTP: 0          (0.000%)
  GRE ARP: 0          (0.000%)
  GRE IPX: 0          (0.000%)
 GRE LOOP: 0          (0.000%)
     MPLS: 0          (0.000%)
    OTHER: 1          (14.286%)
  DISCARD: 0          (0.000%)
InvChkSum: 0          (0.000%)
   S5 G 1: 0          (0.000%)
   S5 G 2: 0          (0.000%)
    Total: 7
===============================================================================
And this is what my config file looks like:
config reference_file: /usr/local/etc/snort/snort_52854_re0/reference.config
config classification_file: /usr/local/etc/snort/snort_52854_re0/classification.config
config gen_file: /usr/local/etc/snort/snort_52854_re0/gen-msg.map
config sid_file: /usr/local/etc/snort/snort_52854_re0/sid-msg.map
config hostname: hopbox.noc.unmukti.in
config interface: 52854_re0
config decode_data_link
config waldo_file: /var/log/snort/barnyard2/52854_re0.waldo
## START user pass through ##
## END user pass through ##
# Step 2: setup the input plugins
input unified2
config logdir: /var/log/snort
# database: log to a variety of databases
# output database: log, mysql, user=xxxx password=xxxxxx dbname=xxxx host=xxx.xxx.xxx.xxxx
alert, mysql, user=xxxxxxx dbname=xxxxxxxx password=xxxxxx host=xx.xx.xx.xx
Snorby is waiting to crunch the data but there is nothing :(
Any help is appreciated.
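To check whether the spool file actually holds events before suspecting the mysql output plugin, here is an added Python example (not from this thread and not barnyard2's own code) that walks a unified2 file's record headers the way barnyard2's reader does and reports the same Records/Events/Packets totals, optionally skipping the record_idx a waldo file records. The record-type constants are the ones from Snort's Unified2_common.h; the spool bytes are constructed inline and the function names are my own.

```python
import struct
from collections import Counter

# Record-type constants from Snort's Unified2_common.h.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_VLAN = 104          # the event record snort 2.9.x writes
UNIFIED2_IDS_EVENT_IPV6_VLAN = 105
EVENT_TYPES = {UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6,
               UNIFIED2_IDS_EVENT_VLAN, UNIFIED2_IDS_EVENT_IPV6_VLAN}
# Every record starts with two big-endian uint32s: type and body length.
HEADER = struct.Struct("!II")

def iter_records(data):
    # Yield (type, body) for each complete record in a unified2 spool.
    off = 0
    while off + HEADER.size <= len(data):
        rtype, rlen = HEADER.unpack_from(data, off)
        body_start = off + HEADER.size
        if body_start + rlen > len(data):
            break  # trailing partial record: snort is still writing it
        yield rtype, data[body_start:body_start + rlen]
        off = body_start + rlen

def tally(data, record_idx=0):
    # Count records like barnyard2's "Record Totals", skipping the first
    # record_idx records (what a waldo file makes barnyard2 do on resume).
    counts = Counter()
    for i, (rtype, _body) in enumerate(iter_records(data)):
        if i < record_idx:
            continue
        counts["records"] += 1
        if rtype in EVENT_TYPES:
            counts["events"] += 1
        elif rtype == UNIFIED2_PACKET:
            counts["packets"] += 1
        else:
            counts["other"] += 1
    return dict(counts)

def build_sample_spool(n_events=7):
    # Constructed sample spool: each event record (60-byte Unified2IDSEvent body,
    # zero-filled) is followed by its packet record (28-byte header + 64 bytes).
    buf = bytearray()
    for _ in range(n_events):
        buf += HEADER.pack(UNIFIED2_IDS_EVENT_VLAN, 60) + bytes(60)
        buf += HEADER.pack(UNIFIED2_PACKET, 28 + 64) + bytes(28 + 64)
    return bytes(buf)
```

Against a real spool, pass open("/var/log/snort/snort_52854_re0.u2.1318867001", "rb").read() to tally(); if it reports zero events past the waldo's record_idx, there is nothing for the mysql output plugin to write and the problem is upstream of barnyard2.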
I have this string to start barnyard:
/usr/local/bin/barnyard2 -f snort_46139_le1.u2 -u snort -g snort --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_46139_le1/barnyard2.conf -d /var/log/snort -D -q
I suppose it's not needed to run it in batch mode.
Thanks for the information here. I've now successfully got pfsense snort sending the logs via barnyard2 to Security Onion, where I have snorby running.