Barnyard2 trouble…

DavideNL

Hi,

First i downloaded "pfSense-2.0.1-RELEASE-4g-i386-nanobsd.img.gz" and installed on alix2d3. Then installed the Snort package (2.9.1 pkg v. 2.1.1 ). Snort works, but Barnyard didn't start so i tried to fix it like this:

Downloaded http://files.pfsense.com/packages/8/All/barnyard2 -> /tmp/barnyard2

[2.0.1-RELEASE][admin@pfSense.localdomain]/tmp(2): /etc/rc.conf_mount_rw
[2.0.1-RELEASE][admin@pfSense.localdomain]/tmp(3): cp /tmp/barnyard2 /usr/local/bin/
[2.0.1-RELEASE][admin@pfSense.localdomain]/tmp(4): chmod u+x /usr/local/bin/barnyard2
[2.0.1-RELEASE][admin@pfSense.localdomain]/tmp(5): /etc/rc.conf_mount_ro

reboot, but barnyard still didn't start. Tried this:

[2.0.1-RELEASE][admin@pfSense.localdomain]/root(2): pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8-stable/Latest/barnyard2.tbz
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8-stable/Latest/barnyard2.tbz… Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8-stable/All/mysql-client-5.5.20.tbz... Done.
pkg_add: package 'mysql-client-5.5.20' conflicts with mysql-client-5.1.53
pkg_add: please use pkg_delete first to remove conflicting package(s) or -f to force installation
pkg_add: pkg_add of dependency 'mysql-client-5.5.20' failed!
[2.0.1-RELEASE][admin@pfSense.localdomain]/root(3): pkg_delete mysql-client-5.1.53
pkg_delete: unable to completely remove directory '/usr/local/include/mysql'
pkg_delete: unable to completely remove directory '/usr/local/lib/mysql'
pkg_delete: unable to completely remove directory '/usr/local/share/mysql'
pkg_delete: couldn't entirely delete package (perhaps the packing list is
incorrectly specified?)
override rwxr-xr-x  root/wheel for /var/db/pkg/mysql-client-5.1.53? n

:'(

Any tips?

HiTekRedNek

I'd like help on this same issue.

pfSense 2.0.1-RELEASE (i386)
Snort package 2.9.1 pkg v.2.1.1

Did a fresh install and tried to configure barnyard2 but the interface appears as red.

Tried to investigate the logs directory for clues. The following file is 0 bytes
/var/log/snort/barnyard2/6898_pppoe0.waldo*

I have no clue on how to get this running. Please will somebody post a tip.

HiTekRedNek

After some reading I take it that there should be a binary here /usr/local/bin/barnyard2

The file is missing.

I read some posts about installing the binary manually but there is no clear indication that it works. I am afraid to screw things up on my pfSense.

digdug3

To use Barnyard:

Setup in Snort:
–-------------
output database: alert, mysql, dbname=*** user=*** host=*** password=***

Replace the *** to your setup

Start the console in pfSense:
Install Barnyard2 on amd64:

/usr/bin/fetch -o /usr/local/bin/barnyard2 http://files.pfsense.org/packages/amd64/8/All/barnyard2 && /bin/chmod 0755 /usr/local/bin/barnyard2

Install Barnyard2 on i386:

/usr/bin/fetch -o /usr/local/bin/barnyard2 http://files.pfsense.org/packages/8/All/barnyard2 && /bin/chmod 0755 /usr/local/bin/barnyard2

HiTekRedNek

Thanks digdug, I have a bit of progress.

I installed the barnyard2 binary and rebooted. Initially I saw the baryard2 tab go to green and it stayed like that for a few minutes. Now when I reboot I never see the tab turn green but still notice activity in the system logs.

Jun 9 13:57:54 	barnyard2[59007]: FATAL ERROR: database: mysql_error: Can't connect to MySQL server on '192.168.1.225' (61)
Jun 9 13:57:54 	barnyard2[59007]: FATAL ERROR: database: mysql_error: Can't connect to MySQL server on '192.168.1.225' (61)
Jun 9 13:57:54 	barnyard2[59007]: PID path stat checked out ok, PID path set to /var/log/snort/run
Jun 9 13:57:54 	barnyard2[59007]: PID path stat checked out ok, PID path set to /var/log/snort/run
Jun 9 13:57:54 	barnyard2[58805]: Daemon parent exiting
Jun 9 13:57:54 	barnyard2[58805]: Daemon parent exiting
Jun 9 13:57:54 	barnyard2[59007]: Daemon initialized, signaled parent pid: 58805
Jun 9 13:57:54 	barnyard2[59007]: Daemon initialized, signaled parent pid: 58805
Jun 9 13:57:54 	barnyard2[58805]: Initializing daemon mode
Jun 9 13:57:54 	barnyard2[58805]: Initializing daemon mode
Jun 9 13:57:54 	barnyard2[58805]: Log directory = /var/log/snort
Jun 9 13:57:54 	barnyard2[58805]: Log directory = /var/log/snort
Jun 9 13:57:54 	barnyard2[58805]: Found pid path directive (/var/log/snort/run)
Jun 9 13:57:54 	barnyard2[58805]: Found pid path directive (/var/log/snort/run)

I have not had the chance to troubleshoot from the sql side and to be honest I am new to databases and LAMP servers in general. This is a learning project for myself to get snorby up and running. I do have an Ubuntu 12.04 LAMP and was able to get the Snorby interface up and running although I have the error, "The Snorby worker is not currently running".

Back to the point. Would the failure to connect to the MySQL cause the daemon to abort? I don't see anywhere in the logs where a connection to host 192.168.1.225 is even attempted. I will verify later by running a TCPDUMP. I figured I would see something in /var/log/snort/barnyard2 but the .waldo file is still at 0 bytes.

digdug3

Hi HiTekRedNek,

In Interfaces -> If Settings set "Log Alerts to a snort unified2 file".

Did you create a user and prepared a database for Barnyard2 in MySQL?

Cino

what is the output when your type barnyard2 from the command prompt?

packeteer

Hi,

can you telnet into mysql remotely?

either mysql is not configured to login remotely or firewall is blocking the connection attempt.