Snort & Barnyard2



  • Hello,

    I have a problem with my fresh installation of snort and barnyard2. The problem is that barnyard2 doesn't work any more after every reboot of the system. I have to uninstall the whole snort package and install it again. Then barnyard2 works until the next reboot.

    I have tried to start the service from the shell with this command:

    /usr/local/bin/barnyard2 -r "id" -f snort_"id"lagg0.u2 --pid-path /var/run --nolock-pidfile -c /usr/local/etc/snort/snort"id"_lagg0/barnyard2.conf -d /var/log/snort/snort_lagg0"id" -D -q

    Output:
    /libexec/ld-elf.so.1: Shared object "libmysqlclient.so.18" not found

    But under /usr/local/lib/mysql everything is there:

    -rw-r--r--  1 root  wheel  4735094 Mar 21 21:10 libmysqlclient.a
    lrwxr-xr-x  1 root  wheel      20 Mar 21 21:10 libmysqlclient.so -> libmysqlclient.so.18
    -rwxr-xr-x  1 root  wheel  3345176 Mar 21 21:10 libmysqlclient.so.18
    lrwxr-xr-x  1 root  wheel      16 Mar 21 21:10 libmysqlclient_r.a -> libmysqlclient.a
    lrwxr-xr-x  1 root  wheel      17 Mar 21 21:10 libmysqlclient_r.so -> libmysqlclient.so
    lrwxr-xr-x  1 root  wheel      17 Mar 21 21:10 libmysqlclient_r.so.18 -> libmysqlclient.so
    -rw-r--r--  1 root  wheel    4150 Mar 21 21:10 libmysqlservices.a

    pkg_info:

    barnyard2-1.12      Interpreter for Snort unified2 binary output files
    bsdinstaller-2.0.2013.0412 BSD Installer mega-package
    daq-2.0.0          Data Acquisition abstraction library for snort 2.9+
    gettext-0.18.1.1    GNU gettext package
    iftop-0.17          Display bandwidth usage on an interface by host
    libdnet-1.11_3      A simple interface to low level networking routines
    libiconv-1.14      A character set conversion library
    libnet11-1.1.2.1_4,1 A C library for creating IP packets
    libnet11-1.1.6,1    A C library for creating IP packets
    libpcap-1.3.0      Ubiquitous network traffic capture library
    mtr-nox11-0.82      Traceroute and ping in a single graphical network diagnosti
    mysql-client-5.5.30 Multithreaded SQL database (client)
    nano-2.2.4_1        Nano's ANOther editor, an enhanced free Pico clone
    pcre-8.32          Perl Compatible Regular Expressions library
    snort-2.9.4.6      Lightweight network intrusion detection system

    So does anybody have an idea how to fix this?



  • @crashi102:

    Hello,

    I have a problem with my fresh installation of snort and barnyard2. The problem is that barnyard2 doesn't work any more after every reboot of the system. I have to uninstall the whole snort package and install it again. Then barnyard2 works until the next reboot.

    I have tried to start the service from the shell with this command:

    /usr/local/bin/barnyard2 -r "id" -f snort_"id"lagg0.u2 --pid-path /var/run --nolock-pidfile -c /usr/local/etc/snort/snort"id"_lagg0/barnyard2.conf -d /var/log/snort/snort_lagg0"id" -D -q

    Output:
    /libexec/ld-elf.so.1: Shared object "libmysqlclient.so.18" not found

    But under /usr/local/lib/mysql everything is there:

    -rw-r--r--  1 root  wheel  4735094 Mar 21 21:10 libmysqlclient.a
    lrwxr-xr-x  1 root  wheel       20 Mar 21 21:10 libmysqlclient.so -> libmysqlclient.so.18
    -rwxr-xr-x  1 root  wheel  3345176 Mar 21 21:10 libmysqlclient.so.18
    lrwxr-xr-x  1 root  wheel       16 Mar 21 21:10 libmysqlclient_r.a -> libmysqlclient.a
    lrwxr-xr-x  1 root  wheel       17 Mar 21 21:10 libmysqlclient_r.so -> libmysqlclient.so
    lrwxr-xr-x  1 root  wheel       17 Mar 21 21:10 libmysqlclient_r.so.18 -> libmysqlclient.so
    -rw-r--r--  1 root  wheel     4150 Mar 21 21:10 libmysqlservices.a

    pkg_info:

    barnyard2-1.12      Interpreter for Snort unified2 binary output files
    bsdinstaller-2.0.2013.0412 BSD Installer mega-package
    daq-2.0.0           Data Acquisition abstraction library for snort 2.9+
    gettext-0.18.1.1    GNU gettext package
    iftop-0.17          Display bandwidth usage on an interface by host
    libdnet-1.11_3      A simple interface to low level networking routines
    libiconv-1.14       A character set conversion library
    libnet11-1.1.2.1_4,1 A C library for creating IP packets
    libnet11-1.1.6,1    A C library for creating IP packets
    libpcap-1.3.0       Ubiquitous network traffic capture library
    mtr-nox11-0.82      Traceroute and ping in a single graphical network diagnosti
    mysql-client-5.5.30 Multithreaded SQL database (client)
    nano-2.2.4_1        Nano's ANOther editor, an enhanced free Pico clone
    pcre-8.32           Perl Compatible Regular Expressions library
    snort-2.9.4.6       Lightweight network intrusion detection system

    So does anybody have an idea how to fix this?

    Every time similar things have happened to other users, it's been some other package stepping on (overwriting and changing the version of) a shared library. Re-installing Barnyard2 puts back the correct version until that other package changes it again. pfSense 2.1 fixes this problem for good by using PBI packaging. On 2.0.x pfSense, you are stuck with the problem unless you find the package that is messing with the library and remove it.

    Bill



  • Not sure this was the right way to fix it, but what worked for me was:

    ln -s /usr/local/lib/mysql/libmysqlclient.so.18 /lib/libmysqlclient.so.18

    Result:

    ldd /usr/local/bin/barnyard2
    /usr/local/bin/barnyard2:
            libmysqlclient.so.18 => /lib/libmysqlclient.so.18 (0x280d8000)
            libz.so.5 => /lib/libz.so.5 (0x283e7000)
            libpcap.so.7 => /lib/libpcap.so.7 (0x283f9000)
            libm.so.5 => /lib/libm.so.5 (0x28427000)
            libc.so.7 => /lib/libc.so.7 (0x28441000)
            libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x2854a000)
            libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x2863e000)
            libthr.so.3 => /lib/libthr.so.3 (0x28649000)

    Both snort and barnyard2 start on reboot. (The symlink persists on reboot, so barnyard2 starts normally.)

    I don't know how permanent this fix is. I've always had some kind of issue with barnyard2 since pfSense v1.x. I will keep my eye on it, probably with a cron job.

    Hope this helps.

    Update: I also had to update the sensor.last_cid value, or barnyard2 would die with a fatal error about that table and field, complaining about duplicate values in a unique primary key field? Something like that.

    At first I tried a value that was 1 greater than the largest value in event.cid, but that choked, and barnyard2 died again with the same error, just a different field value reported as duplicate.

    What did work was adding 10 to the highest value from event.cid and using that as the sensor.last_cid value.

    Warning: Your mileage may vary with these hackish fixes.
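
A check script for the startup failure described in this thread, added here as an example and not code posted by anyone in it. It runs ldd(1) on a binary, extracts every shared object the runtime linker reports as "not found" (the same condition behind the ld-elf.so.1 error above), and prints where a copy of that library exists on disk, so you can see which directory the linker is not searching before deciding how to fix it. It only reports; it does not create symlinks. The default binary path and the search directories are taken from the thread (/usr/local/bin/barnyard2, /usr/local/lib and /usr/local/lib/mysql); the LIB_SEARCH_DIRS variable, the function names and the file name check_libs.sh are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): verify that every shared object a
# binary depends on actually resolves, and report where a missing one lives.
# Meant to run from cron after boot; a non-zero exit means the binary would
# fail at startup with "Shared object ... not found" from ld-elf.so.1.

# Directories to search for a library the runtime linker could not find.
# /usr/local/lib/mysql is where the thread's libmysqlclient.so.18 sits.
# (Assumed defaults; override with the environment variable.)
LIB_SEARCH_DIRS="${LIB_SEARCH_DIRS:-/usr/local/lib /usr/local/lib/mysql /usr/lib /lib}"

# missing_libs: read ldd(1) output on stdin and print the soname of each
# dependency reported as "not found". FreeBSD prints
# "libfoo.so.1 => not found (0x0)", glibc prints "libfoo.so.1 => not found";
# both have the soname in field 1 and "=> not found" in fields 2-4.
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# locate_lib SONAME: print every copy of SONAME under LIB_SEARCH_DIRS,
# so the admin can see which directory the linker should be searching.
locate_lib() {
    soname="$1"
    for dir in $LIB_SEARCH_DIRS; do
        [ -e "$dir/$soname" ] && echo "$dir/$soname"
    done
    return 0
}

# check_binary BIN: return 0 if all of BIN's shared objects resolve;
# otherwise print each missing soname plus candidate paths to stderr and
# return 1 (2 if BIN itself is missing or not executable).
check_binary() {
    bin="$1"
    if [ ! -x "$bin" ]; then
        echo "$bin: not found or not executable" >&2
        return 2
    fi
    # If ldd is absent, nothing is reported as missing and the check passes.
    missing=$(ldd "$bin" 2>/dev/null | missing_libs)
    [ -z "$missing" ] && return 0
    for so in $missing; do
        echo "$bin: $so not found by the runtime linker" >&2
        locate_lib "$so" | sed 's/^/  candidate: /' >&2
    done
    return 1
}

# Stand-alone use: check each binary given on the command line, e.g.
#   sh check_libs.sh /usr/local/bin/barnyard2 /usr/local/bin/snort
# Exit status is non-zero if any binary has an unresolved dependency.
if [ $# -gt 0 ]; then
    status=0
    for bin in "$@"; do
        check_binary "$bin" || status=1
    done
    exit $status
fi
```

From cron, run it with the binary as an argument shortly after boot; the stderr lines and the non-zero exit status are what cron mails you, so a reappearance of the "not found" condition shows up without having to wait for barnyard2 to die. Listing several candidate paths for one soname is itself a useful signal: it means two packages each ship a copy, which is the kind of library conflict Bill describes above.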