Problem with Barnyard2

carlossdossantos

hello everybody!!
i have a problem with mine barnyard2 when I run command:
barnyard2 -c /etc/snort/barnyard2.conf

NOTE: I have installed snort with barnyard2 in Virtual Machine.

i get this error:
carlos@carlos-VirtualBox:~$ barnyard2 -c /etc/snort/barnyard2.conf
Running in Continuous mode

–== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
Log directory = /var/log/barnyard2
database: 'mysql' support is not compiled into this build of snort

ERROR: If this build of snort was obtained as a binary distribution (e.g., rpm,
or Windows), then check for alternate builds that contains the necessary
'mysql' support.

If this build of snort was compiled by you, then re-run the
the ./configure script using the '--with-mysql' switch.
For non-standard installations of a database, the '--with-mysql=DIR'
syntax may need to be used to specify the base directory of the DB install.

See the database documentation for cursory details (doc/README.database).
and the URL to the most recent database plugin documentation.
Fatal Error, Quitting..

bmeeks

Have you also installed the Snort package into the VM?  That directory path of /etc/snort/barnyard2.conf" is not correct for a properly configured Snort installation.  On pfSense, Barnyard2 is really a support package for Snort; so Snort must also be installed and configured.  In fact, Snort installs Barnyard2 during its own installation.

Bill

carlossdossantos

Sorry for not giving details, but I'm doing a job monograph on intrusion detection, is a work of completion, only that I will simulate an attack on the virtual machine operating system is installed ubuntu 12.04 snort already installed, I'm having problems when I boot the barnyard2, I've looked at other forums the answer to the problem but it seems that does not have an exact answer, I find only parts of the discussion of the problem.

bmeeks

@carlossdossantos:

Sorry for not giving details, but I'm doing a job monograph on intrusion detection, is a work of completion, only that I will simulate an attack on the virtual machine operating system is installed ubuntu 12.04 snort already installed, I'm having problems when I boot the barnyard2, I've looked at other forums the answer to the problem but it seems that does not have an exact answer, I find only parts of the discussion of the problem.

Your response is a little difficult for me to follow due to the translation, but it sounds like you are trying to run Snort on Ubuntu 12.04 along with Barnyard2.  If that is true, then that has nothing to do with Snort on pfSense.  Am I misunderstanding your post?

Bill

carlossdossantos

@bmeeks:

@carlossdossantos:

Sorry for not giving details, but I'm doing a job monograph on intrusion detection, is a work of completion, only that I will simulate an attack on the virtual machine operating system is installed ubuntu 12.04 snort already installed, I'm having problems when I boot the barnyard2, I've looked at other forums the answer to the problem but it seems that does not have an exact answer, I find only parts of the discussion of the problem.

Your response is a little difficult for me to follow due to the translation, but it sounds like you are trying to run Snort on Ubuntu 12.04 along with Barnyard2.  If that is true, then that has nothing to do with Snort on pfSense.  Am I misunderstanding your post?

Bill

Yes, I am trying to run the barnyard2 with Snort in ubuntu 12.04 you do not misunderstand my post, to make my project I need to use the barnyard2 with snort .. I'm still looking for an answer to this problem in barnyard2

carlossdossantos

You can close the topic could solve the problem … the path of mysql was not directed corretamento was right. / Configure - with-mysql-libraries = / usr/lib/i386-linux-gnu / .. I appreciate the responses and thank you for your attention ..

carlossdossantos

I solved this problem but appeared other problem with waldo file

I run command:
carlos@carlos-VirtualBox:~$ barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/barnyard2/barnyard2.waldo
Running in Continuous mode

–== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
Log directory = /var/log/barnyard2
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = localhost
database: user = root
database: database name = snort
database: sensor name = snort:eth0
database: sensor id = 3
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility

--== Initialization Complete ==--

______ -> Barnyard2 <-
/ ,,_ \ Version 2.1.9 (Build 263)
|o" )~| By the SecurixLive.com Team: http://www.securixlive.com/about.php

• '''' + (C) Copyright 2008-2010 SecurixLive.

Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2007 Sourcefire Inc., et al.

WARNING: Ignoring corrupt/truncated waldofile '/var/log/barnyard2/barnyard2.waldo'
Waiting for new spool file

snort conf >>> http://pastebin.ca/2469866

barnyard2.conf>>> http://pastebin.ca/2469868

bmeeks

The waldo file message is basically harmless.  Barnyard2 will complain about that file, but still work from my experience.

Bill

carlossdossantos

seems like I solved the problem he is using the file waldo, he just is waiting for new data 'waiting for new data', is that really how it works?

root@carlos-VirtualBox:~# barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo
Running in Continuous mode

–== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
Log directory = /var/log/barnyard2
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:          host = localhost
database:          user = root
database:  database name = snort
database:    sensor name = snort:eth0
database:      sensor id = 3
database:    sensor cid = 11
database:  data encoding = hex
database:  detail level = full
database:    ignore_bpf = no
database: using the "log" facility

--== Initialization Complete ==--

______  -> Barnyard2 <-
/ ,,_  \  Version 2.1.9 (Build 263)
|o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php

• '''' +  (C) Copyright 2008-2010 SecurixLive.

Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
          (C) Copyright 1998-2007 Sourcefire Inc., et al.

Using waldo file '/var/log/snort/barnyard2.waldo':
    spool directory = /var/log/snort
    spool filebase  = snort.u2
    time_stamp      = 1382474203
    record_idx      = 20
Opened spool file '/var/log/snort/snort.u2.1382474203'
Closing spool file '/var/log/snort/snort.u2.1382474203'. Read 20 records
Opened spool file '/var/log/snort/snort.u2.1382479354'
Waiting for new data

bmeeks

@carlossdossantos:

seems like I solved the problem he is using the file waldo, he just is waiting for new data 'waiting for new data', is that really how it works?

Yep, just waiting for something to come in so he can log it to the database.

Bill

carlossdossantos

thanks for the replies, served much help