Netgate Discussion Forum

    Snort Barnyard2 MSSQL support

      mitja.gti

      Hi,

      I've just tried barnyard2 with mssql and got the error posted below.

      I already have mssql running on my server and really want to use it for Barnyard2.
      Is there a snort package available with mssql support?

      Jan 16 14:52:21 barnyard2[47017]: FATAL ERROR: If this build of snort was obtained as a binary distribution (e.g., rpm, or Windows), then check for alternate builds that contains the necessary 'mssql' support. If this build of snort was compiled by you, then re-run the the ./configure script using the '--with-mssql' switch. For non-standard installations of a database, the '--with-mssql=DIR' syntax may need to be used to specify the base directory of the DB install. See the database documentation for cursory details (doc/README.database). and the URL to the most recent database plugin documentation.
      Jan 16 14:52:21 barnyard2[47017]: ERROR database: 'mssql' support is not compiled into this build of snort

      Thank you

        fragged

        Looking at Barnyard 2 github it looks like it has support for the following databases:

        `--with-mysql-includes=DIR'
            Specify location for mysql header files.

        `--with-odbc=DIR'
            Support for ODBC databases, turn this on if you want to use ACID/BASE with
            a non-listed DB.

        `--with-postgresql=DIR'
            Support for Postgresql databases, turn this on if you want to use ACID/BASE
            with PostgreSQL.

        `--with-oracle=DIR'
            Support for Oracle databases, turn this on if you want to use ACID/BASE
            with Oracle.

        The version on pfSense most likely only supports MySQL.

          mitja.gti

          I know that it should support it if you compile it with the '--with-mssql' switch. Unfortunately, whoever compiled the package for pfSense didn't use that switch. Therefore it doesn't support mssql, as seen in the logs I have posted, so I'm asking if anyone is aware of a package that does. I'm not too keen about making a package myself.

            fragged

            Ah. I didn't do a thorough enough search on the Barnyard2 github earlier. The build settings for the snort / barnyard2 package would have to be changed for pfSense to include support for more than MySQL which seems to be the only one enabled currently (if I read the pkgconfig file correctly). Maybe bmeeks can look into it? He was going to update barnyard2 to a new version with the next Snort update (http://forum.pfsense.org/index.php/topic,71342.msg389769.html#msg389769).

              bmeeks

              @mitja.gti:

              I know that it should support it if you compile it with the '--with-mssql' switch. Unfortunately, whoever compiled the package for pfSense didn't use that switch. Therefore it doesn't support mssql, as seen in the logs I have posted, so I'm asking if anyone is aware of a package that does. I'm not too keen about making a package myself.

              I think it still requires a "SQL client" on pfSense, and so far as I know there is not one of those for MS-SQL.  Barnyard2 is compiled with the MySQL switch as you said, but that also requires the inclusion of the MySQL-Client on pfSense as well.  It gets installed as a dependency when you install the Snort package.

              I have not gone looking for one, but I am not aware of a Microsoft SQL Server client for FreeBSD.  If you know of one, I can look at what it would take to include it in the package.

              Bill

                mitja.gti

                I looked at both source codes and it's really confusing. I think that in the old days Snort was doing the logging to a database. Now that is a job of Barnyard2. Snort logs to a file and Barnyard2 parses that file and logs to a database. So the focus should be on that package and not Snort. Unfortunately I don't have the time to go through the code in depth and I could be wrong.

                I don't think there's a need for a "SQL client" because one should use ODBC. How to configure Barnyard2 to use mssql through ODBC is still a mystery to me. Can you check that and try to compile the latest version with the required switches? If you don't have an mssql server, send me the package and I'll run it in my test environment.

                Thank you both for your replies.

                  bmeeks

                  @mitja.gti:

                  I looked at both source codes and it's really confusing. I think that in the old days Snort was doing the logging to a database. Now that is a job of Barnyard2. Snort logs to a file and Barnyard2 parses that file and logs to a database. So the focus should be on that package and not Snort. Unfortunately I don't have the time to go through the code in depth and I could be wrong.

                  I don't think there's a need for a "SQL client" because one should use ODBC. How to configure Barnyard2 to use mssql through ODBC is still a mystery to me. Can you check that and try to compile the latest version with the required switches? If you don't have an mssql server, send me the package and I'll run it in my test environment.

                  Thank you both for your replies.

                  You are correct that Barnyard2 does the database writes now.  The Snort Team removed the database output plugin from Snort.  Even for ODBC, though, you still need a suitable "client driver" on the source machine.  You need a suitable ODBC driver that understands the communication format for the target database.  So you would need a Microsoft SQL Server compatible client/driver on pfSense that Barnyard2 could use.  Just like the current setup requires the MySQL client driver so it can talk to the MySQL database.

                  ODBC is "open" on the input side.  That is, it has a common methodology for applications that want to write to a database.  The application (Barnyard2 in this case) can then be somewhat database agnostic.  However, there still must exist within the ODBC framework a native driver that translates the open ODBC calls into a form the native database (SQL Server in your example) can understand and process.  I do not know of a suitable ODBC driver for SQL Server that runs on FreeBSD.

                  Even if one exists, there is still the issue of Barnyard2's support of ODBC.

                  Bill

                    mitja.gti

                    Hmm… Let me look into it and I'll get back to you.
