Hi, I have configured Snort on Ubuntu 10.0.4. The Snort port (eth0) is able to listen to the traffic, checked by
tcpdump -i eth0 -n. Snort is showing me traffic. Below is the error I am getting.

root@xss-240:~# sudo /usr/local/snort/bin/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/usr/local/snort/etc/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80:81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118 8123 8180:8181 8243 8280 8800 8888 8899 9080 9090:9091 9443 9999 11371 55555 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/local/snort/lib/snort_dynamicrules...
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/dos.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/icmp.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/p2p.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/smtp.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/misc.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/web-client.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/web-activex.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/specific-threats.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/snmp.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/netbios.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/nntp.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/multimedia.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/web-misc.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/web-iis.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/bad-traffic.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/exploit.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/chat.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/imap.so... done
  Finished Loading all dynamic detection libs from /usr/local/snort/lib/snort_dynamicrules
Loading all dynamic preprocessor libs from /usr/local/snort/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
  Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done
  Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
  Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
  Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
  Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
  Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /usr/local/snort/lib/snort_dynamicpreprocessor/
Log directory = /var/log/snort
database: 'mysql' support is not compiled into this build of snort

ERROR: If this build of snort was obtained as a binary distribution (e.g., rpm,
or Windows), then check for alternate builds that contains the necessary
'mysql' support.

If this build of snort was compiled by you, then re-run the
the ./configure script using the '--with-mysql' switch.
For non-standard installations of a database, the '--with-mysql=DIR'
syntax may need to be used to specify the base directory of the DB install.

See the database documentation for cursory details (doc/README.database).
and the URL to the most recent database plugin documentation.
Fatal Error, Quitting..


Thanks

asked 11/18/2011 01:56

Mbhushan ♦♦


12 Answers:
Did you compile from source or install a binary distribution?

The error messages are pretty clear about what the issue is and how to fix it. What are you uncertain about?

answered

Papertrip

I configured Snort from this link which is attached. Please help me out to fix this error. Help will be highly appreciated.

answered 2011-11-18 at 10:07:21

Mbhushan

Do you have unified logging set up to go through barnyard, and then have barnyard output to mysql? Did you configure barnyard with --with-mysql ?

Double check the output settings on snort.conf and barnyard2.conf, make sure they match to what the PDF says.

answered 2011-11-18 at 10:16:24

Papertrip

I have configured Snort as guided in the PDF. And what do you mean by

"Double check the output settings on snort.conf and barnyard2.conf, make sure they match to what the PDF says."

answered 2011-11-18 at 10:28:55

Mbhushan

In your conf files there should be an option for output, like the following:

snort.conf:
output unified2: filename snort.u2, limit 128

barnyard2.conf:
output database: log, mysql, user=snort password=YOURPASSWORD dbname=snort host=localhost


Make sure those are set, check for any other conflicting output options.

Did you configure barnyard with --with-mysql ?

answered 2011-11-18 at 11:40:51

Papertrip
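
The check described in this answer, as an added example that is not part of the original thread: a shell function that confirms snort.conf writes unified2 and carries no active "output database" line (assumed here to be the directive behind the "'mysql' support is not compiled" error in the question), while barnyard2.conf carries the database output. The sample files and the names active_outputs and check_output_chain are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the output chain
#   Snort --unified2--> Barnyard2 --database--> MySQL

# Print active (uncommented) "output <plugin>:" lines from a config file.
active_outputs() {  # $1 = config file, $2 = plugin name
    grep -E "^[[:space:]]*output[[:space:]]+$2[[:space:]]*:" "$1"
}

# Return 0 only when both files match the layout given in the answer.
check_output_chain() {  # $1 = snort.conf, $2 = barnyard2.conf
    rc=0
    if active_outputs "$1" database >/dev/null; then
        echo "snort.conf: active 'output database' line (conflicts; Snort itself then needs mysql support)"
        rc=1
    fi
    if ! active_outputs "$1" unified2 >/dev/null; then
        echo "snort.conf: no active 'output unified2' line for Barnyard2 to read"
        rc=1
    fi
    if ! active_outputs "$2" database >/dev/null; then
        echo "barnyard2.conf: no active 'output database' line"
        rc=1
    fi
    return "$rc"
}

# Constructed sample configs (hypothetical, not the poster's files).
demo_dir=$(mktemp -d)
cat > "$demo_dir/snort_bad.conf" <<'EOF'
# output unified2: filename snort.u2, limit 128
output database: log, mysql, user=snort password=YOURPASSWORD dbname=snort host=localhost
EOF
cat > "$demo_dir/snort_good.conf" <<'EOF'
# output database: log, mysql, user=snort password=YOURPASSWORD dbname=snort host=localhost
output unified2: filename snort.u2, limit 128
EOF
cat > "$demo_dir/barnyard2.conf" <<'EOF'
output database: log, mysql, user=snort password=YOURPASSWORD dbname=snort host=localhost
EOF

check_output_chain "$demo_dir/snort_bad.conf" "$demo_dir/barnyard2.conf" \
    || echo "=> snort.conf needs fixing"
check_output_chain "$demo_dir/snort_good.conf" "$demo_dir/barnyard2.conf" \
    && echo "=> output chain matches the answer"
```

Point the two arguments at the real snort.conf and barnyard2.conf paths to run the same check on an installed sensor.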

Yes, I configured barnyard with --mysql.

answered 2011-11-18 at 11:43:55

Mbhushan

Sorry for asking again, what do you mean by this:

"In your conf files there should be an option for output, like the following:
Make sure those are set, check for any other conflicting output options."

answered 2011-11-18 at 11:50:24

Mbhushan

"yes i configured barnyard with --mysql."

--mysql or --with-mysql ?

"In your conf files there should be an option for output, like the following:
Make sure those are set, check for any other conflicting output options."

I mean look in your conf files for those lines, the PDF gives instructions about adding those into your configs.

answered 2011-11-18 at 11:57:25

Papertrip

Working on it.

answered 2011-11-18 at 12:05:41

Mbhushan

Papertrip, according to the PDF it says to download snortrules-snapshot-2912.tar.gz from snort.org. I have a registered user account, but now I am not finding snortrules-snapshot-2912.tar.gz.

Earlier, when I configured Snort, I was able to download snortrules-snapshot-2912.tar.gz, but now snort.org is not showing it.

Any help will be highly appreciated.

answered 2011-11-18 at 12:33:41

Mbhushan

Hey Papertrip,

Now I am not getting the error which I was getting earlier, but here's a different error when I run this command:

/usr/local/snort/bin/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1


Commencing packet processing (pid=1610)
*** Caught Signal: 'Rotate Perfmonitor Stats'
!!! Cannot rotate stats - Perfmonitor is not configured !!!



And in snort.conf I have done this:

vi /usr/local/snort/etc/snort.conf

# Setup the network addresses you are protecting
ipvar HOME_NET 10.0.0.0/8


Any help will be highly appreciated.

answered 2011-11-20 at 02:41:38

Mbhushan

Do you want perfmonitor configured?  Does snort still run after that error?

Perhaps you have it turned on but not fully configured?  Check out this link from the snort manual.

answered 2011-11-21 at 11:43:35

Papertrip

Asked: 11/18/2011 01:56

Seen: 237 times

Last updated: 11/21/2011 04:21