I am trying to set up Snort to send logs to a MySQL database via barnyard2 using this guide, but I am having trouble with its installation. (Ubuntu 22.04 with AMD CPU)
I first ran the command ./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
which resulted in no errors. I then ran make,
which resulted in the atrocity below.
Can anyone guide me to the root issue? It seems the problems are syntax related, but I am confused about how to approach troubleshooting this.
make all-recursive
make[1]: Entering directory '/home/faygo/Downloads/barnyard2-2-1.13'
Making all in src
make[2]: Entering directory '/home/faygo/Downloads/barnyard2-2-1.13/src'
Making all in sfutil
make[3]: Entering directory '/home/faygo/Downloads/barnyard2-2-1.13/src/sfutil'
gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I/usr/include//mysql -DENABLE_MYSQL -g -O2 -Wall -c -o getopt_long.o getopt_long.c
gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I/usr/include//mysql -DENABLE_MYSQL -g -O2 -Wall -c -o sfmemcap.o sfmemcap.c
gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I/usr/include//mysql -DENABLE_MYSQL -g -O2 -Wall -c -o sfprimetable.o sfprimetable.c
gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I/usr/include//mysql -DENABLE_MYSQL -g -O2 -Wall -c -o sfxhash.o sfxhash.c
gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I/usr/include//mysql -DENABLE_MYSQL -g -O2 -Wall -c -o sf_ip.o sf_ip.c
gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I/usr/include//mysql -DENABLE_MYSQL -g -O2 -Wall -c -o sf_iph.o sf_iph.c
gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I/usr/include//mysql -DENABLE_MYSQL -g -O2 -Wall -c -o sf_ipvar.o sf_ipvar.c
gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I/usr/include//mysql -DENABLE_MYSQL -g -O2 -Wall -c -o sf_textlog.o sf_textlog.c
gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I/usr/include//mysql -DENABLE_MYSQL -g -O2 -Wall -c -o sf_vartable.o sf_vartable.c
rm -f libsfutil.a
ar cru libsfutil.a getopt_long.o sfmemcap.o sfprimetable.o sfxhash.o sf_ip.o sf_iph.o sf_ipvar.o sf_textlog.o sf_vartable.o
ar: `u' modifier ignored since `D' is the default (see `U')
ranlib libsfutil.a
make[3]: Leaving directory '/home/faygo/Downloads/barnyard2-2-1.13/src/sfutil'
Making all in output-plugins
make[3]: Entering directory '/home/faygo/Downloads/barnyard2-2-1.13/src/output-plugins'
gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I ../sfutil -I/usr/include//mysql -DENABLE_MYSQL -g -O2 -Wall -c -o spo_alert_arubaaction.o spo_alert_arubaaction.c
In file included from /usr/include/string.h:535,
from spo_alert_arubaaction.c:64:
In function ‘strncpy’,
inlined from ‘ParseAlertArubaActionArgs’ at spo_alert_arubaaction.c:592:2:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:95:10: warning: ‘__builtin_strncpy’ specified bound depends on the length of the source argument [-Wstringop-truncation]
95 | return __builtin___strncpy_chk (__dest, __src, __len,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
96 | __glibc_objsize (__dest));
| ~~~~~~~~~~~~~~~~~~~~~~~~~
spo_alert_arubaaction.c: In function ‘ParseAlertArubaActionArgs’:
spo_alert_arubaaction.c:592:9: note: length computed here
592 | strncpy(data->secret, toks[2], strlen(toks[2]));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from /usr/include/string.h:535,
from spo_alert_arubaaction.c:64:
In function ‘strncpy’,
inlined from ‘ParseAlertArubaActionArgs’ at spo_alert_arubaaction.c:621:3:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:95:10: warning: ‘__builtin_strncpy’ specified bound depends on the length of the source argument [-Wstringop-truncation]
95 | return __builtin___strncpy_chk (__dest, __src, __len,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
96 | __glibc_objsize (__dest));
| ~~~~~~~~~~~~~~~~~~~~~~~~~
spo_alert_arubaaction.c: In function ‘ParseAlertArubaActionArgs’:
spo_alert_arubaaction.c:621:17: note: length computed here
621 | strncpy(data->role_name, action_toks[1],
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
622 | strlen(action_toks[1]));
| ~~~~~~~~~~~~~~~~~~~~~~~
gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I ../sfutil -I/usr/include//mysql -DENABLE_MYSQL -g -O2 -Wall -c -o spo_alert_bro.o spo_alert_bro.c
gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I ../sfutil -I/usr/include//mysql -DENABLE_MYSQL -g -O2 -Wall -c -o spo_alert_cef.o spo_alert_cef.c
spo_alert_cef.c: In function ‘AlertCEF’:
spo_alert_cef.c:500:42: warning: variable ‘cn’ set but not used [-Wunused-but-set-variable]
500 | ClassType *cn;
| ^~
gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I ../sfutil -I/usr/include//mysql -DENABLE_MYSQL -g -O2 -Wall -c -o spo_alert_csv.o spo_alert_csv.c
gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I ../sfutil -I/usr/include//mysql -DENABLE_MYSQL -g -O2 -Wall -c -o spo_alert_fast.o spo_alert_fast.c
gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I ../sfutil -I/usr/include//mysql -DENABLE_MYSQL -g -O2 -Wall -c -o spo_alert_full.o spo_alert_full.c
gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I ../sfutil -I/usr/include//mysql -DENABLE_MYSQL -g -O2 -Wall -c -o spo_alert_fwsam.o spo_alert_fwsam.c
In file included from /usr/include/pcap/pcap.h:130,
from /usr/include/pcap.h:43,
from ../barnyard2.h:46,
from spo_alert_fwsam.c:91:
spo_alert_fwsam.c:118:13: error: two or more data types in declaration specifiers
118 | typedef int SOCKET;
| ^~~~~~
spo_alert_fwsam.c:118:1: warning: useless type name in empty declaration
118 | typedef int SOCKET;
| ^~~~~~~
spo_alert_fwsam.c: In function ‘FWsamReadLine’:
spo_alert_fwsam.c:620:9: warning: this ‘if’ clause does not guard... [-Wmisleading-indentation]
620 | if(p>buf);
| ^~
spo_alert_fwsam.c:621:13: note: ...this statement, but the latter is misleadingly indented as if it were guarded by the ‘if’
621 | strcpy(buf,p);
| ^~~~~~
spo_alert_fwsam.c: In function ‘AlertFWsam’:
spo_alert_fwsam.c:979:18: warning: variable ‘cn’ set but not used [-Wunused-but-set-variable]
979 | ClassType *cn = NULL;
| ^~
spo_alert_fwsam.c:978:18: warning: variable ‘sn’ set but not used [-Wunused-but-set-variable]
978 | SigNode *sn = NULL;
| ^~
spo_alert_fwsam.c:971:27: warning: variable ‘lastbsp’ set but not used [-Wunused-but-set-variable]
971 | static unsigned short lastbsp[FWSAM_REPET_BLOCKS];
| ^~~~~~~
make[3]: *** [Makefile:391: spo_alert_fwsam.o] Error 1
make[3]: Leaving directory '/home/faygo/Downloads/barnyard2-2-1.13/src/output-plugins'
make[2]: *** [Makefile:497: all-recursive] Error 1
make[2]: Leaving directory '/home/faygo/Downloads/barnyard2-2-1.13/src'
make[1]: *** [Makefile:416: all-recursive] Error 1
make[1]: Leaving directory '/home/faygo/Downloads/barnyard2-2-1.13'
make: *** [Makefile:348: all] Error 2
Can anyone guide me to the root issue?
The root issue is that both libpcap and spo_alert_fwsam.c from barnyard2 define SOCKET as a data type, and those two definitions collide (even though they're both defining it as an int), due to libpcap #defining it as int, so that, if spo_alert_fwsam.c does

typedef int SOCKET;

after including pcap/pcap.h, that statement becomes

typedef int int;

which is not legal C.

See barnyard2 issue #245.

Libpcap should probably define PCAP_SOCKET as int on UN*Xes and as SOCKET on Windows, and use PCAP_SOCKET rather than SOCKET in its declarations and code, so that they don't collide.

(That would introduce an API breakage in libpcap, but only on UN*Xes. On Windows, the two libpcap APIs that currently use SOCKET would be used in code that includes the Windows SDK headers that define SOCKET, and the libpcap header would define PCAP_SOCKET as SOCKET, meaning code that uses SOCKET variables to hold the return values of those APIs will work on Windows. On UN*Xes, those APIs are declared in the headers but not provided in the library by default (you have to build the library with a special configuration option to get the remote capture support), and they're weird enough that few programs use them (neither tcpdump nor Wireshark, which are two of the most significant users of libpcap, use them), so that breakage will probably inconvenience few if any developers.)
But fixing that won't fix the immediate problem. Applying the change from barnyard2 pull request #254 to the barnyard2 source should work around the problem.
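As an added illustration of the collision the answer describes (a constructed example, not barnyard2's or libpcap's code): a stand-in header that #defines SOCKET as int the way libpcap does on UN*X, followed by a guarded typedef so the plugin's alias no longer expands to "typedef int int;". The PCAP_SOCKET macro and the #ifndef guard are assumptions illustrating the answer's suggestion; they are not what pull request #254 actually changes.

```c
/* Constructed stand-in for the part of pcap/pcap.h that, on UN*X systems,
 * makes SOCKET a macro for int (this mirrors the answer's description; it
 * is not libpcap's real header). PCAP_SOCKET is the answer's proposed
 * replacement name, added here as an assumption. */
#ifdef _WIN32
#  define PCAP_SOCKET SOCKET   /* the real SOCKET comes from the Windows SDK */
#else
#  define PCAP_SOCKET int
#  define SOCKET int           /* the definition that triggers the clash */
#endif

/* Constructed stand-in for spo_alert_fwsam.c. Its unconditional line
 *     typedef int SOCKET;
 * is rewritten by the preprocessor to "typedef int int;" once the macro
 * above is in scope, which is the "two or more data types in declaration
 * specifiers" error in the build log. Guarding the typedef keeps the
 * plugin's own alias only when no header has already claimed the name
 * (a hypothetical workaround; not necessarily what PR #254 does). */
#ifndef SOCKET
typedef int SOCKET;
#endif

/* Uses the alias the way the plugin's socket code would; compiles whether
 * SOCKET ended up as the macro or as the typedef. */
SOCKET fwsam_wrap_descriptor(int fd)
{
    SOCKET s = fd;
    return s;
}

/* Returns 1 when SOCKET and PCAP_SOCKET have the same size, i.e. the two
 * names still describe the same underlying integer type. */
int socket_types_agree(void)
{
    return sizeof(SOCKET) == sizeof(PCAP_SOCKET);
}

/* Returns 1 when the name SOCKET is a macro at this point, meaning the
 * libpcap-style definition won and the guarded typedef above was skipped. */
int socket_is_macro(void)
{
#ifdef SOCKET
    return 1;
#else
    return 0;
#endif
}
```

Removing the #ifndef guard (or the stand-in #define) and recompiling reproduces the "two or more data types in declaration specifiers" error from the log.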