Barnyard2
Description
Barnyard2 is an open source interpreter for Snort unified2 binary output files. Its primary use is allowing Snort to write to disk in an efficient manner and leaving the task of parsing binary data into various formats to a separate process that will not cause Snort to miss network traffic.
Installation
$ cd /data/src/
$ wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
$ tar xzvf barnyard2-1.9.tar.gz
$ cd barnyard2-1.9/
$ ./configure --with-mysql
$ make
# make install
Configuration
Move the barnyard2 configuration file from its default location to /etc/snort/ (whichever directory you pick, the barnyard2 command line further down must point at the same file):
# mv /usr/local/etc/barnyard2.conf /usr/local/etc/snort/
Then edit it to specify the database where events will be written:
# vim /usr/local/etc/snort/barnyard2.conf
Adapt the following lines to your configuration:
config reference_file: /usr/local/etc/snort/reference.config
config classification_file: /usr/local/etc/snort/classification.config
config gen_file: /usr/local/etc/snort/gen-msg.map
config sid_file: /usr/local/etc/snort/sid-msg.map
Change this line:
output alert_fast: stdout
to this:
output alert_fast
In addition, add the following line at the end of the file (adapt the password):
output database: log, mysql, user=snort password=snort_password dbname=snort host=localhost
Test Snort with Barnyard2
Start Snort:
# /usr/local/bin/snort -q \
    -u snort -g snort \
    -c /etc/snort/snort.conf \
    -i eth0 &
Then start Barnyard2:
# /usr/local/bin/barnyard2 \
    -c /etc/snort/barnyard2.conf \
    -d /var/log/snort \
    -f snort.log \
    -w /etc/snort/barnyard2.waldo \
    -G /etc/snort/gen-msg.map \
    -S /etc/snort/sid-msg.map \
    -C /etc/snort/classification.config &
Check that events are properly added to the table "event", either by using phpMyAdmin or manually:
$ mysql -u snort -p snort -e 'select * from event'
Enter password: <<snort_password>>
+-----+-----+-----------+---------------------+
| sid | cid | signature | timestamp           |
+-----+-----+-----------+---------------------+
|   1 |   1 |         1 | 2011-03-11 15:38:40 |
|   1 |   2 |         1 | 2011-03-11 15:38:43 |
|   1 |   3 |         1 | 2011-03-11 15:38:45 |
|   1 |   4 |         1 | 2011-03-11 15:38:47 |
|   1 |   5 |         1 | 2011-03-11 15:38:48 |
+-----+-----+-----------+---------------------+
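The rows above are what barnyard2 produces after reading Snort's unified2 file named with -f. As an added example (not part of this page nor of barnyard2), the parser below walks that on-disk format, assuming the 8-byte record header and the legacy IPv4 IDS event layout from Snort's unified2 definitions, over a constructed two-record stream; it refuses a truncated record rather than dropping it, which is the situation a reader faces while Snort is still writing.

```python
import struct
import socket

# Record types from Snort's unified2 definitions (assumed): 2 = packet, 7 = IPv4 IDS event.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# Legacy IPv4 IDS event body: 11 x uint32, 2 x uint16, 4 x uint8, big-endian, 52 bytes.
EVENT_FMT = ">11I2H4B"
EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision", "classification_id",
    "priority_id", "ip_source", "ip_destination", "sport_itype", "dport_icode",
    "protocol", "impact_flag", "impact", "blocked",
)


def parse_unified2(data):
    """Split a unified2 byte stream into (type, payload) tuples.

    Each record is a big-endian uint32 type and uint32 length, then `length`
    body bytes. IDS events are decoded to a dict; other types stay raw bytes.
    A short header or body raises ValueError (unfinished write by Snort).
    """
    records = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < 8:
            raise ValueError("truncated record header at offset %d" % offset)
        rtype, rlen = struct.unpack_from(">II", data, offset)
        body = data[offset + 8:offset + 8 + rlen]
        if len(body) != rlen:
            raise ValueError("truncated record body at offset %d" % offset)
        if rtype == UNIFIED2_IDS_EVENT and rlen == struct.calcsize(EVENT_FMT):
            event = dict(zip(EVENT_FIELDS, struct.unpack(EVENT_FMT, body)))
            for key in ("ip_source", "ip_destination"):  # uint32 -> dotted quad
                event[key] = socket.inet_ntoa(struct.pack(">I", event[key]))
            records.append((rtype, event))
        else:
            records.append((rtype, body))
        offset += 8 + rlen
    return records


def sample_stream():
    """Constructed sample: one IDS event (sid 1, gid 1) followed by a packet record."""
    event = struct.pack(EVENT_FMT, 1, 1, 1299857920, 0, 1, 1, 5, 3, 2,
                        0xC0A80001, 0xC0A80002, 40000, 80, 6, 0, 0, 0)
    packet = b"\x00" * 24 + b"constructed packet bytes"
    return (struct.pack(">II", UNIFIED2_IDS_EVENT, len(event)) + event
            + struct.pack(">II", UNIFIED2_PACKET, len(packet)) + packet)
```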