102. Barnyard Installation on Ubuntu

Tested On

OS: Ubuntu 12.04 x86_64 LTS, Ubuntu 11.10 i386, Ubuntu 11.10 x86_64, Ubuntu 10.04 x86_64 LTS, Ubuntu 10.04 i386 LTS, CentOS
Snort Version: 2.9.2.2 IPv6 GRE (Build 121)
Hardware: VirtualBox 4.1.12

About

Barnyard is an add-on for Snort. Snort writes its log and alert data very quickly to binary files, and Barnyard reads those files and sends the data to whatever output you configure. Here we will configure it to write the data to a MySQL database so that we can view the data with a PHP application called BASE.

Prerequisite

Install Barnyard

  • Install MySQL
apt-get install mysql-client libmysqlclient-dev mysql-server git autoconf2.13 libtool -y
  • Download Barnyard and run autogen
cd /usr/local/src/snort
git clone https://github.com/firnsy/barnyard2.git barnyard2
cd barnyard2
./autogen.sh
  • Configure Barnyard
    • On i386 system
./configure --with-mysql
    • On x86_64 system
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
  • Install Barnyard
make && make install
  • Create MySQL DB and Set permission
mysqladmin create snort -p
mysql -p
grant ALL PRIVILEGES on snort.* to snort@localhost with GRANT option;
SET PASSWORD FOR snort@localhost=PASSWORD('snort');
\q
cd /usr/local/src/snort/barnyard2/schemas
mysql -p snort < create_mysql
  • Create Barnyard2 start script
vi /etc/init.d/barnyard2
#!/bin/sh
#
# Init file for Barnyard2
#
#
# chkconfig: 2345 40 60
# description:  Barnyard2 is an output processor for snort.
#
# processname: barnyard2
# config: /etc/sysconfig/barnyard2
# config: /etc/snort/barnyard.conf
# pidfile: /var/lock/subsys/barnyard2.pid


# Refuse to run unless snort and its config are present
# (adjust the path if your snort binary is installed elsewhere)
[ -x /usr/sbin/snort ] || exit 1
[ -r /etc/snort/snort.conf ] || exit 1

### Default variables
SYSCONFIG="/etc/default/barnyard2"

### Read configuration (INTERFACES, SNORTDIR, CONF, LOG_FILE, EXTRA_ARGS)
[ -r "$SYSCONFIG" ] && . "$SYSCONFIG"

RETVAL=0
prog="barnyard2"
desc="Snort Output Processor"

start() {
        echo -n "Starting $desc ($prog): "
        # one daemon per interface, each with its own pid file, waldo bookmark and archive directory
        for INT in $INTERFACES; do
                PIDFILE="/var/lock/barnyard2-$INT.pid"
                ARCHIVEDIR="$SNORTDIR/$INT/archive"
                WALDO_FILE="$SNORTDIR/$INT/barnyard2.waldo"
                BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR/${INT} -w $WALDO_FILE -l $SNORTDIR/${INT} -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
                $prog $BARNYARD_OPTS
        done
        # exit status of the last daemon started
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/$prog
        return $RETVAL
}

stop() {
        echo -n "Shutting down $desc ($prog): "
        killall $prog
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/$prog
        return $RETVAL
}

restart() {
        stop
        start
}


reload() {
        echo -n "Reloading $desc ($prog): "
        killall -HUP $prog
        RETVAL=$?
        echo
        return $RETVAL
}


# LSB-style status: 0 when running, 3 when stopped
status() {
        if pidof $prog >/dev/null; then
                echo "$prog (pid $(pidof $prog)) is running"
                return 0
        else
                echo "$prog is stopped"
                return 3
        fi
}


dump() {
        # assumed: like snort, barnyard2 prints its statistics when it receives SIGUSR1
        echo -n "Dumping stats for $desc ($prog): "
        killall -USR1 $prog
        RETVAL=$?
        echo
        return $RETVAL
}


case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart)
        restart
        ;;
  reload)
        reload
        ;;
  condrestart)
        [ -e /var/lock/$prog ] && restart
        RETVAL=$?
        ;;
  status)
        status
        RETVAL=$?
        ;;
  dump)
        dump
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|reload|condrestart|status|dump}"
        RETVAL=1
esac

exit $RETVAL
  • Configure Barnyard start script to run at startup
cd /usr/local/src/snort/barnyard2
chmod +x /etc/init.d/barnyard2
cp rpm/barnyard2.config /etc/default/barnyard2
update-rc.d barnyard2 defaults 98
  • Create links for Barnyard files and directory for archive files
ln -s /usr/local/etc/barnyard2.conf /etc/snort/barnyard.conf
ln -s /usr/local/bin/barnyard2 /usr/bin/
mkdir -p /var/log/snort/eth0/archive/
  • Edit LOG_FILE variable in Barnyard default config file
vi /etc/default/barnyard2
...
LOG_FILE="snort.log"
...
  • Edit Barnyard config file and change the output line to
vi /usr/local/etc/barnyard2.conf
...
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
...
  • Start Snort and Barnyard
service snortd start
service barnyard2 start
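Before starting the services, it is worth checking that the directory layout the init script expects is really in place and that the Barnyard config, which holds the MySQL password in clear text, is not readable by every local user. The script below is an added example and not part of the original post or the barnyard2 project; it takes the same values the init script reads from /etc/default/barnyard2 (SNORTDIR, an interface, CONF, LOG_FILE) as arguments, so it can be pointed at a scratch directory as well as at the live installation.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the layout
# the barnyard2 init script expects.
#
# check_barnyard_layout SNORTDIR INTERFACE CONF LOG_FILE
# Prints one line per problem found and returns the number of problems (0 = ready).
check_barnyard_layout() {
    snortdir=$1
    int=$2
    conf=$3
    logfile=$4
    problems=0
    logdir="$snortdir/$int"

    # -l/-d directory: where snort writes its binary log files and barnyard2 keeps its waldo
    if [ ! -d "$logdir" ]; then
        echo "missing log directory: $logdir"
        problems=$((problems + 1))
    fi

    # -a directory: barnyard2 moves fully processed spool files here
    if [ ! -d "$logdir/archive" ]; then
        echo "missing archive directory: $logdir/archive"
        problems=$((problems + 1))
    fi

    # -c file: must exist, and because it carries the MySQL password in clear text
    # it must not be world-readable (last permission digit with the read bit set)
    if [ ! -r "$conf" ]; then
        echo "missing or unreadable config: $conf"
        problems=$((problems + 1))
    else
        mode=$(stat -c %a "$conf")
        case "$mode" in
            *[4567])
                echo "config is world-readable (mode $mode): $conf"
                problems=$((problems + 1))
                ;;
        esac
    fi

    # -f prefix: at least one spool file should exist once snort has been started
    if ! ls "$logdir/$logfile".* >/dev/null 2>&1; then
        echo "no spool files matching $logdir/$logfile.* (has snort been started?)"
        problems=$((problems + 1))
    fi

    return $problems
}

# Against the live configuration (run as root, after snort has been started):
#   . /etc/default/barnyard2
#   for i in $INTERFACES; do check_barnyard_layout "$SNORTDIR" "$i" "$CONF" "$LOG_FILE"; done
```

A non-zero return means `service barnyard2 start` would either fail or start a daemon with nothing to read; fix the reported items first. If the config permission check fires, `chmod 600 /usr/local/etc/barnyard2.conf` (the symlink in /etc/snort points at the same file) is the usual remedy.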

Barnyard installation is complete. Now that we have a Snort server and Barnyard writing Snort logs and alerts to a MySQL database, we can install a frontend application such as BASE to view and analyze the Snort data in a convenient web application.

Here is a link for BASE Installation.
