102. Barnyard Installation on Ubuntu

Disclaimer: The following information is provided with no representation or warranty of any kind either express or implied. You may use it freely at your own risk, and no one else will be liable for any damages arising out of such usage.

Tested On

OS: Ubuntu 12.04 x86_64 LTS, Ubuntu 11.10 i386, Ubuntu 11.10 x86_64, Ubuntu 10.04 x86_64 LTS, Ubuntu 10.04 i386 LTS, CentOS
Snort Version: 2.9.2.2 IPv6 GRE (Build 121)
Hardware: VirtualBox 4.1.12

About

Barnyard2 is an add-on for Snort. Snort writes its log and alert data very quickly to binary files, and Barnyard2 reads those files and sends the records to whatever output you configure. Here we configure it to write the data to a MySQL database so that the data can be viewed with a PHP application called BASE.

Prerequisite

Install Barnyard

  • Install MySQL
apt-get install mysql-client libmysqlclient-dev mysql-server git autoconf2.13 libtool -y
  • Create MySQL DB and Set permission
mysqladmin create snort -p
mysql -p
grant ALL PRIVILEGES on snort.* to snort@localhost with GRANT option;
SET PASSWORD FOR snort@localhost=PASSWORD('snort');
\q
  • Download Barnyard and run autogen
cd /usr/local/src/snort
git clone https://github.com/firnsy/barnyard2.git barnyard2
cd barnyard2
./autogen.sh
  • Configure Barnyard
    • On i386 system
./configure --with-mysql
    • On x86_64 system
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
  • Install Barnyard
make && make install
  • Load the Barnyard2 schema into the snort database
cd /usr/local/src/snort/barnyard2/schemas
mysql -p snort < create_mysql
  • Create Barnyard2 start script
vi /etc/init.d/barnyard2
#!/bin/sh
#
# Init file for Barnyard2
#
#
# chkconfig: 2345 40 60
# description:  Barnyard2 is an output processor for snort.
#
# processname: barnyard2
# config: /etc/default/barnyard2
# config: /etc/snort/barnyard.conf
# pidfile: /var/lock/barnyard2-<interface>.pid
#
# This follows the Red Hat init script layout (chkconfig headers). The
# /etc/init.d/functions helpers that provide "status" there do not exist
# on Ubuntu, so status and dump are implemented below using the pid files.

[ -x /usr/sbin/snort ] || exit 1
[ -r /etc/snort/snort.conf ] || exit 1

### Default variables
SYSCONFIG="/etc/default/barnyard2"

### Read configuration (INTERFACES, SNORTDIR, CONF, LOG_FILE, EXTRA_ARGS)
[ -r "$SYSCONFIG" ] && . "$SYSCONFIG"

RETVAL=0
prog="barnyard2"
desc="Snort Output Processor"

# /bin/sh on Ubuntu is dash, which does not understand bash's $"..."
# locale quoting, so plain double quotes are used for all messages.
start() {
        echo -n "Starting $desc ($prog): "
        for INT in $INTERFACES; do
                PIDFILE="/var/lock/barnyard2-$INT.pid"
                ARCHIVEDIR="$SNORTDIR/$INT/archive"
                WALDO_FILE="$SNORTDIR/$INT/barnyard2.waldo"
                BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR/${INT} -w $WALDO_FILE -l $SNORTDIR/${INT} -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
                $prog $BARNYARD_OPTS
        done
        # exit status of the last barnyard2 started
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/$prog
        return $RETVAL
}

stop() {
        echo -n "Shutting down $desc ($prog): "
        killall $prog
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/$prog
        return $RETVAL
}

restart() {
        stop
        start
}

reload() {
        echo -n "Reloading $desc ($prog): "
        killall -HUP $prog
        RETVAL=$?
        echo
        return $RETVAL
}

# Report the state of each per-interface instance from the pid file
# barnyard2 writes because of -X. Returns 3 (LSB "not running") if any
# instance is down.
status() {
        RETVAL=0
        for INT in $INTERFACES; do
                PIDFILE="/var/lock/barnyard2-$INT.pid"
                if [ -r "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
                        echo "$prog ($INT) is running, pid $(cat "$PIDFILE")"
                else
                        echo "$prog ($INT) is not running"
                        RETVAL=3
                fi
        done
        return $RETVAL
}

# Ask barnyard2 to write out its statistics. This assumes barnyard2
# reacts to SIGUSR1 the way snort does.
dump() {
        echo -n "Dumping $desc ($prog) statistics: "
        killall -USR1 $prog
        RETVAL=$?
        echo
        return $RETVAL
}

case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart)
        restart
        ;;
  reload)
        reload
        ;;
  condrestart)
        [ -e /var/lock/$prog ] && restart
        RETVAL=$?
        ;;
  status)
        status
        RETVAL=$?
        ;;
  dump)
        dump
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|reload|condrestart|status|dump}"
        RETVAL=1
esac

exit $RETVAL
  • Configure Barnyard start script to run at startup
cd /usr/local/src/snort/barnyard2
chmod +x /etc/init.d/barnyard2
cp rpm/barnyard2.config /etc/default/barnyard2
update-rc.d barnyard2 defaults 98
  • Create links for Barnyard files and directory for archive files
ln -s /usr/local/etc/barnyard2.conf /etc/snort/barnyard.conf
ln -s /usr/local/bin/barnyard2 /usr/bin/
mkdir -p /var/log/snort/eth0/archive/
  • Edit LOG_FILE variable in Barnyard default config file
vi /etc/default/barnyard2
...
LOG_FILE="snort.log"
...
  • Edit Barnyard config file and change the output line to
vi /usr/local/etc/barnyard2.conf
...
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
...
  • Start Snort and Barnyard
service snortd start
service barnyard2 start
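
When the snort database stays empty, the first thing to check is whether Snort is actually writing events to the binary spool files that Barnyard2 reads (here /var/log/snort/eth0/snort.log.<timestamp>). The following Python parser is an added example, not code from this post or from barnyard2: it decodes the unified2 record header and the IPv4 event record (type 7) that Snort 2.9.x writes, and builds a constructed sample spool so it can be run offline.

```python
import socket
import struct

# Record types used here, as written by Snort 2.9.x unified2 output.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# Every record starts with an 8-byte big-endian header: type, length.
RECORD_HEADER = struct.Struct("!II")
# UNIFIED2_IDS_EVENT (IPv4) body: 11 uint32, 2 uint16, 4 uint8 = 52 bytes.
IDS_EVENT = struct.Struct("!11I2H4B")
IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision", "classification_id",
    "priority_id", "ip_source", "ip_destination", "sport_itype", "dport_icode",
    "protocol", "impact_flag", "impact", "blocked",
)


def iter_records(data):
    """Yield one dict per complete record in a unified2 spool buffer.
    A trailing partial record (Snort is still writing it) is left alone."""
    offset = 0
    while offset + RECORD_HEADER.size <= len(data):
        rtype, rlen = RECORD_HEADER.unpack_from(data, offset)
        start = offset + RECORD_HEADER.size
        if start + rlen > len(data):
            break  # record not completely written yet
        body = data[start:start + rlen]
        if rtype == UNIFIED2_IDS_EVENT and rlen == IDS_EVENT.size:
            fields = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack(body)))
            for key in ("ip_source", "ip_destination"):
                fields[key] = socket.inet_ntoa(struct.pack("!I", fields[key]))
            yield {"type": "event", **fields}
        else:
            yield {"type": "other", "record_type": rtype, "length": rlen}
        offset = start + rlen


def sample_spool():
    """Constructed sample, not a real capture: one IPv4 event, one packet
    record, and a truncated record that is still being written."""
    src = struct.unpack("!I", socket.inet_aton("10.0.0.5"))[0]
    dst = struct.unpack("!I", socket.inet_aton("192.168.1.10"))[0]
    event = IDS_EVENT.pack(1, 42, 1335000000, 123456, 1000001, 1, 3, 3, 2,
                           src, dst, 54321, 80, 6, 0, 0, 0)
    packet = b"\x00" * 28 + b"\xaa\xbb\xcc\xdd"  # 28-byte packet header + data
    partial = RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size) + b"\x00" * 10
    return (RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, len(event)) + event
            + RECORD_HEADER.pack(UNIFIED2_PACKET, len(packet)) + packet + partial)
```

Against a real spool file, `list(iter_records(open(path, "rb").read()))` shows the events Barnyard2 should be inserting; if events are present there but not in MySQL, the problem is on the Barnyard2 or database side.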

Barnyard installation completed. Now that we have a Snort server and Barnyard writing Snort logs and alerts to a MySQL database, we can install a frontend application such as BASE to view and analyze the Snort data in a convenient web application.

Here is a link for BASE Installation.
