(This is Part III of my Snort+Barnyard+MySQL+BASE installation guide. The Intro part can be found here)
Barnyard2 runs in the background alongside Snort. It is in charge of parsing and processing Snort's unified2 logs/alerts and sending them to a different destination (where they will be used for security analysis and monitoring), such as a database server. Because Barnyard2 runs independently of Snort, it doesn't need to process the logs/alerts in real time, that is, at the same moment Snort generates them. This is the whole point of the split: Snort only has to append a binary record to a spool file and never blocks on a slow or unavailable database, so an output backlog does not turn into dropped packets on the sensor. Barnyard2 only needs to keep track of how far it has got at any given time. For this purpose, Barnyard2 uses a "waldo" (bookmark) file, where it saves which spool file it is currently processing and the position of the last record it processed within that file.
Barnyard is available in two milestone versions:
- Barnyard: aimed at processing Snort unified log/alert files
- Barnyard2: capable of processing Snort unified2 log/alert files. In this guide, I'll use this version
- I'll set up Barnyard2 to process Snort's unified2 files and send the processed data to a MySQL database backend. Using another data handler (output plug-in) is straightforward. In this guide, I'll use Snort alerts; using Snort logs works exactly the same way.
- Satisfy Barnyard2's compilation dependencies. The MySQL client headers are needed for the --with-mysql output plug-in; on RedHat-based distros the package is mysql-devel (not mysql-dev). You also need a C toolchain (gcc, make) and libpcap-devel, which Barnyard2's configure script checks for:
# yum install mysql-devel
- Download Barnyard2 from http://www.securixlive.com/barnyard2/download.php and install it:
# ./configure --bindir=/usr/bin --sysconfdir=/etc/barnyard2 --with-mysql
# make && make install
This puts the barnyard2 binary in /usr/bin and makes /etc/barnyard2 the configuration directory. If make install does not leave a barnyard2.conf there, create the directory and copy the sample barnyard2.conf from the etc/ directory of the source tree into /etc/barnyard2 before going on.
- Make the default log directory:
# mkdir /var/log/barny
This is the default location; to send logs elsewhere, use "-l <dir>" on the command line. Whatever directory you use must exist and be writable by the account Barnyard2 runs as. If you drop privileges with "-u <user>" and "-g <group>" (recommended for a long-running daemon that parses attacker-influenced data), make that user the owner of this directory and of the waldo file, and give it read access to Snort's spool directory.
- In barnyard2.conf find "config hostname" and set it to your hostname, or to whatever name you want Barnyard2 to use to identify your Snort sensor (if left commented out, the system hostname is used anyway). The database identifies the sensor by this hostname/interface pair, so keep both values stable across restarts or you will end up with duplicate sensor entries.
- In barnyard2.conf find "config interface" and set it to the interface Snort sniffs on ("eth1" in this guide).
- In barnyard2.conf find "output database" and set it according to your MySQL settings. To specify a password, append the "password" argument followed by the DB password. I used (according to the steps taken when installing MySQL in this guide – see HERE):
"output database: alert, mysql, user=root password=test dbname=snortdb host=localhost"
Two caveats for anything beyond a lab box. First, don't let Barnyard2 log in as the MySQL root user: create a dedicated account that is granted only the privileges it needs on snortdb (it inserts event rows and reads/creates sensor and signature rows) and put that account here. Second, the password sits in clear text in barnyard2.conf, so make the file readable only by root (or by the user Barnyard2 runs as) and keep it out of world-readable backups and version control.
NOTE: Like Snort, Barnyard2 can output several data formats simultaneously (database, syslog, plain text, etc.). You can enable them in this file (see the documentation included in the file).
- Configure Snort's unified2 output plug-in. In /etc/snort/snort.conf find "output unified2" and uncomment it. The filename argument on that line is the base name Barnyard2 will be told to look for with -f. Make sure the other output modules are commented out, so Snort does the detection and Barnyard2 does the rest.
- As Barnyard2 will be used, we don't need Snort's fast alerts, nor its separate binary packet log: the unified2 spool already carries everything Barnyard2 needs. Edit /etc/sysconfig/snort and set:
#ALERTMODE=fast (commented out)
- Restart Snort (MySQL should already be running):
# service snortd restart
- Start Barnyard2. If you've set the "config daemon" option in barnyard2.conf, Barnyard2 will run as a daemon. Otherwise, it runs in the foreground in the current session. You can also use -D on the command line to run as a daemon:
# barnyard2 -c /etc/barnyard2/barnyard2.conf -d /var/log/snort -f snort.alert.u -w /etc/barnyard2/barnyard2.waldo
Here -d is the directory where Snort writes its unified2 spool files, -f is the base filename set on snort.conf's unified2 output line (Barnyard2 picks up the files named <base>.<timestamp> in that directory), and -w is the waldo (bookmark) file. Running in the foreground the first time is worthwhile: you get to see the MySQL connection being established and the sensor being registered before you send it to the background.
NOTE: The first time, Barnyard2 will warn that there is "No waldo file". This is OK: Barnyard2 creates the file and keeps it updated as it processes the spool.
NOTE: You can use "-n" on the command line, or "config process_new_records_only" in the config file, to instruct Barnyard2 to process new records only. See below for details about processing new records only.
Barnyard2 start/stop init.d script
I've modified/written a Barnyard2 init.d startup script (based on http://www.internetsecurityguru.com/barnyard). My script depends on a Barnyard2 daemon configuration file (/etc/sysconfig/barnyard2). The script is for RedHat-based distros. To use it:
- Copy init.d/barnyard2 to /etc/init.d/ and set exec permissions on the file:
# cp init.d/barnyard2 /etc/init.d
# chmod a+x /etc/init.d/barnyard2
- Copy sysconfig/barnyard2 to /etc/sysconfig/:
# cp sysconfig/barnyard2 /etc/sysconfig
- Register the new service in the system:
# chkconfig --add barnyard2
To start/stop the service use "service barnyard2 start | stop". You can find a copy of these files at the link shown at the end of the post.
Processing new records only
You can use "-n" on the command line to instruct Barnyard to process new records only. Starting in Barnyard 0.2, there is a new option for continual-mode processing. This option, -n, is used to specify that only new events are processed. This allows us to configure Barnyard to ignore any existing events and only process events that are received after it was started. This option has special interactions when used with the bookmark option. Normally, when using the bookmark option before a bookmark has been created, Barnyard will process all of the existing records. Oftentimes, this is not the desired behavior, and it would be convenient if we could configure Barnyard to process only the new records. This can be accomplished by combining the -n and -w options. If both the -n and -w options are specified and the bookmark file does not exist, then Barnyard will skip any existing records and only process new records as they arrive (and update the bookmark file accordingly). However, if the bookmark file does exist, Barnyard will start processing events as indicated by the contents of the bookmark file. It is common to use both the bookmark and new events-only options together when running Barnyard in continual-processing mode.
(Taken from the book "Snort IDS and IPS Toolkit" – see the Intro part of the guide for references and bibliography)
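To make the waldo and -n/-w behaviour described above concrete, here is an added example of my own (it is not Barnyard2's code, nor taken from the book): a minimal unified2 spool reader in Python that applies the same three rules. It assumes a plain-text bookmark of the form "spoolfile offset", which stands in for Barnyard2's binary waldo; it uses the type-7 (IPv4 event) and type-2 (packet) record layouts from Snort's Unified2_common.h; and the sample records it reads are constructed inline and written to a temporary file, so nothing talks to a database.

```python
# Added example (not Barnyard2's code): a minimal model of how Barnyard2 walks
# a unified2 spool file and how -w (bookmark) and -n (new records only) interact.
# Assumptions: a "spoolfile offset" text file stands in for the binary waldo;
# record layouts follow Snort's Unified2_common.h; sample records are constructed.
import os
import socket
import struct
import tempfile

U2_HEADER = struct.Struct(">II")      # Serial_Unified2_Header: type, length (big-endian)
UNIFIED2_PACKET = 2                   # Serial_Unified2Packet
UNIFIED2_IDS_EVENT = 7                # Unified2_IDSEvent (IPv4)
U2_IDS_EVENT = struct.Struct(">11I2H4B")  # 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes


def _ip(addr):
    return struct.unpack(">I", socket.inet_aton(addr))[0]

def build_event(event_id, sec, gid, sid, src, dst, sport, dport, proto):
    """Constructed type-7 record (sensor_id=1, sig rev=1, class=0, priority=2)."""
    body = U2_IDS_EVENT.pack(1, event_id, sec, 0, sid, gid, 1, 0, 2, _ip(src), _ip(dst),
                             sport, dport, proto, 0, 0, 0)
    return U2_HEADER.pack(UNIFIED2_IDS_EVENT, len(body)) + body

def build_packet(event_id, sec, payload):
    """Constructed type-2 record: 7 x uint32 (linktype 1 = Ethernet) + packet bytes."""
    body = struct.pack(">7I", 1, event_id, sec, sec, 0, 1, len(payload)) + payload
    return U2_HEADER.pack(UNIFIED2_PACKET, len(body)) + body

def iter_records(path, start_offset=0):
    """Yield (offset, type, body) for each complete record from start_offset.
    A truncated tail (Snort may still be writing it) ends the walk quietly."""
    with open(path, "rb") as fh:
        fh.seek(start_offset)
        while True:
            offset = fh.tell()
            hdr = fh.read(U2_HEADER.size)
            if len(hdr) < U2_HEADER.size:
                return
            rtype, length = U2_HEADER.unpack(hdr)
            body = fh.read(length)
            if len(body) < length:
                return
            yield offset, rtype, body

def read_bookmark(path):
    """Return (spool_name, offset), or None if no bookmark has been written yet."""
    try:
        with open(path) as fh:
            name, off = fh.read().split()
        return name, int(off)
    except FileNotFoundError:
        return None

def write_bookmark(path, spool_name, offset):
    """Write via rename so a crash cannot leave a half-written bookmark behind."""
    with open(path + ".tmp", "w") as fh:
        fh.write(f"{spool_name} {offset}\n")
    os.replace(path + ".tmp", path)

def process_spool(spool_path, bookmark_path, new_only=False):
    """Apply the -w/-n rules; return the (gid, sid, src, dst) events processed.
    bookmark exists       -> resume where it points (new_only is irrelevant)
    no bookmark, new_only -> start at end of file, i.e. skip existing records
    no bookmark, else     -> process the whole file from offset 0"""
    spool_name = os.path.basename(spool_path)
    mark = read_bookmark(bookmark_path)
    if mark is not None and mark[0] == spool_name:
        start = mark[1]
    else:
        start = os.path.getsize(spool_path) if new_only else 0
    events, last = [], start
    for offset, rtype, body in iter_records(spool_path, start):
        last = offset + U2_HEADER.size + len(body)
        if rtype == UNIFIED2_IDS_EVENT:
            f = U2_IDS_EVENT.unpack_from(body)
            src = socket.inet_ntoa(struct.pack(">I", f[9]))
            dst = socket.inet_ntoa(struct.pack(">I", f[10]))
            events.append((f[5], f[4], src, dst))   # generator_id, signature_id
        # type-2 packet records travel with their event; left undecoded here
    write_bookmark(bookmark_path, spool_name, last)
    return events

def demo():
    """Four runs over one constructed spool file, one per case in the text."""
    d = tempfile.mkdtemp()
    spool = os.path.join(d, "snort.alert.u.1300000000")
    with open(spool, "wb") as fh:
        fh.write(build_event(1, 1300000000, 1, 2003, "10.0.0.5", "192.168.1.10", 41000, 80, 6))
        fh.write(build_packet(1, 1300000000, b"GET /cmd.exe HTTP/1.0\r\n\r\n"))
        fh.write(build_event(2, 1300000001, 1, 1000, "10.0.0.7", "192.168.1.10", 5555, 22, 6))
    w_all, w_new = os.path.join(d, "waldo.all"), os.path.join(d, "waldo.new")
    r = {"fresh": process_spool(spool, w_all),                       # no -n: both events
         "new_only": process_spool(spool, w_new, new_only=True)}     # -n, no mark: nothing
    with open(spool, "ab") as fh:                                    # Snort appends a third...
        fh.write(build_event(3, 1300000002, 1, 1000, "10.0.0.8", "192.168.1.10", 5556, 22, 6))
        fh.write(U2_HEADER.pack(UNIFIED2_PACKET, 64)[:6])            # ...and a half-written header
    r["resume"] = process_spool(spool, w_all)                        # only event 3
    r["resume_new_only"] = process_spool(spool, w_new, new_only=True)  # same: the mark wins
    return r
```

Call demo() and compare the four results: a fresh run without -n processes both existing events; -n with no bookmark processes none; once a bookmark exists, both variants resume from it and pick up only the appended event, and the half-written trailing header is left for the next pass instead of being treated as corruption. This is also why the waldo should never be deleted or hand-edited while Barnyard2 is running: a missing bookmark means the whole spool is replayed into the database (duplicate rows) or, with -n, everything already on disk is silently skipped.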
(Intro part can be found here)
Barnyard(2) scripts: http://www.jigsawshare.com/12809