Installing Barnyard2

jbc22 edited this page Nov 1, 2011 · 13 revisions

Introduction

We're going to use barnyard2 to tail the log file(s) of your IDS(es). The latest version of barnyard2 can be found here: http://www.securixlive.com/barnyard2/download.php . Likewise, release notes and the latest installation guide can be found here: http://www.securixlive.com/barnyard2/docs/index.php . The last half of this article is broken up into IDS-specific configurations (i.e.: Snort vs Sagan vs Suricata).

Installation

After downloading, unpack, change directories, configure with your database support, make and install. For mysql:

tar -zxvf barnyard2*.tar.gz
cd barnyard2*
./configure --with-mysql
make
sudo make install

For postgresql:

tar -zxvf barnyard2*.tar.gz
cd barnyard2*
./configure --with-postgresql
make
sudo make install

For Oracle:

tar -zxvf barnyard2*.tar.gz
cd barnyard2*
./configure --with-oracle
make
sudo make install

Configure

Move the configuration file to the proper place.

sudo cp etc/barnyard2.conf /etc/

Edit the config file (/etc/barnyard2.conf):

config daemon

config hostname: localhost -> Change to the hostname of your box (you can type hostname at a terminal to determine what this is).

config interface: eth0 -> Change this line to the interface you are going to listen on.

output database: log, mysql, user=snorby password=password dbname=snorby host=localhost -> Add in the proper details for this line (your database type, credentials, database name and the IP of the db server).

config logdir: /var/log/barnyard2/

config waldo_file: /var/log/barnyard2/barnyard2.waldo

Snort Specific

Test Run

Take barnyard2 for a test run:

sudo /usr/local/bin/barnyard2 -c /etc/barnyard2.conf -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/barnyard2/barnyard2.waldo
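The following pre-flight script is an added example, not part of barnyard2 or of this wiki (the by2_* helper names are assumed). It validates the config written in the Configure section together with the -d/-f arguments of the test run above: it reads logdir and waldo_file from the config, refuses the sample password=password value, checks that snort has already written a unified2 spool file, and rejects a world-readable config because it holds database credentials.

```shell
#!/bin/sh
# Added pre-flight check for the layout this page sets up; not part of barnyard2.
# Function names (by2_*) are assumed helpers.

# Value of a "config <key>: <value>" line. $1 = config file, $2 = key
by2_config_value() {
    sed -n "s/^config $2:[[:space:]]*//p" "$1" | head -n 1
}

# First "output database:" line, without the prefix. $1 = config file
by2_db_line() {
    sed -n 's/^output database:[[:space:]]*//p' "$1" | head -n 1
}

# $1 = config file, $2 = unified2 spool dir (-d), $3 = spool file prefix (-f)
# Returns 0 when the setup looks usable, 1 otherwise; findings go to stderr.
by2_check_config() {
    conf=$1 spool=$2 prefix=$3 rc=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    logdir=$(by2_config_value "$conf" logdir)
    waldo=$(by2_config_value "$conf" waldo_file)
    db=$(by2_db_line "$conf")
    # barnyard2 writes its own logs here, so the directory must exist and be writable.
    if [ -z "$logdir" ] || [ ! -w "$logdir" ]; then
        echo "logdir '$logdir' missing or not writable" >&2; rc=1
    fi
    # The waldo bookmark is created on first run, but its directory is not.
    if [ -z "$waldo" ] || [ ! -d "$(dirname "$waldo")" ]; then
        echo "directory for waldo_file '$waldo' does not exist" >&2; rc=1
    fi
    # The sample line ships with password=password; that must not reach production.
    case "$db" in
        "") echo "no 'output database' line found" >&2; rc=1 ;;
        *password=password*) echo "output database still uses the sample password" >&2; rc=1 ;;
    esac
    # -d/-f only work if snort has already written at least one unified2 file.
    if ! ls "$spool/$prefix".* >/dev/null 2>&1; then
        echo "no spool files matching $spool/$prefix.* (check snort's unified2 filename)" >&2; rc=1
    fi
    # The config holds database credentials, so it must not be world-readable.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf" 2>/dev/null)
    case "$mode" in
        *[4567]) echo "$conf is world-readable (mode $mode)" >&2; rc=1 ;;
    esac
    return "$rc"
}
```

Run it as `by2_check_config /etc/barnyard2.conf /var/log/snort snort.log` before the test run; every finding is printed and a non-zero exit means at least one problem was found.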

Adding to startup

Brigham Young University did a great write-up on this. The following is a snippet from their article, with minor grammatical and wiki formatting changes (see: https://lswiki.byu.edu/index.php/Snort,_Barnyard2,_and_Snorby):

Now we create a startup script which takes care of starting up barnyard2. Go to your home directory and edit a file named 'barnyard2'. The following should be the contents of that file:

#!/bin/sh
# barnyard2 init script. -c points at the config placed in /etc earlier on this
# page; the -f value must match the unified2 filename in snort's output config
# (the test run above used snort.log, the BYU script snort.out).
# Plain echo is used because 'echo -e' is not portable under /bin/sh (dash prints the -e).

case $1 in
	start)
		echo "starting $0..."
		barnyard2 -c /etc/barnyard2.conf -d /var/log/snort -f snort.out
		echo 'done.'
	;;
	stop)
		echo "stopping $0..."
		killall barnyard2
		echo 'done.'
	;;
	restart)
		$0 stop
		$0 start
	;;
	*)
		echo "usage: $0 (start|stop|restart)"
	;;
esac

Now we set up the script we just made so that it is run at boot time and shutdown time after and before the corresponding snort script is run, respectively:

chmod 700 barnyard2
cp barnyard2 /etc/init.d/
update-rc.d barnyard2 defaults 21 00

Now we reboot our machine and do the usual tests (the mysql 'count' query, etc.) to make sure barnyard2 is working with your IDS. If the database is consistently given more and more data, then everything works so far.

The mysql count query they suggest is as follows (except a minor change in the db name, adapted for this tutorial):

mysql -u root -p
{enter password}
mysql> use snorby;
mysql> select count(*) from event;

Sagan Specific
