Fetching latest commit…
Cannot retrieve the latest commit at this time.
|Failed to load latest commit information.|
Slackware Current Repository by Conraid ====================================================================== barnyard2 (Snort output processor) Barnyard2 is a fork of the original barnyard project, designed specifically for Snort's new unified2 file format. It is a critical tool for the parsing of Snort's binary log files to a variety of output plugins, capable of asynchronously processing, while Snort continues it's job. HOME: https://github.com/firnsy/barnyard2 ====================================================================== NOTE: 0) Preparation -------------- For Barnyard2 to be useful, you will need a working setup of Snort, saving output to a log in the binary "unified2" format. Check the Snort documentation to find out how to do this. You will also need a working database server. These instructions are based on using MySQL, as it is included with Slackware, but other databases can be used as well. 1) Test Barnyard2 ----------------- Before starting Barnyard2 as a daemon, do a quick test to see if it can read the Snort log: # barnyard2 -d /var/log/snort -f snort.log Barnyard2 will parse the its configuration file and start processing the Snort log file. If there are already events in the log, it will show them with their classification. Now check if Snort is working by doing a port scan from another computer on the network (this won't work if done from another terminal on the same system) # nmap -A <ip_address_of_snort_box> Snort should detect the port scan, write the event to the log, and Barnyard2 should display it. 2) Configure Barnyard2 ---------------------- 2.1 Setting up your database Follow these steps to set up the database in MySQL: (replacing the <...> fields with your passwords) # cd /usr/doc/barnyard2-*/schemas # mysql -p Enter password: <your_mysql_root_password> mysql> create database snort; mysql> grant create,select,update,insert,delete on snort.* to snort@localhost; mysql> set password for snort@localhost=PASSWORD('<your_mysql_snort_password>'); mysql> exit # mysql -p < create_mysql snort Enter password: <your_mysql_root_password> This will create the snort database and the tables. 2.2 Edit the configuration file Open the /etc/barnyard2.conf file with your favorite editor, go to the end and edit the sample mysql configuration so that it looks like this: output database: log, mysql, user=snort password=<your_mysql_snort_password> dbname=snort host=localhost 2.3 Start barnyard2 as a daemon The Barnyard2 package installs a script to start and stop the daemon. Use it like this to start Barnyard2: # /etc/rc.d/rc.barnyard2 start You can repeat the test with the port scan and the event should be logged in your database now. 3) Automatic startup and shutdown of Barnyard2 ---------------------------------------------- If you want Barnyard2 to start / stop automatically at boot and shutdown, use these lines in your /etc/rc.d/rc.local: # Start barnyard2 if [ -x /etc/rc.d/rc.barnyard2 ] ; then echo "Starting Barnyard2..." /etc/rc.d/rc.barnyard2 start fi And include this in your /etc/rc.d/rc.local_shutdown: # Stop barnyard2 if [ -x /etc/rc.d/rc.barnyard2 ] ; then echo "Stopping Barnyard2..." /etc/rc.d/rc.barnyard2 stop fi ======================