Skip to content
Branch: master
Find file History
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


Slackware Current Repository by Conraid


barnyard2 (Snort output processor)

Barnyard2 is a fork of the original barnyard project, designed
specifically for Snort's new unified2 file format. It is a critical
tool for the parsing of Snort's binary log files to a variety of
output plugins, capable of asynchronously processing, while Snort
continues it's job.



0) Preparation

For Barnyard2 to be useful, you will need a working setup of Snort, saving
output to a log in the binary "unified2" format.
Check the Snort documentation to find out how to do this.

You will also need a working database server. These instructions are based
on using MySQL, as it is included with Slackware, but other databases can
be used as well.

1) Test Barnyard2

Before starting Barnyard2 as a daemon, do a quick test to see if it can read
the Snort log:

  # barnyard2 -d /var/log/snort -f snort.log

Barnyard2 will parse the its configuration file and start processing the Snort
log file.
If there are already events in the log, it will show them with their

Now check if Snort is working by doing a port scan from another computer on
the network (this won't work if done from another terminal on the same system)

  # nmap -A <ip_address_of_snort_box>

Snort should detect the port scan, write the event to the log, and Barnyard2
should display it.

2) Configure Barnyard2

2.1 Setting up your database

Follow these steps to set up the database in MySQL:
(replacing the <...> fields with your passwords)

  # cd /usr/doc/barnyard2-*/schemas
  # mysql -p
  Enter password: <your_mysql_root_password>

  mysql> create database snort;
  mysql> grant create,select,update,insert,delete on snort.* to snort@localhost;
  mysql> set password for snort@localhost=PASSWORD('<your_mysql_snort_password>');
  mysql> exit

  # mysql -p < create_mysql snort
  Enter password: <your_mysql_root_password>

This will create the snort database and the tables.

2.2 Edit the configuration file

Open the /etc/barnyard2.conf file with your favorite editor, go to the end and
edit the sample mysql configuration so that it looks like this:

  output database: log, mysql, user=snort password=<your_mysql_snort_password> dbname=snort host=localhost

2.3 Start barnyard2 as a daemon

The Barnyard2 package installs a script to start and stop the daemon. Use it
like this to start Barnyard2:

  # /etc/rc.d/rc.barnyard2 start

You can repeat the test with the port scan and the event should be logged in
your database now.

3) Automatic startup and shutdown of Barnyard2

If you want Barnyard2 to start / stop automatically at boot and shutdown, use
these lines in your /etc/rc.d/rc.local:

# Start barnyard2
if [ -x /etc/rc.d/rc.barnyard2 ] ; then
        echo "Starting Barnyard2..."
        /etc/rc.d/rc.barnyard2 start

And include this in your /etc/rc.d/rc.local_shutdown:

# Stop barnyard2
if [ -x /etc/rc.d/rc.barnyard2 ] ; then
        echo "Stopping Barnyard2..."
        /etc/rc.d/rc.barnyard2 stop

You can’t perform that action at this time.