------------------------------------------------------------------------------
0. SUMMARY
------------------------------------------------------------------------------

Barnyard2 - version 2-1.10

This README contains some quick information about how to set up and
configure barnyard2 to ensure it works as it should.

Distribution Site:
http://www.securixlive.com/barnyard2


------------------------------------------------------------------------------
1. COPYRIGHT
------------------------------------------------------------------------------

Copyright (C)2008-2012 Ian Firns <firnsy@securixlive.com>
Copyright (C)2008-2010 SecurixLive <dev@securixlive.com>

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License Version 2 as
published by the Free Software Foundation. You may not use, modify or
distribute this program under any other version of the GNU General
Public License.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

Some of this code has been taken from Snort, which was developed by
Martin Roesch and The Snort Team (http://www.snort.org/team.html).

Some of this code has been taken from barnyard, which was developed by
Martin Roesch and Andrew R. Baker.

Some of this code has been taken from tcpdump, which was developed
by the Network Research Group at Lawrence Berkeley National Lab,
and is copyrighted by the University of California Regents.


------------------------------------------------------------------------------
2. DESCRIPTION
------------------------------------------------------------------------------

Barnyard2 is an open source interpreter for Snort unified2 binary output files.
Its primary use is allowing Snort to write to disk in an efficient manner and
leaving the task of parsing binary data into various formats to a separate
process that will not cause Snort to miss network traffic.

Barnyard2 has 3 modes of operation:
1. batch (or one-shot),
2. continual, and
3. continual w/ bookmark.

In batch (or one-shot) mode, barnyard2 will process the explicitly specified
file(s) and exit.

In continual mode, barnyard2 will start with a location to look and a specified
file pattern and continue to process new data (and new spool files) as they
appear.

Continual mode w/ bookmarking will also use a checkpoint file (or waldo file in
the snort world) to track where it is. In the event the barnyard2 process ends
while a waldo file is in use, barnyard2 will resume processing at the last
entry as listed in the waldo file.

The "-f", "-w", and "-o" options are used to determine which mode barnyard2
will run in. It is legal for both the "-f" and "-w" options to be used on the
command line at the same time; however, any data that exists in the waldo file
will override the command line data from the "-f" and "-d" options. See the
command directives section below for more detail.

Barnyard2 processing is controlled by two main types of directives: input
processors and output plugins. The input processors read information in from a
specific format (currently the spo_unified2 output module of Snort) and the
output plugins write it out in one of several ways.


------------------------------------------------------------------------------
3. USAGE
------------------------------------------------------------------------------

Command line:

    barnyard2 [-options]


General Options:

    -c <file>      Use configuration file <file>
    -C <file>      Read the classification map from <file>
    -D             Run barnyard2 in background (daemon) mode
    -e             Display the second layer header info
    -E             Log alert messages to NT Eventlog. (Win32 only)
    -F             Turn off fflush() calls after binary log writes
    -g <gname>     Run barnyard2 gid as <gname> group (or gid) after initialization
    -G <file>      Read the gen-msg map from <file>
    -h <name>      Define the hostname <name>. For logging purposes only
    -i <if>        Define the interface <if>. For logging purposes only
    -I             Add Interface name to alert output
    -l <ld>        Log to directory <ld>
    -m <umask>     Set umask = <umask>
    -O             Obfuscate the logged IP addresses
    -q             Quiet. Don't show banner and status report
    -r <id>        Include 'id' in barnyard2_intf<id>.pid file name
    -R <file>      Read the reference map from <file>
    -S <file>      Read the sid-msg map from <file>
    -t <dir>       Chroots process to <dir> after initialization
    -T             Test and report on the current barnyard2 configuration
    -u <uname>     Run barnyard2 uid as <uname> user (or uid) after initialization
    -U             Use UTC for timestamps
    -v             Be verbose
    -V             Show version number
    -?             Show this information

Continual Processing Options:

    -a <dir>       Archive processed files to <dir>
    -f <base>      Use <base> as the base filename pattern
    -d <dir>       Spool files from <dir>
    -n             Only process new events
    -w <file>      Enable bookmarking using <file>

Batch Processing Mode Options:

    -o             Enable batch processing mode


Longname options and their corresponding single char version:

    --reference <file>                Same as -R
    --classification <file>           Same as -C
    --gen-msg <file>                  Same as -G
    --sid-msg <file>                  Same as -S
    --alert-on-each-packet-in-stream  Call output plugins on each packet in an alert stream
    --process-new-records-only        Same as -n
    --pid-path <dir>                  Specify the directory for the barnyard2 PID file
    --help                            Same as -?
    --version                         Same as -V
    --create-pidfile                  Create PID file, even when not in Daemon mode
    --nolock-pidfile                  Do not try to lock barnyard2 PID file
    --max-mpls-labelchain-len         Specify the max MPLS label chain
    --mpls-payload-type               Specify the protocol (ipv4, ipv6, ethernet) that is encapsulated by MPLS


Examples:

1. Using barnyard2 in continuous mode with a waldo file

    # ./barnyard2 -c /etc/barnyard2.conf -d /var/snort -f snort.u2 -w /var/snort/snort.waldo

2. Using barnyard2 in batch mode

    # ./barnyard2 -c /etc/barnyard2.conf -o file1.u2 file2.u2 file3.u2

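The following launcher script is an added example and is not part of the barnyard2 project. It assembles the command line for each of the three modes described above (batch with -o, continual with -d/-f, continual with bookmark adding -w), always drops privileges with -u/-g after initialization, and runs the configuration through -T before the long-running process is started. The binary path, the "snort" account and the paths in the usage call at the bottom are assumptions, not values taken from this README.

```shell
#!/bin/sh
# Added example, not barnyard2 project code: build and validate a barnyard2
# command line for one of the three processing modes. BARNYARD2_BIN, RUN_AS
# and the paths in the usage block below are assumptions.

BARNYARD2_BIN="${BARNYARD2_BIN:-/usr/local/bin/barnyard2}"   # assumed binary path
RUN_AS="${RUN_AS:-snort}"                                     # assumed unprivileged account

# build_cmd MODE CONF SPOOLDIR BASE [WALDO | FILE...]
# Prints the full command line on stdout; the caller decides whether to run it.
build_cmd() {
    mode=$1; conf=$2; spool=$3; base=$4; shift 4
    # Every mode drops to an unprivileged uid/gid after initialization so the
    # parser does not keep the rights it needed to open the pid file and spool.
    common="-c $conf -u $RUN_AS -g $RUN_AS"
    case $mode in
        batch)
            # One-shot: -o followed by the explicit unified2 files, then exit.
            [ $# -ge 1 ] || { echo "batch mode needs at least one file" >&2; return 1; }
            echo "$BARNYARD2_BIN $common -o $*"
            ;;
        continual)
            # Watch $spool for files matching $base and keep reading new data.
            echo "$BARNYARD2_BIN $common -d $spool -f $base"
            ;;
        bookmark)
            # As continual, plus a waldo file so a restart resumes at the last
            # processed entry instead of re-emitting every event in the spool.
            [ -n "$1" ] || { echo "bookmark mode needs a waldo file" >&2; return 1; }
            echo "$BARNYARD2_BIN $common -d $spool -f $base -w $1"
            ;;
        *)
            echo "unknown mode: $mode" >&2
            return 1
            ;;
    esac
}

# check_conf CONF: run barnyard2 in test mode (-T) and return its exit status.
# Returns 2 if the binary is not where BARNYARD2_BIN says it is.
check_conf() {
    conf=$1
    [ -x "$BARNYARD2_BIN" ] || { echo "no barnyard2 binary at $BARNYARD2_BIN" >&2; return 2; }
    "$BARNYARD2_BIN" -c "$conf" -T -q
}

# Usage (assumed paths): validate the config, then daemonize in bookmark mode.
# Guarded by an argument so the functions can be sourced without side effects.
if [ "${1:-}" = "run" ]; then
    check_conf /etc/barnyard2.conf || exit 1
    cmd=$(build_cmd bookmark /etc/barnyard2.conf /var/snort snort.u2 /var/snort/snort.waldo) || exit 1
    exec $cmd -D
fi
```

Run it as `sh launcher.sh run` to validate and start, or source it to reuse `build_cmd` from another script. The -T pass is the part worth keeping: a broken classification or sid-msg map is reported there rather than after the daemon has detached and the error has gone to syslog only.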