updated: cleaned up documentation and added a dedicated readme for the new snortsam plugin.
1 parent 99f5c62 commit 104e2314fbc2b3382652a5a373207ed8d66ffec4 @firnsy committed Jul 6, 2011
Showing with 184 additions and 86 deletions.
  1. +12 −12 README
  2. +11 −11 doc/README.aruba
  3. +44 −44 doc/README.database
  4. +18 −19 doc/README.sguil
  5. +99 −0 doc/README.snortsam
24 README
@@ -3,9 +3,9 @@
0. SUMMARY
------------------------------------------------------------------------------
-Barnyard2 - version 2-1.9
+Barnyard2 - version 2-1.10
-This README contains some quick information about how to set up and
+This README contains some quick information about how to set up and
configure barnyard2 to ensure it works as it should.
Distribution Site:
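Review bot: the version bump from 2-1.9 to 2-1.10 is a functional change buried in a hunk whose other changed lines are whitespace-only (the remaining - and + pairs render identically, so they are trailing-whitespace edits), and the commit message mentions only documentation cleanup; either split the bump into its own commit or name it in the message so it is not missed in the history.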
@@ -34,10 +34,10 @@ You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-Some of this code has been taken from Snort, which was developed by
+Some of this code has been taken from Snort, which was developed by
Martin Roesch and The Snort Team (http://www.snort.org/team.html).
-Some of this code has been taken from barnyard, which was developed by
+Some of this code has been taken from barnyard, which was developed by
Martin Roesch and Andrew R. Baker.
Some of this code has been taken from tcpdump, which was developed
@@ -54,11 +54,11 @@ Its primary use is allowing Snort to write to disk in an efficient manner and
leaving the task of parsing binary data into various formats to a separate
process that will not cause Snort to miss network traffic.
-Barnyard2 has 3 modes of operation:
- 1. batch (or one-shot),
- 2. continual, and
- 3. continual w/ bookmark.
-
+Barnyard2 has 3 modes of operation:
+ 1. batch (or one-shot),
+ 2. continual, and
+ 3. continual w/ bookmark.
+
In batch (or one-shot) mode, barnyard2 will process the explicitly specified
file(s) and exit.
@@ -79,15 +79,15 @@ command directives section below for more detail.
Barnyard2 processing is controlled by two main types of directives: input
processors and output plugins. The input processors read information in from a
-specific format ( currently the spo_unified2 output module of Snort ) and
+specific format ( currently the spo_unified2 output module of Snort ) and
output them in one of several ways.
------------------------------------------------------------------------------
3. USAGE
------------------------------------------------------------------------------
-Command line:
+Command line:
barnyard2 [-options]
@@ -119,7 +119,7 @@ Command line:
-v Be verbose
-V Show version number
-? Show this information
-
+
Continual Processing Options:
-a <dir> Archive processed files to <dir>
-f <base> Use <base> as the base filename pattern
22 doc/README.aruba
@@ -73,13 +73,13 @@ Specifies the type of secret used for the Snort sensor to authenticate to the
Aruba MC, one of:
sha1 - The shared secret, represented as a SHA1 hash. You can generate
- this string with the openssl tool as
- "echo password | openssl dgst -sha1", changing the string
- "password" to the shared secret string.
+ this string with the openssl tool as
+ "echo password | openssl dgst -sha1", changing the string
+ "password" to the shared secret string.
md5 - The shared secret, represented as a MD5 hash. You can generate
- this string with the openssl tool as
- "echo password | openssl dgst -md5", changing the string
- "password" to the shared secret string.
+ this string with the openssl tool as
+ "echo password | openssl dgst -md5", changing the string
+ "password" to the shared secret string.
cleartext - The shared secret in plaintext.
* secret *
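Review bot: the sha1 and md5 instructions in this hunk tell the user to run "echo password | openssl dgst -sha1", which hashes the secret plus the trailing newline that echo appends; unless the Aruba MC also hashes the secret with a newline, the resulting digest will not match and authentication will fail. Suggest documenting "printf '%s' password | openssl dgst -sha1" (or "echo -n" where the shell supports it) and stating which form the MC expects. The change itself only re-indents these lines.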
@@ -90,14 +90,14 @@ be represented to match the secret type setting (SHA1, MD5 or cleartext).
Specifies the action that the Aruba MC will take against the source MAC
address of the station reported by the Snort sensor, one of:
- blacklist - Terminate all network access for the wireless user,
+ blacklist - Terminate all network access for the wireless user,
placing them on the blacklist. Station will be unable
- to access the wireless network until the blacklist
- duration expires.
+ to access the wireless network until the blacklist
+ duration expires.
setrole:<rolename> - Modify the user's role assignment to the specified role
name. The new role can be configured to restrict or
- grant access to the network as needed by the
- administrator.
+ grant access to the network as needed by the
+ administrator.
Example:
88 doc/README.database
@@ -1,14 +1,14 @@
I. Summary
-The database output plug-in enables snort to log to
+The database output plug-in enables snort to log to
- - Postgresql,
+ - Postgresql,
- MySQL,
- - any unixODBC database,
- - MS SQL Server and
- - Oracle.
+ - any unixODBC database,
+ - MS SQL Server and
+ - Oracle.
-This README contains some quick information about how to set up and
+This README contains some quick information about how to set up and
configure database logging with in snort. More complete and
update to date documentation about this plugin can be found at:
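Review bot: the context lines below the change still read "configure database logging with in snort" and "update to date documentation"; while this block is being re-whitespaced, fix them to "within" and "up to date". The text also still describes the plugin as part of snort ("enables snort to log to") although this is the barnyard2 tree, which deserves a pass given the commit is a documentation cleanup.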
@@ -20,46 +20,46 @@ update to date documentation about this plugin can be found at:
http://www.andrew.cmu.edu/~rdanyliw/snort/snortdb/snortdb_faq.html
-Questions or comments about the database plugin can be directed to
+Questions or comments about the database plugin can be directed to
Roman Danyliw <roman@danyliw.com> or to the snort-users mailing
list.
II. Database Setup
-To get this plug-in working you must have a database set up and
+To get this plug-in working you must have a database set up and
configured properly. Take the the following steps to get things
working.
- 1) Install MySQL, Postgresql, Oracle, MS SQL Server or
+ 1) Install MySQL, Postgresql, Oracle, MS SQL Server or
(unixODBC + some other RDBMS)
MySQL => http://www.mysql.org
Postgresql => http://www.postgesql.org
unixODBC => http://www.unixodbc.org
Oracle => http://www.oracle.com
SQL Server => http://www.microsoft.com
- 2) Follow directions from your database vendor to be sure your
+ 2) Follow directions from your database vendor to be sure your
RDBMS is properly configured and secured.
- 3) Follow directions from your vendor to create a database for
+ 3) Follow directions from your vendor to create a database for
snort.
- MySQL example
+ MySQL example
% echo "CREATE DATABASE snort;" | mysql -u root -p
4) Create a user that has privileges to INSERT and SELECT
- on that database.
+ on that database.
- example
+ example
- First create a user - for this example we will use "snortusr"
- - now grant the right privileges for that user
+ - now grant the right privileges for that user
> grant INSERT,SELECT on snort.* to snortusr@localhost;
- In addition, grant that user the UPDATE privilege on the
'sensor' table
> grant INSERT,SELECT,UPDATE on snort.sensor to snortusr@localhost;
5) Build the structure of the database according to files supplied
- with snort in the "schemas" directory as the user created in
+ with snort in the "schemas" directory as the user created in
step 4.
Do this while in the snort source directory.
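Review bot: step 4's GRANT statements never set a password for snortusr (on MySQL of this era a GRANT naming a non-existent user with no IDENTIFIED BY clause creates the account with an empty password), so following the example as written leaves the database login passwordless; add IDENTIFIED BY '<password>' to the first grant or a separate account-creation step before it. Smaller points in the same hunk: "Take the the following steps" has a doubled "the", and the PostgreSQL URL is misspelled as postgesql.org.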
@@ -71,7 +71,7 @@ working.
% psql snort < ./schemas/create_postgresql
For Oracle
- The file "./schemas/create_oracle.sql" contains the database
+ The file "./schemas/create_oracle.sql" contains the database
structure.
For MS SQL Server
@@ -89,15 +89,15 @@ working.
functionality for each column as in the mysql and
postgresql examples. The mysql file is the best example to
follow since it is optimized (given that mysql supports tiny
- ints and unsigned ints). I intend to document this process
+ ints and unsigned ints). I intend to document this process
better in the future to make this process easier.
- As you create database structure files for new RDBMS mail
+ As you create database structure files for new RDBMS mail
them in so they can be included as part of the distribution.
III. Plugin Configuration
-You must add some information to the snort configuration file
+You must add some information to the snort configuration file
to enable database logging. The configuration file distributed
with snort has some sample configuration lines.
@@ -122,15 +122,15 @@ Arguments:
All other parameters are optional but may be necessary
depending on how you have configured your RDBMS.
- dbname - the name of the database you are connecting to
+ dbname - the name of the database you are connecting to
host - the host the RDBMS is on
- port - the port number the RDBMS is listening on
+ port - the port number the RDBMS is listening on
user - connect to the database as this user
- password - the password for given user
+ password - the password for given user
sensor_name - specify your own name for this snort
sensor. If you do not specify a name one will be
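Review bot: the password argument is documented without saying that it is stored in cleartext in the barnyard2 configuration file alongside the host, port and user; add a sentence recommending that the configuration file be readable only by the account barnyard2 runs as.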
@@ -150,15 +150,15 @@ Arguments:
searchability....... - very good
- human readability... - not readable unless you
+ human readability... - not readable unless you
are a true geek
requires post processing
base64: Represent binary data as a base64 string.
storage requirements - ~1.3x the size of the binary
- searchability....... - impossible without post
+ searchability....... - impossible without post
processing
human readability... - not readable
@@ -169,27 +169,27 @@ Arguments:
Non ascii data is represented as a ".". If you choose
this option then data for ip and tcp options will
still be represented as "hex" because it does not
- make any sense for that data to be ascii.
+ make any sense for that data to be ascii.
storage requirements - Slightly larger than the
binary because some characters
are escaped (&,<,>)
- searchability....... - very good for searching for
+ searchability....... - very good for searching for
a text string
- impossible if you want to
+ impossible if you want to
search for binary
human readability... - very good
detail - How much detailed data do you want to store? The options
are:
- full: (default) log all details of a packet that
- caused an alert (including ip/tcp options and
+ full: (default) log all details of a packet that
+ caused an alert (including ip/tcp options and
the payload)
- fast: log only a minimum amount of data. You severely
+ fast: log only a minimum amount of data. You severely
limit the potential of some analysis
applications if you choose this option, but
this is still the best choice for some
@@ -262,7 +262,7 @@ IV. Changelog
2002-10-14: Transaction abstraction functions (Begin/Commit/Rollback)
Fixed transaction SQL for MS-SQL
Fixed incorrect return value for MS-SQL Insert()
-2002-10-12: Fixed (PostgreSQL) sensor initialization to the sensor table
+2002-10-12: Fixed (PostgreSQL) sensor initialization to the sensor table
by setting a default last_cid value
Fixed schema detection bug on MS-SQL enabled builds
2002-09-17: Make sure that a packet payload larger than those supported
@@ -274,22 +274,22 @@ IV. Changelog
The database now remembers the last used cid for a given sensor
(via the sensor.last_cid field). Cids will no longer ever
be re-used (even if an alert are deleted).
-2002-08-13: Fixed logic to detect the DB schema version correctly when support
+2002-08-13: Fixed logic to detect the DB schema version correctly when support
for MS-SQL and another database are present
-2002-08-12: Fixed length bug in code that generates the SQL INSERT statement
+2002-08-12: Fixed length bug in code that generates the SQL INSERT statement
into signature table
2002-06-05: Fixed memory leak occurring when a signature is seen for the
first time (Dirk Geschke)
2002-04-13: Fixed memory leak with query results structure under PostgreSQL
-2002-04-15: Detect and use correct OCI library (v8 or 9) (Chad Kreimendahl)
+2002-04-15: Detect and use correct OCI library (v8 or 9) (Chad Kreimendahl)
Improved debugging messages on Oracle connection failure
(Imran Smith)
2002-02-28: New schema v105
Added support for native Oracle date format
2002-01-16: Fixed double-free of signature if it could not be inserted into
the database
2002-01-13: Properly escaped database fields with a quote character
-2001-10-23: Truncate reference names larger than the underlying database
+2001-10-23: Truncate reference names larger than the underlying database
schema will support
2001-10-04: Catch condition where the iphdr is NULL
2001-09-26: New schema v104
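Review bot: the 2002-04-15 entry sits below 2002-04-13 in a changelog that is otherwise newest-first; move it above while this block is being touched. The context line "even if an alert are deleted" should read "even if an alert is deleted".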
@@ -321,7 +321,7 @@ IV. Changelog
the plugin to the alert or log facility
Changed name from spo_log_database to spo_database
Removed all old references to the log facility
- Fixed a logic error that prevented messages from
+ Fixed a logic error that prevented messages from
the portscan preprocessor to be logged.
2000-08-24: Fixed the full logging of tcp fields
Added encoding and detail to sensor table
@@ -332,21 +332,21 @@ IV. Changelog
Added encoding option so you can select hex, base64,
or ascii for logging binary data
Added the "detail" option so you can choose between
- full and fast logging.
-2000-08-23: A lot of code cleanup.
+ full and fast logging.
+2000-08-23: A lot of code cleanup.
Added linked list to store queries before they are
executed.
Added all tcp, udp, and icmp fields
Added support for tcp and ip options
Added support for logging the packet payload
2000-08-14: Added usage, very verbose error messages and other
small fixes. No real functional changes. This update
- is focused on making the plugin easier to install
+ is focused on making the plugin easier to install
and configure.
2000-06-06: Multiple instantiations is now working
2000-06-06: Added restart and cleanexit functions
2000-06-02: Bugfixes, better error reporting
-2000-05-09: Bugfixes, documentation fixes, and added some
+2000-05-09: Bugfixes, documentation fixes, and added some
better error reporting
2000-04-13: Bugfixes
2000-04-03: Updated database structure
@@ -356,7 +356,7 @@ IV. Changelog
2000-03-08: Added new table "sensor" and a new field to event
table to represent the sensor
2000-03-08: Added locking on inserts to eliminate concurrency
- problem
+ problem
2000-03-08: Changed "type" and "code" in icmphdr to int2 instead
of char
2000-03-01: Added extra argument to RegisterOutputPlugin
@@ -365,7 +365,7 @@ IV. Changelog
V. Changelog of Database schema
2002-09-03 -- v106
- + ALL: added sensor.last_cid to store the last used cid for a
+ + ALL: added sensor.last_cid to store the last used cid for a
given sid
2002-02-28 -- v105
@@ -376,7 +376,7 @@ V. Changelog of Database schema
2001-06-15 -- v103
+ ALL: removed 4-octet representation from iphdr
- + ALL: removed all classification/priority definitions from the
+ + ALL: removed all classification/priority definitions from the
DDL scripts
+ ALL: added support for signature priorities, ID, and revision ID
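Review bot: the two remaining files in the summary, doc/README.sguil (+18 −19) and doc/README.snortsam (+99 −0), are not rendered on this page, so the new snortsam README that the commit message describes could not be reviewed here; the notes above cover README, doc/README.aruba and doc/README.database only.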