Skip to content
Go to file
Cannot retrieve contributors at this time
393 lines (283 sloc) 12.1 KB

Building & Installing SAGAN For FreeBSD 8 & liblognorm < 0.3.9

Goal => Configure Sagan with liblognorm to log to unified2 snort logging format, using barnyard2 for output plugins

This goal outlines the best practices to decouple the processor and allow for the fastest logging, and alerting chain possible.

Install these Dependencies from Ports Tree:

Note: Althought the versions are listed here explicit, you may want/need to build the latest from the port tree.


pcre-8.30_2         Perl Compatible Regular Expressions library
perl-5.12.4_4       Practical Extraction and Report Language
libdnet-1.11_3      A simple interface to low level networking routines
libee-0.3.2         An event expression library inspired by CEE
libestr-0.1.2       A library for some string essentials
autoconf-2.68       Automatically configure source code on many Un*x platforms 
automake-1.11.1     GNU Standards-compliant Makefile generator (1.11)
pulledpork-0.6.1_2  Script to update snort-2.8+ rules
syslog-ng-3.3.5     A powerful syslogd replacement


Build these freebsd packages from '/usr/ports', 'pkg_add -r', or 'portmaster -n'

[user@sensor /usr/ports/devel/libee]# sudo make clean install 

Barnyard2 Output Plugins:

Barnyard2 output plugins such as 'mysql' require additional dependencies to be prebuilt.


barnyard2-1.9_2     An output system for Snort or Suricata that parses unified2
mysql-client-5.5.23 Multithreaded SQL database (client) (can be added for barnyard2 sql logging)

Switch FreeBSD syslog to syslog-ng using FIFO

Modify your '/etc/rc.conf'

syslog_ng_config="-u root"

Add New syslog-ng outputs to /usr/local/etc/syslog-ng.conf

destination sagan {



log {
	# uncomment this line to open port 514 to receive messages


Note: FreeBSD imports in the /etc/syslog.conf as a module to syslog-ng

Stop old Syslog & Start syslog-ng

[user@sensor ~/sagan-0.2.1]# sudo mkfifo /var/run/sagan.fifo

[user@sensor ~/]# sudo /etc/rc.d/syslog stop
[user@sensor ~/]# sudo /usr/local/etc/rc.d/syslog-ng start

Installing the rest From Source: (At this time Sagan and liblognorm are not in the FreeBSD ports tree.)


Option 1. Fetch Nightly

GIT REPO for liblognorm;a=summary

[user@sensor ~/]# wget -O liblognorm.0.3.4.tar.gz ";a=snapshot;h=f4b985047cd23be087aa93632acdd7ef7ea8ec70;sf=tgz"
- or - 
[user@sensor ~/]# git clone git://

Nightly requires auto tooling to build your ./configure file

[user@sensor ~/]# cd liblognorm*
[user@sensor ~/liblognorm]# aclocal
[user@sensor ~/liblognorm]# autoconf
[user@sensor ~/liblognorm]# autoreconf -f -i -Wall,no-obsolete

Option 2. Fetch a tag/snapshot

Tags should be ready release with configure files liblognorm.0.3.4.tar.gz;a=snapshot;h=f4b985047cd23be087aa93632acdd7ef7ea8ec70;sf=tgz

[user@sensor ~/]# fetch
[user@sensor ~/]# tar -zxvf liblognorm-*

Continue to Compile liblognorm

[user@sensor ~/]# cd liblognorm*

[user@sensor ~/liblognorm]# LDFLAGS=-L/usr/local/lib CFLAGS=-I/usr/local/include ./configure
[user@sensor ~/liblognorm]# make 
[user@sensor ~/liblognorm]# sudo make install

You should see

Libraries have been installed in:


The normalizer binary has been installed with liblognorm, and can assist you in testing your *.rulebase files.

$ normalizer -r ./example.rulebase -e json < ./example.log
{"src-port": "14121", "src-ip": "", "username": "bobuser"}


Download and Decompress Sagan

[user@sensor ~/]# fetch

[user@sensor ~/]# tar zxvf sagan-*

[user@sensor ~/]# cd sagan *

Configure Sagan to log to unified2 snort logging format. This is best way to decouple the processor and allow for the fastest logging. Use barnyard2 for output plugins.

[user@sensor ~/sagan-0.2.1] LDFLAGS=-L/usr/local/lib CFLAGS=-I/usr/local/include ./configure --disable-mysql --disable-postgresql --disable-esmtp --disable-prelude --enable-lognorm --enable-libdnet --disable-snortsam
[user@sensor ~/sagan-0.2.1]# make 
[user@sensor ~/sagan-0.2.1]# sudo make install

At the end of the install you should see


/usr/bin/install -c -d "/usr/local/share/man/man8"
/usr/bin/install -c -m 644 etc/sagan.8 "/usr/local/share/man/man8"
/usr/bin/install -c -m 755 src/sagan "/usr/local/sbin/sagan"
/usr/bin/install -c -d "/var/log/sagan"
/usr/bin/install -c -d "/var/run/sagan"

Sagan has been installed! You still need to do a few more things before your
up and running. See for
more information.

Ensure the binary is properly linked and will run without segfault

  • LDD shows that libee, libestr, liblognorm, libpcap, libdnet, threading, pcre are all enabled and compiled in.
[user@sensor ~/sagan-0.2.1]# sudo ldd /usr/local/sbin/sagan 
/usr/local/sbin/sagan: => /usr/local/lib/ (0x80085e000) => /lib/ (0x800a6c000) => /usr/local/lib/ (0x800c9f000) => /usr/local/lib/ (0x800ea7000) => /usr/local/lib/ (0x8010ae000) => /lib/ (0x8012b0000) => /lib/ (0x8014d1000) => /usr/local/lib/ (0x8016f4000) => /lib/ (0x80194a000)

Create a FreeBSD Sagan Service Script

[user@sensor ~/sagan-0.2.1]# fetch -o /usr/local/etc/rc.d/sagan

[user@sensor ~/sagan-0.2.1]# sudo chmod a+x /usr/local/etc/rc.d/sagan 

Modify your '/etc/rc.conf' and this new sagan rc.d startup script.



Download rules via Pulledpork (rule set manager) Note: pulledpork does not at this time support the classification.config, reference.config, or any *.rulebase files

[user@sensor ~/sagan-0.2.1]# fetch -o /usr/local/etc/pulledpork/pulledpork.sagan.conf

[user@sensor ~/sagan-0.2.1]# fetch -o /usr/local/etc/sagan-rules/classification.config

[user@sensor ~/sagan-0.2.1]# fetch -o /usr/local/etc/sagan-rules/reference.config

[user@sensor ~/sagan-0.2.1]# -d -T -vv -c /usr/local/etc/pulledpork/pulledpork.sagan.conf

You should see pulled pork run.

Writing /var/log/sid_changes.log....
Rule Stats....
	Enabled Rules:----1538
	Dropped Rules:----6
	Disabled Rules:---1
	Total Rules:------1545
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

Modify the Sagan Config '/usr/local/etc/sagan.conf' to # all rules file names and only use

include $RULE_PATH/sagan.rules


Download and install 'fetchcarl'

[user@sensor ~/sagan-0.2.1]# fetch -o /usr/local/bin/fetchcarl

[user@sensor ~/sagan-0.2.1]# chmod +x /usr/local/bin/fetchcarl

[user@sensor ~]# fetchcarl --help
usage: fetchcarl options

This command will assist in downloading and updating sagan-rules rulebase, and map files. 

   -f, --file		Sagan configuration file location	
		  	  default: /usr/local/etc/sagan.conf  	
   -u, --url		Sagan-rule git repo url 

   -v, --verbose  	Verbose
   -h, --help		Show this message

[user@sensor ~]# fetchcarl --verbose
the folder (/tmp/sagan_rules) you specified does not exist or doesn't contain a git repo.. fetching
Cloning into '/tmp/sagan_rules'...
remote: Counting objects: 549, done.
remote: Compressing objects: 100% (255/255), done.
remote: Total 549 (delta 462), reused 368 (delta 292)
Receiving objects: 100% (549/549), 275.21 KiB, done.
Resolving deltas: 100% (462/462), done.
Finished pulling sagan rules.
Sagan rulebase and config update complete. 
 (Note: Sagan *.rules were not updated. Use pulledpork for this process.)

Running Sagan

Run Sagan for the first time.

[user@sensor ~]# /usr/local/etc/rc.d/sagan start

... wait -- do stuff like fail ssh logins, and sudo cmds ...

[user@sensor ~]# ls -la /var/log/sagan/sagan*

-rw-r--r--  1 root   sagan   4785 May 10 18:20 sagan.u2.1336685484



Create barnyard2.conf files

[user@sensor ~]# sudo fetch -o /usr/local/etc/barnyard2.cli.conf
[user@sensor ~]# cat /usr/local/etc/barnyard2.cli.conf

# this is not hard, only unified2 is supported ;)
input unified2

# Step 3: setup the output plugins

output alert_fast: stdout

Run Barnyard2

Collect the unified2 data and output to double check alert chain is working.

[user@sensor ~]# sudo mkdir /var/log/barnyard2  # Barnyard complains when this directory doesnt exist, although it is not used.

[user@sensor ~]# barnyard2 -c /usr/local/etc/barnyard2.cli.conf -C /usr/local/etc/sagan-rules/classification.config -S /usr/local/etc/sagan-rules/ -R /usr/local/etc/sagan-rules/reference.config -f sagan.u2 -d /var/log/sagan/ --nolock-pidfile

[user@sensor ~]# cat alert 

[**] [5000075] [OPENSSH] Authentication success [shadowbq] [**]
[Classification: successful-user] [Priority: 1]
2012-05-10 17:25:39 -> auth info
Message:  Accepted publickey for shadowbq from port 59625 ssh2
[Xref =>]

[**] [5000406] [OPENSSH] Accepted publickey [**]
[Classification: successful-user] [Priority: 1]
2012-05-10 17:25:39 -> auth info
Message:  Accepted publickey for shadowbq from port 59625 ssh2
[Xref =>]


Working.. Moving ON!

Barnyard Production Service

Set up barnyard2 to run in via rc.d

Modify your '/etc/rc.conf' and barnyard rc.d startup script.

barnyard2_flags="-D -f sagan.u2 -d /var/log/sagan"

Optional. Barnyard2 and Existing Snorby/Base/DB

Set up barnyard2 to log to snorby mysql remote database (this can be skipped if not running snorby, or remote db)

[user@sensor ~]# sudo fetch -o /usr/local/etc/barnyard2.conf
[user@sensor ~]# sudo cat /usr/local/etc/barnyard2.conf 

config reference_file:	    /usr/local/etc/sagan-rules/reference.config
config classification_file: /usr/local/etc/sagan-rules/classification.config
config sid_file:	    /usr/local/etc/sagan-rules/
config hostname:	    sagan
config interface:	    misc
config waldo_file:          /var/log/sagan/barnyard2.waldo
input unified2
output database: log, mysql, user=snorby password=s3cr3tsauce dbname=snorby host=snorby

Start Barnyard2

[user@sensor ~]# sudo /usr/local/etc/rc.d/barnyard2 start
You can’t perform that action at this time.