README.SLACKWARE
================
0) Preparation
--------------
For Barnyard2 to be useful, you will need a working setup of Snort, saving
output to a log in the binary "unified2" format.
Check the Snort documentation to find out how to do this.
You will also need a working database server. These instructions are based
on using MySQL, as it is included with Slackware, but other databases can
be used as well.
1) Test Barnyard2
-----------------
Before starting Barnyard2 as a daemon, do a quick test to see if it can read
the Snort log:
# barnyard2 -d /var/log/snort -f snort.log
Barnyard2 will parse its configuration file and start processing the Snort
log file.
If there are already events in the log, it will show them with their
classification.
Now check if Snort is working by doing a port scan from another computer on
the network (this won't work if done from another terminal on the same system):
# nmap -A <ip_address_of_snort_box>
Snort should detect the port scan, write the event to the log, and Barnyard2
should display it.
2) Configure Barnyard2
----------------------
2.1 Setting up your database
Follow these steps to set up the database in MySQL:
(replacing the <...> fields with your passwords)
# cd /usr/doc/barnyard2-*/schemas
# mysql -p
Enter password: <your_mysql_root_password>
mysql> create database snort;
mysql> grant create,select,update,insert,delete on snort.* to snort@localhost;
mysql> set password for snort@localhost=PASSWORD('<your_mysql_snort_password>');
mysql> exit
# mysql -p < create_mysql snort
Enter password: <your_mysql_root_password>
This will create the snort database and the tables.
2.2 Edit the configuration file
Open the /etc/barnyard2.conf file with your favorite editor, go to the end and
edit the sample mysql configuration so that it looks like this:
output database: log, mysql, user=snort password=<your_mysql_snort_password> dbname=snort host=localhost
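Because that line stores the MySQL password in clear text, it is worth checking both the line and the permissions of /etc/barnyard2.conf before starting the daemon. The following script is an added example, not part of the Barnyard2 package; it assumes GNU stat (with a BSD stat fallback) and checks the first active mysql output line for the four keys shown above, for placeholders left unreplaced, and for a world-readable file mode.

```sh
#!/bin/sh
# Added example, not part of the Barnyard2 package: sanity-check the mysql
# "output database:" line in a barnyard2.conf and the file's permissions,
# since that line carries the MySQL password in clear text.

check_barnyard2_conf() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf"; return 1; }
    # First active (uncommented) "output database:" line that uses mysql.
    line=$(grep -E '^[[:space:]]*output[[:space:]]+database:' "$conf" \
           | grep mysql | head -n 1)
    [ -n "$line" ] || { echo "no active mysql output line in $conf"; return 1; }
    # Drop the "output database: log, mysql," prefix; key=value pairs remain.
    params=$(printf '%s' "$line" | sed 's/^.*mysql,[[:space:]]*//')
    rc=0
    for key in user password dbname host; do
        val=$(printf '%s' "$params" | tr ' ' '\n' | sed -n "s/^$key=//p" | head -n 1)
        if [ -z "$val" ]; then
            echo "missing $key= in output line"; rc=1
        elif printf '%s' "$val" | grep -q '^<.*>$'; then
            echo "$key= still holds the <placeholder> from the instructions"; rc=1
        fi
    done
    # Anyone who can read the file can read the password: refuse "other" bits.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    case "$mode" in
        *[1-7]) echo "$conf is readable by others (mode $mode); chmod 600 it"; rc=1 ;;
    esac
    return $rc
}

# Demo on a constructed copy of the sample line above, placeholder left in.
demo=$(mktemp)
printf '%s\n' 'output database: log, mysql, user=snort password=<your_mysql_snort_password> dbname=snort host=localhost' > "$demo"
chmod 644 "$demo"
check_barnyard2_conf "$demo" && echo "config OK" || echo "config needs attention"
rm -f "$demo"
```

Run it as `check_barnyard2_conf /etc/barnyard2.conf` after sourcing; a zero exit status means the line is complete and the file is not world-readable.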
2.3 Start barnyard2 as a daemon
The Barnyard2 package installs a script to start and stop the daemon. Use it
like this to start Barnyard2:
# /etc/rc.d/rc.barnyard2 start
You can repeat the test with the port scan and the event should be logged in
your database now.
3) Automatic startup and shutdown of Barnyard2
----------------------------------------------
If you want Barnyard2 to start / stop automatically at boot and shutdown, use
these lines in your /etc/rc.d/rc.local:
# Start barnyard2
if [ -x /etc/rc.d/rc.barnyard2 ] ; then
    echo "Starting Barnyard2..."
    /etc/rc.d/rc.barnyard2 start
fi
And include this in your /etc/rc.d/rc.local_shutdown:
# Stop barnyard2
if [ -x /etc/rc.d/rc.barnyard2 ] ; then
    echo "Stopping Barnyard2..."
    /etc/rc.d/rc.barnyard2 stop
fi