Snort 2.9 on CentOS 6.3 (continued) with Barnyard2


This is a continuation of the post on installing Snort 2.9 on CentOS 6.3 (http://nkush.blogspot.com.au/2013/03/snort-29-on-centos-63.html). This post installs Barnyard2 on the same host and wires it between Snort and a MySQL back-end.

Barnyard2 is an output system for Snort. It improves Snort's performance by letting Snort write events in a fast binary format (unified2) and leaving the slow work of decoding the records and inserting them into a database to Barnyard2, which runs as a separate process.

Barnyard2 reads the unified2 spool files, decodes them and writes the records to a database back-end, for example MySQL. The advantage over Snort's own database output plugin is that Snort never blocks on the database: the unified2 files act as a buffer on disk, so if the database is slow or unavailable the events are retained until Barnyard2 can insert them, instead of being dropped by the sensor.

Barnyard2 can run in three modes (batch, continual, and continual with bookmarking); this example uses continual mode with bookmarking. A bookmark (waldo) file records which spool file Barnyard2 is reading and how far it has got, so that after a crash or restart it resumes from that point rather than re-inserting or skipping events.

Installation:

Install and configure MySQL

  1. yum -y install mysql mysql-server mysql-devel mysql-bench
  2. service mysqld start
  3. /usr/bin/mysql_secure_installation

Download and install Barnyard2 from http://securixlive.com/barnyard2/download.php

  1. wget http://securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
  2. tar zxvf barnyard2-1.9.tar.gz
  3. cd barnyard2-1.9
  4. ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql/
  5. make
  6. make install

Configure Barnyard to process Snort output

Change the Snort config (/etc/snort/snort.conf) so that alerts are written in the unified2 binary format (the filename given here is the base name Barnyard2 will be pointed at with -f; limit is the roll-over size in MB):

  1. output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types

Change the Barnyard2 config (/usr/local/etc/barnyard2.conf). Note that the database password is stored in clear text in this file, so keep it readable only by root and the snort user (for example owner root, group snort, mode 640).

  1. config logdir: /var/log/barnyard2
  2. config hostname:    localhost
  3. config interface:    ethX
  4. config daemon
  5. config set_gid:nnnn
  6. config set_uid:nnnn
  7. config show_year
  8. config umask: 066
  9. config waldo_file: /var/log/snort/barnyard2.waldo
  10. input unified2
  11. output database: log, mysql, user=snort password=password dbname=barnyard2 host=localhost

Create the MySQL database for Barnyard

  1. mysqladmin -u root -p create barnyard2
  2. mysql -u root -p -D barnyard2 < ./schemas/create_mysql

Grant the snort database user access to the database (the password must match the one in the output database line of barnyard2.conf; replace 'password' with a real one). WITH GRANT OPTION is not needed by Barnyard2 and would let the snort account hand privileges to other users, so it is left out here:

  1. mysql -u root -p
  2. GRANT ALL PRIVILEGES ON barnyard2.* TO snort@localhost;
  3. SET PASSWORD FOR snort@localhost=PASSWORD('password');

Prepare Barnyard2 (create the waldo file and hand the spool directory to the snort user; the logdir named in barnyard2.conf, /var/log/barnyard2, also needs to exist and be owned by snort, since Barnyard2 drops to that user with set_uid/set_gid)

  1. touch /var/log/snort/barnyard2.waldo
  2. chown -R snort:snort /var/log/snort

Run Barnyard2 first, then Snort (the -d, -w and -f options repeat the spool directory, waldo file and unified2 base name so they are unambiguous on the command line; -u/-g match the set_uid/set_gid in the config)

  1. barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort/ -w /var/log/snort/barnyard2.waldo -f merged.log -u snort -g snort -D
  2. snort -c /etc/snort/snort.conf -i eth4 -u snort -g snort -D

If all goes well, new alerts appear as rows in the event table of the barnyard2 database (joined to the signature and iphdr tables for the rule name and addresses), and Barnyard2 advances the bookmark in the waldo file as it consumes each unified2 file.

Errors:

ERROR: unable to find mysqlclient library (libmysqlclient.*)

  1. ./configure --with-mysql-libraries=/usr/lib64/mysql/

ERROR: Unable to open directory '' (No such file or directory) ERROR: Unable to find the next spool file!

  1. Ensure that the waldo file is specified (by the -w option included as a command line argument or in the config file)

WARNING: Can't extract timestamp extension from 'alert' using base ''

  1. Ensure that the unified2 file is specified (by the -f option included as a command line argument or in the config file)

FATAL ERROR: Absdir is not a subset of the logdir

  1. Ensure that the logdir is configured in the Barnyard configuration file

FATAL ERROR: database: mysql_error: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)

  1. Ensure that the MySQL service/daemon is running
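The configuration steps above and the errors just listed share the same root causes: a directive missing from barnyard2.conf, a unified2 base name that does not match snort.conf, or a host that is not ready (no waldo file, no logdir, mysqld not running). The following POSIX shell pre-flight script is an added example written for this post; it is not part of the original write-up or of the Barnyard2 project. It parses the two config files, flags each missing item by the error it would produce, and prints the SQL for checking that events are arriving (that query assumes the event, signature and iphdr tables from schemas/create_mysql). The sample configs it checks are constructed copies of the ones above, written to a temp directory; the waldo, logdir and socket paths passed to check_runtime are the ones used in this post and are assumptions about your host.

```shell
#!/bin/sh
# Barnyard2 pre-flight checks. Added example for this post; it is not part
# of the original write-up or of the Barnyard2 project. Each check targets
# a condition behind one of the errors listed under "Errors":
#   no waldo_file / -w         -> "Unable to open directory ''"
#   no unified2 base name / -f -> "Can't extract timestamp extension"
#   no logdir                  -> "Absdir is not a subset of the logdir"
#   mysqld socket missing      -> "Can't connect to local MySQL server"

# conf_get DIRECTIVE FILE: print the value of "config DIRECTIVE: value"
# (any spacing around the colon; first match wins; empty if absent).
conf_get() {
    sed -n "s/^[[:space:]]*config[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" "$2" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# snort_unified2_file SNORT_CONF: print the base file name from
# "output unified2: filename <name>, ..." (the value -f must be given).
snort_unified2_file() {
    sed -n 's/^[[:space:]]*output[[:space:]]*unified2[[:space:]]*:.*filename[[:space:]]*\([^,[:space:]]*\).*/\1/p' "$1" \
        | head -n 1
}

# check_barnyard2_conf FILE: verify the directives that continual mode with
# bookmarking needs. Prints one line per problem; returns the problem count.
check_barnyard2_conf() {
    problems=0
    for d in logdir waldo_file; do
        if [ -z "$(conf_get "$d" "$1")" ]; then
            echo "MISSING in $1: config $d"
            problems=$((problems + 1))
        fi
    done
    if ! grep -Eq '^[[:space:]]*input[[:space:]]+unified2' "$1"; then
        echo "MISSING in $1: input unified2"
        problems=$((problems + 1))
    fi
    if ! grep -Eq '^[[:space:]]*output[[:space:]]+database[[:space:]]*:' "$1"; then
        echo "MISSING in $1: output database"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# check_runtime WALDO LOGDIR SOCKET: host-level checks the config cannot
# prove. Returns the number of failed checks.
check_runtime() {
    failed=0
    [ -w "$1" ] || { echo "waldo file $1 missing or not writable by this user"; failed=$((failed + 1)); }
    [ -d "$2" ] || { echo "logdir $2 does not exist"; failed=$((failed + 1)); }
    [ -S "$3" ] || { echo "MySQL socket $3 absent: is mysqld running?"; failed=$((failed + 1)); }
    return "$failed"
}

# recent_events_query N: SQL that joins event, signature and iphdr (the
# schemas/create_mysql layout; ip_* are unsigned integers, hence INET_NTOA)
# to list the last N alerts. Pipe it into: mysql -u snort -p barnyard2
recent_events_query() {
    printf '%s\n' \
      "SELECT e.sid, e.cid, e.timestamp, s.sig_name," \
      "       INET_NTOA(i.ip_src) AS src, INET_NTOA(i.ip_dst) AS dst" \
      "  FROM event e" \
      "  JOIN signature s ON s.sig_id = e.signature" \
      "  LEFT JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid" \
      " ORDER BY e.timestamp DESC LIMIT $1;"
}

# --- Constructed sample input: temp copies of the configs from this post ---
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CONF="$SAMPLE_DIR/barnyard2.conf"
cat > "$SAMPLE_CONF" <<'EOF'
config logdir: /var/log/barnyard2
config hostname:    localhost
config interface:    ethX
config daemon
config umask: 066
config waldo_file: /var/log/snort/barnyard2.waldo
input unified2
output database: log, mysql, user=snort password=password dbname=barnyard2 host=localhost
EOF
SAMPLE_SNORT="$SAMPLE_DIR/snort.conf"
printf '%s\n' 'output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types' > "$SAMPLE_SNORT"
# Same config with waldo_file dropped: the "Unable to open directory ''" case.
BROKEN_CONF="$SAMPLE_DIR/broken.conf"
grep -v waldo_file "$SAMPLE_CONF" > "$BROKEN_CONF"

echo "-f should be: $(snort_unified2_file "$SAMPLE_SNORT")"
check_barnyard2_conf "$SAMPLE_CONF" && echo "$SAMPLE_CONF: OK"
check_barnyard2_conf "$BROKEN_CONF" || echo "$BROKEN_CONF: $? problem(s)"
check_runtime /var/log/snort/barnyard2.waldo /var/log/barnyard2 /var/lib/mysql/mysql.sock \
    || echo "host not ready: $? check(s) failed"
```

Run it as the user Barnyard2 will drop to (snort) so the writability test on the waldo file reflects what the daemon will see; the host checks will fail on a machine that has not been through the steps above, which is the point. Once the daemons are up, feed recent_events_query into the mysql client to confirm rows are landing in the event table.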
