Snort 2.9.8.x on Ubuntu – Part 4: Installing Barnyard2

UPDATE: Snort 2.9.9.x has been released. Please see the updated series of articles here or my quick install guide here.

I am leaving this older guide online for anyone who wants to install this older version of Snort on Ubuntu, but you really should be using the updated guide for the 2.9.9.x version of Snort, since support for older versions of Snort are set to expire, and the updated guide is kept more up to date and includes BASE instead of Snorby for a Web GUI.


  1. Installing Snort
  2. Configure Snort to Run as a NIDS
  3. Writing and Testing a Single Rule With Snort
  4. Installing Barnyard2
  5. Installing PulledPork
  6. Creating Upstart Scripts for Snort
  7. Creating systemD Scripts for Snort
  8. Installing Snorby on Ubuntu 12
  9. Installing Snorby on Ubuntu 14
  10. Installing Snorby on Ubuntu 15
  11. Conclusion

Installing Barnyard2

In the previous three articles in this series, we installed Snort, configured it to run as a NIDS, and wrote and tested a rule. In this article, we are going to install and configure Barnyard2, a dedicated spooler that reads Snort's binary event output and writes it to a database, so that Snort itself does not spend time on database inserts.


You will be prompted to create both a MySQL root password and a password for a MySQL database snort user. In the examples below, we have chosen to use MYSQLROOTPASSWORD as the MySQL root password and MYSQLSNORTPASSWORD as the password for the MySQL database snort user. Please note the difference when working through the steps below.


First, we need to install some prerequisites:

sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool

You will be prompted for the MySQL root password. We chose MYSQLROOTPASSWORD for the examples below.

Next, we need to edit the snort.conf:

sudo vi /etc/snort/snort.conf

We need to add a line that tells Snort to output events in binary form (so that Barnyard2 can read them). After line 520 in /etc/snort/snort.conf (a line that is a commented-out example), add the following line and save the file:

output unified2: filename snort.u2, limit 128

This line tells Snort to output events in the unified2 binary format, which is cheaper for Snort to write than human-readable alerts; Barnyard2 then does the work of turning those records into database rows.

Next we need to get, configure, and install Barnyard2.

Note on Barnyard2 Version: In the commands below, we will be downloading a specific snapshot of Barnyard2 from GitHub: Barnyard2 version 2.1.14 with commits from Oct 21, 2015 (the latest version at the time of writing). I chose not to use the latest stable release, 2.1.13, because some important patches have been added after that release, and I chose not to use the HEAD revision because that will change after this guide is published and I won’t have had the ability to test it. If you want, you can (and probably will want to) use the current HEAD revision of Barnyard2, but if you have issues, you can always come back and use the version I’ve used below, which I have verified will work with the other pieces of software in this guide.

cd ~/snort_src
wget -O barnyard2-2-1.14-336.tar.gz
tar zxvf barnyard2-2-1.14-336.tar.gz
mv barnyard2-7254c24702392288fe6be948f88afb74040f6dc9 barnyard2-2-1.14-336
cd barnyard2-2-1.14-336
autoreconf -fvi -I ./m4

Barnyard2 needs access to the dnet.h header, which we installed with the Ubuntu libdumbnet package earlier. However, Barnyard2 expects a different file name for this header. Create a soft link from dnet.h to dumbnet.h so there are no issues:

sudo ln -s /usr/include/dumbnet.h /usr/include/dnet.h
sudo ldconfig

Depending on the architecture of your system (x86 or x64), choose to run one of the following lines to tell Barnyard2 where the MySQL libraries are:

./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu

Then continue with the install:

sudo make install

Barnyard2 is now installed to /usr/local/bin/barnyard2. To configure Snort to use Barnyard2, we need to copy a few files from the source package:

cd ~/snort_src/barnyard2-2-1.14-336
sudo cp etc/barnyard2.conf /etc/snort

# the /var/log/barnyard2 folder is never used or referenced
# but barnyard2 will error without it existing
sudo mkdir /var/log/barnyard2
sudo chown snort.snort /var/log/barnyard2

sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort.snort /var/log/snort/barnyard2.waldo
sudo touch /etc/snort/

Since Barnyard2 saves alerts to our MySQL database, we need to create that database, as well as a ‘snort’ MySQL user to access that database. Run the following commands to create the database and MySQL user.

When prompted for a password, use MYSQLROOTPASSWORD. You will also be setting the MySQL snort user password in the fourth mysql command (to MYSQLSNORTPASSWORD), so change it there as well.

$ mysql -u root -p
mysql> create database snort;
mysql> use snort;
mysql> source ~/snort_src/barnyard2-2-1.14-336/schemas/create_mysql
mysql> grant create, insert, select, delete, update on snort.* to 'snort'@'localhost' identified by 'MYSQLSNORTPASSWORD';
mysql> exit

Now that the Snort database has been created, we need to tell Barnyard2 about the details of the database. Edit the Barnyard2 configuration file:

sudo vi /etc/snort/barnyard2.conf

and at the end of the file, append this line:

output database: log, mysql, user=snort password=MYSQLSNORTPASSWORD dbname=snort host=localhost

Since the password is in the barnyard2.conf file, we should prevent other users from reading it:

sudo chmod o-r /etc/snort/barnyard2.conf
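As an added check (this is not part of the original guide and not Barnyard2's own code), the following Python script parses the output database: line in the form appended above and reports whether the file holding that password is still world-readable, which is exactly what the chmod o-r step is meant to prevent. The conf excerpt it writes into a temporary directory is a constructed sample using this guide's MYSQLSNORTPASSWORD placeholder; it is written twice, once with the default 0644 permissions and once with the 0640 that chmod o-r produces.

```python
"""Added example: audit a barnyard2.conf for a world-readable database password."""
import os
import re
import stat
import tempfile

OUTPUT_DB = re.compile(r"^\s*output\s+database:\s*(.*)$")

# Constructed sample excerpt in the form used in this guide (placeholder password).
SAMPLE_CONF = (
    "# constructed barnyard2.conf excerpt\n"
    "config hostname: snortserver\n"
    "output database: log, mysql, user=snort password=MYSQLSNORTPASSWORD "
    "dbname=snort host=localhost\n"
)

def parse_output_database(conf_text):
    """Return one dict per 'output database:' line: mode, driver and the key=value settings."""
    outputs = []
    for line in conf_text.splitlines():
        m = OUTPUT_DB.match(line)
        if not m:
            continue
        # Syntax: output database: <log|alert>, <driver>, key=value key=value ...
        parts = [p.strip() for p in m.group(1).split(",", 2)]
        entry = {"mode": parts[0], "driver": parts[1] if len(parts) > 1 else ""}
        if len(parts) > 2:
            for token in parts[2].split():
                if "=" in token:
                    key, value = token.split("=", 1)
                    entry[key] = value
        outputs.append(entry)
    return outputs

def audit_conf(path):
    """Return a list of findings for the conf file at path (empty means nothing found)."""
    findings = []
    with open(path) as fh:
        outputs = parse_output_database(fh.read())
    mode = os.stat(path).st_mode
    if any("password" in out for out in outputs) and mode & stat.S_IROTH:
        findings.append("%s holds a database password but is world-readable; run chmod o-r on it" % path)
    return findings

def run_demo():
    """Write the sample conf with 0644 ('before') and 0640 ('after' chmod o-r) and audit both."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, perms in (("before", 0o644), ("after", 0o640)):
            path = os.path.join(d, "barnyard2.conf." + name)
            with open(path, "w") as fh:
                fh.write(SAMPLE_CONF)
            os.chmod(path, perms)
            results[name] = audit_conf(path)
    return results, parse_output_database(SAMPLE_CONF)

if __name__ == "__main__":
    results, parsed = run_demo()
    print("parsed:", parsed)
    for name, findings in results.items():
        print(name + ":", findings or ["ok"])
```

The check only looks at the "other" read bit because that is the bit the guide removes; Barnyard2 is started as root here and drops to the snort user afterwards, so the file stays readable by the owner.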

Now Barnyard2 is configured to work with Snort. To test, let’s run Snort and Barnyard2 and generate some alerts. First, we run Snort as a daemon. We use the same parameters as before, with the addition of the -D flag, which tells Snort to run as a daemon, and without -A Console, since we don’t want alerts to show on the screen. Take note of the PID of the process so you can kill it later if needed:

sudo /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D

Ping the IP address of the interface specified above (eth0). If you check Snort’s log directory, you should see a file called snort.u2.nnnnnnnnnn (the n’s are replaced by numbers). These are the binary alerts that snort has written out for Barnyard2 to process.

Now we want to tell Barnyard2 to look at these events and load into the snort database instance. We run Barnyard2 with the following flags:

-c /etc/snort/barnyard2.conf        the Barnyard2 configuration file
-d /var/log/snort                   the location to look for the snort binary output file
-f snort.u2                         the name of the file to look for.
-w /var/log/snort/barnyard2.waldo   the path to the waldo file (checkpoint file).
-u snort                            run Barnyard2 as the following user after startup
-g snort                            run Barnyard2 as the following group after startup

Run the following command:

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort

You should see output similar to the below:

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.14 (Build 336)
 |o"  )~|  By Ian Firns (SecurixLive):
 + '''' +  (C) Copyright 2008-2013 Ian Firns <>

Using waldo file '/var/log/snort/barnyard2.waldo':
    spool directory = /var/log/snort
    spool filebase  = snort.u2
    time_stamp      = 1412527313
    record_idx      = 16
Opened spool file '/var/log/snort/snort.u2.1412527313'
Closing spool file '/var/log/snort/snort.u2.1412527313'. Read 16 records
Opened spool file '/var/log/snort/snort.u2.1412528990'
Waiting for new data

Use ctrl-c to stop Barnyard2. Snort is still running as a daemon; to stop it, kill the PID you noted earlier (or use ps to find it, as in the example below):

user@snortserver:~$ ps aux | grep snort
snort     1296  0.0  2.1 297572 43988 ?        Ssl  03:15   0:00 /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
user      1314  0.0  0.0   4444   824 pts/0    S+   03:17   0:00 grep --color=auto snort
user@snortserver:~$ sudo kill 1296
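To make concrete what Barnyard2 does with the spool directory, filebase and waldo file passed on its command line, here is an added example (not part of the original guide and not Barnyard2's own code) that reads unified2 records from a constructed snort.u2 file, decodes the IPv4 IDS event records, and keeps a waldo-style checkpoint so that a second pass over the same file picks up nothing that was already processed. The record layouts are the unified2 ones Snort writes (a type/length header before every record, a 52-byte IPv4 event body for type 7, a packet record for type 2); the checkpoint file used here is a simplified plain-text record index, not the binary waldo file Barnyard2 writes, and the sensor id, event ids, signature id 10000001, addresses and packet bytes in the sample file are constructed values.

```python
"""Added example: read unified2 records from a Snort spool file with a waldo-style checkpoint."""
import ipaddress
import os
import struct
import tempfile

UNIFIED2_PACKET = 2       # packet record: 7 x uint32 header, then the raw packet bytes
UNIFIED2_IDS_EVENT = 7    # IPv4 IDS event (Unified2IDSEvent_legacy): 52-byte body
RECORD_HDR = struct.Struct(">II")        # every record: type, length (network byte order)
IDS_EVENT = struct.Struct(">11I2H4B")    # 11 uint32 + 2 uint16 + 4 uint8 = 52 bytes
PACKET_HDR = struct.Struct(">7I")        # sensor_id, event_id, event_second, packet_second, packet_microsecond, linktype, packet_length
IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision", "classification_id",
    "priority_id", "ip_source", "ip_destination", "sport_itype", "dport_icode",
    "protocol", "impact_flag", "impact", "blocked",
)

def iter_records(path, start_idx=0):
    """Yield (record_idx, type, body) for each complete record at or after start_idx."""
    idx = 0
    with open(path, "rb") as fh:
        while True:
            hdr = fh.read(RECORD_HDR.size)
            if len(hdr) < RECORD_HDR.size:
                return                        # end of file, or a header Snort is still writing
            rtype, length = RECORD_HDR.unpack(hdr)
            body = fh.read(length)
            if len(body) < length:
                return                        # partial record: leave it for the next pass
            if idx >= start_idx:
                yield idx, rtype, body
            idx += 1

def parse_ids_event(body):
    """Decode a 52-byte IPv4 IDS event into a dict with dotted-quad addresses."""
    if len(body) != IDS_EVENT.size:
        raise ValueError("IDS event body is %d bytes, expected %d" % (len(body), IDS_EVENT.size))
    ev = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack(body)))
    ev["ip_source"] = str(ipaddress.IPv4Address(ev["ip_source"]))
    ev["ip_destination"] = str(ipaddress.IPv4Address(ev["ip_destination"]))
    return ev

def load_checkpoint(waldo):
    """Record index to resume from; 0 when no checkpoint exists yet."""
    try:
        with open(waldo) as fh:
            return int(fh.read().strip() or 0)
    except FileNotFoundError:
        return 0

def save_checkpoint(waldo, idx):
    """Write the checkpoint via rename so a crash mid-write cannot leave it half-written."""
    tmp = waldo + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(str(idx))
    os.replace(tmp, waldo)

def process_spool(spool, waldo):
    """Return IDS events not yet checkpointed, then advance the checkpoint past them."""
    start = load_checkpoint(waldo)
    events, next_idx = [], start
    for idx, rtype, body in iter_records(spool, start):
        if rtype == UNIFIED2_IDS_EVENT:
            events.append(parse_ids_event(body))   # a real spooler would INSERT this row here
        # packet records (type 2) and any other record types are skipped by this reader
        next_idx = idx + 1
    save_checkpoint(waldo, next_idx)
    return events

def build_sample_spool(directory):
    """Write a constructed snort.u2 file: an ICMP event, its packet record, and a reply event."""
    def event(event_id, src, dst):
        body = IDS_EVENT.pack(1, event_id, 1412527313, 0, 10000001, 1, 1, 3, 2,
                              int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
                              0, 0, 1, 0, 0, 0)    # protocol 1 = ICMP; all ids are constructed
        return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body
    raw = bytes(84)                                 # constructed placeholder for packet bytes
    pkt = PACKET_HDR.pack(1, 1, 1412527313, 1412527313, 0, 1, len(raw)) + raw
    path = os.path.join(directory, "snort.u2.1412527313")
    with open(path, "wb") as fh:
        fh.write(event(1, "192.168.1.10", "192.168.1.1"))
        fh.write(RECORD_HDR.pack(UNIFIED2_PACKET, len(pkt)) + pkt)
        fh.write(event(2, "192.168.1.1", "192.168.1.10"))
    return path

def run_demo():
    """Drain the constructed spool twice; the second pass must find nothing new."""
    with tempfile.TemporaryDirectory() as d:
        spool = build_sample_spool(d)
        waldo = os.path.join(d, "barnyard2.waldo")
        first = process_spool(spool, waldo)
        second = process_spool(spool, waldo)
        final_idx = load_checkpoint(waldo)
    return first, second, final_idx

if __name__ == "__main__":
    first, second, final_idx = run_demo()
    print("%d events, then %d new; record_idx = %d" % (len(first), len(second), final_idx))
```

Two details matter when reading a live spool: Snort may be in the middle of writing a record, so a short header or body at the end of the file is treated as "not yet available" rather than as corruption, and the checkpoint is only advanced after the records have been handed off. That is the same job the waldo file does for Barnyard2, which is why it can be stopped and restarted without re-inserting events it already stored.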

Congratulations: if you have output similar to the above, then you have successfully configured Barnyard2. Continue to the next section to install PulledPork.
