Snort 2.9.8.x on Ubuntu – Part 4: Installing Barnyard2
I am leaving this older guide online for anyone who wants to install this older version of Snort on Ubuntu, but you really should be using the updated guide for the 2.9.9.x version of Snort, since support for older versions of Snort are set to expire, and the updated guide is kept more up to date and includes BASE instead of Snorby for a Web GUI.
- Installing Snort
- Configure Snort to Run as a NIDS
- Writing and Testing a Single Rule With Snort
- Installing Barnyard2
- Installing PulledPork
- Creating Upstart Scripts for Snort
- Creating systemD Scripts for Snort
- Installing Snorby on Ubuntu 12
- Installing Snorby on Ubuntu 14
- Installing Snorby on Ubuntu 15
In the previous three articles in this series, we installed Snort, configured it to run as a NIDS, and configured a rule. In this article, we are going to install and configure Barnyard2, which is a dedicated spooler that will help reduce the load on the Snort server.
You will be prompted to create both a MySQL root password, as well as a password for a MySQL database snort user. In the examples below, we have chose to use MYSQLROOTPASSWORD as the MySQL root password, and MYSQLSNORTPASSWORD as the MySQL database snort user. Please note the differences when working below.
First, we need to install some pre-requisites:
sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool
You will be prompted for the MySQL root password. We choose MYSQLROOTPASSWORD for the below examples.
Next, we need to edit the snort.conf:
sudo vi /etc/snort/snort.conf
We need to add a line that tells Snort to output events in binary form (so that Barnyard2 can read them). After line 520 in /etc/snort/snort.conf (a line that is a commented-out example), add the following line and save the file:
output unified2: filename snort.u2, limit 128
This line tells snort to output events in the unified2 binary format (which is easier for snort to output rather than human-readable alerts).
Next we need to get, configure, and install Barnyard2.
Note on Barnyard2 Version: In the commands below, we will be downloading a specific snapshot of Barnyard2 from github: Barnyard2 version 2.1.14 with commits from Oct 21, 2015 (this is the latest version at this time). I chose not to use the latest stable release: 2.1.13 because some patches have been added after that release that are important, and I chose not to use the Head release, because that will change after the release of this guide, and I won’t have had the ability to test it. If you want, you can (and probably will want) to use the current head release of Barnyard2, but if you have issues, you can always come back and use the version I’ve used below which I have verified will work with the other pieces of software in this guide.
cd ~/snort_src wget https://github.com/firnsy/barnyard2/archive/7254c24702392288fe6be948f88afb74040f6dc9.tar.gz -O barnyard2-2-1.14-336.tar.gz tar zxvf barnyard2-2-1.14-336.tar.gz mv barnyard2-7254c24702392288fe6be948f88afb74040f6dc9 barnyard2-2-1.14-336 cd barnyard2-2-1.14-336 autoreconf -fvi -I ./m4
Barnyard2 needs access to the dnet.h library, which we installed with the Ubuntu libdumbnet package earlier. However, Barnyard2 expects a different file name for this library. Create a soft link from dnet.h to dubmnet.h so there are no issues:
sudo ln -s /usr/include/dumbnet.h /usr/include/dnet.h sudo ldconfig
Depending on the architecture of your system (x86 or x64), choose to run one of the following lines to tell Barnyard2 where the MySQL libraries are:
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu ./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu
Then continue with the install:
make sudo make install
Barnyard2 is now installed to /usr/local/bin/barnyard2. To configure Snort to use Barnyard2, we need to copy a few files from the source package:
cd ~/snort_src/barnyard2-2-1.14-336 sudo cp etc/barnyard2.conf /etc/snort # the /var/log/barnyard2 folder is never used or referenced # but barnyard2 will error without it existing sudo mkdir /var/log/barnyard2 sudo chown snort.snort /var/log/barnyard2 sudo touch /var/log/snort/barnyard2.waldo sudo chown snort.snort /var/log/snort/barnyard2.waldo sudo touch /etc/snort/sid-msg.map
Since Barnyard2 saves alerts to our MySQL database, we need to create that database, as well as a ‘snort’ MySQL user to access that database. Run the following commands to create the database and MySQL user.
When prompted for a password, use the MYSQLROOTPASSWORD . You will also be setting the MySQL snort user password in the fourth mysql command (to MYSQLSNORTPASSWORD), so change it there as well.
$ mysql -u root -p mysql> create database snort; mysql> use snort; mysql> source ~/snort_src/barnyard2-2-1.13/schemas/create_mysql mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY 'MYSQLSNORTPASSWORD'; mysql> grant create, insert, select, delete, update on snort.* to 'snort'@'localhost'; mysql> exit
Now that the Snort database has been created, we need to tell Barnyard2 about the details of the database. Edit the Barnyard2 configuration file:
sudo vi /etc/snort/barnyard2.conf
and at the end of the file, append this line:
output database: log, mysql, user=snort password=MYSQLSNORTPASSWORD dbname=snort host=localhost
Since the password is in the barnyard2.conf file, we should prevent other users from reading it:
sudo chmod o-r /etc/snort/barnyard2.conf
Now Barnyard2 is configured to work with Snort. To test, let’s run Snort and Barnyard2 and generate some alerts. First, we run Snort as a daemon. We use the same parameters as before, with the addition of the -D flag, which tells snort to run as a daemon, and we removed -A Console since we don’t want alerts to show on the screen. Take note of the PID of the process so you can kill it later if needed:
sudo /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
Ping the IP address of the interface specified above (eth0). If you check Snort’s log directory, you should see a file called snort.u2.nnnnnnnnnn (the n’s are replaced by numbers). These are the binary alerts that snort has written out for Barnyard2 to process.
Now we want to tell Barnyard2 to look at these events and load into the snort database instance. We run Barnyard2 with the following flags:
-c /etc/snort/barnyard2.conf the Barnyard2 configuration file -d /var/log/snort the location to look for the snort binary output file -f snort.u2 the name of the file to look for. -w /var/log/snort/barnyard2.waldo the path to the waldo file (checkpoint file). -u snort run Barnyard2 as the following user after startup -g snort run Barnyard2 as the following group after startup
Run the following command:
sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort
you should see output similar to the below:
--== Initialization Complete ==-- ______ -*> Barnyard2 <*- / ,,_ \ Version 2.1.14 (Build 336) |o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/ + '''' + (C) Copyright 2008-2013 Ian Firns <email@example.com> Using waldo file '/var/log/snort/barnyard2.waldo': spool directory = /var/log/snort spool filebase = snort.u2 time_stamp = 1412527313 record_idx = 16 Opened spool file '/var/log/snort/snort.u2.1412527313' Closing spool file '/var/log/snort/snort.u2.1412527313'. Read 16 records Opened spool file '/var/log/snort/snort.u2.1412528990' Waiting for new data
Use ctrl-cps to find it as in the example below):
user@snortserver:~$ ps aux | grep snort snort 1296 0.0 2.1 297572 43988 ? Ssl 03:15 0:00 /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D user 1314 0.0 0.0 4444 824 pts/0 S+ 03:17 0:00 grep --color=auto snort user@snortserver:~$ sudo kill 1296 user@snortserver:~$
Congratulations, if you have output similar to the above then you have successfully Configured Barnyard2. Continue to the next section to install PulledPork