Snort 2.9.9.x on Ubuntu – Part 4: Installing Barnyard2
- Installing Snort
- Configuring Snort to Run as a NIDS
- Writing and Testing a Single Rule With Snort
- Installing Barnyard2
- Installing PulledPork
- Creating Upstart Scripts for Snort on Ubuntu 14
- Creating systemD Scripts for Snort on Ubuntu 16
- Installing BASE
In the previous three articles in this series, we installed Snort, configured it to run as a NIDS, and configured a rule. In this article, we are going to install and configure Barnyard2, which is a dedicated spooler that will help reduce the load on the Snort server.
You will be prompted to create both a MySQL root password and a password for a MySQL database snort user. In the examples below, we have chosen to use MYSQLROOTPASSWORD as the MySQL root password, and MYSQLSNORTPASSWORD as the password for the MySQL database snort user. Please note the difference between the two when working through the steps below.
First, we need to install some pre-requisites:
sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool
You will be prompted for the MySQL root password. We chose MYSQLROOTPASSWORD for the examples below.
Next, we need to edit the snort.conf:
sudo vi /etc/snort/snort.conf
We need to add a line that tells Snort to output events in binary form (so that Barnyard2 can read them). After line 520 in /etc/snort/snort.conf (a line that is a commented-out example), add the following line and save the file:
output unified2: filename snort.u2, limit 128
This line tells Snort to output events in the unified2 binary format, which is easier for Snort to write than human-readable alerts.
Next we need to get, configure, and install Barnyard2.
Note on Barnyard2 Version: In the commands below, we will be downloading the current head release of Barnyard2 rather than a specific release number, which at this time is 2.1.14. Now download and prepare to install:
cd ~/snort_src
wget https://github.com/firnsy/barnyard2/archive/master.tar.gz -O barnyard2-Master.tar.gz
tar zxvf barnyard2-Master.tar.gz
cd barnyard2-master
autoreconf -fvi -I ./m4
Barnyard2 needs access to the dnet.h header file, which we installed with the Ubuntu libdumbnet package earlier. However, Barnyard2 expects a different file name for this header. Create a soft link named dnet.h that points to dumbnet.h so there are no issues:
sudo ln -s /usr/include/dumbnet.h /usr/include/dnet.h
sudo ldconfig
Depending on the architecture of your system (x86 or x64), choose to run one of the following lines to tell Barnyard2 where the MySQL libraries are:
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu
Then continue with the install:
make
sudo make install
Barnyard2 is now installed to /usr/local/bin/barnyard2. Test to ensure that Barnyard2 installed properly by running:
user@snortserver$ /usr/local/bin/barnyard2 -V
To configure Snort to use Barnyard2, we need to copy a few files from the source package:
sudo cp ~/snort_src/barnyard2-master/etc/barnyard2.conf /etc/snort/
# the /var/log/barnyard2 folder is never used or referenced
# but barnyard2 will error without it existing
sudo mkdir /var/log/barnyard2
sudo chown snort:snort /var/log/barnyard2
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort:snort /var/log/snort/barnyard2.waldo
Since Barnyard2 saves alerts to our MySQL database, we need to create that database, as well as a ‘snort’ MySQL user to access that database. Run the following commands to create the database and MySQL user.
When prompted for a password, use MYSQLROOTPASSWORD. You will also be setting the MySQL snort user password in the fourth mysql command (to MYSQLSNORTPASSWORD), so change it there as well.
$ mysql -u root -p
mysql> create database snort;
mysql> use snort;
mysql> source ~/snort_src/barnyard2-master/schemas/create_mysql
mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY 'MYSQLSNORTPASSWORD';
mysql> grant create, insert, select, delete, update on snort.* to 'snort'@'localhost';
mysql> exit
Now that the Snort database has been created, we need to tell Barnyard2 about the details of the database. Edit the Barnyard2 configuration file:
sudo vi /etc/snort/barnyard2.conf
and at the end of the file, append this line:
output database: log, mysql, user=snort password=MYSQLSNORTPASSWORD dbname=snort host=localhost sensor_name=sensor01
Since the password is in the barnyard2.conf file, we should prevent other users from reading it:
sudo chmod o-r /etc/snort/barnyard2.conf
Now Barnyard2 is configured to work with Snort. To test, let’s run Snort and Barnyard2 and generate some alerts. First, we run Snort as a daemon. We use the same parameters as before, with the addition of the -D flag, which tells snort to run as a daemon, and we removed -A Console since we don’t want alerts to show on the screen. Take note of the PID of the process so you can kill it later if needed:
sudo /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
Ping the IP address of the interface specified above (eth0). If you check Snort’s log directory, you should see a file called snort.u2.nnnnnnnnnn (the n’s are replaced by numbers). These are the binary alerts that snort has written out for Barnyard2 to process.
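To confirm that a spool file really holds events before pointing Barnyard2 at it, the following added example (not part of the original article or of Snort/Barnyard2) walks the unified2 records in a file. It assumes the unified2 layout of an 8-byte big-endian header (record type, payload length) followed by the payload, decodes only the legacy IPv4 event record (type 7), and embeds constructed sample data with a made-up SID and documentation-range addresses.

```python
import io
import socket
import struct
import sys

HEADER = struct.Struct(">II")            # record type, payload length (big-endian)
EVENT_V4 = struct.Struct(">9I4s4sHH4B")  # legacy IPv4 event payload, 52 bytes
TYPE_PACKET, TYPE_EVENT_V4 = 2, 7

def read_records(stream):
    """Yield (type, payload) per complete record; stop at a partial one."""
    while True:
        head = stream.read(HEADER.size)
        if len(head) < HEADER.size:
            return
        rtype, length = HEADER.unpack(head)
        payload = stream.read(length)
        if len(payload) < length:  # Snort may still be writing this record
            return
        yield rtype, payload

def summarize(stream):
    """Return (record_count, events) for one spool file."""
    count, events = 0, []
    for rtype, payload in read_records(stream):
        count += 1
        if rtype == TYPE_EVENT_V4 and len(payload) >= EVENT_V4.size:
            f = EVENT_V4.unpack_from(payload)
            events.append({"time": f[2], "sid": f[4], "gid": f[5], "rev": f[6],
                           "src": socket.inet_ntoa(f[9]),
                           "dst": socket.inet_ntoa(f[10]), "proto": f[13]})
    return count, events

def sample_spool():
    """Constructed data: one ICMP event, one packet record, one cut-off record."""
    event = EVENT_V4.pack(0, 1, 1412527313, 0, 1000001, 1, 1, 0, 0,
                          socket.inet_aton("192.0.2.10"),
                          socket.inet_aton("192.0.2.20"), 8, 0, 1, 0, 0, 0)
    packet = bytes(28)  # placeholder payload; packet records are only counted
    return (HEADER.pack(TYPE_EVENT_V4, len(event)) + event
            + HEADER.pack(TYPE_PACKET, len(packet)) + packet
            + HEADER.pack(TYPE_EVENT_V4, 52) + bytes(10))

if __name__ == "__main__":
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(sample_spool())
    total, found = summarize(src)
    print(f"{total} records, {len(found)} IPv4 events")
    for e in found:
        print(e)
```

Pass the path of a spool file in Snort's log directory as the first argument; without an argument the script reads its own constructed sample.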
Now we want to tell Barnyard2 to look at these events and load them into the snort database instance. We run Barnyard2 with the following flags:
-c /etc/snort/barnyard2.conf          the Barnyard2 configuration file
-d /var/log/snort                     the location to look for the snort binary output file
-f snort.u2                           the name of the file to look for
-w /var/log/snort/barnyard2.waldo     the path to the waldo file (checkpoint file)
-u snort                              run Barnyard2 as the following user after startup
-g snort                              run Barnyard2 as the following group after startup
Run the following command:
sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort
You should see output similar to the below:
--== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.14 (Build 336)
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2013 Ian Firns <email@example.com>

Using waldo file '/var/log/snort/barnyard2.waldo':
    spool directory = /var/log/snort
    spool filebase  = snort.u2
    time_stamp      = 1412527313
    record_idx      = 16
Opened spool file '/var/log/snort/snort.u2.1412527313'
Closing spool file '/var/log/snort/snort.u2.1412527313'. Read 16 records
Opened spool file '/var/log/snort/snort.u2.1412528990'
Waiting for new data
Use ctrl-c to stop Barnyard2 from running, then stop the Snort daemon, using ps to find and terminate it as in the example below:
user@snortserver:~$ ps aux | grep snort
snort 1296 0.0 2.1 297572 43988 ? Ssl 03:15 0:00 /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
user 1314 0.0 0.0 4444 824 pts/0 S+ 03:17 0:00 grep --color=auto snort
user@snortserver:~$ sudo kill 1296
user@snortserver:~$
Congratulations, if you have output similar to the above then you have successfully configured Barnyard2. Continue to the next section to install PulledPork.