Installing Snort 2.9.7.x on Ubuntu – Part 4: Installing Barnyard2
UPDATE: Snort 2.9.9.x has been released. Please see the updated series of articles here or my quick install guide here.
I am leaving this older guide online for anyone who wants to install this older version of Snort on Ubuntu, but you really should be using the updated guide for the 2.9.9.x version of Snort, since support for older versions of Snort is set to expire, and the updated guide is kept more up to date and includes BASE instead of Snorby for a Web GUI.
- Installing Snort
- Configure Snort to Run as a NIDS
- Writing and Testing a Single Rule With Snort
- Installing Barnyard2
- Installing PulledPork
- Installing BASE
- Creating Startup Scripts
In the previous three articles in this series, we installed Snort, configured it to run as a NIDS, and configured a rule. In this article, we are going to install and configure Barnyard2, a dedicated spooler that reads the binary (unified2) alert output Snort writes and inserts it into the database, so that Snort itself never has to do the slow database writes. This reduces the load on the Snort server.
You will be prompted to create both a MySQL root password and a password for a MySQL database snort user. In the examples below, we have chosen to use MYSQLROOTPASSWORD as the MySQL root password and MYSQLSNORTPASSWORD as the password for the MySQL database snort user. Please note the difference between the two when working below.
First, we need to install some pre-requisites:
sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool
You will be prompted for the MySQL root password. We chose MYSQLROOTPASSWORD for the examples below.
Next, we need to edit the snort.conf:
sudo vi /etc/snort/snort.conf
We need to add a line that tells Snort to output events in binary form (so that Barnyard2 can read them). After line 520 in /etc/snort/snort.conf (a line that is a commented-out example), add the following line and save the file:
output unified2: filename snort.u2, limit 128
This line tells Snort to output events in the unified2 binary format, which is cheaper for Snort to write than human-readable alerts. The limit 128 value caps each spool file at 128 MB before Snort rolls over to a new one.
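To make the unified2 output concrete, here is an added example (it is not code from the original article, nor from the Snort or Barnyard2 projects) of a minimal Python parser for the record stream Barnyard2 consumes from snort.u2.nnnnnnnnnn: the 8-byte record header and the two most common record types, the IPv4 IDS event and the packet record. The record type numbers and field layouts follow Snort's unified2 header definitions as the author of this example understands them; the sample spool buffer (sensor 1, hypothetical rule 1:10000001, addresses 192.168.1.20 and 192.168.1.10) is constructed, not captured. The parser also returns how far it got, which is exactly the checkpoint Barnyard2 keeps in its waldo file, and it shows why a truncated trailing record is normal while Snort still has the file open.

```python
import socket
import struct

# Record type ids and struct layouts follow Snort's unified2 header
# definitions as understood by the author of this example; the record
# header and both record bodies are big-endian.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

RECORD_HDR = struct.Struct("!II")   # record type, record length (body only)
# Unified2IDSEvent_legacy: sensor_id, event_id, event_second, event_microsecond,
# signature_id, generator_id, signature_revision, classification_id, priority_id,
# ip_source, ip_destination, sport_itype, dport_icode, protocol, impact_flag,
# impact, blocked  (52 bytes)
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")
# Unified2Packet: sensor_id, event_id, event_second, packet_second,
# packet_microsecond, linktype, packet_length, then the packet bytes (28 + n)
PACKET_HDR = struct.Struct("!IIIIIII")


def parse_unified2(data):
    """Parse a unified2 buffer into (records, consumed).

    `consumed` is the offset of the first incomplete record, i.e. the point a
    spooler would checkpoint (the role of Barnyard2's waldo file). Snort may
    still be appending to the open spool file, so a truncated trailing record
    means "wait for more data", not "corrupt file".
    """
    records = []
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        body_start = off + RECORD_HDR.size
        if body_start + rlen > len(data):
            break                      # partial record at the tail of the file
        body = data[body_start:body_start + rlen]
        off = body_start + rlen
        if rtype == UNIFIED2_IDS_EVENT and len(body) >= IDS_EVENT.size:
            f = IDS_EVENT.unpack_from(body)
            records.append(("event", {
                "sensor_id": f[0], "event_id": f[1], "event_second": f[2],
                "event_usec": f[3], "sid": f[4], "gid": f[5], "rev": f[6],
                "class_id": f[7], "priority": f[8],
                "src": socket.inet_ntoa(struct.pack("!I", f[9])),
                "dst": socket.inet_ntoa(struct.pack("!I", f[10])),
                "sport_itype": f[11], "dport_icode": f[12], "proto": f[13],
            }))
        elif rtype == UNIFIED2_PACKET and len(body) >= PACKET_HDR.size:
            f = PACKET_HDR.unpack_from(body)
            pkt = body[PACKET_HDR.size:PACKET_HDR.size + f[6]]
            records.append(("packet", {
                "event_id": f[1], "linktype": f[5],
                "packet_length": f[6], "packet": pkt,
            }))
        else:
            # IPv6 / VLAN / extra-data record types are skipped by length here
            records.append(("unknown", {"type": rtype, "length": rlen}))
    return records, off


def build_sample_spool():
    """Constructed sample spool contents (not captured from a real sensor):
    one IPv4 ICMP event, its packet record, and a truncated third record."""
    def ip(a):
        return struct.unpack("!I", socket.inet_aton(a))[0]

    event = IDS_EVENT.pack(
        1, 16, 1412527313, 0,        # sensor_id, event_id, second, usec
        10000001, 1, 1,              # hypothetical local rule: sid, gid, rev
        0, 3,                        # classification_id, priority_id
        ip("192.168.1.20"), ip("192.168.1.10"),
        8, 0, 1,                     # itype 8 (echo request), icode 0, proto 1 (ICMP)
        0, 0, 0)                     # impact_flag, impact, blocked
    payload = b"\x08\x00" + b"\x00" * 6 + b"abcdefgh"   # filler bytes, not a real frame
    packet = PACKET_HDR.pack(1, 16, 1412527313, 1412527313, 0, 1, len(payload)) + payload
    buf = RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(event)) + event
    buf += RECORD_HDR.pack(UNIFIED2_PACKET, len(packet)) + packet
    buf += RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(event)) + event[:20]  # cut short
    return buf


if __name__ == "__main__":
    recs, consumed = parse_unified2(build_sample_spool())
    for kind, fields in recs:
        print(kind, fields)
    print("checkpoint offset:", consumed)
```

Running it prints the event and packet records and a checkpoint offset of 112, the end of the second record; the truncated third record is left for the next pass. Pointing parse_unified2 at the bytes of a real snort.u2 file gives the same kind of output, which is a quick way to confirm Snort is writing events before bringing Barnyard2 into the picture.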
Next we need to get, configure, and install Barnyard2:
cd ~/snort_src
wget https://github.com/firnsy/barnyard2/archive/v2-1.13.tar.gz -O barnyard2-2-1.13.tar.gz
tar zxvf barnyard2-2-1.13.tar.gz
cd barnyard2-2-1.13
autoreconf -fvi -I ./m4
Depending on the architecture of your system (x86 or x64), run one of the following lines to tell Barnyard2 where the MySQL libraries are:
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu
Then continue with the install:
make
sudo make install
NOTE: If you get dnet.h errors at the make stage, you may need to tell the system where the dnet.h files are. Run the following commands before running make again (this has been occasionally reported as an issue):
sudo ln -s /usr/include/dumbnet.h /usr/include/dnet.h
sudo ldconfig
Barnyard2 is now installed to /usr/local/bin/barnyard2. To configure Snort to use Barnyard2, we need a few files:
cd ~/snort_src/barnyard2-2-1.13
sudo cp etc/barnyard2.conf /etc/snort
# the /var/log/barnyard2 folder is never used or referenced
# but barnyard2 will error without it existing
sudo mkdir /var/log/barnyard2
sudo chown snort.snort /var/log/barnyard2
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort.snort /var/log/snort/barnyard2.waldo
sudo touch /etc/snort/sid-msg.map
Since Barnyard2 saves alerts to our MySQL database, we need to create that database, as well as a ‘snort’ MySQL user to access that database. Run the following commands to create the database and MySQL user.
When prompted for a password, use MYSQLROOTPASSWORD. You will also be setting the MySQL snort user password in the fourth mysql command (to MYSQLSNORTPASSWORD), so change it there as well. Note that the grant deliberately gives the snort user only the privileges Barnyard2 needs on the snort database, not full or administrative rights.
$ mysql -u root -p
mysql> create database snort;
mysql> use snort;
mysql> source ~/snort_src/barnyard2-2-1.13/schemas/create_mysql
mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY 'MYSQLSNORTPASSWORD';
mysql> grant create, insert, select, delete, update on snort.* to 'snort'@'localhost';
mysql> exit
Now that the Snort database has been created, we need to tell Barnyard2 about the details of the database. Edit the Barnyard2 configuration file:
sudo vi /etc/snort/barnyard2.conf
and at the end of the file, append this line:
output database: log, mysql, user=snort password=MYSQLSNORTPASSWORD dbname=snort host=localhost
Since the password is stored in plain text in the barnyard2.conf file, we should prevent other users on the system from reading it:
sudo chmod o-r /etc/snort/barnyard2.conf
Now Barnyard2 is configured to work with Snort. To test, let's run Snort and Barnyard2 and generate some alerts. First, we run Snort as a daemon. We use the same parameters as before, with the addition of the -D flag, which tells Snort to run as a daemon, and we remove -A console since we don't want alerts to show on the screen. Take note of the PID of the process so you can kill it later if needed:
sudo /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
Ping the IP address of the interface specified above (eth0). If you check Snort’s log directory, you should see a file called snort.u2.nnnnnnnnnn (the n’s are replaced by numbers). These are the binary alerts that snort has written out for Barnyard2 to process.
Now we want to tell Barnyard2 to look at these events and load them into the snort database instance. We run Barnyard2 with the following flags:
-c /etc/snort/barnyard2.conf      the Barnyard2 configuration file
-d /var/log/snort                 the location to look for the Snort binary output file
-f snort.u2                       the name of the file to look for
-w /var/log/snort/barnyard2.waldo the path to the waldo file (checkpoint file)
-u snort                          run Barnyard2 as the following user after startup
-g snort                          run Barnyard2 as the following group after startup
Run the following command:
sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort
You should see output similar to the below:
        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.13 (Build 327)
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2013 Ian Firns <email@example.com>

Using waldo file '/var/log/snort/barnyard2.waldo':
    spool directory = /var/log/snort
    spool filebase  = snort.u2
    time_stamp      = 1412527313
    record_idx      = 16
Opened spool file '/var/log/snort/snort.u2.1412527313'
Closing spool file '/var/log/snort/snort.u2.1412527313'. Read 16 records
Opened spool file '/var/log/snort/snort.u2.1412528990'
Waiting for new data
Use ctrl-c to exit after Barnyard2 finishes processing.
Now we want to check the MySQL snort database for events. Run the following command to get a count of the events in the database. Enter the MySQL snort user password (MYSQLSNORTPASSWORD) when prompted:
mysql -u snort -p -D snort -e "select count(*) from event"
You should see similar output (with a count greater than zero):
+----------+
| count(*) |
+----------+
|        4 |
+----------+
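A bare count only tells you that rows are arriving. Once Barnyard2 is writing, the questions you actually ask are "which rules fired, from where, when?", which needs a join across the event, signature and iphdr tables that the create_mysql schema creates. The following is an added example, not code from the original article or from the Barnyard2 project: it builds a small in-memory SQLite copy of that schema (column names as the author of this example understands the Barnyard2 schema, types simplified), loads constructed rows, and runs the queries a practitioner would run against the real MySQL snort database. The SQL itself is portable; the one MySQL-specific convenience is that you can use INET_NTOA(ip_src) in the query instead of converting the integer address in Python as done here.

```python
import socket
import sqlite3
import struct

# Subset of the Barnyard2 create_mysql schema (column names as understood by
# the author of this example; types simplified for SQLite). Barnyard2 stores
# IPv4 addresses in ip_src/ip_dst as unsigned 32-bit integers.
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT,
                        sig_class_id INTEGER, sig_priority INTEGER,
                        sig_rev INTEGER, sig_sid INTEGER, sig_gid INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                    timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    ip_proto INTEGER, PRIMARY KEY (sid, cid));
"""

# Most recent alerts with rule id, name, priority and endpoints.
RECENT_ALERTS = """
SELECT e.timestamp, s.sig_gid, s.sig_sid, s.sig_name, s.sig_priority,
       i.ip_src, i.ip_dst, i.ip_proto
FROM event e
JOIN signature s ON s.sig_id = e.signature
JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
ORDER BY e.timestamp DESC
LIMIT ?
"""

# Which rules are the noisiest; the first thing to look at when tuning.
HITS_BY_SIGNATURE = """
SELECT s.sig_name, COUNT(*) AS hits
FROM event e JOIN signature s ON s.sig_id = e.signature
GROUP BY s.sig_name ORDER BY hits DESC
"""


def ip2int(a):
    return struct.unpack("!I", socket.inet_aton(a))[0]


def int2ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))


def sample_db():
    """Constructed sample data (not from a real sensor): one sensor, two
    hypothetical local rules, four events on 2014-10-05."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.execute("INSERT INTO sensor VALUES (1, 'snortserver', 'eth0')")
    con.execute("INSERT INTO signature VALUES (1, 'ICMP test', 0, 3, 1, 10000001, 1)")
    con.execute("INSERT INTO signature VALUES (2, 'Web test rule', 0, 1, 2, 10000002, 1)")
    rows = [  # sid, cid, signature, timestamp, src, dst, proto
        (1, 1, 1, "2014-10-05 16:41:53", "192.168.1.20", "192.168.1.10", 1),
        (1, 2, 1, "2014-10-05 16:41:54", "192.168.1.20", "192.168.1.10", 1),
        (1, 3, 2, "2014-10-05 16:42:10", "192.168.1.30", "192.168.1.10", 6),
        (1, 4, 1, "2014-10-05 16:42:11", "192.168.1.20", "192.168.1.10", 1),
    ]
    for sid, cid, sig, ts, src, dst, proto in rows:
        con.execute("INSERT INTO event VALUES (?,?,?,?)", (sid, cid, sig, ts))
        con.execute("INSERT INTO iphdr VALUES (?,?,?,?,?)",
                    (sid, cid, ip2int(src), ip2int(dst), proto))
    con.commit()
    return con


def event_count(con):
    """The same check as `select count(*) from event` in the article."""
    return con.execute("SELECT COUNT(*) FROM event").fetchone()[0]


def recent_alerts(con, limit=10):
    out = []
    for ts, gid, sid, name, prio, src, dst, proto in con.execute(RECENT_ALERTS, (limit,)):
        out.append({"timestamp": ts, "rule": f"{gid}:{sid}", "name": name,
                    "priority": prio, "src": int2ip(src), "dst": int2ip(dst),
                    "proto": proto})
    return out


def hits_by_signature(con):
    return con.execute(HITS_BY_SIGNATURE).fetchall()


if __name__ == "__main__":
    db = sample_db()
    print("events:", event_count(db))
    for row in recent_alerts(db, 3):
        print(row)
    print(hits_by_signature(db))
```

Against the real database you would run the two SELECT statements through `mysql -u snort -p -D snort`, exactly as the count query above; the snort user created earlier has SELECT on snort.*, which is all these queries need.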
Stop the Snort daemon (if you don't have the PID, use ps to find it as in the example below):
user@snortserver:~$ ps aux | grep snort
snort     1296  0.0  2.1 297572 43988 ?        Ssl  03:15   0:00 /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
user      1314  0.0  0.0   4444   824 pts/0    S+   03:17   0:00 grep --color=auto snort
user@snortserver:~$ sudo kill 1296
user@snortserver:~$
Congratulations, if you have output similar to the above then you have successfully configured Barnyard2. Continue to the next section to install PulledPork.