Install barnyard2
Restart snort
# /etc/init.d/snortd restart
Restarting snortd (via systemctl): [ OK ]
-------------------
cd /usr/src
wget https://github.com/firnsy/barnyard2/archive/master.zip
unzip master.zip
cd barnyard2-master/
autoreconf -fvi -I ./m4
./configure --with-mysql
If configure fails to find the MySQL client libraries, rerun it with the library path given explicitly:
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql/
make && make install
#mv /usr/local/etc/barnyard2.conf /etc/snort
#cp schemas/create_mysql /usr/src/
sudo cp etc/barnyard2.conf /etc/snort
sudo mkdir /var/log/barnyard2
sudo chown snort.snort /var/log/barnyard2
sudo touch /var/log/snort/barnyard2.bookmark
sudo chown snort.snort /var/log/snort/barnyard2.bookmark
Create the database from a mysql> prompt, then load the barnyard2 schema into it:
mysql> create database snort;
# mysql -u root -p snort < /usr/src/barnyard2-master/schemas/create_mysql
# vi /etc/snort/barnyard2.conf
Add the following line at the bottom of the config file. The user and password must belong to a MySQL account that already has rights on the snort database:
output database: log, mysql, user=snort password=MYPASSWORD dbname=snort host=localhost
The config file now contains the database password, so remove world-read access:
sudo chmod o-r /etc/snort/barnyard2.conf
--------------------------------------------------------
barnyard2 test mode (-T parses the config, opens the database connection and exits without reading the spool):
#barnyard2 -T -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2
Running in Test mode
--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+
Barnyard2 spooler: Event cache size set to [2048]
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
[SignatureReferencePullDataStore()]: No Reference found in database ...
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = localhost
database: user = root
database: database name = snort
database: sensor name = localhost.localdomain:NULL
database: sensor id = 2
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility
--== Initialization Complete ==--
______ -*> Barnyard2 <*-
/ ,,_ \ Version 2.1.14 (Build 337)
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/
+ '''' + (C) Copyright 2008-2013 Ian Firns <firnsy@securixlive.com>
Barnyard2 successfully loaded configuration file!
Barnyard2 exiting
database: Closing connection to database "snort"
The sensor registered as localhost.localdomain:NULL because the config does not name an interface. Set config hostname to the sensor's hostname and config interface to the interface snort listens on:
# vi /etc/snort/barnyard2.conf
config hostname: hostname
config interface: eth0
---------------------------------------------
# locate barnyard2.config
/usr/src/barnyard2-master/rpm/barnyard2.config
# vi /usr/src/barnyard2-master/rpm/barnyard2.config   (edit as needed)
Run barnyard2 continuously as the snort user (-u/-g), reading snort's unified2 spool and recording its position in the bookmark file (-w):
#/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.bookmark -g snort -u snort
ERROR: Unable to open SID file '/etc/snort/sid-msg.map' (No such file or directory)
ERROR: [Barnyard2Init()], failed while processing [/etc/snort/sid-msg.map]
Fatal Error, Quitting..
barnyard2 expects /etc/snort/sid-msg.map (the SID-to-message map it uses to name signatures); find an existing copy and put it there:
# locate sid-msg.map
/etc/snort/community-rules/sid-msg.map
/etc/snort/etc/sid-msg.map
/etc/snort/rules/sid-msg.map
# cp /etc/snort/etc/sid-msg.map /etc/snort/
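Before starting barnyard2 for real, the following added check script (my own, not part of this post or of barnyard2) tests for the problems hit above: a missing sid-msg.map, a config without a config interface line, a bookmark file not owned by the user barnyard2 drops to, and a world-readable config holding the database password. The function name barnyard2_preflight and its parameters are assumptions; the paths default to nothing so it can be pointed at any tree.

```shell
#!/bin/sh
# Pre-flight check for a barnyard2 + MySQL setup (added example, not part of
# barnyard2). It covers the failure modes seen in this walkthrough:
#  - sid-msg.map missing         -> "Unable to open SID file", fatal at start
#  - no "config interface:" line -> sensor registers as <host>:NULL
#  - bookmark (waldo) file not owned by the user barnyard2 drops to (-u)
#  - world-readable config that contains the database password
# Usage: barnyard2_preflight CONF SIDMAP BOOKMARK [OWNER]   (OWNER defaults to snort)
# e.g.   barnyard2_preflight /etc/snort/barnyard2.conf /etc/snort/sid-msg.map \
#                            /var/log/snort/barnyard2.bookmark

barnyard2_preflight() {
    conf="$1"; sidmap="$2"; bookmark="$3"; owner="${4:-snort}"
    rc=0

    if [ ! -r "$sidmap" ]; then
        echo "FAIL: SID map $sidmap is missing; barnyard2 will exit with 'Unable to open SID file'"
        rc=1
    fi

    if ! grep -Eq '^config interface:[[:space:]]*[^[:space:]]+' "$conf"; then
        echo "FAIL: no 'config interface:' in $conf; the sensor would register as <host>:NULL"
        rc=1
    fi

    if [ -e "$bookmark" ]; then
        # GNU stat first, BSD/macOS stat as fallback
        bk_owner=$(stat -c '%U' "$bookmark" 2>/dev/null || stat -f '%Su' "$bookmark")
        if [ "$bk_owner" != "$owner" ]; then
            echo "FAIL: $bookmark is owned by $bk_owner, not $owner; barnyard2 -u $owner cannot update it"
            rc=1
        fi
    else
        echo "WARN: $bookmark does not exist yet; barnyard2 will create it on first run"
    fi

    if grep -Eq '^output database:.*password=' "$conf"; then
        mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
        # last octal digit is the "others" triplet; bit 4 means others can read
        if [ $(( $mode % 10 & 4 )) -ne 0 ]; then
            echo "FAIL: $conf holds the database password but is world-readable (mode $mode)"
            rc=1
        fi
    fi

    return "$rc"
}
```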
--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+
Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/barnyard2
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
[ClassificationPullDataStore()]: No Classification found in database ...
[SignaturePullDataStore()]: No signature found in database ...
[SystemPullDataStore()]: No System found in database ...
[ReferencePullDataStore()]: No Reference found in database ...
[SignatureReferencePullDataStore()]: No Reference found in database ...
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = localhost
database: user = root
database: database name = snort
database: sensor name = localhost.localdomain:NULL
database: sensor id = 1
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility
--== Initialization Complete ==--
______ -*> Barnyard2 <*-
/ ,,_ \ Version 2.1.14 (Build 337)
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/
+ '''' + (C) Copyright 2008-2013 Ian Firns <firnsy@securixlive.com>
WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/barnyard2.bookmark'
Waiting for new spool file
The waldofile warning is expected on a first run: the bookmark file created earlier is empty, and barnyard2 initialises it once it starts reading the spool.
-----------------------------------
mysql> select * from sensor;
+-----+----------------------------+-----------+--------+--------+----------+----------+
| sid | hostname | interface | filter | detail | encoding | last_cid |
+-----+----------------------------+-----------+--------+--------+----------+----------+
| 1 | localhost.localdomain:NULL | NULL | NULL | 1 | 0 | 0 |
+-----+----------------------------+-----------+--------+--------+----------+----------+
1 row in set (0.00 sec)
------------------------------------
Correct the row that was registered before the interface was configured, so events stay attached to sensor 1:
mysql> update sensor set hostname='localhost.localdomain:eth0';
Query OK, 1 row affected (0.03 sec)
Rows matched: 1 Changed: 1 Warnings: 0
mysql> update sensor set interface='eth0';
Query OK, 1 row affected (0.03 sec)
Rows matched: 1 Changed: 1 Warnings: 0
mysql> select * from sensor;
+-----+----------------------------+-----------+--------+--------+----------+----------+
| sid | hostname | interface | filter | detail | encoding | last_cid |
+-----+----------------------------+-----------+--------+--------+----------+----------+
| 1 | localhost.localdomain:eth0 | eth0 | NULL | 1 | 0 | 0 |
+-----+----------------------------+-----------+--------+--------+----------+----------+
1 row in set (0.01 sec)
After the config change a second sensor row (sid 2) appears; remove it so only the corrected sensor remains:
mysql> select * from sensor;
+-----+----------------------------+-----------+--------+--------+----------+---
| sid | hostname | interface | filter | detail | encoding | la
+-----+----------------------------+-----------+--------+--------+----------+---
| 1 | localhost.localdomain:eth0 | eth0 | NULL | 1 | 0 |
| 2 | localhost.localdomain:NULL | NULL | NULL | 1 | 0 |
+-----+----------------------------+-----------+--------+--------+----------+---
2 rows in set (0.02 sec)
mysql> delete from sensor where sid=2;
Query OK, 1 row affected (0.03 sec)
+-----+----------------------------+-----------+--------+--------+----------+----------+
| sid | hostname | interface | filter | detail | encoding | last_cid |
+-----+----------------------------+-----------+--------+--------+----------+----------+
| 1 | localhost.localdomain:eth0 | eth0 | NULL | 1 | 0 | 0 |
+-----+----------------------------+-----------+--------+--------+----------+----------+
----------------------------------------
Optional: ignore traffic from a trusted network
# vi /etc/snort/snort.conf
Add the line:
config bpf_file: /etc/snort/ignore.bpf
Then create the filter file:
# vi /etc/snort/ignore.bpf
!(src net 192.168.1.0/24)
Snort then never inspects packets sourced from that range, so keep such exclusions as narrow as possible.