Setting up Barnyard2

If you did not download and unpack the Barnyard2 source package during the steps listed in Getting and Installing Necessary Tools, then you first need to get the source files before installing them:

  1. Working from /usr/src/snorttemp, download the latest version of Barnyard2: # wget https://github.com/firnsy/barnyard2/archive/v2-1.13.tar.gz
  2. Extract the files from the Barnyard2 package: # tar -xzvf v2-1.13.tar.gz
  3. Switch to the Barnyard directory: # cd barnyard2-2-1.13
  4. Compile and install with the following 4-step series of commands (waiting for each one to finish successfully before starting the next):
    1. # ./autogen.sh
    2. # ./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu/
    3. # make
    4. # make install

    Note for 64-bit users: if you are running the 64-bit version of Ubuntu Linux, the correct mysql library directory should be /usr/lib/x86_64-linux-gnu/ as the argument of the --with-mysql-libraries= option.

  5. The Barnyard2 program should end up in the same location as Snort: /usr/local/bin

The next step is to create the directories and move the configuration files to the locations where they need to be. Before you start following these steps, make sure you are in the directory where you extracted the Barnyard2 package, such as /usr/src/snorttemp/barnyard2-2-1.13. These instructions assume that Snort unified2 output will be directed to the directory /var/log/snort, and therefore that is where Barnyard2 will look to retrieve those log files.

  1. Copy the Barnyard2 configuration file to the same location where snort.conf is: # cp etc/barnyard2.conf /etc/snort
  2. Create a logging directory for Barnyard2: # mkdir /var/log/barnyard2
  3. Make the directory writeable: # chmod 666 /var/log/barnyard2
  4. Create a placeholder (blank file) for the waldo file required by Barnyard2: # touch /var/log/snort/barnyard2.waldo
  5. Although Snort no longer uses the signature ID mapping file sid-msg.map, Barnyard2 does use it, and references it in the Barnyard2 configuration file. There is a copy of the sid-msg.map file distributed with each new rules package, located in the /etc directory that is created in your temporary directory when you unpack the rules tarball. If you did not already copy this file during the Snort manual tool installation process, copy the file now. Perhaps confusingly, this is not the same /etc directory found under Snort. To get the sid-msg.map file, navigate to /usr/src/snorttemp/etc and copy the file to /etc/snort: # cp sid-msg.map /etc/snort

The next step is to modify the Barnyard2 configuration file so the program knows where to look for the files it needs to reference, and so Barnyard2 will be able to write to the MySQL database.

  1. Change the directory to the location of the configuration file: # cd /etc/snort
  2. Open the configuration file for editing using nano or another editor: # nano barnyard2.conf
  3. The barnyard2.conf file is organized into three sections – variable declarations, input settings, and output settings – and changes need to be made to the first and third sections.
    1. Locate the paths to key Snort files, and make sure the paths are correctly set to point to the appropriate files in /etc/snort:
      config reference_file: /etc/snort/reference.config
      config classification_file: /etc/snort/classification.config
      config gen_file: /etc/snort/gen-msg.map
      config sid_file: /etc/snort/sid-msg.map
    2. Find the setting for output logging, uncomment it, and edit it to read:
      config logdir: /var/log/barnyard2
    3. Find the lines with hostname and interface declarations, un-comment them, and edit them to read:
      config hostname: localhost
      config interface: eth0
    4. Find the line for declaring the path to the waldo file and edit it to read:
      config waldo_file: /var/log/snort/barnyard2.waldo
  4. Skip over the second section – as noted in the file’s comments, there is only one type of input allowed for Barnyard2, so the default setting is the only possibility.
  5. In the third section on output plugins, you will see that there are many options for directing Barnyard2 output. For our purposes, we’re going to insert the output into a MySQL database, so scroll down to the database section. All other output plugin options should be commented out.
    1. Comment out the alert_fast plugin, which is enabled by default in barnyard2.conf
    2. Add a new line at the end of the commented examples in the database section, using the following database parameters:

      output database: log, mysql, user=snort password=snortpass dbname=snort host=localhost

  6. Save the barnyard2.conf file by pressing Ctrl-X and answering Yes.
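
Before launching Barnyard2, the edited file can be checked with a short script. The following is an added example, not part of the original guide or of the Barnyard2 project: it confirms that every path set in the steps above exists and flags a world-readable barnyard2.conf, since the database output line stores the MySQL password in clear text. The function name check_barnyard2_conf is an assumption made for this example.

```shell
#!/bin/sh
# Added example: pre-flight check for a barnyard2.conf edited as described above.
# check_barnyard2_conf is a hypothetical helper name, not a Barnyard2 command.
# Prints one line per problem; the return status is the number of problems.
check_barnyard2_conf() {
    conf=$1
    problems=0
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf"
        return 1
    fi

    # Each of these directives must be set and must name a path that exists.
    for key in reference_file classification_file gen_file sid_file \
               waldo_file logdir; do
        # Value of the last uncommented "config <key>: <value>" line.
        path=$(sed -n "s/^[[:space:]]*config[[:space:]]\{1,\}${key}:[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$conf" | tail -n 1)
        if [ -z "$path" ]; then
            echo "NOT SET: config $key"
            problems=$((problems + 1))
        elif [ ! -e "$path" ]; then
            echo "MISSING: $key points to $path"
            problems=$((problems + 1))
        fi
    done

    # The database output line keeps the MySQL password in clear text, so the
    # file should not be readable by "other" users (permission bit 004).
    if grep -Eq '^[[:space:]]*output[[:space:]]+database:.*password=' "$conf" &&
       [ -n "$(find "$conf" -perm -004)" ]; then
        echo "EXPOSED: $conf is world-readable and holds a database password"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Stand-alone use: sh check.sh /etc/snort/barnyard2.conf
if [ $# -gt 0 ]; then
    check_barnyard2_conf "$1"
fi
```

A return status of 0 means every referenced path exists and the file is not world-readable. Restricting the file to its owner and group (for example mode 640) clears the EXPOSED finding.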

In a production deployment of Snort, it’s likely that both Snort and Barnyard2 would be running as daemon processes, in which case they would be started using commands contained in a Linux init.d script. To test the functionality of Barnyard2 and Snort as we’ve just configured them, however, the simplest approach is to open two separate terminal windows, and then run Barnyard2 in one and Snort in the other. There is no reason to be running as root for this process, although if you are not you will need to use sudo to launch the programs.

  1. Open a command shell by searching for and selecting Terminal from the Dash Home in the Ubuntu desktop.
  2. Navigate to the directory where Barnyard2 is located: $ cd /usr/local/bin
  3. Launch Barnyard2 with the following command string (you will need to supply your password after you enter the command using sudo): $ sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f merged.log -w /var/log/snort/barnyard2.waldo
  4. Once Barnyard is running, open a second terminal session.
  5. Navigate to the directory where Snort is located: $ cd /usr/local/bin
  6. Launch Snort with the following command string (you will need to supply your password after you enter the command using sudo): $ sudo snort -c /etc/snort/snort.conf
  7. When you see on the screen that Snort is running, you can switch back to the terminal window where Barnyard2 is running and you should see some indication that it is processing the unified2 log output from Snort. If you are running Snort with the testing rules described in Generating Alerts loaded, or if you otherwise cause a Snort alert to fire, then you will see the alert information as Barnyard2 parses the output.
  8. If you have already completed the steps to install BASE, then you can also see the results of the Barnyard2 process writing to MySQL. Open a browser window and open the URL http://127.0.0.1/base/base_main.php