Snort mailing list archives

Re: new Barnyard new snortb


From: Michael Anderson <mca () arlut utexas edu>
Date: Wed, 12 May 2004 15:22:25 -0500

Be prepared, this response is long.

I've played with barnyard off and on but just recently decided to take the plunge and use it exclusively to log to a mysql database. First you have to tell snort to write to a unified log file. This is a binary file containing all of the alert information. Then you need to set up barnyard to read the unified log file and then insert the alerts into the database. To tell snort to write to the unified log file you need to set the following in snort.conf.
snort.conf:
output log_unified: filename snort.log, limit 128

This entry in the snort.conf file will tell snort to write unified alert info to the snort.log.<id> file. The id is a timestamp to identify unique log files. The limit of 128 is 128 MB. Once this limit is reached, a new log file will be started. You are responsible for getting rid of old log files. The log files will be written to the /var/log/snort directory by default.

Next you need to set up barnyard to read the log files and load the data into a database. I set up a barnyard.conf file that looks like:
barnyard.conf:
config localtime
output log_acid_db: mysql, database snort, server localhost, user snortuser, password snortpassword, sensor_id 1

The first config option tells barnyard to use localtime for the alert timestamp. The default is gmtime (that got me when I first started using barnyard). The output line is similar to the output line in snort.conf. Would have been nice if they kept the exact same format. You will of course need to change your user/password to your setup.

Next you need to launch snort and barnyard. You shouldn't need to do anything different to launch snort. Barnyard does have a few command line parameters that are important. My invocation looks like: barnyard -D -c barnyard.conf -w /var/log/snort/snort_waldo.log -f snort.log -X /var/run/barnyard.pid

The -D flag tells barnyard to run in daemon mode (i.e. in the background). The -c flag indicates that you want to read a conf file. The -w flag says you want to maintain a waldo file. A waldo file is a checkpoint file that tells barnyard which snort.log file it is reading and how many records have been read. If you shut down barnyard and restart it, the waldo file will prevent you from reloading all of the previous alerts. The -f flag tells barnyard the base name of the unified output file and the -X flag tells barnyard to write the pid of the daemon process to a file (this is not required but I have a cron script that checks to make sure everything is running).

Now comes a problem I found with barnyard 0.2.0. If you have been using snort to log to a mysql database, all of the snort alerts are loaded into the signature table with the rev of the alert. Barnyard will look in the signature table to see if one exists; if not, it will create a new signature entry. The problem is barnyard will not use the rev from the incoming alert to find the entry in the signature table; barnyard uses a rev of 0. Since there is no signature for the alert with a rev of 0, a new entry is created. This in effect creates a duplicate signature with a new unique id, so all of your old 'ICMP PING NMAP' alerts will not have the same id as your new alert. I made the following modifications to fix this. I emailed Andrew Baker about this problem but have not heard back from him yet. If you feel up to it, the fixes are as follows:
diffs to op_acid_db.c
95c95
<         unsigned int priority);
---
>         unsigned int priority, u_int32_t rev);
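Review bot: the new parameter is declared as `u_int32_t rev` while the neighbouring `priority` is `unsigned int`; the value passed at the call sites is `record->event.sig_rev`, so confirm that field has the same width and signedness, otherwise declare the parameter with the field's own type to avoid a silent conversion. The definition at 833 is changed identically, so prototype and definition stay in sync.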
266c266
<             record->event.priority)) == 0)
---
>             record->event.priority,record->event.sig_rev)) == 0)
357c357
<             record->log.event.priority)) == 0)
---
>             record->log.event.priority,record->log.event.sig_rev)) == 0)
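Review bot: both call sites (the event path at 266 and the log path at 357) now pass the record's `sig_rev`, and because the prototype at 95 changed, any call site that was missed would fail to compile, so a clean build is enough to confirm no other caller still passes the old argument list. A space after the comma would match the formatting of the surrounding arguments.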
833c833
<         ClassType *class_type, unsigned int priority)
---
>         ClassType *class_type, unsigned int priority, u_int32_t rev)
842c842
< if(OpAcidDb_GetSigId(op_data, sid->msg, sid->rev, sid->sid, &sig_id) == 1)
---
> if(OpAcidDb_GetSigId(op_data, sid->msg, rev, sid->sid, &sig_id) == 1)
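Review bot: this is the actual behaviour change: the lookup now keys on the event's rev instead of `sid->rev`, which the mail says is 0 when barnyard builds the signature. Note it only prevents new duplicates; rev-0 rows that an unpatched barnyard already inserted stay in the signature table, and alerts already stored against those ids are not re-pointed, so a one-off cleanup of the rev-0 rows and the event rows referencing them is still needed after applying the patch.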
854c854
< e_message, class_id, priority, sid->rev, sid->sid) < MAX_QUERY_SIZE)
---
> e_message, class_id, priority, rev, sid->sid) < MAX_QUERY_SIZE)
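Review bot: the INSERT now stores `rev`; the format string for this query is on lines the hunk does not show, so check that its conversion for the rev column matches `u_int32_t` (as it did for `sid->rev`), and that `sid->rev` has no remaining uses in this function now that the parameter supersedes it.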
860c860
< OpAcidDb_GetSigId(op_data, sid->msg, sid->rev, sid->sid, &sig_id);
---
>             OpAcidDb_GetSigId(op_data, sid->msg, rev, sid->sid, &sig_id);

Hope this helps you get started. Let me know if you have any other questions.

-Mike
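The duplicate-signature problem described above, and the lookup the patch changes, are easier to see against a small model of the signature table. The following is an added example, not code from the mail or from barnyard: it reproduces the get-or-create logic with an in-memory SQLite database, runs it once with the rev-0 lookup (unpatched behaviour) and once with the event's real rev (patched behaviour), and includes a check that finds rev-0 rows left behind by the unpatched lookup, which the patch itself does not clean up. The column names are assumed to follow the snort database schema (sig_id, sig_name, sig_class_id, sig_priority, sig_rev, sig_sid); the function names are hypothetical stand-ins for barnyard's OpAcidDb_GetSigId and its insert path, and the sample signature values are constructed.

```python
import sqlite3

# Assumed layout of the snort/ACID `signature` table (column names per the
# snort database schema; constraints simplified for the example).
SCHEMA = """
CREATE TABLE signature (
    sig_id       INTEGER PRIMARY KEY AUTOINCREMENT,
    sig_name     TEXT    NOT NULL,
    sig_class_id INTEGER,
    sig_priority INTEGER,
    sig_rev      INTEGER NOT NULL DEFAULT 0,
    sig_sid      INTEGER NOT NULL DEFAULT 0
);
"""

INSERT_SQL = ("INSERT INTO signature "
              "(sig_name, sig_class_id, sig_priority, sig_rev, sig_sid) "
              "VALUES (?, ?, ?, ?, ?)")


def open_db():
    """In-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_sig_id(conn, name, rev, sid):
    """Hypothetical stand-in for OpAcidDb_GetSigId: find the row whose
    name, rev and sid all match; None if there is no such row."""
    row = conn.execute(
        "SELECT sig_id FROM signature "
        "WHERE sig_name = ? AND sig_rev = ? AND sig_sid = ?",
        (name, rev, sid)).fetchone()
    return row[0] if row else None


def get_or_insert_signature(conn, name, class_id, priority, sid, rev):
    """Barnyard's get-or-create step. `rev` is the value the lookup keys on:
    0 models the unpatched lookup (sid->rev from the sid-msg map), while the
    event's own sig_rev models the patched lookup."""
    sig_id = get_sig_id(conn, name, rev, sid)
    if sig_id is None:
        conn.execute(INSERT_SQL, (name, class_id, priority, rev, sid))
        sig_id = get_sig_id(conn, name, rev, sid)
    return sig_id


def find_rev0_duplicates(conn):
    """Cleanup check: rev-0 rows that shadow a real-rev row for the same
    (name, sid). Returns (rev0_sig_id, name, sid, real_sig_id, real_rev)."""
    rows = conn.execute(
        "SELECT z.sig_id, z.sig_name, z.sig_sid, r.sig_id, r.sig_rev "
        "FROM signature z JOIN signature r "
        "  ON r.sig_name = z.sig_name AND r.sig_sid = z.sig_sid "
        " AND r.sig_rev > 0 "
        "WHERE z.sig_rev = 0 ORDER BY z.sig_id").fetchall()
    return [tuple(r) for r in rows]


def demo(patched):
    """Seed one signature row as snort's own database output would have
    written it, then process one unified event for the same rule.
    Returns (sig_id barnyard would use, duplicates found)."""
    conn = open_db()
    # Constructed sample: 'ICMP PING NMAP' already stored with its rule rev.
    conn.execute(INSERT_SQL, ("ICMP PING NMAP", 1, 2, 3, 469))
    event_sig_rev = 3                      # sig_rev carried in the unified record
    lookup_rev = event_sig_rev if patched else 0
    sig_id = get_or_insert_signature(conn, "ICMP PING NMAP", 1, 2, 469, lookup_rev)
    return sig_id, find_rev0_duplicates(conn)


if __name__ == "__main__":
    for patched in (False, True):
        sig_id, dups = demo(patched)
        print("patched" if patched else "unpatched",
              "-> sig_id", sig_id, "duplicates", dups)
```

Unpatched, the event is stored under a fresh sig_id 2 and the check reports the rev-0 row shadowing row 1; patched, the lookup resolves to the existing row 1 and nothing is reported. Running the check against a real database before and after applying the patch shows which rev-0 rows (and the alerts pointing at them) still need a manual merge.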

Chuck Holley wrote:

To be honest, Mike, I am new to barnyard and really don't understand how this
thing works with snort. What do I need to do to get this thing to log? My
current snort config ports everything into a MySQL database, which of
course is very slow because I have just about all the rules in and alerting
on all of them. I know it's not getting all the traffic.

How do I go about tweaking snort to work with barnyard, mysql, and ACID? I
have only been running this IDS for about a month and just found out that I
need to be using something like barnyard. Your help would be much
appreciated.
-----Original Message-----
From: Michael Anderson [mailto:mca () arlut utexas edu]
Sent: Wednesday, May 12, 2004 3:39 PM
To: Chuck Holley
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] new Barnyard new snortb

I am running snort 2.1.1 and barnyard 0.2.0. I haven't tried snort 2.1.2 yet but I'm assuming the configuration would be the same. What type of problems are you having?

-Mike

Chuck Holley wrote:

I have been trying to get info on how to use the new barnyard with the new
snort. Has anyone done this successfully yet? If so, how does it work and
where do I go for some guidance on this? Thanks.
Chuck Holley
LAN Administrator
FitnessQuest Inc.
Canton, OH
cholley () fitnessquest com
