[Snort-users] new Barnyard new snortb
mca at ...1717...
Wed May 12 13:23:08 EDT 2004
Be prepared, this response is long.
I've played with barnyard off and on but just recently decided to take
the plunge and use it exclusively to log to a mysql database. First you
have to tell snort to write to a unified log file. This is a binary
file containing all of the alert information. Then you need to set up
barnyard to read the unified log file and then insert the alerts into
the database. To tell snort to write to the unified log file you need
to set the following in snort.conf.
output log_unified: filename snort.log, limit 128
This entry in the snort.conf file will tell snort to write unified alert
info to the snort.log.<id> file. The id is a timestamp to identify
unique log files. The limit of 128 is 128 MB. Once this limit is
reached, a new log file will be started. You are responsible for
getting rid of old log files. The log files will be written to the
/var/log/snort directory by default.
Next you need to set up barnyard to read the log files and load the data
into a database. I set up a barnyard.conf file that looks like:
output log_acid_db: mysql, database snort, server localhost, user
snortuser, password snortpassword, sensor_id 1
The first config option tells barnyard to use localtime for the alert
timestamp. The default is gmtime (that got me when I first started
using barnyard). The output line is similar to the output line in
snort.conf. Would have been nice if they kept the exact same format.
You will of course need to change your user/password to your setup.
Next you need to launch snort and barnyard. You shouldn't need to do
anything different to launch snort. Barnyard does have a few command
line parameters that are important. My invocation looks like:
barnyard -D -c barnyard.conf -w /var/log/snort/snort_waldo.log -f
snort.log -X /var/run/barnyard.pid
The -D flag tells barnyard to run in daemon mode (i.e. in the
background). The -c flag indicates that you want to read a conf file.
The -w flag says you want to maintain a waldo file. A waldo file is a
checkpoint file that tells barnyard which snort.log file it is reading
and how many records have been read. If you shut down barnyard and
restart it, the waldo file will prevent you from reloading all of the
previous alerts. The -f flag tells barnyard the base name of the
unified output file and the -X flag tells barnyard to write the pid of
the daemon process to a file (this is not required but I have a cron
script that checks to make sure everything is running).
Now comes a problem I found with barnyard 0.2.0. If you have been using
snort to log to a mysql database, all of the snort alerts are loaded
into the signature table with the rev of the alert. Barnyard will look
in the signature table to see if one exists, if not it will create a
new signature entry. The problem is barnyard will not use the rev from
the incoming alert to find the entry in the signature table, barnyard
uses a rev of 0. Since there is no signature for the alert with a rev
of 0, a new entry is created. This in effect creates a duplicate
signature with a new unique id so all of your old 'ICMP PING NMAP'
alerts will not have the same id as your new alert. I made the
following modifications to fix this. I emailed Andrew Baker about this
problem but have not heard back from him yet. If you feel up to it the
fixes are as follows:
diffs to op_acid_db.c
< unsigned int priority);
> unsigned int priority, u_int32_t rev);
< record->event.priority)) == 0)
> record->event.priority,record->event.sig_rev)) == 0)
< record->log.event.priority)) == 0)
> record->log.event.priority,record->log.event.sig_rev)) == 0)
< ClassType *class_type, unsigned int priority)
> ClassType *class_type, unsigned int priority, u_int32_t rev)
< if(OpAcidDb_GetSigId(op_data, sid->msg, sid->rev, sid->sid,
&sig_id) == 1)
> if(OpAcidDb_GetSigId(op_data, sid->msg, rev, sid->sid, &sig_id)
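Review bot: the replacement line in this hunk is missing the closing `== 1)` that the original two-line condition ends with, so as quoted `if(OpAcidDb_GetSigId(op_data, sid->msg, rev, sid->sid, &sig_id)` will not compile; it was most likely dropped when the original statement was wrapped onto two lines. The intended replacement is `if(OpAcidDb_GetSigId(op_data, sid->msg, rev, sid->sid, &sig_id) == 1)`, with the argument order (msg, rev, sid, &sig_id) unchanged from the original.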
< e_message, class_id, priority, sid->rev, sid->sid) <
> e_message, class_id, priority, rev, sid->sid) <
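Review bot: replacing `sid->rev` with `rev` in the INSERT is the half of the fix that actually stops new rev-0 rows from being written; without it the lookup above would search on the alert's rev but any row it creates would still carry the sid map's rev of 0 and be missed by the next lookup. Worth stating in the write-up that rows the unpatched 0.2.0 code already created with a rev of 0 are not touched by this patch and still have to be merged with or removed from the original signature entries by hand.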
< OpAcidDb_GetSigId(op_data, sid->msg, sid->rev, sid->sid,
> OpAcidDb_GetSigId(op_data, sid->msg, rev, sid->sid, &sig_id);
Hope this helps you get started. Let me know if you have any other
Chuck Holley wrote:
>To be honest Mike I am new to barnyard and really don't understand how this
>thing works with snort. What do I need to do to get this thing to log? My
>current snort config ports everything into a Mysql database, which of
>course is very slow because I have just about all the rules in and alerting
>on all of them. I know it's not getting all the traffic.
>How do I go about tweaking snort to work with barnyard, mysql, and ACID? I
>have only been running this IDS for about a month and just found out that I
>need to be using something like barnyard. Your help would be much
>From: Michael Anderson [mailto:mca at ...1717...]
>Sent: Wednesday, May 12, 2004 3:39 PM
>To: Chuck Holley
>Cc: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] new Barnyard new snortb
>I am running snort 2.1.1 and barnyard 0.2.0. I haven't tried snort
>2.1.2 yet but I'm assuming the configuration would be the same. What
>type of problems are you having?
>Chuck Holley wrote:
>>I have been trying to get info on how to use the new barnyard with the new
>>snort. Has anyone done this successfully yet? if so, how does it work and
>>where do I go for some guidance on this. Thanks
>>cholley at ...11679...
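The signature-duplication problem described in Michael's reply is easy to miss because ACID keeps working; alerts simply stop correlating with their older copies. The script below is an added example written for this thread, not code from the post or from barnyard. It rebuilds a copy of the ACID `signature` table in an in-memory SQLite database (MySQL in the real setup; the column set sig_id, sig_name, sig_class_id, sig_priority, sig_rev, sig_sid is assumed to match the snort create_mysql schema) and reproduces both lookups: the 0.2.0 behaviour where the rev comes from the sid map as 0, and the patched behaviour where the rev comes from the unified record. It also provides the query a defender would run against an existing database to find the duplicate rows the old behaviour left behind.

```python
"""Reproduce barnyard 0.2.0's signature lookup against a copy of the ACID
'signature' table and find the duplicate rows it leaves behind.

Added example for this thread, not code from the post or from barnyard.
Assumptions: an in-memory SQLite database stands in for MySQL, and the
column set mirrors the snort create_mysql schema (sig_id, sig_name,
sig_class_id, sig_priority, sig_rev, sig_sid).
"""
import sqlite3

SCHEMA = """
CREATE TABLE signature (
    sig_id       INTEGER PRIMARY KEY AUTOINCREMENT,
    sig_name     TEXT NOT NULL,
    sig_class_id INTEGER,
    sig_priority INTEGER,
    sig_rev      INTEGER,
    sig_sid      INTEGER
);
"""

# Constructed rows: what the table holds after snort's own database output
# plugin has logged alerts, with sig_rev taken from the rule's rev keyword.
SEED_ROWS = [
    # (sig_name, sig_class_id, sig_priority, sig_rev, sig_sid)
    ("ICMP PING NMAP", 29, 2, 3, 469),
    ("ICMP PING", 29, 3, 5, 384),
]

INSERT_SQL = ("INSERT INTO signature (sig_name, sig_class_id, sig_priority,"
              " sig_rev, sig_sid) VALUES (?, ?, ?, ?, ?)")


def open_db():
    """Create the table and load the constructed seed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(INSERT_SQL, SEED_ROWS)
    conn.commit()
    return conn


def get_sig_id(conn, msg, rev, sid):
    """Same lookup key as OpAcidDb_GetSigId: (msg, rev, sid) -> sig_id or None."""
    row = conn.execute(
        "SELECT sig_id FROM signature"
        " WHERE sig_name = ? AND sig_rev = ? AND sig_sid = ?",
        (msg, rev, sid)).fetchone()
    return row[0] if row else None


def find_or_create_signature(conn, msg, class_id, priority, alert_rev, sid,
                             patched=True):
    """Return the sig_id an incoming alert will be linked to.

    patched=True  uses the rev carried in the unified record (alert_rev).
    patched=False mimics 0.2.0, where the rev comes from the sid map and is 0,
                  for both the lookup and the row it inserts on a miss.
    """
    rev = alert_rev if patched else 0
    sig_id = get_sig_id(conn, msg, rev, sid)
    if sig_id is not None:
        return sig_id
    cur = conn.execute(INSERT_SQL, (msg, class_id, priority, rev, sid))
    conn.commit()
    return cur.lastrowid


def find_duplicate_signatures(conn):
    """Rows sharing a name and sid but split across several sig_id values.

    This is the check to run on a real ACID database after running 0.2.0:
    each tuple is (sig_name, sig_sid, number_of_rows).
    """
    return conn.execute(
        "SELECT sig_name, sig_sid, COUNT(*) AS n FROM signature"
        " GROUP BY sig_name, sig_sid HAVING n > 1"
        " ORDER BY sig_name, sig_sid").fetchall()


if __name__ == "__main__":
    db = open_db()
    old = find_or_create_signature(db, "ICMP PING NMAP", 29, 2, 3, 469, patched=False)
    new = find_or_create_signature(db, "ICMP PING NMAP", 29, 2, 3, 469, patched=True)
    print("0.2.0 lookup linked the alert to sig_id", old)
    print("patched lookup linked the alert to sig_id", new)
    print("duplicate signatures:", find_duplicate_signatures(db))
```

Running it shows the unpatched path creating a third row (rev 0) for a rule that already exists as sig_id 1, while the patched path returns sig_id 1. The `find_duplicate_signatures` query is the part worth keeping: point it at the real `signature` table and every (name, sid) pair with more than one row is a place where ACID is splitting one rule's history across two ids.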