Barnyard2 Installation Linux: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
 
(6 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 3: Zeile 3:
 
*apt-get install libpcap-dev libprelude-dev
 
*apt-get install libpcap-dev libprelude-dev
 
=Edit /etc/snort/snort.conf=
 
=Edit /etc/snort/snort.conf=
 +
*change
 
<pre>
 
<pre>
###################################################
+
#output unified2: filename snort.log, limit 128, nostamp, mpls_event_types, vlan_event_types
# Step #6: Configure output plugins
+
output unified2: filename snort.log, limit 128, mpls_event_types, vlan_event_types
# For more information, see Snort Manual, Configuring Snort - Output Modules
+
</pre>
###################################################
 
  
# unified2
 
# Recommended for most installs
 
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
 
# output unified2: filename snort.log, limit 128, nostamp, mpls_event_types, vlan_event_types
 
output database log,mysql, user=snort password=snort dbname=snort host=localhost
 
</pre>
 
 
=Compile and Install Barnyard2=
 
=Compile and Install Barnyard2=
 
*git clone git://github.com/firnsy/barnyard2.git
 
*git clone git://github.com/firnsy/barnyard2.git
Zeile 26: Zeile 20:
 
*make
 
*make
 
*make install
 
*make install
 +
*cp etc/barnyard2.conf /etc/snort/
 +
*touch /var/log/snort/barnyard2.waldo
 +
=Settings barnyard2.conf=
 +
*cat /etc/snort/barnyard2.conf
 +
<pre>
 +
config reference_file:      /etc/snort/reference.config
 +
config classification_file: /etc/snort/classification.config
 +
config gen_file:            /etc/snort/gen-msg.map
 +
config sid_file:            /etc/snort/sid-msg.map
 +
config logdir: /var/log/barnyard2
 +
config waldo_file: /var/log/snort/barnyard2.waldo
 +
config archivedir: /var/log/snort
 +
input unified2
 +
output alert_fast: stdout
 +
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
 +
</pre>
 +
=Test=
 +
==snort==
 +
*snort  -u snort -g snort -c /etc/snort/snort.conf -i guest-bridge
 +
==barnyard2==
 +
*barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log  -w /var/log/snort/barnyard2.waldo -g snort -u snort
 +
==mysql==
 +
*mysql> select * from data limit 5 ;
 +
<pre>
 +
+-----+-----+------------------------------------------------------------------------------------------------------------------+
 +
| sid | cid | data_payload                                                                                                    |
 +
+-----+-----+------------------------------------------------------------------------------------------------------------------+
 +
|  1 |  1 | 5E40BF5B00000000E9F3060000000000101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F3031323334353637 |
 +
|  1 |  2 | 5E40BF5B00000000E9F3060000000000101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F3031323334353637 |
 +
|  1 |  3 | 5E40BF5B00000000E9F3060000000000101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F3031323334353637 |
 +
|  1 |  4 | 5E40BF5B00000000E9F3060000000000101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F3031323334353637 |
 +
|  1 |  5 | 5E40BF5B00000000E9F3060000000000101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F3031323334353637 |
 +
+-----+-----+------------------------------------------------------------------------------------------------------------------+
 +
5 rows in set (0.00 sec)
 +
</pre>
 +
 +
=Database Settings=
 +
*sudo mysql -u root -p
 +
*mysql > create database snort;
 +
*mysql > use snort;
 +
*mysql > source /root/barnyard2/schemas/create_mysql
 +
*mysql > CREATE USER 'snort'@'localhost' IDENTIFIED BY 'snort'*
 +
*mysql > grant create, insert, select, delete, update on snort.* to 'snort'@'localhost';
 +
=Systemd=
 +
*cat /etc/systemd/system/barnyard2.service
 +
<pre>
 +
[Unit]
 +
Description=Barnyard2 Daemon
 +
After=syslog.target network.target
 +
 +
[Service]
 +
Type=simple
 +
ExecStart=/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -q -w /var/log/snort/barnyard2.waldo -g snort -u snort -D -a /var/log/snort/archived_logs
 +
 +
[Install]
 +
WantedBy=multi-user.target
 +
</pre>
 +
*systemctl enable barnyard2
 +
*systemctl daemon-reload
 +
*systemctl start barnyard2

Aktuelle Version vom 16. Oktober 2018, 11:52 Uhr

Vorbereitung

  • apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool
  • apt-get install libpcap-dev libprelude-dev

Edit /etc/snort/snort.conf

  • change
#output unified2: filename snort.log, limit 128, nostamp, mpls_event_types, vlan_event_types
output unified2: filename snort.log, limit 128, mpls_event_types, vlan_event_types

Compile and Install Barnyard2

  • git clone git://github.com/firnsy/barnyard2.git
  • cd barnyard2
  • ./autogen.sh
  • CFLAGS='-lpthread'
  • ./configure --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
  • apt-get install libdumbnet-dev
  • ln -s /usr/include/dumbnet.h /usr/include/dnet.h
  • ldconfig
  • make
  • make install
  • cp etc/barnyard2.conf /etc/snort/
  • touch /var/log/snort/barnyard2.waldo

Settings barnyard2.conf

  • cat /etc/snort/barnyard2.conf
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
config logdir: /var/log/barnyard2
config waldo_file: /var/log/snort/barnyard2.waldo
config archivedir: /var/log/snort
input unified2
output alert_fast: stdout
output database: log, mysql, user=snort password=snort dbname=snort host=localhost

Test

snort

  • snort -u snort -g snort -c /etc/snort/snort.conf -i guest-bridge

barnyard2

  • barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -g snort -u snort

mysql

  • mysql> select * from data limit 5 ;
+-----+-----+------------------------------------------------------------------------------------------------------------------+
| sid | cid | data_payload                                                                                                     |
+-----+-----+------------------------------------------------------------------------------------------------------------------+
|   1 |   1 | 5E40BF5B00000000E9F3060000000000101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F3031323334353637 |
|   1 |   2 | 5E40BF5B00000000E9F3060000000000101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F3031323334353637 |
|   1 |   3 | 5E40BF5B00000000E9F3060000000000101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F3031323334353637 |
|   1 |   4 | 5E40BF5B00000000E9F3060000000000101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F3031323334353637 |
|   1 |   5 | 5E40BF5B00000000E9F3060000000000101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F3031323334353637 |
+-----+-----+------------------------------------------------------------------------------------------------------------------+
5 rows in set (0.00 sec)

Database Settings

  • sudo mysql -u root -p
  • mysql > create database snort;
  • mysql > use snort;
  • mysql > source /root/barnyard2/schemas/create_mysql
  • mysql > CREATE USER 'snort'@'localhost' IDENTIFIED BY 'snort'*
  • mysql > grant create, insert, select, delete, update on snort.* to 'snort'@'localhost';

Systemd

  • cat /etc/systemd/system/barnyard2.service
 
[Unit]
Description=Barnyard2 Daemon
After=syslog.target network.target
 
[Service]
Type=simple
ExecStart=/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -q -w /var/log/snort/barnyard2.waldo -g snort -u snort -D -a /var/log/snort/archived_logs
 
[Install]
WantedBy=multi-user.target
  • systemctl enable barnyard2
  • systemctl daemon-reload
  • systemctl start barnyard2
Abgerufen von „http://wiki.ixheim.de/index.php?title=Barnyard2_Installation_Linux&oldid=17396