Snort writes its alert output in the "unified2" file format; Barnyard2 reads those unified2 files and, as configured below, stores the events in MySQL.
Before installing Barnyard2, Snort and MySQL must already be installed and configured.
Barnyard2 Installation
Download Barnyard2 with the "wget" command from the following link:
[root@snort snort_install]# wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
Extract, compile and install Barnyard2:
[root@snort snort_install]# tar -zxvf barnyard2-1.9.tar.gz
[root@snort barnyard2-1.9]# ./configure --with-mysql
[root@snort barnyard2-1.9]# make
[root@snort barnyard2-1.9]# make install
Copy "barnyard2.conf" to "/etc/snort/", and copy "sid-msg.map" from /snort_install/snort-rule/etc/sid-msg.map to "/etc/snort/":
[root@snort barnyard2-1.9]# cp etc/barnyard2.conf /etc/snort/
[root@snort barnyard2-1.9]# cp -p /snort_install/snort-rule/etc/sid-msg.map /etc/snort/
[root@snort barnyard2-1.9]# mkdir /var/log/barnyard2
[root@snort barnyard2-1.9]# chmod 666 /var/log/barnyard2
[root@snort ~]# chmod 775 -R /var/log/snort/
[root@snort ~]# chown snort:snort -R /var/log/snort/
Barnyard2 Configuration:
[root@snort barnyard2-1.9]# vim /etc/snort/barnyard2.conf
config hostname: snort <---- set the hostname and the interface name
config interface: eth0
input unified2 <----- input log file format (Snort's unified2 output)
output database: alert, mysql, user=user-name dbname=database-name password=xxxxx host=localhost
:wq
Barnyard2 Testing
Open a terminal and start Snort with the following command:
[root@snort ~]# snort -u snort -g snort -c /etc/snort/snort.conf -i eth0 &
Then run the command below; the output should look like this:
[root@snort ~]# barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/ -f snort.u2
Closing spool file '/var/log/snort//snort.u2.1374562940'. Read 332 records
Opened spool file '/var/log/snort//snort.u2.1374877709'
Closing spool file '/var/log/snort//snort.u2.1374877709'. Read 0 records
Opened spool file '/var/log/snort//snort.u2.1374881111'
Waiting for new data
Options used:
-c Use the given configuration file
-d Spool files from the given directory
-f Spool file name pattern
Barnyard2 is now working fine.
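To see what Barnyard2 is doing when it reports "Read N records", here is a small added Python reader (example code written for this page, not part of Barnyard2 or of the original post) that walks a unified2 spool buffer, counts complete records, decodes legacy IPv4 IDS events (record type 7) and resolves each sid through a sid-msg.map. The record layouts are Snort's unified2 definitions; the sample spool bytes and sid 1000001 are constructed here for the demonstration.

```python
import struct
from ipaddress import IPv4Address

# unified2 record types from Snort's unified2 definitions; other types are skipped by length
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
RECORD_HDR = struct.Struct(">II")       # every record: type, length (network byte order)
IDS_EVENT = struct.Struct(">11I2H4B")   # 52-byte legacy IPv4 event body


def load_sid_msg_map(text):
    """Parse v1 sid-msg.map lines ("sid || msg || ref ...") into {sid: msg}."""
    table = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("||")]
        if len(fields) >= 2 and fields[0].isdigit():
            table[int(fields[0])] = fields[1]
    return table


def read_unified2(data, sid_map):
    """Walk a unified2 buffer the way a spool reader does: count whole records,
    decode IDS events, stop at a truncated tail (a file still being written)."""
    events, count, off = [], 0, 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        body = data[off + RECORD_HDR.size:off + RECORD_HDR.size + rlen]
        if len(body) < rlen:
            break                        # partial record: wait for more data
        count += 1
        if rtype == UNIFIED2_IDS_EVENT and rlen == IDS_EVENT.size:
            f = IDS_EVENT.unpack(body)   # sensor, event, sec, usec, sid, gid, rev, class, prio, src, dst, ...
            events.append({"gid": f[5], "sid": f[4], "rev": f[6], "priority": f[8],
                           "src": str(IPv4Address(f[9])), "dst": str(IPv4Address(f[10])),
                           "sport": f[11], "dport": f[12], "proto": f[13],
                           "msg": sid_map.get(f[4], "unknown sid %d" % f[4])})
        off += RECORD_HDR.size + rlen
    return count, events


# Constructed sample spool: one IDS event for a made-up sid, then its packet record
SAMPLE_SID_MAP = "1000001 || CONSTRUCTED test alert || url,example.com\n"
_event = IDS_EVENT.pack(1, 1, 1374881111, 0, 1000001, 1, 1, 0, 2,
                        int(IPv4Address("10.0.0.5")), int(IPv4Address("10.0.0.9")),
                        40000, 80, 6, 0, 0, 0)
_packet = struct.pack(">7I", 1, 1, 1374881111, 1374881111, 0, 1, 4) + b"\xde\xad\xbe\xef"
SAMPLE_SPOOL = (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(_event)) + _event
                + RECORD_HDR.pack(UNIFIED2_PACKET, len(_packet)) + _packet)
```

Calling `read_unified2(SAMPLE_SPOOL, load_sid_msg_map(SAMPLE_SID_MAP))` returns a count of 2 records and one decoded event; feeding it a spool with a cut-off final record returns only the complete ones, which is why a live spool can legitimately show "Read 0 records" until Snort finishes writing.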