network/barnyard2: Added (log parser for snort)
Signed-off-by: Robby Workman <rworkman@slackbuilds.org>
This commit is contained in:
parent
91e62177b4
commit
3ecfa23e5c
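--- /dev/null
+++ b/network/barnyard2/README
@@ -0,0 +1,7 @@
+Barnyard2 is a fork of the original barnyard project, designed
+specifically for Snort's new unified2 file format. It is a
+critical tool for the parsing of Snort's binary log files to a
+variety of output plugins, capable of asynchronous processing,
+while Snort continues it's job.
+
+See README.SLACKWARE for some instructions on setting up Barnyard2.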
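--- /dev/null
+++ b/network/barnyard2/README.SLACKWARE
@@ -0,0 +1,97 @@
+README.SLACKWARE
+================
+
+0) Preparation
+--------------
+
+For Barnyard2 to be useful, you will need a working setup of Snort, saving
+output to a log in the binary "unified2" format.
+Check the Snort documentation to find out how to do this.
+
+You will also need a working database server. These instructions are based
+on using MySQL, as it is included with Slackware, but other databases can
+be used as well.
+
+
+1) Test Barnyard2
+-----------------
+
+Before starting Barnyard2 as a daemon, do a quick test to see if it can read
+the Snort log:
+
+# barnyard2 -d /var/log/snort -f snort.log
+
+Barnyard2 will parse the its configuration file and start processing the Snort
+log file.
+If there are already events in the log, it will show them with their
+classification.
+
+Now check if Snort is working by doing a port scan from another computer on
+the network (this won't work if done from another terminal on the same system)
+
+# nmap -A <ip_address_of_snort_box>
+
+Snort should detect the port scan, write the event to the log, and Barnyard2
+should display it.
+
+
+2) Configure Barnyard2
+----------------------
+
+2.1 Setting up your database
+
+Follow these steps to set up the database in MySQL:
+(replacing the <...> fields with your passwords)
+
+# cd /usr/doc/barnyard2-*/schemas
+# mysql -p
+Enter password: <your_mysql_root_password>
+
+mysql> create database snort;
+mysql> grant create,select,update,insert,delete on snort.* to snort@localhost;
+mysql> set password for snort@localhost=PASSWORD('<your_mysql_snort_password>');
+mysql> exit
+
+# mysql -p < create_mysql snort
+Enter password: <your_mysql_root_password>
+
+This will create the snort database and the tables.
+
+2.2 Edit the configuration file
+
+Open the /etc/barnyard2.conf file with your favorite editor, go to the end and
+edit the sample mysql configuration so that it looks like this:
+
+output database: log, mysql, user=snort password=<your_mysql_snort_password> dbname=snort host=localhost
+
+2.3 Start barnyard2 as a daemon
+
+The Barnyard2 package installs a script to start and stop the daemon. Use it
+like this to start Barnyard2:
+
+# /etc/rc.d/rc.barnyard2 start
+
+You can repeat the test with the port scan and the event should be logged in
+your database now.
+
+
+3) Automatic startup and shutdown of Barnyard2
+----------------------------------------------
+
+If you want Barnyard2 to start / stop automatically at boot and shutdown, use
+these lines in your /etc/rc.d/rc.local:
+
+# Start barnyard2
+if [ -x /etc/rc.d/rc.barnyard2 ] ; then
+echo "Starting Barnyard2..."
+/etc/rc.d/rc.barnyard2 start
+fi
+
+And include this in your /etc/rc.d/rc.local_shutdown:
+
+# Stop barnyard2
+if [ -x /etc/rc.d/rc.barnyard2 ] ; then
+echo "Stopping Barnyard2..."
+/etc/rc.d/rc.barnyard2 stop
+fi
+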
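--- /dev/null
+++ b/network/barnyard2/barnyard2.SlackBuild
@@ -0,0 +1,102 @@
+#!/bin/sh
+
+# Slackware build script for barnyard2
+# Snort binary log processor
+
+# Written by Niels Horn <niels.horn@gmail.com>
+# Revision date 2010/09/21
+
+PRGNAM=barnyard2
+VERSION=${VERSION:-1.8}
+BUILD=${BUILD:-1}
+TAG=${TAG:-_SBo}
+
+if [ -z "$ARCH" ]; then
+case "$( uname -m )" in
+i?86) ARCH=i486 ;;
+arm*) ARCH=arm ;;
+*) ARCH=$( uname -m ) ;;
+esac
+fi
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp/SBo}
+PKG=$TMP/package-$PRGNAM
+OUTPUT=${OUTPUT:-/tmp}
+
+if [ "$ARCH" = "i486" ]; then
+SLKCFLAGS="-O2 -march=i486 -mtune=i686"
+LIBDIRSUFFIX=""
+elif [ "$ARCH" = "i686" ]; then
+SLKCFLAGS="-O2 -march=i686 -mtune=i686"
+LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+SLKCFLAGS="-O2 -fPIC"
+LIBDIRSUFFIX="64"
+else
+SLKCFLAGS="-O2"
+LIBDIRSUFFIX=""
+fi
+
+set -e
+
+rm -rf $PKG
+mkdir -p $TMP $PKG $OUTPUT
+cd $TMP
+rm -rf $PRGNAM-$VERSION
+tar xvf $CWD/$PRGNAM-$VERSION.tar.gz
+cd $PRGNAM-$VERSION
+chown -R root:root .
+find . \
+\( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+-exec chmod 755 {} \; -o \
+\( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+-exec chmod 644 {} \;
+
+CFLAGS="$SLKCFLAGS" \
+CXXFLAGS="$SLKCFLAGS" \
+./configure \
+--prefix=/usr \
+--libdir=/usr/lib${LIBDIRSUFFIX} \
+--sysconfdir=/etc \
+--docdir=/usr/doc/$PRGNAM-$VERSION \
+--mandir=/usr/man \
+--localstatedir=/var \
+--with-mysql-libraries=/usr/lib${LIBDIRSUFFIX}/mysql \
+--with-mysql-includes=/usr/include/mysql \
+--build=$ARCH-slackware-linux
+
+make
+make install DESTDIR=$PKG
+
+find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \
+| cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
+
+mv $PKG/etc/$PRGNAM.conf $PKG/etc/$PRGNAM.conf.new
+
+# Include rc.barnyard2 file
+mkdir -p $PKG/etc/rc.d
+cat $CWD/rc.barnyard2 > $PKG/etc/rc.d/rc.barnyard2.new
+chmod 0755 $PKG/etc/rc.d/rc.barnyard2.new
+
+# Create directory for log
+mkdir -p $PKG/var/log/$PRGNAM
+
+# Copy database schemas and docs
+mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION/schemas
+for sc in schemas/create_*; do
+cat $sc > $PKG/usr/doc/$PRGNAM-$VERSION/$sc
+done
+cp -a \
+COPYING LICENSE RELEASE.NOTES doc/* \
+$PKG/usr/doc/$PRGNAM-$VERSION
+find $PKG/usr/doc/$PRGNAM-$VERSION -name "Makefile*" -exec rm -f {} \;
+cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
+cat $CWD/README.SLACKWARE > $PKG/usr/doc/$PRGNAM-$VERSION/README.SLACKWARE
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+cat $CWD/doinst.sh > $PKG/install/doinst.sh
+
+cd $PKG
+/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}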
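Review bot: `barnyard2.conf.new` is packaged with whatever mode `make install` left on it (the `mv $PKG/etc/$PRGNAM.conf $PKG/etc/$PRGNAM.conf.new` line does not set one), and README.SLACKWARE in this same commit instructs the admin to write the MySQL `snort` password into that file; I cannot see the resulting mode from the hunk, but if it is world-readable the password becomes readable by every local account once doinst.sh moves the file into place. Consider adding `chmod 0600 $PKG/etc/$PRGNAM.conf.new` directly after the `mv`, so the live config starts out restrictive on a first install. The same consideration applies to the doinst.sh section, whose `config()` carries the packaged mode over unchanged with `mv $NEW $OLD`.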
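--- /dev/null
+++ b/network/barnyard2/barnyard2.info
@@ -0,0 +1,10 @@
+PRGNAM="barnyard2"
+VERSION="1.8"
+HOMEPAGE="http://www.securixlive.com/barnyard2/"
+DOWNLOAD="http://www.securixlive.com/download/barnyard2/barnyard2-1.8.tar.gz"
+MD5SUM="72fc6c490db6ea6a0f46c27d24998067"
+DOWNLOAD_x86_64=""
+MD5SUM_x86_64=""
+MAINTAINER="Niels Horn"
+EMAIL="niels.horn@gmail.com"
+APPROVED="rworkman"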
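--- /dev/null
+++ b/network/barnyard2/doinst.sh
@@ -0,0 +1,26 @@
+config() {
+NEW="$1"
+OLD="$(dirname $NEW)/$(basename $NEW .new)"
+# If there's no config file by that name, mv it over:
+if [ ! -r $OLD ]; then
+mv $NEW $OLD
+elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then # toss the redundant copy
+rm $NEW
+fi
+# Otherwise, we leave the .new copy for the admin to consider...
+}
+
+preserve_perms() {
+NEW="$1"
+OLD="$(dirname $NEW)/$(basename $NEW .new)"
+if [ -e $OLD ]; then
+cp -a $OLD ${NEW}.incoming
+cat $NEW > ${NEW}.incoming
+mv ${NEW}.incoming $NEW
+fi
+config $NEW
+}
+
+preserve_perms etc/rc.d/rc.barnyard2.new
+config etc/barnyard2.conf.new
+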
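--- /dev/null
+++ b/network/barnyard2/rc.barnyard2
@@ -0,0 +1,49 @@
+#!/bin/sh
+# Start/stop/restart barnyard2
+
+# Settings
+SNORTLOGDIR=${SNORTLOGDIR:-/var/log/snort}
+SNORTLOGFILE=${SNORTLOGFILE:-snort.log}
+IFACE=${IFACE:-any}
+PIDFILE=/var/run/barnyard2_$IFACE.pid
+LOGDIR=/var/log/barnyard2
+
+
+# Start snort:
+by2_start() {
+CMDLINE="/usr/bin/barnyard2 -i $IFACE -d $SNORTLOGDIR -f $SNORTLOGFILE -n -D "
+echo -n "Starting Barnyard2 daemon: $CMDLINE"
+$CMDLINE --pid-path /var/run --create-pidfile -l $LOGDIR
+echo
+}
+
+# Stop snort:
+by2_stop() {
+echo -n "Stopping Barnyard2 daemon..."
+kill $(cat $PIDFILE)
+echo
+sleep 1
+rm -f $PIDFILE
+}
+
+# Restart snort:
+by2_restart() {
+by2_stop
+sleep 1
+by2_start
+}
+
+case "$1" in
+'start')
+by2_start
+;;
+'stop')
+by2_stop
+;;
+'restart')
+by2_restart
+;;
+*)
+echo "usage $0 start|stop|restart"
+esac
+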
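Review bot: `by2_stop` runs `kill $(cat $PIDFILE)` without checking that the pidfile exists or is readable, so a stop or restart on a non-running daemon prints a `cat` error followed by `kill`'s usage text, and a stale pidfile (the daemon died and `rm -f $PIDFILE` never ran) would send SIGTERM to whatever unrelated process now holds that PID. Guard on the pidfile first and quote the expansions, as below; `PIDFILE=/var/run/barnyard2_$IFACE.pid` is only correct if barnyard2 names its pidfile that way for `--pid-path /var/run --create-pidfile -i $IFACE`, which the hunk does not show, so that assumption is worth a comment on the `PIDFILE=` line. Separately, the headers `# Start snort:`, `# Stop snort:` and `# Restart snort:` describe the wrong program; `# Start barnyard2:` etc. would match what the functions do.
```shell
# Stop barnyard2:
by2_stop() {
  if [ ! -r "$PIDFILE" ]; then
    echo "Barnyard2 does not appear to be running (no $PIDFILE)"
    return 1
  fi
  echo -n "Stopping Barnyard2 daemon..."
  kill "$(cat "$PIDFILE")"
  echo
  sleep 1
  rm -f "$PIDFILE"
}
# … unchanged: by2_start, by2_restart, case dispatch …
```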
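--- /dev/null
+++ b/network/barnyard2/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|'
+# on the right side marks the last column you can put a character in. You must
+# make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':'.
+
+|-----handy-ruler------------------------------------------------------|
+barnyard2: barnyard2 (Snort output processor)
+barnyard2:
+barnyard2: Barnyard2 is a fork of the original barnyard project, designed
+barnyard2: specifically for Snort's new unified2 file format. It is a critical
+barnyard2: tool for the parsing of Snort's binary log files to a variety of
+barnyard2: output plugins, capable of asynchronously processing, while Snort
+barnyard2: continues it's job.
+barnyard2:
+barnyard2: Homepage: http://www.securixlive.com/barnyard2/
+barnyard2:
+barnyard2: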