98 lines
2.7 KiB
Plaintext
98 lines
2.7 KiB
Plaintext
README.SLACKWARE
|
|
================
|
|
|
|
0) Preparation
|
|
--------------
|
|
|
|
For Barnyard2 to be useful, you will need a working setup of Snort, saving
|
|
output to a log in the binary "unified2" format.
|
|
Check the Snort documentation to find out how to do this.
|
|
|
|
You will also need a working database server. These instructions are based
|
|
on using MySQL, as it is included with Slackware, but other databases can
|
|
be used as well.
|
|
|
|
|
|
1) Test Barnyard2
|
|
-----------------
|
|
|
|
Before starting Barnyard2 as a daemon, do a quick test to see if it can read
|
|
the Snort log:
|
|
|
|
# barnyard2 -d /var/log/snort -f snort.log
|
|
|
|
Barnyard2 will parse the its configuration file and start processing the Snort
|
|
log file.
|
|
If there are already events in the log, it will show them with their
|
|
classification.
|
|
|
|
Now check if Snort is working by doing a port scan from another computer on
|
|
the network (this won't work if done from another terminal on the same system)
|
|
|
|
# nmap -A <ip_address_of_snort_box>
|
|
|
|
Snort should detect the port scan, write the event to the log, and Barnyard2
|
|
should display it.
|
|
|
|
|
|
2) Configure Barnyard2
|
|
----------------------
|
|
|
|
2.1 Setting up your database
|
|
|
|
Follow these steps to set up the database in MySQL:
|
|
(replacing the <...> fields with your passwords)
|
|
|
|
# cd /usr/doc/barnyard2-*/schemas
|
|
# mysql -p
|
|
Enter password: <your_mysql_root_password>
|
|
|
|
mysql> create database snort;
|
|
mysql> grant create,select,update,insert,delete on snort.* to snort@localhost;
|
|
mysql> set password for snort@localhost=PASSWORD('<your_mysql_snort_password>');
|
|
mysql> exit
|
|
|
|
# mysql -p < create_mysql snort
|
|
Enter password: <your_mysql_root_password>
|
|
|
|
This will create the snort database and the tables.
|
|
|
|
2.2 Edit the configuration file
|
|
|
|
Open the /etc/barnyard2.conf file with your favorite editor, go to the end and
|
|
edit the sample mysql configuration so that it looks like this:
|
|
|
|
output database: log, mysql, user=snort password=<your_mysql_snort_password> dbname=snort host=localhost
|
|
|
|
2.3 Start barnyard2 as a daemon
|
|
|
|
The Barnyard2 package installs a script to start and stop the daemon. Use it
|
|
like this to start Barnyard2:
|
|
|
|
# /etc/rc.d/rc.barnyard2 start
|
|
|
|
You can repeat the test with the port scan and the event should be logged in
|
|
your database now.
|
|
|
|
|
|
3) Automatic startup and shutdown of Barnyard2
|
|
----------------------------------------------
|
|
|
|
If you want Barnyard2 to start / stop automatically at boot and shutdown, use
|
|
these lines in your /etc/rc.d/rc.local:
|
|
|
|
# Start barnyard2
|
|
if [ -x /etc/rc.d/rc.barnyard2 ] ; then
|
|
echo "Starting Barnyard2..."
|
|
/etc/rc.d/rc.barnyard2 start
|
|
fi
|
|
|
|
And include this in your /etc/rc.d/rc.local_shutdown:
|
|
|
|
# Stop barnyard2
|
|
if [ -x /etc/rc.d/rc.barnyard2 ] ; then
|
|
echo "Stopping Barnyard2..."
|
|
/etc/rc.d/rc.barnyard2 stop
|
|
fi
|
|
|