
UPDATE: Snort 2.9.9.x has been released. Please see the updated series of articles or my quick install guide. I am leaving this older guide online for anyone who wants to install this older version of Snort on Ubuntu, but you really should be using the updated guide for the 2.9.9.x version of Snort, since support for older versions of Snort is set to expire, and the updated guide is kept more up to date and includes BASE instead of Snorby for a Web GUI.

Installing Barnyard2

In the previous three articles in this series, we installed Snort, configured it to run as a NIDS, and configured a rule. In this article, we are going to install and configure Barnyard2, which is a dedicated spooler that will help reduce the load on the Snort server.


Download the latest Snort open source network intrusion prevention software. Barnyard2 provides the following enhancements to the. Download mirrors for barnyard2-1.9.tar.gz (637.58 KB, 2011-02-07): ftp://ftp.fsn.hu/pub/linux/distributions/gentoo/distfiles/barnyard2-1.9.tar.gz

Notes

You will be prompted to create both a MySQL root password and a password for a MySQL database snort user. In the examples below, we have chosen to use MYSQLROOTPASSWORD as the MySQL root password, and MYSQLSNORTPASSWORD as the password for the MySQL database snort user. Please note the difference when working below.

Onward

First, we need to install some prerequisites:

sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool

You will be prompted for the MySQL root password.

We chose MYSQLROOTPASSWORD for the examples below. Next, we need to edit snort.conf:

sudo vi /etc/snort/snort.conf

We need to add a line that tells Snort to output events in binary form (so that Barnyard2 can read them). After line 520 in /etc/snort/snort.conf (a line that is a commented-out example), add the following line and save the file:

output unified2: filename snort.u2, limit 128

This line tells Snort to output events in the unified2 binary format, which is cheaper for Snort to write than human-readable alerts. Next we need to get, configure, and install Barnyard2.

Note on Barnyard2 version: In the commands below, we will be downloading a specific snapshot of Barnyard2 from GitHub: Barnyard2 version 2.1.14 with commits from Oct 21, 2015 (the latest version at this time).

I chose not to use the latest stable release, 2.1.13, because some important patches have been added after that release, and I chose not to use the HEAD release, because that will change after the release of this guide and I won’t have had the ability to test it. If you want, you can (and probably will want to) use the current HEAD release of Barnyard2, but if you have issues, you can always come back and use the version I’ve used below, which I have verified will work with the other pieces of software in this guide.

cd ~/snort_src
wget -O barnyard2-2-1.14-336.tar.gz
tar zxvf barnyard2-2-1.14-336.tar.gz
mv barnyard2-722288fe6be948f88afb74040f6dc9 barnyard2-2-1.14-336
cd barnyard2-2-1.14-336
autoreconf -fvi -I./m4

Barnyard2 needs access to the dnet.h library, which we installed with the Ubuntu libdumbnet package earlier. However, Barnyard2 expects a different file name for this library. Create a soft link from dnet.h to dumbnet.h so there are no issues:

sudo ln -s /usr/include/dumbnet.h /usr/include/dnet.h
sudo ldconfig

Depending on the architecture of your system (x86 or x64), run one of the following lines to tell Barnyard2 where the MySQL libraries are:

./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu

Then continue with the install:

make
sudo make install

Barnyard2 is now installed to /usr/local/bin/barnyard2.
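As an added example (it is not Barnyard2's code and not part of the original guide), the reader below decodes the two unified2 record types that the output line above makes Snort write: the IDS event record (type 7) and the packet record (type 2). Field order follows Snort's Unified2_common.h. The spool contents are constructed inline, and the sensor id, event id, timestamps and addresses in them are made up; the trailing header-only record shows the truncated tail a spooler sees while Snort is still writing.

```python
"""Minimal unified2 reader: what Barnyard2 does before it hands records to an
output plugin. Added example; record layouts from Snort's Unified2_common.h."""
import socket
import struct

UNIFIED2_PACKET = 2      # raw packet that triggered an event
UNIFIED2_IDS_EVENT = 7   # IPv4 IDS event, 52-byte fixed layout

RECORD_HDR = struct.Struct("!II")                      # type, length
IDS_EVENT = struct.Struct("!" + "I" * 11 + "HH" + "BBBB")  # 52 bytes
PACKET_HDR = struct.Struct("!" + "I" * 7)              # 28 bytes, then packet

IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)


def parse_ids_event(payload):
    """Decode a type-7 record into a dict, adding dotted-quad addresses."""
    if len(payload) < IDS_EVENT.size:
        raise ValueError("truncated IDS event record")
    ev = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack_from(payload)))
    ev["src"] = socket.inet_ntoa(struct.pack("!I", ev["ip_source"]))
    ev["dst"] = socket.inet_ntoa(struct.pack("!I", ev["ip_destination"]))
    return ev


def parse_packet(payload):
    """Decode a type-2 record; the declared packet_length must fit the record."""
    hdr = PACKET_HDR.unpack_from(payload)
    length = hdr[6]
    data = payload[PACKET_HDR.size:PACKET_HDR.size + length]
    if len(data) != length:
        raise ValueError("packet record shorter than its declared packet_length")
    return {"sensor_id": hdr[0], "event_id": hdr[1], "linktype": hdr[5], "packet": data}


def iter_records(blob):
    """Yield (type, payload) pairs. A partial record at the end is not an
    error: Snort may still be writing it, so a spooler waits and retries."""
    off = 0
    while off + RECORD_HDR.size <= len(blob):
        rtype, rlen = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        if off + rlen > len(blob):
            break
        yield rtype, blob[off:off + rlen]
        off += rlen


def decode(blob):
    """Return a list of (kind, fields) for every complete record in blob."""
    out = []
    for rtype, payload in iter_records(blob):
        if rtype == UNIFIED2_IDS_EVENT:
            out.append(("event", parse_ids_event(payload)))
        elif rtype == UNIFIED2_PACKET:
            out.append(("packet", parse_packet(payload)))
        else:
            out.append(("unknown", {"type": rtype, "length": len(payload)}))
    return out


def build_sample_spool():
    """Constructed sample spool: one event for a rule with gid 1, sid 477,
    rev 3 (ICMP echo request, constructed addresses), its packet record, and
    a header-only record that Snort has not finished writing."""
    src = struct.unpack("!I", socket.inet_aton("192.168.1.10"))[0]
    dst = struct.unpack("!I", socket.inet_aton("192.168.1.1"))[0]
    event = IDS_EVENT.pack(1, 42, 1451606400, 0, 477, 1, 3, 29, 3, src, dst,
                           8, 0, 1, 0, 0, 0)
    pkt = b"\x45\x00\x00\x1c" + b"\x00" * 24          # constructed IPv4 stub
    packet = PACKET_HDR.pack(1, 42, 1451606400, 1451606400, 0, 1, len(pkt)) + pkt
    blob = RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(event)) + event
    blob += RECORD_HDR.pack(UNIFIED2_PACKET, len(packet)) + packet
    blob += RECORD_HDR.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size)  # partial tail
    return blob


if __name__ == "__main__":
    for kind, fields in decode(build_sample_spool()):
        print(kind, {k: v for k, v in fields.items() if k != "packet"})
```

Reading the file this way, rather than parsing text alerts, is the whole point of the output line: Snort only has to append fixed-layout binary records, and the spooler (Barnyard2, or a reader like this) absorbs the cost of decoding and database inserts.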


Description

Barnyard2 is an open source interpreter for Snort unified2 binary output files. Its primary use is allowing Snort to write to disk in an efficient manner and leaving the task of parsing binary data into various formats to a separate process that will not cause Snort to miss network traffic.

This post is a bit unexpected in that a few days ago, I didn’t think I would be installing Snort and learning to use it.

But the UCSB iCTF competition is coming up on March 22 and having spoken with a local legend who was giving me some advice on how to prepare, snort is a must-have tool. Having installed Snort just now I feel I should share for those who want to get started in network security monitoring and intrusion detection and prevention. For those who don’t know what Snort is, check out their site. I used some of the information found at installation guide to get started.

First thing to do is to get and install the prerequisite packages. The prereqs are:

Libpcap
PCRE
Libdnet
Barnyard2
DAQ

Libpcap

If you’re using Ubuntu or any other Debian based Linux OS, you can simply run:

$ sudo apt-get install libpcap0.8-dev

Otherwise, follow the instructions below.

$ wget libpcap-1.2.1.tar.gz
$ tar xvzf libpcap-1.2.1.tar.gz
$ sudo mv libpcap-1.2.1 /usr/src
$ cd /usr/src/libpcap-1.2.1
$ sudo ./configure
$ sudo make
$ sudo make install

And libpcap should be good to go!

🙂

PCRE

If you’re using Ubuntu, try:

$ sudo apt-get install libpcre3-dev

Otherwise, follow the instructions below. Downloading and getting this installed is pretty much exactly the same as the instructions for libpcap, except for where you get the file. The link for PCRE is:

$ wget pcre-8.32.tar.bz2
$ tar xvjf pcre-8.32.tar.bz2

(Note the j flag: this archive is bzip2-compressed, so the z flag used for the .tar.gz files above will not unpack it.) The rest of the instructions you pretty much follow verbatim from libpcap.

Libdnet

Ubuntu:

$ sudo apt-get install libdnet-dev

Otherwise, the link for libdnet is:

$ wget libdnet-1.11.tar.gz
$ tar xvzf libdnet-1.11.tar.gz

And then follow the other steps from above.

Barnyard2

The link for barnyard2 is:

$ wget barnyard2-1.9.tar.gz
$ tar xvzf barnyard2-1.9.tar.gz

And then follow the other steps from above.

DAQ

The link for DAQ is:

$ wget daq-2.0.0.tar.gz
$ tar xvzf daq-2.0.0.tar.gz

Then follow the other steps from above. After finally getting all of these things installed, you can grab Snort from this link:

$ wget snort-2.9.4.tar.gz
$ tar xvzf snort-2.9.4.tar.gz

Follow the instructions from libpcap to get it installed, and once it’s installed continue reading below. Note: Snort may take longer to run the ./configure and make commands. Now run the following commands to create the necessary directories (root is needed under /etc and /var):

$ sudo mkdir /etc/snort
$ sudo mkdir /etc/snort/rules
$ sudo mkdir /var/log/snort

To get started, I made these files as the installation guide said (if you don’t know how to use vim, use gedit):

$ sudo vim /etc/snort/snort.conf
OR
$ sudo gedit /etc/snort/snort.conf

In this file, add the following without the quotes: “include /etc/snort/rules/icmp.rules”. Save the file and exit.

$ sudo vim /etc/snort/rules/icmp.rules
OR
$ sudo gedit /etc/snort/rules/icmp.rules

In this file, add the following without the outer quotes: “alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)”.

Save the file and exit. Now to execute Snort:

$ snort -c /etc/snort/snort.conf -l /var/log/snort/

If this gives you the error “snort: error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory”, run the following commands to resolve the error:

$ cd /usr/lib
$ sudo ln -s /usr/local/lib/libdnet.1.0.1 libdnet.1

Now try running it again and it should work 😀 I don’t exactly know what the text in those two snort files means, but I plan to figure it out over the next few days and I’ll get back to you guys on setting up Snort rules and monitoring network traffic. For more info on running Snort and the different options you can use, run

$ man snort

and have a read. After I get Snort figured out a bit better I’ll post back here with my findings.
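As an added example, not part of the original post or of Snort itself, the parser below breaks a Snort rule such as the one written to icmp.rules above into its header (action, protocol, source, source port, direction, destination, destination port) and its options, and then lints the result the way a rule reviewer would. The second sample rule is constructed for the example and its sid is arbitrary.

```python
"""Parse and lint Snort rule text. Added example; the header/option split and
the reserved-sid convention follow the Snort rule syntax documentation."""
import re

# Header: action proto src sport direction dst dport, then "(options)".
RULE_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<options>.*)\)\s*$"
)

LOCAL_SID_START = 1000000  # sids below this are reserved for official rule sets


def split_options(body):
    """Split on ';' but not inside double quotes, so content:"a;b" survives."""
    opts, cur, in_quote, prev = [], [], False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        prev = ch
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def parse_rule(text):
    """Return a dict with the header fields and an 'options' dict.
    Flag options without a value (e.g. nocase) map to True."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    rule = {k: m.group(k) for k in
            ("action", "proto", "src", "sport", "direction", "dst", "dport")}
    options = {}
    for opt in split_options(m.group("options")):
        name, _, value = opt.partition(":")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        options[name.strip()] = value if value else True
    rule["options"] = options
    return rule


def lint_rule(rule):
    """List the problems a reviewer would flag before deploying the rule."""
    problems = []
    opts = rule["options"]
    if "msg" not in opts:
        problems.append("no msg: alerts will be hard to triage")
    sid = opts.get("sid")
    if sid is None or not str(sid).isdigit():
        problems.append("sid missing or not numeric")
    elif int(sid) < LOCAL_SID_START:
        problems.append("sid %s is in the range reserved for official rule sets; "
                        "local rules start at %d" % (sid, LOCAL_SID_START))
    if not str(opts.get("rev", "")).isdigit():
        problems.append("rev missing or not numeric")
    return problems


# The rule from the post, plus a constructed rule with a ';' inside a quoted option.
PAGE_RULE = 'alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)'
LOCAL_RULE = ('alert tcp any any -> any 80 (msg:"constructed; sample"; '
              'content:"a;b"; nocase; sid:1000001; rev:1;)')

if __name__ == "__main__":
    for text in (PAGE_RULE, LOCAL_RULE):
        r = parse_rule(text)
        print(r["action"], r["proto"], r["src"], r["sport"], r["direction"],
              r["dst"], r["dport"], r["options"], lint_rule(r))
```

In the rule from the post, "alert icmp any any -> any any" is the header (alert on any ICMP from any host and port to any host and port), and everything in parentheses is options: msg is the text shown in the alert, sid identifies the rule and rev its revision. The linter's only complaint about it is the sid: 477 sits in the range Snort reserves for its distributed rule sets, so a locally written rule is conventionally given a sid of 1000000 or higher to avoid clashing with an official rule of the same number.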

I will get into binary reversing as promised, but for the purposes of this competition I would like to have some idea of the workings of intrusion detection systems, since I know nothing about them. Let’s do this!

barnyard2-1.9# vim /etc/snort/barnyard2.conf
config hostname: snort

This is a detailed 'How to guide' for setting up Suricata with Snorby and Barnyard2. In this particular set up we are using:

Suricata from git - 1.4dev

Snorby -
Barnyard2 -

The physical set up that we have is the following:

Server1 (IP 192.168.1.91) - Suricata, Barnyard2
Server2 (IP 192.168.1.111) - Snorby

So we have Suricata running on Server1 producing unified2 logs, which are processed by Barnyard2 and forwarded to the Snorby MySQL DB on the remote Server2. Server1 and Server2 are Ubuntu LTS 64bit, 12.04.

sudo apt-get install gcc g++ build-essential libssl-dev libreadline6-dev zlib1g-dev linux-headers-generic libsqlite3-dev libxslt-dev libxml2-dev imagemagick git-core libmysqlclient-dev mysql-server libmagickwand-dev default-jre ruby1.9.3

sudo wget
bunzip2 wkhtmltopdf-0.10.0rc2-static-amd64.tar.bz2
tar xvf wkhtmltopdf-0.10.0rc2-static-amd64.tar
ls -lh
sudo cp wkhtmltopdf-amd64 /usr/bin/wkhtmltopdf

The above installation of wkhtmltopdf is the one that works for Snorby (tested with 2.5.1) - do not install the one from 'apt-get'.

Here are the steps to install Snort:

yum clean all
yum install gcc gcc-c++ kernel-devel patch make vim ssh libxml2 libxml2-devel
yum install pcre pcre-devel php php-common php-gd gd php-cli php-mysql flex bison php-pear-Numbers-Roman php-pear-Numbers-Words php-pear-Image-Color php-pear-Image-Canvas php-pear-Image-Graph libpcap libpcap-devel mysql mysql-devel mysql-bench mysql-server glib2-devel

Make sure libpcap (version 1.0.0) is installed. If a version lower than 1.0 is installed, it won’t work. If you need to, you can download and build it with the following commands:

wget
tar -xzf libpcap-1.0.0.tar.gz
cd libpcap-1.0.0
./configure --prefix=/usr
make
make install

wget

Download libnet-1.0.2a.tar.gz (not the .tgz file and not a later version) from.

Download the latest Snort binary from. Download the latest daq from. Download base-1.4.5.tar.gz from Command: wget. Download ADOdb from.

Download Barnyard2:

wget

Install libdnet:

cd libdnet-1.12
./configure
make
make install

Install daq:

tar -xf daq-0.5.tar
cd daq-0.5
./configure

http://jamieyu.com/snort-sguil-ids/ Created: 20120204 Updated: 20120221

I recently built Sguil 0.8 on RHEL 6 64-bit servers. This is a nice upgrade for my IDS systems from the good old Sguil 0.7 on RHEL 5 32-bit IDS systems I built back in 2008. There are a few build guides available on Sguil, but I haven’t found one that addresses this specific environment. I’m publishing the steps I took to build my IDS systems here.

Hopefully it will give some guidance to others who intend to do the same. There are many ways to build IDS systems. Snort-Sguil IDS is my favorite and has been in my production environment for years. Snort does the monitoring and alerting while Sguil provides the GUI for the IDS. There are other components running on the sensor that feed additional information to the GUI.

All software components are available free of charge, except the OS. I haven’t tried, but you should be able to apply the same setup to a CentOS box, which is almost like RedHat without the logo. I won’t go into details explaining what each software component is for.

There are many good descriptions on the Internet. If this is the first time you build Sguil, I suggest that you take a look at first. It’s a nice howto guide for Sguil 0.7, to which I referred when I built my old IDS systems. I like the author’s approach to building a versatile and secure IDS system, and have followed many good ideas in that howto guide. You should also be familiar with the. As far as I know, the basic data flow stayed the same from 0.7 to 0.8.

To build and run Sguil, you need:

Sguil Server
Sguil Sensor (with Snort)
Source Compiler to compile source code

You can use 3 different machines, or you can combine server and compiler on the same machine. You should not put compiler and sensor on the same box. You can add more sensors as needed. Additionally, you’ll run Sguil Client on a workstation with a GUI desktop. Hardware spec depends on the amount of network traffic that your IDS sensor is going to monitor.

I’d recommend getting at least 2GB memory and 300GB hard drives in RAID 1 or 5. If you can afford more, add more memory and hard drive space. As long as your hardware is no more than 4 years old, CPU speed should be sufficient.

Multi-core CPUs enhance performance of course. To install RHEL 6 64-bit OS, first consider how you want to partition the hard drive. In my case, I used separate partitions for the following mount points:

/boot
/
swap
/usr
/tmp
/var
/nsm

Notice the /nsm partition is the largest partition; it holds all Snort and Sguil data.


I configured it as a logical volume on a separate disk array so I can add more hard drives to the volume group later on. Install RHEL 6 64-bit with core and base packages. Register your new server with RHN. Run “yum update” to get the latest software updates. Add the “RHEL Server Optional” channel for the system on the RHN website.

This allows you to add the needed packages to compile code and run software. This is needed for compiler, server and sensor. This section describes how to compile software on your compiler.

Add more packages.

# yum install gcc gcc-c++ make flex bison
# yum install pcre-devel zlib-devel libpcap-devel
# yum install tcl-devel automake libtool

Tcl should already be installed.

The package from RedHat is not threaded, so you will not have the multi-thread issue seen on RHEL 5. If tcl is not installed, add the tcl package: Create a folder /usr/src/nsm and place all your source packages in the folder. The sources are compiled in the particular order shown below, because some are prerequisites for others.

As a general rule, all compiled software will be located in /usr/local/ folder. You will need to copy the software from your compiler to server/sensor/client later (hint: tar and scp).

Symbolic links are created to remove version numbers. There are multiple advantages to creating version-less symbolic links, as you’ll see in the commands and configurations below. It also makes it easier to upgrade individual packages without breaking the other components. Download libdnet-1.12.tgz from.

# cd /usr/src/nsm
# tar zxvf snort-2.9.1.2.tar.gz
# rm snort-2.9.1.2.tar.gz
# cd snort-2.9.1.2
# ./configure --prefix=/usr/local/snort-2.9.1.2 --with-dnet-includes=/usr/local/libdnet/include --with-dnet-libraries=/usr/local/libdnet/lib --with-daq-includes=/usr/local/daq/include --with-daq-libraries=/usr/local/daq/lib
# make
# make install

It’s likely that by the time you see this guide, the Snort team has released a newer version of Snort. You should be able to compile and run the newer version the same way you see here.

Download instantnsm-20080613.tar.gz from.

# mkdir /var/run/sguil
# chown sguil.sguil /var/run/sguil
# mkdir -p /etc/sguild/certs
# cp /usr/local/sguil/server/sguild.conf /etc/sguild
# cp /usr/local/sguil/server/autocat.conf /etc/sguild
# cp /usr/local/sguil/server/sguild.users /etc/sguild
# cp /usr/local/sguil/server/sguild.queries /etc/sguild
# cp /usr/local/sguil/server/sguild.access /etc/sguild
# cp /usr/local/sguil/server/sguild.email /etc/sguild
# cp /usr/local/sguil/server/sguild.reports /etc/sguild
# chown -R sguil.sguil /etc/sguild

Modify the /etc/sguild/sguild.conf file.

# ps -aef | grep sguil | grep -v grep
sguil 1928    1 0 10:00 ? 00:00:00 tclsh /usr/local/sguil/server/sguild -P /var/run/sguil/sguild.pid -D
sguil 1932 1928 0 10:00 ? 00:00:00 tclsh /usr/local/sguil/server/sguild -P /var/run/sguil/sguild.pid -D
sguil 1932 1928 0 10:00 ? 00:00:00 tclsh /usr/local/sguil/server/sguild -P /var/run/sguil/sguild.pid -D

Note: You should see 3 processes above. This section describes how to set up the Sguil sensor.

Your sensor should have two NICs, one for the management interface (eth0) and the other for listening to network traffic (eth1). There’s no need to configure an IP address on eth1. The sensor is named “MYSENSOR”.

This name has to be consistent for software to run correctly. If you have more than one sensor, each sensor should use a different name. The following packages should already be installed on the server: If not installed, use command “yum install xxx” to install. Install additional packages.

# useradd -u 400 -d /home/sguil -c 'SGUIL User' sguil
# mkdir -p /nsm/snort-logs/MYSENSOR/OLD
# mkdir -p /nsm/snort_data/MYSENSOR/dailylogs
# mkdir -p /nsm/snort_data/MYSENSOR/sancp
# chown -R sguil.sguil /nsm/snort-logs /nsm/snort_data
# ln -s /nsm/snort-logs/MYSENSOR /var/log/snort-MYSENSOR
# mkdir /var/run/sguil
# chown sguil.sguil /var/run/sguil

Configuration files are located in the folder /etc/sguil/. This guide only shows the part of the configuration settings that needs to be changed. Leave everything else in the file as is even if you don’t see it here. Copy the configuration files.

# tar xzvf snortrules-snapshot-2912.tar.gz
# touch /usr/local/snortrules/rules/white_list.rules
# touch /usr/local/snortrules/rules/black_list.rules
# mkdir /usr/local/snort/lib/snort_dynamicrules
# cp /usr/local/snortrules/so_rules/precompiled/RHEL-6-0/x86-64/2.9.1.2/* /usr/local/snort/lib/snort_dynamicrules/
# cd /usr/local/snortrules/etc/

Configure Snort by editing the /usr/local/snortrules/etc/snort.conf file. This can be tweaked to suit your needs. Here are the lines you must modify to run Snort properly.

###################################################
# Step #1: Set the network variables.
###################################################
ipvar HOME_NET 192.168.1.0/24
var WHITE_LIST_PATH /usr/local/snortrules/rules
var BLACK_LIST_PATH /usr/local/snortrules/rules
###################################################
# Step #4: Configure dynamic loaded libraries.

# ps -aef | grep sguil | grep -v grep
sguil 1901    1 0 10:00 ? 00:00:00 tclsh /usr/local/sguil/sensor/pads_agent.tcl -D -c /etc/sguil/pads_agent.conf
sguil 1903 1901 0 10:00 ? 00:00:00 cat /nsm/snort_data/MYSENSOR/pads.fifo
sguil 1911    1 0 10:00 ? 00:00:00 tclsh /usr/local/sguil/sensor/pcap_agent.tcl -D -c /etc/sguil/pcap_agent.conf
sguil 1920    1 0 10:00 ? 00:00:00 tclsh /usr/local/sguil/sensor/sancp_agent.tcl -D -c /etc/sguil/sancp_agent.conf
sguil 1945    1 0 10:00 ? 00:00:00 tclsh /usr/local/sguil/sensor/snort_agent.tcl -D -c /etc/sguil/snort_agent.conf
sguil 1949 1945 0 10:00 ? 00:00:00 tail -n 1 -f /nsm/snort_data/MYSENSOR/snort.stats
sguil 1954    1 0 10:00 ? 00:00:00 /usr/local/bin/barnyard2 -c /etc/sguil/barnyard2.conf -f merged.log --pid-path /var/run/sguil -w /var/log/snort-MYSENSOR/waldo2.file -l /var/log/snort-MYSENSOR -a /var/log/snort-MYSENSOR/OLD -d /var/log/snort-MYSENSOR -D
sguil 1961    1 1 10:00 ? 00:00:00 /usr/local/bin/sancp -d /nsm/snort_data/MYSENSOR/sancp -i eth1 -u sguil -g sguil -c /etc/sguil/sancp.conf -D
sguil 1914    1 1 10:00 ? 00:00:00 /usr/local/bin/pads -c /etc/sguil/pads.conf -u sguil -g sguil
sguil 1934    1 2 10:00 ? 00:00:00 /usr/local/bin/snort -u sguil -g sguil -m 122 -l /var/log/snort-MYSENSOR -c /usr/local/snortrules/etc/snort.conf -D -i eth1 -q -A none -U --pid-path /var/run/sguil
sguil 1958    1 7 10:00 ? 00:00:00 /usr/local/bin/snort -u sguil -g sguil -m 122 -l /nsm/snort_data/MYSENSOR/dailylogs/2011-12-01 -b -i eth1

Note: You should see 11 processes above.

The Sguil client can run on many systems. I have Sguil client 0.8 installed on an OpenSuse 64-bit system with the Gnome desktop. Install the following packages:

wireshark
tls
tclx
tcllib
itcl
iwidgets

Download the sguil-client-0.8.0.tar.gz file from and place it under the folder /usr/local/.

# crontab -e
# Restart the sguil packet logger on a regular basis
0 * * * * /etc/init.d/sguillogger restart

Reboot the sensor and verify all services start properly.

Things don’t always work the way we intended. If you can’t get it to work, check your files and folders to make sure you’ve made the correct modifications. You can also run the software commands without daemon mode and turn on verbose logging, if available, to troubleshoot. Check the logs. If you do get stuck, I’d suggest a few places where you could get some help: For Snort specific questions: Most of the software mentioned here is created and maintained by volunteers.

It’s a good idea to contribute back to the community if you can.