3/28/2013

Snort 2.9 on CentOS 6.3 (continued) with Barnyard2

This is a continuation of the post on installing Snort 2.9 on CentOS 6.4 (http://nkush.blogspot.com.au/2013/03/snort-29-on-centos-63.html). This post installs Barnyard2 on the host.

Barnyard is an output system for Snort. It improves Snort's performance by letting Snort write its events as compact binary output, which Barnyard then processes separately.

Barnyard processes the binary Snort output files (unified2 format) and stores the processed data in a database back-end, for example MySQL. The advantage of using Barnyard instead of Snort's own database output is that Barnyard is able to "cache" the data if the database becomes unavailable, so Snort itself never blocks on the database.

Barnyard can be executed in three modes; this example employs the continual mode with bookmarking. A bookmark (waldo) file is used to keep track of how far Barnyard has processed the spool files. If Barnyard fails, it can resume where it left off based on the bookmark file.

Installation:

  1. Install and configure MySQL
    1. yum -y install mysql mysql-server mysql-devel mysql-bench
    2. service mysqld start
    3. /usr/bin/mysql_secure_installation
  2. Download and install Barnyard2 from http://securixlive.com/barnyard2/download.php
    1. wget http://securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
    2. tar zxvf barnyard2-1.9.tar.gz
    3. cd barnyard2-1.9
    4. ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql/
    5. make
    6. make install
  3. Configure Barnyard to process Snort output
    1. Change Snort config to output to the unified file format
      1. output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types
    2. Change the Barnyard config (/usr/local/etc/barnyard2.conf)
      1. config logdir: /var/log/barnyard2
      2. config hostname:    localhost
      3. config interface:    ethX
      4. config daemon
      5. config set_gid:nnnn
      6. config set_uid:nnnn
      7. config show_year
      8. config umask: 066
      9. config waldo_file: /var/log/snort/barnyard2.waldo
      10. input unified2
      11. output database: log, mysql, user=snort password=password dbname=barnyard2 host=localhost
  4. Create the MySQL database for Barnyard
    1. mysqladmin -u root -p create barnyard2
    2. mysql -u root -p -D barnyard2 < ./schemas/create_mysql
  5. Grant privileges to database
    1. mysql -u root -p
    2. GRANT ALL PRIVILEGES ON barnyard2.* TO snort@localhost WITH GRANT OPTION;
    3. SET PASSWORD FOR snort@localhost=PASSWORD('password');
  6. Prepare Barnyard2
    1. touch /var/log/snort/barnyard2.waldo
    2. chown -R snort:snort /var/log/snort
  7. Run Barnyard then Snort
    1. barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort/ -w /var/log/snort/barnyard2.waldo -f merged.log -u snort -g snort -D
    2. snort -c /etc/snort/snort.conf -i eth4 -u snort -g snort -D

If all goes well then you should see events being logged into your event table in the barnyard2 database.

Errors:
  1. ERROR: unable to find mysqlclient library (libmysqlclient.*)
    1. ./configure --with-mysql-libraries=/usr/lib64/mysql/
  2. ERROR: Unable to open directory '' (No such file or directory)
     ERROR: Unable to find the next spool file!
    1. Ensure that the waldo file is specified (by the -w option included as a command line argument or in the config file)
  3. WARNING: Can't extract timestamp extension from 'alert' using base ''
    1. Ensure that the unified2 file is specified (by the -f option included as a command line argument or in the config file)
  4. FATAL ERROR: Absdir is not a subset of the logdir
    1. Ensure that the logdir is configured in the Barnyard configuration file
  5. FATAL ERROR: database: mysql_error: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)
    1. Ensure that the MySQL service/daemon is running
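The following preflight script is an added example, not part of the original post: it checks a barnyard2.conf and the spool/waldo files for the settings whose absence produces the errors listed above, so the checks can be run before starting Barnyard2 and Snort in step 7. The function names are mine; the directive syntax is the one shown in the configuration steps.

```shell
#!/bin/sh
# Preflight check for the continual-mode Barnyard2 setup described above (added
# example, not from the original post). It verifies the barnyard2.conf directives
# and on-disk files whose absence produces the errors listed under "Errors".

# Print the value of a "config KEY: VALUE" line (empty if the key is absent).
by2_conf_value() {  # $1 = config file, $2 = key
    sed -n "s/^[[:space:]]*config[[:space:]]*$2[[:space:]]*:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" | head -n 1
}

# Return 0 if the config carries every directive the post relies on, else 1 and
# one diagnostic per problem on stderr.
by2_check_conf() {  # $1 = barnyard2.conf
    conf="$1"; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    [ -n "$(by2_conf_value "$conf" logdir)" ] ||
        { echo "missing 'config logdir' (-> Absdir is not a subset of the logdir)" >&2; rc=1; }
    [ -n "$(by2_conf_value "$conf" waldo_file)" ] ||
        { echo "missing 'config waldo_file' (-> Unable to find the next spool file!)" >&2; rc=1; }
    grep -Eq '^[[:space:]]*input[[:space:]]+unified2' "$conf" ||
        { echo "missing 'input unified2'" >&2; rc=1; }
    grep -Eq '^[[:space:]]*output[[:space:]]+database:' "$conf" ||
        { echo "missing 'output database:' line, nothing will reach MySQL" >&2; rc=1; }
    # The post's sample line uses password=password; refuse to go live with it.
    if grep -Eq '^[[:space:]]*output[[:space:]]+database:.*password=password([[:space:]]|$)' "$conf"; then
        echo "database password is still the placeholder 'password'" >&2; rc=1
    fi
    return $rc
}

# Return 0 if the spool directory, a unified2 spool file and the waldo file exist.
by2_check_spool() {  # $1 = spool dir (-d), $2 = unified2 base name (-f), $3 = waldo file (-w)
    rc=0
    [ -d "$1" ] || { echo "spool dir $1 does not exist" >&2; rc=1; }
    ls "$1/$2".* >/dev/null 2>&1 ||
        { echo "no $2.<timestamp> file in $1 (is Snort running with 'output unified2'?)" >&2; rc=1; }
    [ -f "$3" ] || { echo "waldo file $3 missing (touch it and chown it to snort)" >&2; rc=1; }
    return $rc
}

# Usage: sh by2_preflight.sh /usr/local/etc/barnyard2.conf /var/log/snort merged.log /var/log/snort/barnyard2.waldo
if [ "$#" -eq 4 ]; then
    by2_check_conf "$1" && by2_check_spool "$2" "$3" "$4" && echo "preflight OK"
fi
```

A clean run prints "preflight OK"; each failed check names the Barnyard2 error it would otherwise produce at start-up.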

4 comments:

  1. How about, no data going into database?
    CentOS 6.4 (final)
    snort-2.9.5.3.tar.gz
    barnyard2-1.9
    daq-2.0.1.tar.gz

    I get no errors either.

  2. Same here. No data in database and your steps were followed to the Tee. :(

  3. Thanks a lot, this tutorial solved my problem. Now I know how to connect Snort with MySQL.

    1. No event in database. Event count=0. How can you fix it? Help me please!
