Barnyard is an output system for Snort. It effectively improves Snort performance by letting Snort write binary output, which Barnyard then processes.
Barnyard reads the binary Snort output files (unified2 format) and stores the processed events in a database back-end, for example MySQL. The advantage of using Barnyard instead of Snort's own database output is that Barnyard can "cache" the data when the database is unavailable.
Barnyard can run in three modes; this example uses the continual mode with bookmarking. A bookmark (waldo) file keeps track of how far Barnyard has processed the spool files, so if Barnyard fails it can resume where it left off based on that bookmark file.
- Download from http://securixlive.com/barnyard2/download.php
- wget http://securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
- tar zxvf barnyard2-1.9.tar.gz
- cd barnyard2-1.9
- ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql/
- make install
- mysqladmin -u root -p create barnyard2
- mysql -u root -p -D barnyard2 < ./schemas/create_mysql
- Grant privileges to database
- mysql -u root -p
- GRANT ALL PRIVILEGES ON barnyard2.* TO snort@localhost WITH GRANT OPTION;
- SET PASSWORD FOR snort@localhost=PASSWORD('password');
If all goes well then you should see events being logged into your event table in the barnyard2 database.
- ./configure --with-mysql-libraries=/usr/lib64/mysql/
- ERROR: Unable to open directory '' (No such file or directory)
  ERROR: Unable to find the next spool file!
- Ensure that the waldo file is specified (by the -w option included as a command line argument or in the config file)
- WARNING: Can't extract timestamp extension from 'alert' using base ''
- Ensure that the unified2 file is specified (by the -f option included as a command line argument or in the config file)
- FATAL ERROR: Absdir is not a subset of the logdir
- Ensure that the logdir is configured in the Barnyard configuration file
- FATAL ERROR: database: mysql_error: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)
- Ensure that the MySQL service/daemon is running
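The troubleshooting entries above map each error to one missing setting. The following preflight script is an added example (not code from this page or from the Barnyard2 project) that checks those settings before barnyard2 is started; it assumes the barnyard2.conf directives "config logdir:" and "config waldo_file:", treats the unified2 base filename as the value you would pass with -f, and uses the socket path quoted in the MySQL error; the config file it builds for the demo run is constructed.

```shell
#!/bin/sh
# Added example, not from the page or the Barnyard2 project: check the settings
# that the troubleshooting section ties to each error before starting barnyard2.
# Assumed: barnyard2.conf uses "config logdir:" and "config waldo_file:"; the
# unified2 base filename is what -f would receive; the MySQL socket path is the
# one from the error message on the page.

# Print the value of "config <directive>: <value>" from a config file, if present.
conf_value() {
    conf="$1"; directive="$2"
    sed -n "s/^[[:space:]]*config[[:space:]]*${directive}:[[:space:]]*//p" "$conf" | head -n 1
}

# Usage: check_barnyard_conf CONFIG UNIFIED2_BASENAME [MYSQL_SOCKET]
# Prints one line per missing prerequisite and returns their count (0 = ready).
check_barnyard_conf() {
    conf="$1"; base="$2"; socket="${3:-/var/lib/mysql/mysql.sock}"
    problems=0
    if [ -z "$(conf_value "$conf" logdir)" ]; then
        echo "no 'config logdir:' -> FATAL ERROR: Absdir is not a subset of the logdir"
        problems=$((problems + 1))
    fi
    if [ -z "$(conf_value "$conf" waldo_file)" ]; then
        echo "no waldo file (config waldo_file: or -w) -> ERROR: Unable to find the next spool file!"
        problems=$((problems + 1))
    fi
    if [ -z "$base" ]; then
        echo "no unified2 base filename (-f) -> WARNING: Can't extract timestamp extension"
        problems=$((problems + 1))
    fi
    if [ ! -S "$socket" ]; then
        echo "no MySQL socket at $socket (is mysqld running?) -> FATAL ERROR: database: mysql_error"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Demo run against a constructed config that only sets logdir; the temp file is removed afterwards.
demo_conf=$(mktemp)
printf 'config logdir: /var/log/barnyard2\n' > "$demo_conf"
check_barnyard_conf "$demo_conf" "" || echo "missing prerequisites: $?"
rm -f "$demo_conf"
```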