Thursday, 29 June 2017

Setting up Barnyard2 using postgresql / postgres on CentOS 7

Important Fornote: Ensure that your snort instance output mode is set to unified in the snort.conf file e.g.:

output unified2: filename merged.log, limit 128

Do not include the 'nostamp' option with the above statement (as it is by default) otherwise barnyard will fail to read the logs.

and restart with:

sudo service snort restart

Let's firstly download and install barnyard2 with:

yum install autogen libpcap-devel postgresql-devel daq-devel libdnet-devel
cd /tmp
git clone https://github.com/firnsy/barnyard2.git
cd barnyard2
./autogen
./configure --with-postgresql
make
sudo make install

We can then copy the example config:

cp etc/barnyard.conf /etc/barnyard.conf

And ensure the following lines are set appropriately:

config daemon
config hostname: localhost
config interface: eth0
config logdir: /var/log/barnyard2/
config waldo_file: /var/log/barnyard2/barnyard2.waldo

and ensure the following line is present / uncommented:

output alert_fast: stdout

Important Note: Ensure 'deamon' mode is commented out in the barnyard.conf file otherwise you won't be able to debug easily when running the following command.

We can then test the configuration with:

sudo /usr/local/bin/barnyard2 -c /etc/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/barnyard2/barnyard2.waldo

We can also add a test rule into snort e.g. the following:

vi /etc/snort/rules/local.rules

alert icmp any any -> any any (msg: "ICMP Packet found"; sid:1000001; rev1;)

and restart snort with:

sudo service snort restart

This should hopefully generate a fair few events - even on smaller networks - if sending some ICMP traffic yourself with a ping or traceroute.

Once you are happy with the results we can then comment out the following (in barnyard.conf):

output alert_fast: stdout

and replace it with our postgresql server:

output database: log, postgresql, user=<username> password=<password> dbname=<snorby-database> host=localhost sensor_name=sensor1

Stop and start barnyard2 in using 'daemon' mode (-D)  this time:

sudo /usr/local/bin/barnyard2 -c /etc/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/barnyard2/barnyard2.waldo -D

Then verify events are present in Snorby - you might also need to restart the worker in some cases.

I ended up purging some of the snort logs and had to delete the .waldo (bookmark) file in order to get barnyard2 to start picking up logs again - once you've deleted the file simply 'touch' it:

touch /var/log/barnyard2/barnyard2.waldo

If all goes to plan we can now create a systemd service as follows:

vi /usr/lib/systemd/system/barnyard2.service

and add the following:

[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target
Requires=snort.service

[Service]
Type=simple
ExecStart=/usr/local/bin/barnyard2 -c /etc/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/barnyard2/barnyard2.waldo

[Install]
WantedBy=multi-user.target

Enable and start the service:

sudo systemctl enable 
sudo service barnyard2 start

0 comments:

Post a comment