aboutsummaryrefslogtreecommitdiff
path: root/network/barnyard2/README.SLACKWARE
diff options
context:
space:
mode:
authorNiels Horn <niels.horn@gmail.com>2010-10-15 22:16:57 -0500
committerRobby Workman <rworkman@slackbuilds.org>2010-10-15 22:16:57 -0500
commit3ecfa23e5c1bdf24ffef0b08f3197ea9709fb7ec (patch)
treefe115883ada4cd1837bd36dedc09ca848d39234d /network/barnyard2/README.SLACKWARE
parent91e62177b4609cb34fd1d4063287ec4e39879794 (diff)
network/barnyard2: Added (log parser for snort)
Signed-off-by: Robby Workman <rworkman@slackbuilds.org>
Diffstat (limited to 'network/barnyard2/README.SLACKWARE')
-rw-r--r--network/barnyard2/README.SLACKWARE97
1 files changed, 97 insertions, 0 deletions
diff --git a/network/barnyard2/README.SLACKWARE b/network/barnyard2/README.SLACKWARE
new file mode 100644
index 0000000000000..ec8b942f9904a
--- /dev/null
+++ b/network/barnyard2/README.SLACKWARE
@@ -0,0 +1,97 @@
+README.SLACKWARE
+================
+
+0) Preparation
+--------------
+
+For Barnyard2 to be useful, you will need a working setup of Snort, saving
+output to a log in the binary "unified2" format.
+Check the Snort documentation to find out how to do this.
+
+You will also need a working database server. These instructions are based
+on using MySQL, as it is included with Slackware, but other databases can
+be used as well.
+
+
+1) Test Barnyard2
+-----------------
+
+Before starting Barnyard2 as a daemon, do a quick test to see if it can read
+the Snort log:
+
+ # barnyard2 -d /var/log/snort -f snort.log
+
+Barnyard2 will parse the its configuration file and start processing the Snort
+log file.
+If there are already events in the log, it will show them with their
+classification.
+
+Now check if Snort is working by doing a port scan from another computer on
+the network (this won't work if done from another terminal on the same system)
+
+ # nmap -A <ip_address_of_snort_box>
+
+Snort should detect the port scan, write the event to the log, and Barnyard2
+should display it.
+
+
+2) Configure Barnyard2
+----------------------
+
+2.1 Setting up your database
+
+Follow these steps to set up the database in MySQL:
+(replacing the <...> fields with your passwords)
+
+ # cd /usr/doc/barnyard2-*/schemas
+ # mysql -p
+ Enter password: <your_mysql_root_password>
+
+ mysql> create database snort;
+ mysql> grant create,select,update,insert,delete on snort.* to snort@localhost;
+ mysql> set password for snort@localhost=PASSWORD('<your_mysql_snort_password>');
+ mysql> exit
+
+ # mysql -p < create_mysql snort
+ Enter password: <your_mysql_root_password>
+
+This will create the snort database and the tables.
+
+2.2 Edit the configuration file
+
+Open the /etc/barnyard2.conf file with your favorite editor, go to the end and
+edit the sample mysql configuration so that it looks like this:
+
+ output database: log, mysql, user=snort password=<your_mysql_snort_password> dbname=snort host=localhost
+
+2.3 Start barnyard2 as a daemon
+
+The Barnyard2 package installs a script to start and stop the daemon. Use it
+like this to start Barnyard2:
+
+ # /etc/rc.d/rc.barnyard2 start
+
+You can repeat the test with the port scan and the event should be logged in
+your database now.
+
+
+3) Automatic startup and shutdown of Barnyard2
+----------------------------------------------
+
+If you want Barnyard2 to start / stop automatically at boot and shutdown, use
+these lines in your /etc/rc.d/rc.local:
+
+# Start barnyard2
+if [ -x /etc/rc.d/rc.barnyard2 ] ; then
+ echo "Starting Barnyard2..."
+ /etc/rc.d/rc.barnyard2 start
+fi
+
+And include this in your /etc/rc.d/rc.local_shutdown:
+
+# Stop barnyard2
+if [ -x /etc/rc.d/rc.barnyard2 ] ; then
+ echo "Stopping Barnyard2..."
+ /etc/rc.d/rc.barnyard2 stop
+fi
+