diff options
author | Niels Horn <niels.horn@gmail.com> | 2010-10-15 22:16:57 -0500 |
---|---|---|
committer | Robby Workman <rworkman@slackbuilds.org> | 2010-10-15 22:16:57 -0500 |
commit | 3ecfa23e5c1bdf24ffef0b08f3197ea9709fb7ec (patch) | |
tree | fe115883ada4cd1837bd36dedc09ca848d39234d /network/barnyard2/README.SLACKWARE | |
parent | 91e62177b4609cb34fd1d4063287ec4e39879794 (diff) |
network/barnyard2: Added (log parser for snort)
Signed-off-by: Robby Workman <rworkman@slackbuilds.org>
Diffstat (limited to 'network/barnyard2/README.SLACKWARE')
-rw-r--r-- | network/barnyard2/README.SLACKWARE | 97 |
1 files changed, 97 insertions, 0 deletions
diff --git a/network/barnyard2/README.SLACKWARE b/network/barnyard2/README.SLACKWARE new file mode 100644 index 0000000000000..ec8b942f9904a --- /dev/null +++ b/network/barnyard2/README.SLACKWARE @@ -0,0 +1,97 @@ +README.SLACKWARE +================ + +0) Preparation +-------------- + +For Barnyard2 to be useful, you will need a working setup of Snort, saving +output to a log in the binary "unified2" format. +Check the Snort documentation to find out how to do this. + +You will also need a working database server. These instructions are based +on using MySQL, as it is included with Slackware, but other databases can +be used as well. + + +1) Test Barnyard2 +----------------- + +Before starting Barnyard2 as a daemon, do a quick test to see if it can read +the Snort log: + + # barnyard2 -d /var/log/snort -f snort.log + +Barnyard2 will parse the its configuration file and start processing the Snort +log file. +If there are already events in the log, it will show them with their +classification. + +Now check if Snort is working by doing a port scan from another computer on +the network (this won't work if done from another terminal on the same system) + + # nmap -A <ip_address_of_snort_box> + +Snort should detect the port scan, write the event to the log, and Barnyard2 +should display it. + + +2) Configure Barnyard2 +---------------------- + +2.1 Setting up your database + +Follow these steps to set up the database in MySQL: +(replacing the <...> fields with your passwords) + + # cd /usr/doc/barnyard2-*/schemas + # mysql -p + Enter password: <your_mysql_root_password> + + mysql> create database snort; + mysql> grant create,select,update,insert,delete on snort.* to snort@localhost; + mysql> set password for snort@localhost=PASSWORD('<your_mysql_snort_password>'); + mysql> exit + + # mysql -p < create_mysql snort + Enter password: <your_mysql_root_password> + +This will create the snort database and the tables. + +2.2 Edit the configuration file + +Open the /etc/barnyard2.conf file with your favorite editor, go to the end and +edit the sample mysql configuration so that it looks like this: + + output database: log, mysql, user=snort password=<your_mysql_snort_password> dbname=snort host=localhost + +2.3 Start barnyard2 as a daemon + +The Barnyard2 package installs a script to start and stop the daemon. Use it +like this to start Barnyard2: + + # /etc/rc.d/rc.barnyard2 start + +You can repeat the test with the port scan and the event should be logged in +your database now. + + +3) Automatic startup and shutdown of Barnyard2 +---------------------------------------------- + +If you want Barnyard2 to start / stop automatically at boot and shutdown, use +these lines in your /etc/rc.d/rc.local: + +# Start barnyard2 +if [ -x /etc/rc.d/rc.barnyard2 ] ; then + echo "Starting Barnyard2..." + /etc/rc.d/rc.barnyard2 start +fi + +And include this in your /etc/rc.d/rc.local_shutdown: + +# Stop barnyard2 +if [ -x /etc/rc.d/rc.barnyard2 ] ; then + echo "Stopping Barnyard2..." + /etc/rc.d/rc.barnyard2 stop +fi + |