diff options
author | Niels Horn <niels.horn@gmail.com> | 2010-10-15 22:16:57 -0500 |
---|---|---|
committer | Robby Workman <rworkman@slackbuilds.org> | 2010-10-15 22:16:57 -0500 |
commit | 3ecfa23e5c1bdf24ffef0b08f3197ea9709fb7ec (patch) | |
tree | fe115883ada4cd1837bd36dedc09ca848d39234d /network | |
parent | 91e62177b4609cb34fd1d4063287ec4e39879794 (diff) |
network/barnyard2: Added (log parser for snort)
Signed-off-by: Robby Workman <rworkman@slackbuilds.org>
Diffstat (limited to 'network')
-rw-r--r-- | network/barnyard2/README | 7 | ||||
-rw-r--r-- | network/barnyard2/README.SLACKWARE | 97 | ||||
-rw-r--r-- | network/barnyard2/barnyard2.SlackBuild | 102 | ||||
-rw-r--r-- | network/barnyard2/barnyard2.info | 10 | ||||
-rw-r--r-- | network/barnyard2/doinst.sh | 26 | ||||
-rw-r--r-- | network/barnyard2/rc.barnyard2 | 49 | ||||
-rw-r--r-- | network/barnyard2/slack-desc | 19 |
7 files changed, 310 insertions, 0 deletions
diff --git a/network/barnyard2/README b/network/barnyard2/README new file mode 100644 index 000000000000..2f8ef09cd54d --- /dev/null +++ b/network/barnyard2/README @@ -0,0 +1,7 @@ +Barnyard2 is a fork of the original barnyard project, designed +specifically for Snort's new unified2 file format. It is a +critical tool for the parsing of Snort's binary log files to a +variety of output plugins, capable of asynchronous processing, +while Snort continues it's job. + +See README.SLACKWARE for some instructions on setting up Barnyard2. diff --git a/network/barnyard2/README.SLACKWARE b/network/barnyard2/README.SLACKWARE new file mode 100644 index 000000000000..ec8b942f9904 --- /dev/null +++ b/network/barnyard2/README.SLACKWARE @@ -0,0 +1,97 @@ +README.SLACKWARE +================ + +0) Preparation +-------------- + +For Barnyard2 to be useful, you will need a working setup of Snort, saving +output to a log in the binary "unified2" format. +Check the Snort documentation to find out how to do this. + +You will also need a working database server. These instructions are based +on using MySQL, as it is included with Slackware, but other databases can +be used as well. + + +1) Test Barnyard2 +----------------- + +Before starting Barnyard2 as a daemon, do a quick test to see if it can read +the Snort log: + + # barnyard2 -d /var/log/snort -f snort.log + +Barnyard2 will parse the its configuration file and start processing the Snort +log file. +If there are already events in the log, it will show them with their +classification. + +Now check if Snort is working by doing a port scan from another computer on +the network (this won't work if done from another terminal on the same system) + + # nmap -A <ip_address_of_snort_box> + +Snort should detect the port scan, write the event to the log, and Barnyard2 +should display it. + + +2) Configure Barnyard2 +---------------------- + +2.1 Setting up your database + +Follow these steps to set up the database in MySQL: +(replacing the <...> fields with your passwords) + + # cd /usr/doc/barnyard2-*/schemas + # mysql -p + Enter password: <your_mysql_root_password> + + mysql> create database snort; + mysql> grant create,select,update,insert,delete on snort.* to snort@localhost; + mysql> set password for snort@localhost=PASSWORD('<your_mysql_snort_password>'); + mysql> exit + + # mysql -p < create_mysql snort + Enter password: <your_mysql_root_password> + +This will create the snort database and the tables. + +2.2 Edit the configuration file + +Open the /etc/barnyard2.conf file with your favorite editor, go to the end and +edit the sample mysql configuration so that it looks like this: + + output database: log, mysql, user=snort password=<your_mysql_snort_password> dbname=snort host=localhost + +2.3 Start barnyard2 as a daemon + +The Barnyard2 package installs a script to start and stop the daemon. Use it +like this to start Barnyard2: + + # /etc/rc.d/rc.barnyard2 start + +You can repeat the test with the port scan and the event should be logged in +your database now. + + +3) Automatic startup and shutdown of Barnyard2 +---------------------------------------------- + +If you want Barnyard2 to start / stop automatically at boot and shutdown, use +these lines in your /etc/rc.d/rc.local: + +# Start barnyard2 +if [ -x /etc/rc.d/rc.barnyard2 ] ; then + echo "Starting Barnyard2..." + /etc/rc.d/rc.barnyard2 start +fi + +And include this in your /etc/rc.d/rc.local_shutdown: + +# Stop barnyard2 +if [ -x /etc/rc.d/rc.barnyard2 ] ; then + echo "Stopping Barnyard2..." + /etc/rc.d/rc.barnyard2 stop +fi + diff --git a/network/barnyard2/barnyard2.SlackBuild b/network/barnyard2/barnyard2.SlackBuild new file mode 100644 index 000000000000..d1b9386a383a --- /dev/null +++ b/network/barnyard2/barnyard2.SlackBuild @@ -0,0 +1,102 @@ +#!/bin/sh + +# Slackware build script for barnyard2 +# Snort binary log processor + +# Written by Niels Horn <niels.horn@gmail.com> +# Revision date 2010/09/21 + +PRGNAM=barnyard2 +VERSION=${VERSION:-1.8} +BUILD=${BUILD:-1} +TAG=${TAG:-_SBo} + +if [ -z "$ARCH" ]; then + case "$( uname -m )" in + i?86) ARCH=i486 ;; + arm*) ARCH=arm ;; + *) ARCH=$( uname -m ) ;; + esac +fi + +CWD=$(pwd) +TMP=${TMP:-/tmp/SBo} +PKG=$TMP/package-$PRGNAM +OUTPUT=${OUTPUT:-/tmp} + +if [ "$ARCH" = "i486" ]; then + SLKCFLAGS="-O2 -march=i486 -mtune=i686" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "i686" ]; then + SLKCFLAGS="-O2 -march=i686 -mtune=i686" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "x86_64" ]; then + SLKCFLAGS="-O2 -fPIC" + LIBDIRSUFFIX="64" +else + SLKCFLAGS="-O2" + LIBDIRSUFFIX="" +fi + +set -e + +rm -rf $PKG +mkdir -p $TMP $PKG $OUTPUT +cd $TMP +rm -rf $PRGNAM-$VERSION +tar xvf $CWD/$PRGNAM-$VERSION.tar.gz +cd $PRGNAM-$VERSION +chown -R root:root . +find . \ + \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \ + -exec chmod 755 {} \; -o \ + \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \ + -exec chmod 644 {} \; + +CFLAGS="$SLKCFLAGS" \ +CXXFLAGS="$SLKCFLAGS" \ +./configure \ + --prefix=/usr \ + --libdir=/usr/lib${LIBDIRSUFFIX} \ + --sysconfdir=/etc \ + --docdir=/usr/doc/$PRGNAM-$VERSION \ + --mandir=/usr/man \ + --localstatedir=/var \ + --with-mysql-libraries=/usr/lib${LIBDIRSUFFIX}/mysql \ + --with-mysql-includes=/usr/include/mysql \ + --build=$ARCH-slackware-linux + +make +make install DESTDIR=$PKG + +find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \ + | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true + +mv $PKG/etc/$PRGNAM.conf $PKG/etc/$PRGNAM.conf.new + +# Include rc.barnyard2 file +mkdir -p $PKG/etc/rc.d +cat $CWD/rc.barnyard2 > $PKG/etc/rc.d/rc.barnyard2.new +chmod 0755 $PKG/etc/rc.d/rc.barnyard2.new + +# Create directory for log +mkdir -p $PKG/var/log/$PRGNAM + +# Copy database schemas and docs +mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION/schemas +for sc in schemas/create_*; do + cat $sc > $PKG/usr/doc/$PRGNAM-$VERSION/$sc +done +cp -a \ + COPYING LICENSE RELEASE.NOTES doc/* \ + $PKG/usr/doc/$PRGNAM-$VERSION +find $PKG/usr/doc/$PRGNAM-$VERSION -name "Makefile*" -exec rm -f {} \; +cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild +cat $CWD/README.SLACKWARE > $PKG/usr/doc/$PRGNAM-$VERSION/README.SLACKWARE + +mkdir -p $PKG/install +cat $CWD/slack-desc > $PKG/install/slack-desc +cat $CWD/doinst.sh > $PKG/install/doinst.sh + +cd $PKG +/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz} diff --git a/network/barnyard2/barnyard2.info b/network/barnyard2/barnyard2.info new file mode 100644 index 000000000000..edbfac211584 --- /dev/null +++ b/network/barnyard2/barnyard2.info @@ -0,0 +1,10 @@ +PRGNAM="barnyard2" +VERSION="1.8" +HOMEPAGE="http://www.securixlive.com/barnyard2/" +DOWNLOAD="http://www.securixlive.com/download/barnyard2/barnyard2-1.8.tar.gz" +MD5SUM="72fc6c490db6ea6a0f46c27d24998067" +DOWNLOAD_x86_64="" +MD5SUM_x86_64="" +MAINTAINER="Niels Horn" +EMAIL="niels.horn@gmail.com" +APPROVED="rworkman" diff --git a/network/barnyard2/doinst.sh b/network/barnyard2/doinst.sh new file mode 100644 index 000000000000..898ed74319c2 --- /dev/null +++ b/network/barnyard2/doinst.sh @@ -0,0 +1,26 @@ +config() { + NEW="$1" + OLD="$(dirname $NEW)/$(basename $NEW .new)" + # If there's no config file by that name, mv it over: + if [ ! -r $OLD ]; then + mv $NEW $OLD + elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then # toss the redundant copy + rm $NEW + fi + # Otherwise, we leave the .new copy for the admin to consider... +} + +preserve_perms() { + NEW="$1" + OLD="$(dirname $NEW)/$(basename $NEW .new)" + if [ -e $OLD ]; then + cp -a $OLD ${NEW}.incoming + cat $NEW > ${NEW}.incoming + mv ${NEW}.incoming $NEW + fi + config $NEW +} + +preserve_perms etc/rc.d/rc.barnyard2.new +config etc/barnyard2.conf.new + diff --git a/network/barnyard2/rc.barnyard2 b/network/barnyard2/rc.barnyard2 new file mode 100644 index 000000000000..93e899f4c9e9 --- /dev/null +++ b/network/barnyard2/rc.barnyard2 @@ -0,0 +1,49 @@ +#!/bin/sh +# Start/stop/restart barnyard2 + +# Settings +SNORTLOGDIR=${SNORTLOGDIR:-/var/log/snort} +SNORTLOGFILE=${SNORTLOGFILE:-snort.log} +IFACE=${IFACE:-any} +PIDFILE=/var/run/barnyard2_$IFACE.pid +LOGDIR=/var/log/barnyard2 + + +# Start snort: +by2_start() { + CMDLINE="/usr/bin/barnyard2 -i $IFACE -d $SNORTLOGDIR -f $SNORTLOGFILE -n -D " + echo -n "Starting Barnyard2 daemon: $CMDLINE" + $CMDLINE --pid-path /var/run --create-pidfile -l $LOGDIR + echo +} + +# Stop snort: +by2_stop() { + echo -n "Stopping Barnyard2 daemon..." + kill $(cat $PIDFILE) + echo + sleep 1 + rm -f $PIDFILE +} + +# Restart snort: +by2_restart() { + by2_stop + sleep 1 + by2_start +} + +case "$1" in +'start') + by2_start + ;; +'stop') + by2_stop + ;; +'restart') + by2_restart + ;; +*) + echo "usage $0 start|stop|restart" +esac + diff --git a/network/barnyard2/slack-desc b/network/barnyard2/slack-desc new file mode 100644 index 000000000000..2d38c0aa23c2 --- /dev/null +++ b/network/barnyard2/slack-desc @@ -0,0 +1,19 @@ +# HOW TO EDIT THIS FILE: +# The "handy ruler" below makes it easier to edit a package description. Line +# up the first '|' above the ':' following the base package name, and the '|' +# on the right side marks the last column you can put a character in. You must +# make exactly 11 lines for the formatting to be correct. It's also +# customary to leave one space after the ':'. + + |-----handy-ruler------------------------------------------------------| +barnyard2: barnyard2 (Snort output processor) +barnyard2: +barnyard2: Barnyard2 is a fork of the original barnyard project, designed +barnyard2: specifically for Snort's new unified2 file format. It is a critical +barnyard2: tool for the parsing of Snort's binary log files to a variety of +barnyard2: output plugins, capable of asynchronously processing, while Snort +barnyard2: continues it's job. +barnyard2: +barnyard2: Homepage: http://www.securixlive.com/barnyard2/ +barnyard2: +barnyard2: |