behind the scenes with snort – part 2
In part 2 of a behind the scenes look at Snort, we shall begin by looking at barnyard. Barnyard can best be described as the middle man between Snort and its database. You are probably saying … Snort has native database support built in (if you compiled it as such), so why do I need another application to handle this task?!
The answer is rather simple: alert queuing. In almost every production environment, the database for Snort alerts is not stored locally on the Snort box. So, if there is a loss of transport, or hardware/database issues, what happens to Snort? It will just stop logging alerts, leaving you with no IDS data for the timespan of the outage. Forensically speaking, this is a horrendously bad idea. This is where barnyard will be your savior: as Snort logs alerts to the local unified files, barnyard keeps track of what has or has not been inserted into the database. Barnyard will continue to store alerts in its queue while checking for database availability, ultimately inserting the queued alerts when the correct resources are available.
Let’s get ready to barnyard it up:
First off, we need to download the barnyard source code, available from snort.org, located here. Download the tarball to a temporary location and uncompress it (tar xfzv barnyard-0.2.0.tar.gz) as usual. Now we are ready to compile the barnyard binary and install it. Like most Linux applications, it wants to install itself into /usr/local by default; I myself don't want it there, so I compiled barnyard in the following manner:
lepus:~/temp/barnyard-0.2.0# ./configure --enable-mysql --prefix=/usr --with-mysql-includes=/usr/include/mysql --with-mysql-libraries=/usr/lib/mysql
If you plan to use barnyard to log to a database (and why wouldn't you?), you will need to tell configure what database type you want to use. Refer to the barnyard-0.2.0/docs/INSTALL file for other database options. Depending on the location of your mysql support files, it might be necessary to inform configure where they are as well. Following the successful completion of the configure process, run make and make install as usual. If you followed my methods, the barnyard binary will now be installed in /usr/bin/.
Now we need a barnyard configuration. The default example conf is located in barnyard-0.2.0/etc/. We need to copy it to /etc (like we did in part 1 with the oinkmaster.conf), and then chown it to be owned by the snort account (chown snort:snort /etc/barnyard.conf). This is a good time to go ahead and make sure that /var/log/snort exists and is owned by snort, because this is where we are going to store our unified log files. As a side note, if you find that even though you are starting snort with -u snort -g snort the unified logs are owned by root, you can try starting snort with -m 022 (to set a umask).
Time to dive into the barnyard.conf:
Since my barnyard is very simple, I will just provide it here instead of a download.
# enable daemon mode
config daemon
# use localtime instead of UTC (*not* recommended because of timewarps)
config localtime
# set the hostname (currently only used for the acid db output plugin)
config hostname: xxxx
# set the interface name (currently only used for the acid db output plugin)
config interface: xxxx
# set the output options for mysql/acid_db schema
output alert_acid_db: mysql, sensor_id xx, database xxxx, server xxxx, user xxxx, password xxxx
output log_acid_db: mysql, database xxxx, server xxxx, user snort, password xxxx, detail full
Now we need to create a file in /var/log/snort; the name is up to you. The documentation calls this file waldo, and so did I. For the moment we will leave this file empty, but don't forget about it: we will need to put some info in it once we tell snort to do unified logging.
Time to tell snort to do unified logging. Fire up your editor of choice and edit /etc/snort/snort.conf. Near the bottom of snort.conf are the output plugins; comment out any entries you have for writing directly to a database. Then uncomment the following two lines to enable unified logging:
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
Alright, by now, you should have snort configured to output to unified log files, barnyard should have a conf file located in /etc, and oinkmaster should be updating the ruleset every morning. The last piece we need to cover is getting barnyard to do its job. After snort has been restarted, you should now see two files in /var/log/snort called snort.log.xxxxxxx and snort.alert.xxxxxxx as well as the waldo file you created. Edit the waldo file and enter the following info:
/var/log/snort
snort.log.xxxxxxxx (where xxxxxxxx is the exact suffix of the snort.log.xxxxxxxx file created by snort)
Time to put barnyard to work:
barnyard -c /etc/barnyard.conf -d /var/log/snort -s /etc/snort/rules/bleeding-sid-msg.map -g /etc/snort/gen-msg.map -p /etc/snort/classification.config -f snort.log -w waldo
Yikes, I know .. but it's not really that confusing. I'll break it down like this: -c tells barnyard where its conf file is, -d tells it where to look for the unified goodness, -s, -g and -p tell it where the informational files are, -f gives it the prefix of the unified log file, and -w tells it where its bookmark file is. The purpose of waldo is so barnyard can keep track of what has been written to the database and what is still in queue, as well as calculating timestamps.
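Since the whole forensic argument for barnyard rests on the bookmark, it is worth being able to check it. The script below is an added example, not code from the original post or from the Snort/barnyard projects. It assumes only the two-line waldo layout the post tells you to write (line 1: the log directory, line 2: the unified file currently being read) and the snort.log.<digits> naming the post shows; barnyard's own bookkeeping may record more than that, and the checker does not try to interpret it. It reports a waldo that points at a file which no longer exists, lists the newer unified files barnyard has not reached yet (a growing list means the queue is backing up), and shows the directory owner so the snort:snort requirement from earlier can be verified. The directory layout in build_demo() is constructed for the demo.

```python
"""Sanity-check a barnyard bookmark ("waldo") file against the unified logs.

Added example; assumes the two-line waldo layout described in the post
(directory, then current unified file name) and snort.log.<epoch> file names.
"""
import os
import pwd
import re
import tempfile


def parse_waldo(path):
    """Return (log_dir, current_file) from a two-line waldo file."""
    with open(path) as fh:
        lines = [ln.strip() for ln in fh if ln.strip()]
    if len(lines) < 2:
        raise ValueError("waldo needs a directory line and a unified file name line")
    return lines[0], lines[1]


def unified_files(log_dir, prefix):
    """Unified files for one prefix, oldest first (the suffix is the epoch timestamp)."""
    pat = re.compile(r"^" + re.escape(prefix) + r"\.(\d+)$")
    found = []
    for name in os.listdir(log_dir):
        m = pat.match(name)
        if m:
            found.append((int(m.group(1)), name))
    return [name for _, name in sorted(found)]


def check_waldo(waldo_path, prefix):
    """Return (problems, unreached): warnings and the unified files after the bookmark."""
    log_dir, current = parse_waldo(waldo_path)
    if not os.path.isdir(log_dir):
        return ["log directory %s does not exist" % log_dir], []
    files = unified_files(log_dir, prefix)
    if current not in files:
        # Bookmark is stale: every file present is effectively unprocessed.
        return ["waldo points at %s, which is not in %s" % (current, log_dir)], files
    unreached = files[files.index(current) + 1:]
    problems = []
    if unreached:
        problems.append("%d newer unified file(s) after the bookmark: %s"
                        % (len(unreached), ", ".join(unreached)))
    return problems, unreached


def dir_owner(path):
    """Owner user name of a path (the post wants /var/log/snort owned by snort)."""
    return pwd.getpwuid(os.stat(path).st_uid).pw_name


def current_user():
    """User name this process runs as, for comparison with dir_owner()."""
    return pwd.getpwuid(os.getuid()).pw_name


def build_demo(current="snort.log.1000"):
    """Constructed layout: two unified log files and a waldo pointing at `current`."""
    log_dir = tempfile.mkdtemp(prefix="snortdemo-")
    for name in ("snort.log.1000", "snort.log.2000", "snort.alert.1000"):
        open(os.path.join(log_dir, name), "w").close()
    waldo = os.path.join(log_dir, "waldo")
    with open(waldo, "w") as fh:
        fh.write(log_dir + "\n" + current + "\n")
    return log_dir, waldo


if __name__ == "__main__":
    demo_dir, demo_waldo = build_demo()
    print("owner of %s: %s" % (demo_dir, dir_owner(demo_dir)))
    for warning in check_waldo(demo_waldo, "snort.log")[0]:
        print("WARN", warning)
```

On a real sensor you would call check_waldo("/var/log/snort/waldo", "snort.log") from cron and alert when the unreached list keeps growing, which is exactly the database outage scenario the post describes.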
You probably noticed I am using the bleeding-sid-msg.map. If you are like me and use the bleeding edge rule set, I highly suggest you download it from here (bleeding edge). If you don't, when barnyard processes the unified logs you will find your database populated with a ton of numbered alerts. This will be nothing but bad times, so download the proper sid-msg.map file.
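To see why the right sid-msg.map matters, here is an added example (not code from the original post or from barnyard) of the lookup a unified-log consumer has to perform for every event. It parses the three map files barnyard is handed on the command line above, using the formats Snort ships: sid-msg.map lines are `sid || msg || ref ...`, gen-msg.map lines are `gid || sid || msg`, and classification.config lines are `config classification: name,description,priority`. A (gid, sid) pair that is missing from the maps falls back to a numbered placeholder, which is the "numbered alerts" the post warns about (the exact wording barnyard stores is not shown here; the placeholder format is this example's own). The map contents below are constructed samples, and unresolved() lets you audit a batch of events for gaps before they reach the database.

```python
"""Resolve Snort (gid, sid) pairs to rule messages via sid-msg.map and gen-msg.map.

Added example; the three sample map texts are constructed, the line formats
are the ones the real files use.
"""

SID_MSG_MAP = """\
# constructed sample sid-msg.map: sid || msg || reference ...
1000001 || LOCAL test rule one || url,example.invalid
1000002 || LOCAL test rule two
"""

GEN_MSG_MAP = """\
# constructed sample gen-msg.map: gid || sid || msg
1 || 1 || snort general alert
111 || 1 || spp_stream4: Stealth activity (unknown) detection
"""

CLASSIFICATION = """\
# constructed sample classification.config
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
"""


def _records(text, min_fields):
    """Yield '||'-separated fields of non-comment lines with at least min_fields."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [f.strip() for f in line.split("||")]
        if len(parts) >= min_fields:
            yield parts


def parse_sid_msg_map(text):
    """sid -> (msg, [references]) for generator 1 (rule-based) events."""
    return {int(p[0]): (p[1], p[2:]) for p in _records(text, 2)}


def parse_gen_msg_map(text):
    """(gid, sid) -> msg for preprocessor/decoder events."""
    return {(int(p[0]), int(p[1])): p[2] for p in _records(text, 3)}


def parse_classification(text):
    """classification name -> (description, priority)."""
    classes = {}
    prefix = "config classification:"
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(prefix):
            continue
        name, desc, prio = [f.strip() for f in line[len(prefix):].split(",", 2)]
        classes[name] = (desc, int(prio))
    return classes


def lookup_msg(gid, sid, sids, gens):
    """Message for an event, or None when neither map knows it."""
    if gid == 1 and sid in sids:
        return sids[sid][0]
    return gens.get((gid, sid))


def resolve(gid, sid, sids, gens):
    """Message text, falling back to a numbered placeholder (example's own format)."""
    msg = lookup_msg(gid, sid, sids, gens)
    return msg if msg is not None else "Snort Alert [%d:%d]" % (gid, sid)


def unresolved(events, sids, gens):
    """Distinct (gid, sid) pairs in `events` that would become numbered alerts."""
    return sorted({(g, s) for g, s in events if lookup_msg(g, s, sids, gens) is None})


if __name__ == "__main__":
    sids = parse_sid_msg_map(SID_MSG_MAP)
    gens = parse_gen_msg_map(GEN_MSG_MAP)
    for gid, sid in [(1, 1000001), (111, 1), (1, 4242)]:
        print(gid, sid, "->", resolve(gid, sid, sids, gens))
    print("gaps:", unresolved([(1, 4242), (222, 9)], sids, gens))
```

Running unresolved() over the sids your rule set actually fires (or simply over every sid in your rules files) against the sid-msg.map you intend to give barnyard is a quick way to confirm you downloaded the matching map before the database fills with placeholders.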
This concludes a behind the scenes look at snort. If everything covered in this two part series worked out for you, you should have a really well running automated Snort IDS. I know this is sort of backwards, but now I feel like I should do a post or three on setting up snort.
Hope you enjoyed this, and I hope you learned a thing or two.