Using Barnyard2 in Snort

Jun 16,2016

Using Barnyard2 in Snort 

       One of the issues that came with snort is that how snort can keep processing the network traffic without dropping packets and performing extensive output operations such as send alerts and log them to the syslog or a database. One of the solutions was to make snort multithreaded, but it was a nightmare for developers to maintain a stable multithreaded version. As, a result, the final solution, they came up with was using a secondary program which will focus on generating alerts. The communication between snort and this secondary program is to be done by spooling the alerts data using certain kinds of files. And here I’m introducing the unified output format and Barnyard.

        If you are in the network management field and familiar with software define network, we are almost on the same page. Barnyard was first created to isolate the missions of processing output data from snort and keep the later focusing on more fundamental operations to monitor the network traffic.  As it was mentioned in Snort Intrusion Detection and Prevention, “Barnyard can be thought of as an asynchronous event processing and dispatching tool designed for use with Snort.” Furthermore, by using Barnyard along with snort, we will have an extra benefit as we can separate the level of access to snort. On one hand, in snort we need to have a root privilege in order to run the IDS mode. On the other hand, in Barnyard we can be in a user level to read the unified data. One more advantage of using Barnyard is that we always can reanalyze archived data issued by unified Barnyard plug-in. Since I mentioned unified files, I would like to talk about the format of these files; the essential requirements for the format are to be written in a fast way and in a small size.

         Now let’s go to the technical part which is installing Barnyard2 after installing snort. The basic idea here is that snort is to store events in binary form, and then Barnyard2 will read those event in asymmetrically and save them in a MYSQL database. Barnyard will require some requests in order to be installed and work probably such as C compiler and MYSQL server and client as it shown in the command I provided Also we are going to download a MYSQL library by using one of these commands depends on the operating system.

 sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool-

./configure --with-mysql --with-mysql libraries=/usr/lib/x86_64-linux-gnu  or ./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux

 

      To download, unpack and install Barnyard the following command needs to be used:

wget https://github.com/firnsy/barnyard2/archive/7254c24702392288fe6be948f88afb74040f6dc9.tar.gz \-O barnyard2-2-1.14-336.tar.gz

tar zxvf barnyard2-2-1.14-336.tar.gz

mv barnyard2-7254c24702392288fe6be948f88afb74040f6dc9 barnyard2-2-1.14-336

cd barnyard2-2-1.14-336

autoreconf -fvi -I ./m4

make

sudo make install

          All configurations are located in a special configuration file /etc/snort/barnyard2.conf. This file will have all information necessary for Banyard2 to connect to MySQL database. Next step is to test the system. It requires two steps: run Snort and save output to a log and then run Banyard2 and read the output file.

sudo /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort

 

        As snort has several modes, Barnyard also provides two modes which are batch processing and continual processing. First, in batch processing mode, Barnyard will process the each and every pre-specified unified files and then quit. The advantages of this mode are pulling tangible data from a unified file, reloading old data into a database, or testing new plug-ins used in snort. Second, in continual mode, events can be processed instantly if they triggered snort alerts.

      Barnyard has one more capability to localize alert messages in very easy way because the data is loaded from sid-msg.map and gen-msg.map files. Unlike snort which has 48 rule files, preprocessors, and rule options.  As a result, if we need to localize messages by using Barnyard, we only need to create new sid-msg.map and gen-msg.map. When a new rule needed to be added, a new entry can be inserted to those two Barnyard primary files.  

About the Author

Follow us

Using Barnyard2 in Snort

 Using Barnyard2 in Snort

Using Barnyard2 in Snort

Using Barnyard2 in Snort

Using Barnyard2 in Snort 

       One of the issues that came with snort is that how snort can keep processing the network traffic without dropping packets and performing extensive output operations such as send alerts and log them to the syslog or a database. One of the solutions was to make snort multithreaded, but it was a nightmare for developers to maintain a stable multithreaded version. As, a result, the final solution, they came up with was using a secondary program which will focus on generating alerts. The communication between snort and this secondary program is to be done by spooling the alerts data using certain kinds of files. And here I’m introducing the unified output format and Barnyard.

        If you are in the network management field and familiar with software define network, we are almost on the same page. Barnyard was first created to isolate the missions of processing output data from snort and keep the later focusing on more fundamental operations to monitor the network traffic.  As it was mentioned in Snort Intrusion Detection and Prevention, “Barnyard can be thought of as an asynchronous event processing and dispatching tool designed for use with Snort.” Furthermore, by using Barnyard along with snort, we will have an extra benefit as we can separate the level of access to snort. On one hand, in snort we need to have a root privilege in order to run the IDS mode. On the other hand, in Barnyard we can be in a user level to read the unified data. One more advantage of using Barnyard is that we always can reanalyze archived data issued by unified Barnyard plug-in. Since I mentioned unified files, I would like to talk about the format of these files; the essential requirements for the format are to be written in a fast way and in a small size.

         Now let’s go to the technical part which is installing Barnyard2 after installing snort. The basic idea here is that snort is to store events in binary form, and then Barnyard2 will read those event in asymmetrically and save them in a MYSQL database. Barnyard will require some requests in order to be installed and work probably such as C compiler and MYSQL server and client as it shown in the command I provided Also we are going to download a MYSQL library by using one of these commands depends on the operating system.

 sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool-

./configure --with-mysql --with-mysql libraries=/usr/lib/x86_64-linux-gnu  or ./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux

 

      To download, unpack and install Barnyard the following command needs to be used:

wget https://github.com/firnsy/barnyard2/archive/7254c24702392288fe6be948f88afb74040f6dc9.tar.gz \-O barnyard2-2-1.14-336.tar.gz

tar zxvf barnyard2-2-1.14-336.tar.gz

mv barnyard2-7254c24702392288fe6be948f88afb74040f6dc9 barnyard2-2-1.14-336

cd barnyard2-2-1.14-336

autoreconf -fvi -I ./m4

make

sudo make install

          All configurations are located in a special configuration file /etc/snort/barnyard2.conf. This file will have all information necessary for Banyard2 to connect to MySQL database. Next step is to test the system. It requires two steps: run Snort and save output to a log and then run Banyard2 and read the output file.

sudo /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort

 

        As snort has several modes, Barnyard also provides two modes which are batch processing and continual processing. First, in batch processing mode, Barnyard will process the each and every pre-specified unified files and then quit. The advantages of this mode are pulling tangible data from a unified file, reloading old data into a database, or testing new plug-ins used in snort. Second, in continual mode, events can be processed instantly if they triggered snort alerts.

      Barnyard has one more capability to localize alert messages in very easy way because the data is loaded from sid-msg.map and gen-msg.map files. Unlike snort which has 48 rule files, preprocessors, and rule options.  As a result, if we need to localize messages by using Barnyard, we only need to create new sid-msg.map and gen-msg.map. When a new rule needed to be added, a new entry can be inserted to those two Barnyard primary files.