We’ve just compiled the executable from source code on a dedicated build machine. Let’s continue by uploading the executable from the build machine to the IDS sensor.
thomas@builder: $ scp /home/thomas/barnyard2-install/bin/barnyard2 thomas@ids-sensor:
If this is not possible in your environment, use another means to copy the file.
Since the executable is dynamically linked against the mysqlclient libraries, we have to install them separately.
# apt-get install libmysqlclient18
Create database user and database
First of all you have to decide where to install your databases. The easiest method is to install the database on the local machine. For a number of reasons, this might not be what you prefer.
When I was configuring barnyard2, I used ‘snort’ as name for the new database.
Create database user
The user I created is ‘snortuser’ and it should have all rights to the ‘snort’ database.
Setup the tables
Setup the tables by executing the following script in your new MySQL database.
Create config file
Create the file /etc/snort/barnyard2.conf. In the config file, I assume that the database is running on the local machine. The username is snortuser. Password is secretpwd. The database name is snort. Adapt this to your setup.
# cat > /etc/snort/barnyard2.conf << EOF
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
config logdir: /var/log/snort
config hostname: sniffer
config interface: eth1
config daemon
config waldo_file: /var/log/snort/barnyard2.waldo
input unified2
output database: log, mysql, user=snortuser password=secretpwd dbname=snort host=127.0.0.1
# if you also want to forward alerts to syslog, uncomment the following 2 lines.
#output alert_syslog_full: sensor_name snortIds1-eth1, local
#output log_syslog_full: sensor_name snortIds1-eth1, local, log_priority LOG_CRIT
EOF
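Because the database password sits in clear text in barnyard2.conf, the file should be readable only by the user that runs barnyard2, and a typo in the `output database:` line (a missing dbname=, for instance) only shows up as an error in syslog after the daemon has already detached. The following checker is an added example, not part of the original post or of barnyard2 itself: it parses the directives used in the config above, verifies that the database output carries user, password, dbname and host, and flags a file mode that exposes the password. The sample config embedded in it is constructed from the page's own values, with dbname= deliberately left out so the checker has something to report.

```python
import os
import re
import stat
from typing import Dict, List, Tuple

# Constructed sample: the barnyard2.conf from the page, minus 'dbname=snort'
# so that the checker has a mistake to catch.
SAMPLE_CONF = """\
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
config logdir: /var/log/snort
config hostname: sniffer
config interface: eth1
config daemon
config waldo_file: /var/log/snort/barnyard2.waldo
input unified2
output database: log, mysql, user=snortuser password=secretpwd host=127.0.0.1
# syslog forwarding stays commented out, as on the page
#output alert_syslog_full: sensor_name snortIds1-eth1, local
"""

# Parameters the 'output database:' line must carry for the mysql plugin.
REQUIRED_DB_KEYS = ("user", "password", "dbname", "host")


def parse_barnyard2_conf(text: str) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Split a barnyard2.conf into config directives and output plugins.

    Returns ({"waldo_file": "/var/log/snort/barnyard2.waldo", "daemon": "", ...},
             [("database", "log, mysql, user=... host=...")]).
    Blank lines and '#' comments are skipped; 'input' lines are ignored here.
    """
    config: Dict[str, str] = {}
    outputs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            key, _, value = line[len("config "):].partition(":")
            config[key.strip()] = value.strip()
        elif line.startswith("output "):
            plugin, _, args = line[len("output "):].partition(":")
            outputs.append((plugin.strip(), args.strip()))
    return config, outputs


def parse_database_args(args: str) -> Dict[str, str]:
    """Parse 'log, mysql, user=x password=y dbname=z host=h' into a dict.

    The first two comma-separated items are the log type and the driver; the
    remainder is space-separated key=value pairs (values without spaces/commas).
    """
    parts = [p.strip() for p in args.split(",")]
    result = {"type": parts[0] if parts else "",
              "driver": parts[1] if len(parts) > 1 else ""}
    for key, value in re.findall(r"(\w+)=(\S+)", ",".join(parts[2:])):
        result[key] = value
    return result


def file_mode(path: str) -> int:
    """Permission bits of a file on disk, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def check_conf(text: str, conf_mode: int = 0o600) -> List[str]:
    """Return a list of findings; an empty list means the config passes.

    conf_mode is the permission mode of the config file (pass file_mode(path)
    for a real file); it is a parameter so the check runs on an in-memory sample.
    """
    findings: List[str] = []
    config, outputs = parse_barnyard2_conf(text)

    db_outputs = [args for plugin, args in outputs if plugin == "database"]
    if not db_outputs:
        findings.append("no 'output database:' line; nothing will reach MySQL")
    for args in db_outputs:
        db = parse_database_args(args)
        for key in REQUIRED_DB_KEYS:
            if key not in db:
                findings.append(f"output database is missing '{key}='")
        if db.get("driver") != "mysql":
            findings.append(f"database driver is '{db.get('driver')}', expected mysql")
        # The password is stored in clear text, so group/other must not read the file.
        if "password" in db and conf_mode & 0o077:
            findings.append(f"config holds a password but mode is {oct(conf_mode)}; use 0600")

    if "waldo_file" not in config:
        findings.append("no waldo_file; barnyard2 cannot resume where it stopped")
    return findings


if __name__ == "__main__":
    # Run against the constructed sample as if the file were mode 0644.
    for finding in check_conf(SAMPLE_CONF, conf_mode=0o644):
        print("-", finding)
```

To check the real file, call `check_conf(open("/etc/snort/barnyard2.conf").read(), file_mode("/etc/snort/barnyard2.conf"))` before starting the daemon; an empty list means the directives the page relies on are present and the password is not exposed to other local users.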
After configuring barnyard2, it can be started with the following command.
# barnyard2 -c /etc/snort/barnyard2.conf -f merged.log
Note that after a few seconds, you’ll be dropped in your shell again. That’s perfectly normal since we configured barnyard2 to run as a daemon. As always, it’s a good idea to check /var/log/syslog for errors. You can also check if the daemon is still running with “ps -ef | grep barnyard2”.