Installing and configuring barnyard2

In a previous post, I explained how to compile barnyard2 from source. Now I’ll proceed by configuring barnyard2 on the Snort IDS sensor that I configured in this post.

Copy executable

We’ve just compiled the executable from source code on a dedicated build machine. Let’s continue by uploading the executable from the build machine to the IDS sensor.

 thomas@builder: $ scp /home/thomas/barnyard2-install/bin/barnyard2 thomas@ids-sensor:

If this is not possible in your environment, use another means to copy the file.

Install dependencies

Since the executable is dynamically linked against the mysqlclient libraries, we have to install them separately.

# apt-get install libmysqlclient18

Create database user and database

First of all, you have to decide where to install your database. The easiest method is to install the database on the local machine. For a number of reasons, this might not be what you prefer.

Create database

When I was configuring barnyard2, I used ‘snort’ as the name for the new database.

Create database user

The user I created is ‘snortuser’ and it should have all rights to the ‘snort’ database.

Set up the tables

Set up the tables by executing the following script in your new MySQL database:
https://github.com/firnsy/barnyard2/blob/master/schemas/create_mysql

Create config file

Create the file /etc/snort/barnyard2.conf. In the config file, I assume that the database is running on the local machine, that the username is snortuser, that the password is secretpwd and that the database name is snort. Adapt this to your setup.

# cat > /etc/snort/barnyard2.conf << EOF
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
config logdir: /var/log/snort
config hostname:   sniffer
config interface:  eth1
config daemon
config waldo_file: /var/log/snort/barnyard2.waldo
input unified2
output database: log, mysql, user=snortuser password=secretpwd dbname=snort host=127.0.0.1
# If you also want to forward alerts to syslog, uncomment the following 2 lines.
#output alert_syslog_full: sensor_name snortIds1-eth1, local
#output log_syslog_full: sensor_name snortIds1-eth1, local, log_priority LOG_CRIT
EOF

Run Barnyard2

After configuring barnyard2, it can be started with the following command.

# barnyard2 -c /etc/snort/barnyard2.conf -f merged.log

Note that after a few seconds, you’ll be dropped back into your shell. That’s perfectly normal, since we configured barnyard2 to run as a daemon. As always, it’s a good idea to check /var/log/syslog for errors. You can also check whether the daemon is still running with “ps -ef | grep barnyard2”.
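As an added example (not part of the original post), a POSIX shell pre-flight check for a barnyard2.conf: it verifies that every file named by the config exists (a missing sid-msg.map makes barnyard2 exit at startup) and that the file, which holds the database password, is readable by its owner only. The function names check_barnyard2_conf and make_fixture are mine; make_fixture writes a constructed copy of the config above into a scratch directory rather than touching /etc/snort.

```shell
#!/bin/sh
# Pre-flight check for a barnyard2.conf, run before starting the daemon.
# Verifies that every file named by a "config *_file:" line exists (a missing
# sid-msg.map makes barnyard2 exit at startup), that logdir and the directory
# for the waldo bookmark exist, and that a config holding the database
# password is readable by its owner only. Prints one line per finding and
# returns 0 only when every check passes.
check_barnyard2_conf() {
    conf="$1"; rc=0
    [ -r "$conf" ] || { echo "MISSING config: $conf"; return 1; }
    # Normalise "config key:   value" lines to "key: value", then test each path
    while read -r key path; do
        case "$key" in
            waldo_file:) [ -d "$(dirname "$path")" ] || { echo "MISSING waldo dir for $path"; rc=1; } ;;
            logdir:)     [ -d "$path" ] || { echo "MISSING logdir $path"; rc=1; } ;;
            *_file:)     [ -f "$path" ] || { echo "MISSING $key $path"; rc=1; } ;;
        esac
    done <<EOF
$(sed -n 's/^config \([a-z_]*:\)[[:space:]]*\(.*\)$/\1 \2/p' "$conf")
EOF
    # The file carries the DB password: group and other must have no permission bits
    if grep -q 'password=' "$conf" && ls -ld "$conf" | cut -c5-10 | grep -q '[rwx]'; then
        echo "INSECURE permissions on $conf (holds the DB password); fix with: chmod 600 $conf"; rc=1
    fi
    return $rc
}

# Constructed test fixture, not a real sensor: writes a config modelled on the
# one in the post under directory $1; sid-msg.map is created only when $2 is "yes".
make_fixture() {
    dir="$1"; mkdir -p "$dir/etc" "$dir/log"
    for f in reference.config classification.config gen-msg.map; do : > "$dir/etc/$f"; done
    if [ "$2" = yes ]; then : > "$dir/etc/sid-msg.map"; fi
    cat > "$dir/etc/barnyard2.conf" <<EOF
config reference_file:      $dir/etc/reference.config
config classification_file: $dir/etc/classification.config
config gen_file:            $dir/etc/gen-msg.map
config sid_file:            $dir/etc/sid-msg.map
config logdir: $dir/log
config daemon
config waldo_file: $dir/log/barnyard2.waldo
input unified2
output database: log, mysql, user=snortuser password=secretpwd dbname=snort host=127.0.0.1
EOF
    chmod 600 "$dir/etc/barnyard2.conf"   # what the real file's mode should be
}
# Usage on a sensor: . ./barnyard2-check.sh && check_barnyard2_conf /etc/snort/barnyard2.conf
```

Run it as root on the sensor so the permission and path checks see the same files barnyard2 will open.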


This page is part of a series about a complete installation and configuration of Snort.
Snort is a registered trademark of Sourcefire, Inc.

9 thoughts on “Installing and configuring barnyard2”

  1. Juan

    I followed your instructions to build, install and run barnyard2. Thanks for your help.

    Everything seemed to work, except after I run barnyard2 with:

    barnyard2 -c /etc/snort/barnyard2.conf -f merged.log

    In “top”, the CPU usage for barnyard2 is around 100% for a few minutes and then it drops to approximately 1-7%, but the CPU usage for MySQL jumps to around 100% for a few minutes. Then barnyard2 stops running. I tried running barnyard2 again a few times. With these attempts, the CPU usage for barnyard2 goes to 100% for a few minutes and then barnyard2 dies without the CPU usage spiking for MySQL.

    Do you know what is causing this?

  2. Ray Dios Haque

    I had a different sort of problem here. I was missing this file /etc/snort/rules/iplists/default.blacklist when I originally ran pulledpork.pl for the first time. After doing a ‘touch /etc/snort/rules/iplists/default.blacklist’ and re-running pulledpork.pl, it was STILL not creating sid-msg.map because the rules were still up to date.

    This was causing my barnyard2 to fail out, because the sid-msg.map file was missing.

    UGH! To fix it, I had to run ./pulledpork.pl -c /etc/pulledpork/pulledpork.conf -P
    (the -P option tells it to pull everything down, even if the rules are up to date). This allowed pulledpork.pl to finish correctly, and now my barnyard2 starts up too.

  3. ShN

    Hello
    Thank you very much for your information!
    I have configured barnyard2 to read Suricata output and write it on mysql.
    Everything is working OK, but inserting data from the unified file into MySQL is veeeeery slow and I have no idea about the reason!
    If you have any solution or recommendation, it would be great to let me know!

    Thank you very much

    1. Thomas Elsen Post author

      I know it’s very slow the first few minutes, but if you leave it running after that it should be fast. At that point, the CPU usage of the barnyard process should also drop.

      Best regards

  4. Rishi

    Even I experienced that “inserting barnyard2 data from unified files to MYSQL is so slowly” … even though I left Suricata for days, the data in MySQL is still slow.
