network/barnyard2: Added (log parser for snort)

Signed-off-by: Robby Workman <rworkman@slackbuilds.org>
Niels Horn 2010-10-15 22:16:57 -05:00 committed by Robby Workman
parent 91e62177b4
commit 3ecfa23e5c
7 changed files with 310 additions and 0 deletions

7
network/barnyard2/README Normal file

@ -0,0 +1,7 @@
Barnyard2 is a fork of the original barnyard project, designed
specifically for Snort's new unified2 file format. It is a
critical tool for the parsing of Snort's binary log files to a
variety of output plugins, capable of asynchronous processing,
while Snort continues it's job.
See README.SLACKWARE for some instructions on setting up Barnyard2.


@ -0,0 +1,97 @@
README.SLACKWARE
================
0) Preparation
--------------
For Barnyard2 to be useful, you will need a working setup of Snort, saving
output to a log in the binary "unified2" format.
Check the Snort documentation to find out how to do this.
You will also need a working database server. These instructions are based
on using MySQL, as it is included with Slackware, but other databases can
be used as well.
1) Test Barnyard2
-----------------
Before starting Barnyard2 as a daemon, do a quick test to see if it can read
the Snort log:
# barnyard2 -d /var/log/snort -f snort.log
Barnyard2 will parse the its configuration file and start processing the Snort
log file.
If there are already events in the log, it will show them with their
classification.
Now check if Snort is working by doing a port scan from another computer on
the network (this won't work if done from another terminal on the same system)
# nmap -A <ip_address_of_snort_box>
Snort should detect the port scan, write the event to the log, and Barnyard2
should display it.
2) Configure Barnyard2
----------------------
2.1 Setting up your database
Follow these steps to set up the database in MySQL:
(replacing the <...> fields with your passwords)
# cd /usr/doc/barnyard2-*/schemas
# mysql -p
Enter password: <your_mysql_root_password>
mysql> create database snort;
mysql> grant create,select,update,insert,delete on snort.* to snort@localhost;
mysql> set password for snort@localhost=PASSWORD('<your_mysql_snort_password>');
mysql> exit
# mysql -p < create_mysql snort
Enter password: <your_mysql_root_password>
This will create the snort database and the tables.
2.2 Edit the configuration file
Open the /etc/barnyard2.conf file with your favorite editor, go to the end and
edit the sample mysql configuration so that it looks like this:
output database: log, mysql, user=snort password=<your_mysql_snort_password> dbname=snort host=localhost
2.3 Start barnyard2 as a daemon
The Barnyard2 package installs a script to start and stop the daemon. Use it
like this to start Barnyard2:
# /etc/rc.d/rc.barnyard2 start
You can repeat the test with the port scan and the event should be logged in
your database now.
3) Automatic startup and shutdown of Barnyard2
----------------------------------------------
If you want Barnyard2 to start / stop automatically at boot and shutdown, use
these lines in your /etc/rc.d/rc.local:
# Start barnyard2
if [ -x /etc/rc.d/rc.barnyard2 ] ; then
echo "Starting Barnyard2..."
/etc/rc.d/rc.barnyard2 start
fi
And include this in your /etc/rc.d/rc.local_shutdown:
# Stop barnyard2
if [ -x /etc/rc.d/rc.barnyard2 ] ; then
echo "Stopping Barnyard2..."
/etc/rc.d/rc.barnyard2 stop
fi


@ -0,0 +1,102 @@
#!/bin/sh
# Slackware build script for barnyard2
# Snort binary log processor
# Written by Niels Horn <niels.horn@gmail.com>
# Revision date 2010/09/21
PRGNAM=barnyard2
VERSION=${VERSION:-1.8}
BUILD=${BUILD:-1}
TAG=${TAG:-_SBo}
if [ -z "$ARCH" ]; then
case "$( uname -m )" in
i?86) ARCH=i486 ;;
arm*) ARCH=arm ;;
*) ARCH=$( uname -m ) ;;
esac
fi
CWD=$(pwd)
TMP=${TMP:-/tmp/SBo}
PKG=$TMP/package-$PRGNAM
OUTPUT=${OUTPUT:-/tmp}
if [ "$ARCH" = "i486" ]; then
SLKCFLAGS="-O2 -march=i486 -mtune=i686"
LIBDIRSUFFIX=""
elif [ "$ARCH" = "i686" ]; then
SLKCFLAGS="-O2 -march=i686 -mtune=i686"
LIBDIRSUFFIX=""
elif [ "$ARCH" = "x86_64" ]; then
SLKCFLAGS="-O2 -fPIC"
LIBDIRSUFFIX="64"
else
SLKCFLAGS="-O2"
LIBDIRSUFFIX=""
fi
set -e
rm -rf $PKG
mkdir -p $TMP $PKG $OUTPUT
cd $TMP
rm -rf $PRGNAM-$VERSION
tar xvf $CWD/$PRGNAM-$VERSION.tar.gz
cd $PRGNAM-$VERSION
chown -R root:root .
find . \
\( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
-exec chmod 755 {} \; -o \
\( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
-exec chmod 644 {} \;
CFLAGS="$SLKCFLAGS" \
CXXFLAGS="$SLKCFLAGS" \
./configure \
--prefix=/usr \
--libdir=/usr/lib${LIBDIRSUFFIX} \
--sysconfdir=/etc \
--docdir=/usr/doc/$PRGNAM-$VERSION \
--mandir=/usr/man \
--localstatedir=/var \
--with-mysql-libraries=/usr/lib${LIBDIRSUFFIX}/mysql \
--with-mysql-includes=/usr/include/mysql \
--build=$ARCH-slackware-linux
make
make install DESTDIR=$PKG
find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \
| cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
mv $PKG/etc/$PRGNAM.conf $PKG/etc/$PRGNAM.conf.new
# Include rc.barnyard2 file
mkdir -p $PKG/etc/rc.d
cat $CWD/rc.barnyard2 > $PKG/etc/rc.d/rc.barnyard2.new
chmod 0755 $PKG/etc/rc.d/rc.barnyard2.new
# Create directory for log
mkdir -p $PKG/var/log/$PRGNAM
# Copy database schemas and docs
mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION/schemas
for sc in schemas/create_*; do
cat $sc > $PKG/usr/doc/$PRGNAM-$VERSION/$sc
done
cp -a \
COPYING LICENSE RELEASE.NOTES doc/* \
$PKG/usr/doc/$PRGNAM-$VERSION
find $PKG/usr/doc/$PRGNAM-$VERSION -name "Makefile*" -exec rm -f {} \;
cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
cat $CWD/README.SLACKWARE > $PKG/usr/doc/$PRGNAM-$VERSION/README.SLACKWARE
mkdir -p $PKG/install
cat $CWD/slack-desc > $PKG/install/slack-desc
cat $CWD/doinst.sh > $PKG/install/doinst.sh
cd $PKG
/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}
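Review bot: The config file is renamed to barnyard2.conf.new by the `mv $PKG/etc/$PRGNAM.conf $PKG/etc/$PRGNAM.conf.new` line with whatever mode `make install` gave it, yet README.SLACKWARE in this same commit tells the admin to write the MySQL `password=` for the snort user into /etc/barnyard2.conf, so that file should not be world-readable. The installed mode is not visible here, but the usual install default is 0644; adding `chmod 0600 $PKG/etc/$PRGNAM.conf.new` right after the `mv` (the tree is already `chown -R root:root`) keeps the credential readable only by root, which is the user rc.barnyard2 runs the daemon as. doinst.sh's `config` moves the .new file into place unchanged on a fresh install, so the restrictive mode carries over; an admin merging the .new file into an existing config by hand would need to set it themselves, which README.SLACKWARE could mention.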


@ -0,0 +1,10 @@
PRGNAM="barnyard2"
VERSION="1.8"
HOMEPAGE="http://www.securixlive.com/barnyard2/"
DOWNLOAD="http://www.securixlive.com/download/barnyard2/barnyard2-1.8.tar.gz"
MD5SUM="72fc6c490db6ea6a0f46c27d24998067"
DOWNLOAD_x86_64=""
MD5SUM_x86_64=""
MAINTAINER="Niels Horn"
EMAIL="niels.horn@gmail.com"
APPROVED="rworkman"


@ -0,0 +1,26 @@
config() {
NEW="$1"
OLD="$(dirname $NEW)/$(basename $NEW .new)"
# If there's no config file by that name, mv it over:
if [ ! -r $OLD ]; then
mv $NEW $OLD
elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then # toss the redundant copy
rm $NEW
fi
# Otherwise, we leave the .new copy for the admin to consider...
}
preserve_perms() {
NEW="$1"
OLD="$(dirname $NEW)/$(basename $NEW .new)"
if [ -e $OLD ]; then
cp -a $OLD ${NEW}.incoming
cat $NEW > ${NEW}.incoming
mv ${NEW}.incoming $NEW
fi
config $NEW
}
preserve_perms etc/rc.d/rc.barnyard2.new
config etc/barnyard2.conf.new


@ -0,0 +1,49 @@
#!/bin/sh
# Start/stop/restart barnyard2
# Settings
SNORTLOGDIR=${SNORTLOGDIR:-/var/log/snort}
SNORTLOGFILE=${SNORTLOGFILE:-snort.log}
IFACE=${IFACE:-any}
PIDFILE=/var/run/barnyard2_$IFACE.pid
LOGDIR=/var/log/barnyard2
# Start snort:
by2_start() {
CMDLINE="/usr/bin/barnyard2 -i $IFACE -d $SNORTLOGDIR -f $SNORTLOGFILE -n -D "
echo -n "Starting Barnyard2 daemon: $CMDLINE"
$CMDLINE --pid-path /var/run --create-pidfile -l $LOGDIR
echo
}
# Stop snort:
by2_stop() {
echo -n "Stopping Barnyard2 daemon..."
kill $(cat $PIDFILE)
echo
sleep 1
rm -f $PIDFILE
}
# Restart snort:
by2_restart() {
by2_stop
sleep 1
by2_start
}
case "$1" in
'start')
by2_start
;;
'stop')
by2_stop
;;
'restart')
by2_restart
;;
*)
echo "usage $0 start|stop|restart"
esac
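Review bot: `by2_stop` runs `kill $(cat $PIDFILE)` without checking that the pidfile exists, so a stop while the daemon is down prints a cat error followed by a kill usage error, and a stale pidfile left behind by a crash sends SIGTERM to whichever unrelated process has since been given that pid. A guard before the kill such as `[ -r "$PIDFILE" ] || { echo "Barnyard2 is not running (no $PIDFILE)"; return 1; }`, with the expansion quoted as `kill "$(cat "$PIDFILE")"`, avoids both. The script also assumes the daemon writes its pidfile as `barnyard2_$IFACE.pid` under `--pid-path /var/run`; that naming comes from barnyard2 itself rather than from anything here, so it is worth confirming against the installed binary, and the `# Start snort:` / `# Stop snort:` / `# Restart snort:` comments should say barnyard2. Finally, the daemon is launched as root with no user/group drop; if this barnyard2 release can run as an unprivileged account, consider doing so, since the process only needs to read the Snort unified2 log, write its own log directory and pidfile, and reach the database.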


@ -0,0 +1,19 @@
# HOW TO EDIT THIS FILE:
# The "handy ruler" below makes it easier to edit a package description. Line
# up the first '|' above the ':' following the base package name, and the '|'
# on the right side marks the last column you can put a character in. You must
# make exactly 11 lines for the formatting to be correct. It's also
# customary to leave one space after the ':'.
|-----handy-ruler------------------------------------------------------|
barnyard2: barnyard2 (Snort output processor)
barnyard2:
barnyard2: Barnyard2 is a fork of the original barnyard project, designed
barnyard2: specifically for Snort's new unified2 file format. It is a critical
barnyard2: tool for the parsing of Snort's binary log files to a variety of
barnyard2: output plugins, capable of asynchronously processing, while Snort
barnyard2: continues it's job.
barnyard2:
barnyard2: Homepage: http://www.securixlive.com/barnyard2/
barnyard2:
barnyard2: