mirror of
https://github.com/Ponce/slackbuilds
synced 2024-11-18 22:06:04 +01:00
network/barnyard2: Added (log parser for snort)
Signed-off-by: Robby Workman <rworkman@slackbuilds.org>
This commit is contained in:
parent
91e62177b4
commit
3ecfa23e5c
7 changed files with 310 additions and 0 deletions
7
network/barnyard2/README
Normal file
7
network/barnyard2/README
Normal file
|
@ -0,0 +1,7 @@
|
|||
Barnyard2 is a fork of the original barnyard project, designed
|
||||
specifically for Snort's new unified2 file format. It is a
|
||||
critical tool for the parsing of Snort's binary log files to a
|
||||
variety of output plugins, capable of asynchronous processing,
|
||||
while Snort continues it's job.
|
||||
|
||||
See README.SLACKWARE for some instructions on setting up Barnyard2.
|
97
network/barnyard2/README.SLACKWARE
Normal file
97
network/barnyard2/README.SLACKWARE
Normal file
|
@ -0,0 +1,97 @@
|
|||
README.SLACKWARE
|
||||
================
|
||||
|
||||
0) Preparation
|
||||
--------------
|
||||
|
||||
For Barnyard2 to be useful, you will need a working setup of Snort, saving
|
||||
output to a log in the binary "unified2" format.
|
||||
Check the Snort documentation to find out how to do this.
|
||||
|
||||
You will also need a working database server. These instructions are based
|
||||
on using MySQL, as it is included with Slackware, but other databases can
|
||||
be used as well.
|
||||
|
||||
|
||||
1) Test Barnyard2
|
||||
-----------------
|
||||
|
||||
Before starting Barnyard2 as a daemon, do a quick test to see if it can read
|
||||
the Snort log:
|
||||
|
||||
# barnyard2 -d /var/log/snort -f snort.log
|
||||
|
||||
Barnyard2 will parse the its configuration file and start processing the Snort
|
||||
log file.
|
||||
If there are already events in the log, it will show them with their
|
||||
classification.
|
||||
|
||||
Now check if Snort is working by doing a port scan from another computer on
|
||||
the network (this won't work if done from another terminal on the same system)
|
||||
|
||||
# nmap -A <ip_address_of_snort_box>
|
||||
|
||||
Snort should detect the port scan, write the event to the log, and Barnyard2
|
||||
should display it.
|
||||
|
||||
|
||||
2) Configure Barnyard2
|
||||
----------------------
|
||||
|
||||
2.1 Setting up your database
|
||||
|
||||
Follow these steps to set up the database in MySQL:
|
||||
(replacing the <...> fields with your passwords)
|
||||
|
||||
# cd /usr/doc/barnyard2-*/schemas
|
||||
# mysql -p
|
||||
Enter password: <your_mysql_root_password>
|
||||
|
||||
mysql> create database snort;
|
||||
mysql> grant create,select,update,insert,delete on snort.* to snort@localhost;
|
||||
mysql> set password for snort@localhost=PASSWORD('<your_mysql_snort_password>');
|
||||
mysql> exit
|
||||
|
||||
# mysql -p < create_mysql snort
|
||||
Enter password: <your_mysql_root_password>
|
||||
|
||||
This will create the snort database and the tables.
|
||||
|
||||
2.2 Edit the configuration file
|
||||
|
||||
Open the /etc/barnyard2.conf file with your favorite editor, go to the end and
|
||||
edit the sample mysql configuration so that it looks like this:
|
||||
|
||||
output database: log, mysql, user=snort password=<your_mysql_snort_password> dbname=snort host=localhost
|
||||
|
||||
2.3 Start barnyard2 as a daemon
|
||||
|
||||
The Barnyard2 package installs a script to start and stop the daemon. Use it
|
||||
like this to start Barnyard2:
|
||||
|
||||
# /etc/rc.d/rc.barnyard2 start
|
||||
|
||||
You can repeat the test with the port scan and the event should be logged in
|
||||
your database now.
|
||||
|
||||
|
||||
3) Automatic startup and shutdown of Barnyard2
|
||||
----------------------------------------------
|
||||
|
||||
If you want Barnyard2 to start / stop automatically at boot and shutdown, use
|
||||
these lines in your /etc/rc.d/rc.local:
|
||||
|
||||
# Start barnyard2
|
||||
if [ -x /etc/rc.d/rc.barnyard2 ] ; then
|
||||
echo "Starting Barnyard2..."
|
||||
/etc/rc.d/rc.barnyard2 start
|
||||
fi
|
||||
|
||||
And include this in your /etc/rc.d/rc.local_shutdown:
|
||||
|
||||
# Stop barnyard2
|
||||
if [ -x /etc/rc.d/rc.barnyard2 ] ; then
|
||||
echo "Stopping Barnyard2..."
|
||||
/etc/rc.d/rc.barnyard2 stop
|
||||
fi
|
||||
|
102
network/barnyard2/barnyard2.SlackBuild
Normal file
102
network/barnyard2/barnyard2.SlackBuild
Normal file
|
@ -0,0 +1,102 @@
|
|||
#!/bin/sh
|
||||
|
||||
# Slackware build script for barnyard2
|
||||
# Snort binary log processor
|
||||
|
||||
# Written by Niels Horn <niels.horn@gmail.com>
|
||||
# Revision date 2010/09/21
|
||||
|
||||
PRGNAM=barnyard2
|
||||
VERSION=${VERSION:-1.8}
|
||||
BUILD=${BUILD:-1}
|
||||
TAG=${TAG:-_SBo}
|
||||
|
||||
if [ -z "$ARCH" ]; then
|
||||
case "$( uname -m )" in
|
||||
i?86) ARCH=i486 ;;
|
||||
arm*) ARCH=arm ;;
|
||||
*) ARCH=$( uname -m ) ;;
|
||||
esac
|
||||
fi
|
||||
|
||||
CWD=$(pwd)
|
||||
TMP=${TMP:-/tmp/SBo}
|
||||
PKG=$TMP/package-$PRGNAM
|
||||
OUTPUT=${OUTPUT:-/tmp}
|
||||
|
||||
if [ "$ARCH" = "i486" ]; then
|
||||
SLKCFLAGS="-O2 -march=i486 -mtune=i686"
|
||||
LIBDIRSUFFIX=""
|
||||
elif [ "$ARCH" = "i686" ]; then
|
||||
SLKCFLAGS="-O2 -march=i686 -mtune=i686"
|
||||
LIBDIRSUFFIX=""
|
||||
elif [ "$ARCH" = "x86_64" ]; then
|
||||
SLKCFLAGS="-O2 -fPIC"
|
||||
LIBDIRSUFFIX="64"
|
||||
else
|
||||
SLKCFLAGS="-O2"
|
||||
LIBDIRSUFFIX=""
|
||||
fi
|
||||
|
||||
set -e
|
||||
|
||||
rm -rf $PKG
|
||||
mkdir -p $TMP $PKG $OUTPUT
|
||||
cd $TMP
|
||||
rm -rf $PRGNAM-$VERSION
|
||||
tar xvf $CWD/$PRGNAM-$VERSION.tar.gz
|
||||
cd $PRGNAM-$VERSION
|
||||
chown -R root:root .
|
||||
find . \
|
||||
\( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
|
||||
-exec chmod 755 {} \; -o \
|
||||
\( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
|
||||
-exec chmod 644 {} \;
|
||||
|
||||
CFLAGS="$SLKCFLAGS" \
|
||||
CXXFLAGS="$SLKCFLAGS" \
|
||||
./configure \
|
||||
--prefix=/usr \
|
||||
--libdir=/usr/lib${LIBDIRSUFFIX} \
|
||||
--sysconfdir=/etc \
|
||||
--docdir=/usr/doc/$PRGNAM-$VERSION \
|
||||
--mandir=/usr/man \
|
||||
--localstatedir=/var \
|
||||
--with-mysql-libraries=/usr/lib${LIBDIRSUFFIX}/mysql \
|
||||
--with-mysql-includes=/usr/include/mysql \
|
||||
--build=$ARCH-slackware-linux
|
||||
|
||||
make
|
||||
make install DESTDIR=$PKG
|
||||
|
||||
find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \
|
||||
| cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
|
||||
|
||||
mv $PKG/etc/$PRGNAM.conf $PKG/etc/$PRGNAM.conf.new
|
||||
|
||||
# Include rc.barnyard2 file
|
||||
mkdir -p $PKG/etc/rc.d
|
||||
cat $CWD/rc.barnyard2 > $PKG/etc/rc.d/rc.barnyard2.new
|
||||
chmod 0755 $PKG/etc/rc.d/rc.barnyard2.new
|
||||
|
||||
# Create directory for log
|
||||
mkdir -p $PKG/var/log/$PRGNAM
|
||||
|
||||
# Copy database schemas and docs
|
||||
mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION/schemas
|
||||
for sc in schemas/create_*; do
|
||||
cat $sc > $PKG/usr/doc/$PRGNAM-$VERSION/$sc
|
||||
done
|
||||
cp -a \
|
||||
COPYING LICENSE RELEASE.NOTES doc/* \
|
||||
$PKG/usr/doc/$PRGNAM-$VERSION
|
||||
find $PKG/usr/doc/$PRGNAM-$VERSION -name "Makefile*" -exec rm -f {} \;
|
||||
cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
|
||||
cat $CWD/README.SLACKWARE > $PKG/usr/doc/$PRGNAM-$VERSION/README.SLACKWARE
|
||||
|
||||
mkdir -p $PKG/install
|
||||
cat $CWD/slack-desc > $PKG/install/slack-desc
|
||||
cat $CWD/doinst.sh > $PKG/install/doinst.sh
|
||||
|
||||
cd $PKG
|
||||
/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}
|
10
network/barnyard2/barnyard2.info
Normal file
10
network/barnyard2/barnyard2.info
Normal file
|
@ -0,0 +1,10 @@
|
|||
PRGNAM="barnyard2"
|
||||
VERSION="1.8"
|
||||
HOMEPAGE="http://www.securixlive.com/barnyard2/"
|
||||
DOWNLOAD="http://www.securixlive.com/download/barnyard2/barnyard2-1.8.tar.gz"
|
||||
MD5SUM="72fc6c490db6ea6a0f46c27d24998067"
|
||||
DOWNLOAD_x86_64=""
|
||||
MD5SUM_x86_64=""
|
||||
MAINTAINER="Niels Horn"
|
||||
EMAIL="niels.horn@gmail.com"
|
||||
APPROVED="rworkman"
|
26
network/barnyard2/doinst.sh
Normal file
26
network/barnyard2/doinst.sh
Normal file
|
@ -0,0 +1,26 @@
|
|||
config() {
|
||||
NEW="$1"
|
||||
OLD="$(dirname $NEW)/$(basename $NEW .new)"
|
||||
# If there's no config file by that name, mv it over:
|
||||
if [ ! -r $OLD ]; then
|
||||
mv $NEW $OLD
|
||||
elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then # toss the redundant copy
|
||||
rm $NEW
|
||||
fi
|
||||
# Otherwise, we leave the .new copy for the admin to consider...
|
||||
}
|
||||
|
||||
preserve_perms() {
|
||||
NEW="$1"
|
||||
OLD="$(dirname $NEW)/$(basename $NEW .new)"
|
||||
if [ -e $OLD ]; then
|
||||
cp -a $OLD ${NEW}.incoming
|
||||
cat $NEW > ${NEW}.incoming
|
||||
mv ${NEW}.incoming $NEW
|
||||
fi
|
||||
config $NEW
|
||||
}
|
||||
|
||||
preserve_perms etc/rc.d/rc.barnyard2.new
|
||||
config etc/barnyard2.conf.new
|
||||
|
49
network/barnyard2/rc.barnyard2
Normal file
49
network/barnyard2/rc.barnyard2
Normal file
|
@ -0,0 +1,49 @@
|
|||
#!/bin/sh
|
||||
# Start/stop/restart barnyard2
|
||||
|
||||
# Settings
|
||||
SNORTLOGDIR=${SNORTLOGDIR:-/var/log/snort}
|
||||
SNORTLOGFILE=${SNORTLOGFILE:-snort.log}
|
||||
IFACE=${IFACE:-any}
|
||||
PIDFILE=/var/run/barnyard2_$IFACE.pid
|
||||
LOGDIR=/var/log/barnyard2
|
||||
|
||||
|
||||
# Start snort:
|
||||
by2_start() {
|
||||
CMDLINE="/usr/bin/barnyard2 -i $IFACE -d $SNORTLOGDIR -f $SNORTLOGFILE -n -D "
|
||||
echo -n "Starting Barnyard2 daemon: $CMDLINE"
|
||||
$CMDLINE --pid-path /var/run --create-pidfile -l $LOGDIR
|
||||
echo
|
||||
}
|
||||
|
||||
# Stop snort:
|
||||
by2_stop() {
|
||||
echo -n "Stopping Barnyard2 daemon..."
|
||||
kill $(cat $PIDFILE)
|
||||
echo
|
||||
sleep 1
|
||||
rm -f $PIDFILE
|
||||
}
|
||||
|
||||
# Restart snort:
|
||||
by2_restart() {
|
||||
by2_stop
|
||||
sleep 1
|
||||
by2_start
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
'start')
|
||||
by2_start
|
||||
;;
|
||||
'stop')
|
||||
by2_stop
|
||||
;;
|
||||
'restart')
|
||||
by2_restart
|
||||
;;
|
||||
*)
|
||||
echo "usage $0 start|stop|restart"
|
||||
esac
|
||||
|
19
network/barnyard2/slack-desc
Normal file
19
network/barnyard2/slack-desc
Normal file
|
@ -0,0 +1,19 @@
|
|||
# HOW TO EDIT THIS FILE:
|
||||
# The "handy ruler" below makes it easier to edit a package description. Line
|
||||
# up the first '|' above the ':' following the base package name, and the '|'
|
||||
# on the right side marks the last column you can put a character in. You must
|
||||
# make exactly 11 lines for the formatting to be correct. It's also
|
||||
# customary to leave one space after the ':'.
|
||||
|
||||
|-----handy-ruler------------------------------------------------------|
|
||||
barnyard2: barnyard2 (Snort output processor)
|
||||
barnyard2:
|
||||
barnyard2: Barnyard2 is a fork of the original barnyard project, designed
|
||||
barnyard2: specifically for Snort's new unified2 file format. It is a critical
|
||||
barnyard2: tool for the parsing of Snort's binary log files to a variety of
|
||||
barnyard2: output plugins, capable of asynchronously processing, while Snort
|
||||
barnyard2: continues it's job.
|
||||
barnyard2:
|
||||
barnyard2: Homepage: http://www.securixlive.com/barnyard2/
|
||||
barnyard2:
|
||||
barnyard2:
|
Loading…
Reference in a new issue