Snort with Barnyard and MySQL on Centos 6
Full credit for the basis of this guide goes to: http://www.procyonlabs.com/guides/rhel/snort_db_by2/ Modifications were made made for CentOS x64 and mySQL.
To disable this feature, vi /etc/selinux/config file and alter the SELINUX variable to "disabled" instead of "enforcing." A reboot is necessary for this change to take effect.
On the assumption you have mySQL up and running, some or all of these may be already on your system (depending on your installation options). The original guide pulls the latest bits for Barnyard2 from GitHub, and the following are needed to make it ./configure-able.
|# yum install gcc gcc-c++ flex bison pcre-devel zlib-devel libpcap-devel automake libtool|
Download and Install Sources
# cd /usr/src
|# cd /usr/src
# wget http://www.procyonlabs.com/mirrors/snort/daq-0.6.2.tar.gz
# tar zxvf daq-0.6.2.tar.gz
# rm daq-0.6.2.tar.gz && cd daq-0.6.2
# ./configure && make && make install
This is just an example of flag(s) to set for configure. You should only use what you need for your setup.
# cd /usr/src
So you don't have to grab the bits from git, Procyon Labs did it for you. This is recent as of the date of this guide.
# cd /usr/src
Get and Install Rules
|# mkdir /etc/snort
# mkdir /var/snort
Next, we need to download the latest rules/signatures.
There are two rulesets available: Subscribers and Registered Users. Details are on the VRT Rules download page. You will need to go fetch the rules package via a Web browser and move them to this sensor's /etc/snort directory.
|# cd /etc/snort/
# tar zxvf snortrules-snapshot-2910.tar.gz
# rm snortrules-snapshot-2910.tar.gz
# mkdir /usr/local/lib/snort
# cp /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/220.127.116.11/*.so /usr/local/lib/snort_dynamicrules/
# cat /etc/snort/so_rules/*.rules >> /etc/snort/rules/so-rules.rules
The Snort Manual will help you understand all the options available to you. Just to get you started, the most important settings you'll want to customise for now are:
|# vi /etc/snort/etc/snort.conf|
- ipvar HOME_NET any
- example: ipvar HOME_NET [192.168.0.0/16]
- ipvar EXTERNAL_NET any
- example: ipvar EXTERNAL_NET !$HOME_NET
We also need to configure Section #6 in
This is where we configure the unified2 output plugin. This is the data that Barnyard2 will be using to export events to your database. All you have to do is uncomment and edit the output unified2 line to look like this:
|# output unified2: filename /var/snort/merged.log, limit 128|
Unless you want to use reputation filters, find this section and comment the whole block:
|# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
memcap 500, \
priority whitelist, \
nested_ip inner, \
whitelist $WHITE_LIST_PATH/white_list.rules, \
Towards the end of the snort.conf file (Step #7: Customize your rule set and Step #8: Customize your preprocessor and decoder alerts), is where you need to edit so Snort knows which rules to use. Go through the rules and add/delete the ones listed so that only the ones you need are active.
Finally: Customize your Shared Object Snort Rules. Edit to taste.
That's it. Save it and continue.
We will be using Barnyard2 to offload the output processing from Snort. These events will be sent to another system hosting PostgreSQL or to a remote syslog server.
Let's get to the barnyard2.conf file:
|# cp /usr/src/by2/etc/barnyard2.conf /etc/snort/
# vi /etc/snort/barnyard2.conf
Uncomment/comment and/or edit the following lines. Bold indicates changes/additions (and use a better password for the DB than snort, please). The server variable should point to the address of your PostgreSQL server:
config reference_file: /etc/snort/etc/reference.config
config hostname: titan (this it the sensor's hostname)
config daemon (uncomment to run in background)
config show_year (uncomment to include year in timestamps)
config logdir: /var/snort
config waldo_file:/var/snort/waldo (uncomment, define waldo file location)
If using mySQL:
Finally, we need to create the waldo file (we will be using this as a checkpoint file for continuous mode w/ bookmarking):
|# touch /var/snort/waldo|
Start Snort and Barnyard2!
Use the following commands to start everything (the -D puts Snort in daemon mode):
|# snort -c /etc/snort/etc/snort.conf -i eth0 -D
# barnyard2 -c /etc/snort/barnyard2.conf -d /var/snort -f merged.log -w /var/snort/waldo
The -c option specifies the location of the barnyard2.conf file.The -d and -f options specify the directory and name of the Snort logging files, respectively. Lastly, the -w option specifies the location of the waldo file we've just created.