
Snort with Barnyard and MySQL on Centos 6

Full credit for the basis of this guide goes to: http://www.procyonlabs.com/guides/rhel/snort_db_by2/ Modifications were made for CentOS x64 and MySQL.

Disable SELinux

To disable this feature, edit the /etc/selinux/config file (vi /etc/selinux/config) and set the SELINUX variable to "disabled" instead of "enforcing". A reboot is necessary for this change to take effect.

Install Dependencies

On the assumption you have MySQL up and running, some or all of these may already be on your system (depending on your installation options). The original guide pulls the latest bits for Barnyard2 from GitHub, and the following are needed to make it ./configure-able.

# yum install gcc gcc-c++ flex bison pcre-devel zlib-devel libpcap-devel automake libtool


Download and Install Sources

libdnet

# cd /usr/src
# wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
# tar zxvf libdnet-1.12.tgz
# rm libdnet-1.12.tgz && cd libdnet-1.12
# ./configure && make && make install

DAQ:

# cd /usr/src
# wget http://www.procyonlabs.com/mirrors/snort/daq-0.6.2.tar.gz
# tar zxvf daq-0.6.2.tar.gz
# rm daq-0.6.2.tar.gz && cd daq-0.6.2
# ./configure && make && make install

Snort:

This is just an example of flag(s) to set for configure. You should only use what you need for your setup.

# cd /usr/src
# wget http://www.procyonlabs.com/mirrors/snort/snort-2.9.2.1.tar.gz
# tar zxvf snort-2.9.2.1.tar.gz
# rm snort-2.9.2.1.tar.gz && cd snort-2.9.2.1
# ./configure --enable-sourcefire
# make && make install

Barnyard2:

So you don't have to grab the bits from git, Procyon Labs did it for you. This is recent as of the date of this guide.

# cd /usr/src
# wget http://www.procyonlabs.com/mirrors/by2/barnyard2-v2-1.10-beta2-6-gc8e30b8.tar.gz
# tar zxvf barnyard2-v2-1.10-beta2-6-gc8e30b8.tar.gz
# rm barnyard2-v2-1.10-beta2-6-gc8e30b8.tar.gz
# mv firnsy-barnyard2-v2-1.10-beta2-6-gc8e30b8 by2
# cd by2

# ./autogen

If using MySQL:

# ./configure --with-mysql-libraries=/usr/lib64/mysql/
# make && make install


Configure Snort

Get and Install Rules

First:

# mkdir /etc/snort
# mkdir /var/snort

Next, we need to download the latest rules/signatures.

There are two rulesets available: Subscribers and Registered Users. Details are on the VRT Rules download page. You will need to go fetch the rules package via a Web browser and move them to this sensor's /etc/snort directory.

# cd /etc/snort/
# tar zxvf snortrules-snapshot-2910.tar.gz
# rm snortrules-snapshot-2910.tar.gz
# mkdir /usr/local/lib/snort_dynamicrules
# cp /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.2.1/*.so /usr/local/lib/snort_dynamicrules/
# cat /etc/snort/so_rules/*.rules >> /etc/snort/rules/so-rules.rules


Configure snort.conf

The Snort Manual will help you understand all the options available to you. Just to get you started, the most important settings you'll want to customise for now are:

# vi /etc/snort/etc/snort.conf
  • ipvar HOME_NET any
    • example: ipvar HOME_NET [192.168.0.0/16]
  • ipvar EXTERNAL_NET any
    • example: ipvar EXTERNAL_NET !$HOME_NET

We also need to configure Section #6 (output plugins) in snort.conf, under the heading:

# unified2

This is where we configure the unified2 output plugin. This is the data that Barnyard2 will be using to export events to your database. All you have to do is uncomment and edit the output unified2 line so that it reads:

output unified2: filename /var/snort/merged.log, limit 128

Unless you want to use reputation filters, find this section and comment the whole block:

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
memcap 500, \
priority whitelist, \
nested_ip inner, \
whitelist $WHITE_LIST_PATH/white_list.rules, \
blacklist $BLACK_LIST_PATH/black_list.rules

Configure Rules

Towards the end of the snort.conf file (Step #7: Customize your rule set and Step #8: Customize your preprocessor and decoder alerts) is where you edit so Snort knows which rules to use. Go through the rules and add/delete the ones listed so that only the ones you need are active.

Finally: Customize your Shared Object Snort Rules. Edit to taste.

That's it. Save it and continue.


Configure Barnyard2

We will be using Barnyard2 to offload the output processing from Snort. These events will be sent to the system hosting the database (MySQL in this guide; the original guide used PostgreSQL) or to a remote syslog server.

Let's get to the barnyard2.conf file:

# cp /usr/src/by2/etc/barnyard2.conf /etc/snort/
# vi /etc/snort/barnyard2.conf

Uncomment, comment and/or edit the following lines. The notes in parentheses explain each change/addition (and use a better password for the DB than snort, please). The host value in the output line should point to the address of your database server:

config reference_file: /etc/snort/etc/reference.config
config classification_file: /etc/snort/etc/classification.config
config gen_file: /etc/snort/etc/gen-msg.map
config sid_file: /etc/snort/etc/sid-msg.map

config hostname: titan (this is the sensor's hostname)
config interface: eth0 (the management interface, i.e. the NIC facing the database or syslog server)

config daemon (uncomment to run in background)

config show_year (uncomment to include year in timestamps)

config logdir: /var/snort

config waldo_file: /var/snort/waldo (uncomment, define waldo file location)

If using mySQL:

output database: log, mysql, user=snort dbname=snort password=your_password host=localhost


Finally, we need to create the waldo file (we will be using this as a checkpoint file for continuous mode w/ bookmarking):

# touch /var/snort/waldo


Start Snort and Barnyard2!

Use the following commands to start everything (the -D puts Snort in daemon mode):

# snort -c /etc/snort/etc/snort.conf -i eth0 -D

# barnyard2 -c /etc/snort/barnyard2.conf -d /var/snort -f merged.log -w /var/snort/waldo

The -c option specifies the location of the barnyard2.conf file. The -d and -f options specify the directory and base name of the Snort unified2 log files, respectively. Lastly, the -w option specifies the location of the waldo file we've just created.
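The unified2 line in snort.conf and the -d/-f/-w options above have to agree, or Barnyard2 silently waits on a spool that Snort never writes. The following pre-flight check is an added example, not part of the original guide: it extracts the spool name from the first active (uncommented) output unified2 line, compares it with the base name Barnyard2 will be started with, and confirms the spool directory and waldo file exist. It runs against a constructed snort.conf in a temp directory, so no Snort install is needed.

```sh
#!/bin/sh
# Added example, not from the original guide: verify that the unified2 spool
# Snort writes (snort.conf) is the one barnyard2 reads (-d/-f) and that the
# waldo bookmark file exists before starting the two daemons.

# Print the basename of the spool file named on the first *active*
# "output unified2:" line of a snort.conf. A line that is still commented out
# does not count, which catches the "forgot to uncomment" mistake.
# Returns 1 if no active line is found.
unified2_filename() {
    line=$(grep -E '^[[:space:]]*output[[:space:]]+unified2:' "$1" | head -n 1)
    [ -n "$line" ] || return 1
    # "output unified2: filename /var/snort/merged.log, limit 128" -> merged.log
    basename "$(printf '%s\n' "$line" | sed -E 's/.*filename[[:space:]]+([^,[:space:]]+).*/\1/')"
}

# check_spool CONF SPOOLDIR SPOOLBASE WALDO
# Mirrors "barnyard2 -c CONF -d SPOOLDIR -f SPOOLBASE -w WALDO".
# Returns 0 when everything lines up, 1 with a reason otherwise.
check_spool() {
    name=$(unified2_filename "$1") || { echo "no active 'output unified2:' line in $1"; return 1; }
    [ "$name" = "$3" ] || { echo "snort writes $name but barnyard2 -f says $3"; return 1; }
    [ -d "$2" ] || { echo "spool directory $2 does not exist"; return 1; }
    [ -f "$4" ] || { echo "waldo file $4 missing; create it with: touch $4"; return 1; }
    echo "ok: barnyard2 will read $2/$name.* and bookmark in $4"
}

# Constructed sample run: the three states a fresh install typically goes through.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/spool" && touch "$tmp/waldo"
    printf '# output unified2: filename merged.log, limit 128\n' > "$tmp/snort.conf"
    check_spool "$tmp/snort.conf" "$tmp/spool" merged.log "$tmp/waldo"   # fails: still commented
    printf 'output unified2: filename /var/snort/merged.log, limit 128\n' > "$tmp/snort.conf"
    check_spool "$tmp/snort.conf" "$tmp/spool" merged.log "$tmp/waldo"   # ok
    check_spool "$tmp/snort.conf" "$tmp/spool" snort.log "$tmp/waldo"    # fails: -f mismatch
    rm -rf "$tmp"
}
demo
```

Point it at /etc/snort/etc/snort.conf, /var/snort, merged.log and /var/snort/waldo to check the real sensor before running the two start commands.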
