mav_2k7 - 2014-11-11

Dear Snort and Barnyard2 users,

Would you please help me out to solve this barnyard2 (src: https://github.com/firnsy/barnyard2) configuration problem? The corresponding Snort is working well, as required.

barnyard2 -v -c /etc/barnyard2.conf -d /var/log/snort

Running in Continuous mode

    --== Initializing Barnyard2 ==--

Initializing Input Plugins!
Initializing Output Plugins!
DEBUG => Alert_FWsam Output plugin is plugged in...
Parsing config file "/etc/barnyard2.conf"

+[ Signature Suppress list ]+

+[No entry in Signature Suppress List]+

+[ Signature Suppress list ]+

Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/barnyard2
Chroot directory = /var/spool/barnyard2


Keyword | Input @

unified2 : init() = 0x441942
unified2 : - readRecordHeader() = 0x4419b5
unified2 : - readRecord() = 0x441b74



Keyword | Output @

alert_cef : 0x428779
alert_syslog : 0x42ee25
log_tcpdump : 0x431a39
database : 0x4389c9
alert_fast : 0x42a673
alert_full : 0x42b290
alert_fwsam : 0x42ba51
alert_unixsock: 0x4303cb
alert_csv : 0x42925d
log_null : 0x431913
log_ascii : 0x430ca3
alert_test : 0x42fc3b
sguil : 0x4327cd
alert_syslog_full: 0x4339df
log_syslog_full: 0x4339bf


    --== Initialization Complete ==--

_ -> Barnyard2 <-
/ ,,
\ Version 2.1.13 (Build 327) DEBUG
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/
+ '''' + (C) Copyright 2008-2013 Ian Firns firnsy@securixlive.com

ERROR: Unable to open directory '/var/log/snort' (No such file or directory)
ERROR: Unable to find the next spool file!
===============================================================================
Record Totals:
Records: 0
Events: 0 (0.000%)
Packets: 0 (0.000%)
Unknown: 0 (0.000%)
Suppressed: 0 (0.000%)
===============================================================================
Packet breakdown by protocol (includes rebuilt packets):
ETH: 0 (0.000%)
ETHdisc: 0 (0.000%)
VLAN: 0 (0.000%)
IPV6: 0 (0.000%)
IP6 EXT: 0 (0.000%)
IP6opts: 0 (0.000%)
IP6disc: 0 (0.000%)
IP4: 0 (0.000%)
IP4disc: 0 (0.000%)
TCP 6: 0 (0.000%)
UDP 6: 0 (0.000%)
ICMP6: 0 (0.000%)
ICMP-IP: 0 (0.000%)
TCP: 0 (0.000%)
UDP: 0 (0.000%)
ICMP: 0 (0.000%)
TCPdisc: 0 (0.000%)
UDPdisc: 0 (0.000%)
ICMPdis: 0 (0.000%)
FRAG: 0 (0.000%)
FRAG 6: 0 (0.000%)
ARP: 0 (0.000%)
EAPOL: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
InvChkSum: 0 (0.000%)
S5 G 1: 0 (0.000%)
S5 G 2: 0 (0.000%)
Total: 0

===============================================================================

===============================================================================

[root-vmjoyabratag04-08:36:40-~] # cat /etc/barnyard2.conf

Barnyard2 example configuration file

This file contains a sample barnyard2 configuration.

You can take the following steps to create your own custom configuration:

1) Configure the variable declarations

2) Setup the input plugins

3) Setup the output plugins

Step 1: configure the variable declarations

in order to keep from having a commandline that uses every letter in the

alphabet most configuration options are set here.

use UTC for timestamps

config utc

set the appropriate paths to the file(s) your Snort process is using.

config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map

Configure signature suppression at the spooler level see doc/README.sig_suppress

config sig_suppress: 1:10

Set the event cache size to the defined maximum value before event recycling occurs.

config event_cache_size: 4096

define dedicated references similar to that of snort.

config reference: mybugs http://www.mybugs.com/?s=

define explicit classifications similar to that of snort.

config classification: shortname, short description, priority

set the directory for any output logging

config logdir: /tmp

to give any plugins that require some level of uniqueness in their output something to key on,

the alert_with_interface_name, interface and hostname directives are provided.

An example of usage would be to configure them to the values of the associated

snort process whose unified files you are reading.

Example:

For a snort process as follows:

snort -i eth0 -c /etc/snort.conf

Typical options would be:

config hostname: thor

config interface: eth0

config alert_with_interface_name

config hostname: thor

config interface: eth0

enable printing of the interface name when alerting.

config alert_with_interface_name

at times snort will alert on a packet within a stream and dump that stream to

the unified output. barnyard2 can generate output on each packet of that

stream or the first packet only.

config alert_on_each_packet_in_stream

enable daemon mode

config daemon

make barnyard2 process chroot to directory after initialisation.

config chroot: /var/spool/barnyard2

specify the group or GID for barnyard2 to run as after initialisation.

config set_gid: 999

specify the user or UID for barnyard2 to run as after initialisation.

config set_uid: 999

specify the directory for the barnyard2 PID file.

config pidpath: /var/run/by2.pid

enable decoding of the data link (or second level headers).

config decode_data_link

dump the application data

config dump_payload

dump the application data as chars only

config dump_chars_only

enable verbose dumping of payload information in log style output plugins.

config dump_payload_verbose

enable obfuscation of logged IP addresses.

config obfuscate

enable the year being shown in timestamps

config show_year

set the umask for all files created by the barnyard2 process (eg. log files).

config umask: 066

enable verbose logging

config verbose

quiet down some of the output

config quiet

define the full waldo filepath.

config waldo_file: /tmp/waldo

specify the maximum length of the MPLS label chain

config max_mpls_labelchain_len: 64

specify the protocol (i.e. ipv4, ipv6, ethernet) that is encapsulated by MPLS.

config mpls_payload_type: ipv4

set the reference network or homenet which is predominantly used by the

log_ascii plugin.

config reference_net: 192.168.0.0/24

CONTINUOUS MODE

set the archive directory for use with continuous mode

config archivedir: /tmp

when operating in continuous mode, only process new records and ignore any

existing unified files

config process_new_records_only

Step 2: setup the input plugins

this is not hard, only unified2 is supported ;)

input unified2

Step 3: setup the output plugins

alert_cef

----------------------------------------------------------------------------

Purpose:

This output module provides the ability to output alert information to a

remote network host as well as the local host using the open standard

Common Event Format (CEF).

Arguments: host=hostname[:port], severity facility

arguments should be comma delimited.

host - specify a remote hostname or IP with optional port number

this is only specific to WIN32 (and is not yet fully supported)

severity - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)

facility - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)

Examples:

output alert_cef

output alert_cef: host=192.168.10.1

output alert_cef: host=sysserver.com:1001

output alert_cef: LOG_AUTH LOG_INFO

alert_bro

----------------------------------------------------------------------------

Purpose: Send alerts to a Bro-IDS instance.

Arguments: hostname:port

Examples:

output alert_bro: 127.0.0.1:47757

alert_fast

----------------------------------------------------------------------------

Purpose: Converts data to an approximation of Snort's "fast alert" mode.

Arguments: file <file>, stdout

arguments should be comma delimited.

file - specifiy alert file

stdout - no alert file, just print to screen

Examples:

output alert_fast

output alert_fast: stdout

output alert_fast: stdout

prelude: log to the Prelude Hybrid IDS system

----------------------------------------------------------------------------

Purpose:

This output module provides logging to the Prelude Hybrid IDS system

Arguments: profile=snort-profile

snort-profile - name of the Prelude profile to use (default is snort).

Snort priority to IDMEF severity mappings:

high < medium < low < info

These are the default mapped from classification.config:

info = 4

low = 3

medium = 2

high = anything below medium

Examples:

output alert_prelude

output alert_prelude: profile=snort-profile-name

alert_syslog

----------------------------------------------------------------------------

Purpose:

This output module provides the ability to output alert information to local syslog

severity - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)

facility - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)

Examples:

output alert_syslog

output alert_syslog: LOG_AUTH LOG_INFO

syslog_full

-------------------------------

Available as both a log and alert output plugin. Used to output data via TCP/UDP or locally (i.e. via syslog())

Arguments:

sensor_name $sensor_name - unique sensor name

server $server - server the device will report to

local - if defined, ignore all remote information and use syslog() to send message.

protocol $protocol - protocol device will report over (tcp/udp)

port $port - destination port device will report to (default: 514)

delimiters $delimiters - define a character that will delimit message sections ex: "|", will use | as mess)

separators $separators - define field separator included in each message ex: " " , will use space as field)

operation_mode $operation_mode - default | complete : default mode is compatible with default snort syslog message,)

log_priority $log_priority - used by local option for syslog priority call. (man syslog(3) for supported option)

log_facility $log_facility - used by local option for syslog facility call. (man syslog(3) for supported option)

payload_encoding - (default: hex) support hex/ascii/base64 for log_syslog_full using operation_mode .

Usage Examples:

output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default

output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete

output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default

output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete

output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514

output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514

output alert_syslog_full: sensor_name snortIds1-eth2, local

output log_syslog_full: sensor_name snortIds1-eth2, local, log_priority LOG_CRIT,log_facility LOG_CRON

log_ascii

----------------------------------------------------------------------------

Purpose: This output module provides the default packet logging functionality

Arguments: None.

Examples:

output log_ascii

log_tcpdump

----------------------------------------------------------------------------

Purpose

This output module logs packets in binary tcpdump format

Arguments:

The only argument is the output file name.

Examples:

output log_tcpdump: tcpdump.log

sguil

----------------------------------------------------------------------------

Purpose: This output module provides logging ability for the sguil interface

See doc/README.sguil

Arguments: agent_port <port>, sensor_name <name>

arguments should be comma delimited.

agent_port - explicitly set the sguil agent listening port

(default: 7736)

sensor_name - explicitly set the sensor name

(default: machine hostname)

Examples:

output sguil

output sguil: agent_port=7000

output sguil: sensor_name=argyle

output sguil: agent_port=7000, sensor_name=argyle

database: log to a variety of databases

----------------------------------------------------------------------------

Purpose: This output module provides logging ability to a variety of databases

See doc/README.database for additional information.

Examples:

output database: log, mysql, user=root password=test dbname=db host=localhost

output database: alert, postgresql, user=snort dbname=snort

output database: log, odbc, user=snort dbname=snort

output database: log, mssql, dbname=snort user=snort password=test

output database: log, oracle, dbname=snort user=snort password=test

alert_fwsam: allow blocking of IP's through remote services

----------------------------------------------------------------------------

output alert_fwsam: <SnortSam Station>:<port>/<key>

<FW Mgmt Station>: IP address or host name of the host running SnortSam.

<port>: Port the remote SnortSam service listens on (default 898).

<key>: Key used for authentication (encryption really)

of the communication to the remote service.

Examples:

output alert_fwsam: snortsambox/idspassword

output alert_fwsam: fw1.domain.tld:898/mykey

output alert_fwsam: 192.168.0.1/borderfw 192.168.1.254/wanfw

[root-vmjoyabratag04-08:37:10-~]
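The run above fails before reading any records because barnyard2 cannot open the spool directory given with -d. The following pre-flight check is an added example, not part of the original post or of the barnyard2 project: it verifies that the spool directory exists, that it holds at least one unified2 file, and, where the configuration file has an active "config chroot:" line, that the same path also exists beneath that chroot. The function names, the way the active chroot value is read from the conf file, and the assumption that barnyard2 resolves the spool path underneath its chroot after initialisation are all mine and are labelled in the comments.

```shell
#!/bin/sh
# Added example, not from the original post or the barnyard2 project.
# Pre-flight check for the spool directory barnyard2 is told to read with -d.
# Assumptions (mine, not the page's): the first uncommented "config chroot:"
# line of the conf file names the chroot, and paths barnyard2 opens after
# initialisation, including the spool directory, are resolved beneath it.

# active_config KEY CONF_FILE
# Prints the value of the first uncommented "config KEY: value" line, if any.
# Lines commented out with '#' do not match because the pattern is anchored
# at the start of the line.
active_config() {
    sed -n "s/^[[:space:]]*config[[:space:]]*$1:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$2" | head -n 1
}

# count_unified2 DIR
# Prints how many files named <prefix>.<unix timestamp> (the unified2 naming
# scheme Snort uses) DIR holds; 0 when DIR is missing or empty.
count_unified2() {
    n=0
    for f in "$1"/*.[0-9]*; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# check_spool_dir SPOOL_DIR CONF_FILE
# Returns 0 when SPOOL_DIR exists, holds at least one unified2 file and, if
# CONF_FILE enables a chroot, also exists beneath that chroot; 1 otherwise.
check_spool_dir() {
    spool="$1"
    conf="$2"
    status=0

    if [ ! -d "$spool" ]; then
        echo "spool directory '$spool' does not exist" >&2
        status=1
    elif [ "$(count_unified2 "$spool")" -eq 0 ]; then
        echo "spool directory '$spool' holds no unified2 files; check Snort's unified2 output path" >&2
        status=1
    fi

    chroot_dir=$(active_config chroot "$conf")
    if [ -n "$chroot_dir" ] && [ ! -d "$chroot_dir$spool" ]; then
        echo "config chroot is '$chroot_dir' but '$chroot_dir$spool' does not exist" >&2
        status=1
    fi
    return "$status"
}

# Usage: sh check_spool.sh /var/log/snort /etc/barnyard2.conf
if [ "$#" -eq 2 ]; then
    check_spool_dir "$1" "$2" && echo "spool directory '$1' looks usable"
fi
```

Run it with the same spool directory and configuration file you pass to barnyard2; each failing condition is reported on stderr so the three causes (missing directory, empty directory, directory absent under the chroot) can be told apart before starting the daemon.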