@cleesmith
Last active April 6, 2019 22:47
Install Snort and Barnyard2
Install Snort and Barnyard2 in VirtualBox on Ubuntu 12.04 and 14.04
Aug 2014:
Snort:
... in VirtualBox set Network + Advanced 'Promiscuous Mode' to 'Allow All'
sudo apt-get install snort
ps aux | grep -i snort
sudo service snort stop
sudo nano /etc/snort/snort.conf
- comment out all lines that start with 'output'
- add:
output unified2: filename merged.log, limit 128
sudo nano /etc/snort/snort.debian.conf
- ensure:
DEBIAN_SNORT_INTERFACE="eth0" ... or whatever interface is 'promiscuous'
... verify:
ifconfig
reboot server
sudo ls -la /var/log/snort/
sudo nano /var/log/snort/merged.log
... if all is well, it should log suspicious traffic to that file
... generate some traffic from OS X:
ping 192.168.0.19 ... let it run for a while
nmap -v -sn 192.168.0.19
sudo nmap -v -O 192.168.0.19
____________________________________________________________________________________________
Barnyard2:
... add needed dependencies:
sudo apt-get install build-essential libtool autoconf git
sudo apt-get install libpcap-dev libmysqld-dev
git clone git://github.com/firnsy/barnyard2.git
cd barnyard2
./autogen.sh
CFLAGS='-lpthread' ./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu --prefix=$HOME/barnyard2-install
make
mkdir $HOME/barnyard2-install
make install
find $HOME/barnyard2-install
dpkg -l libmysqlclient18
... if not installed then do:
sudo apt-get install libmysqlclient18
... assuming the Snort MySQL database has already been created, either by installing the Snort schema or by loading it from a mysqldump
... create barnyard2.conf:
sudo nano /etc/snort/barnyard2.conf
... or:
sudo tee /etc/snort/barnyard2.conf > /dev/null << 'EOF'
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
config logdir: /var/log/snort
config hostname: some_host_name
config interface: eth0
config daemon
config waldo_file: /var/log/snort/barnyard2.waldo
input unified2
output database: log, mysql, user=osprotect password=???? dbname=snort host=127.0.0.1
# to forward alerts also to syslog, uncomment the following 2 lines:
# output alert_syslog_full: sensor_name snortIds1-eth1, local
# output log_syslog_full: sensor_name snortIds1-eth1, local, log_priority LOG_CRIT
EOF
sudo ~/barnyard2-install/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f merged.log -w /var/log/snort/barnyard2.waldo
... note that after a few seconds you'll be dropped back into your shell.
That's normal, since barnyard2 is configured (config daemon) to run as a daemon.
As always, it's a good idea to check /var/log/syslog for errors.
You can also check whether the daemon is still running with "ps -ef | grep barnyard2"
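Barnyard2 is needed because the unified2 file Snort writes (merged.log above) is binary, and the waldo file is the bookmark it uses to resume where it stopped. As an added illustration that is not part of this gist or of Barnyard2 itself, the Python below decodes the legacy IDS event (type 7) and packet (type 2) records from a constructed in-memory unified2 sample and returns a resume offset that behaves like the waldo bookmark; the addresses, timestamps and signature id in the sample are constructed values.

```python
import socket
import struct

# Record types and layouts from Snort's unified2 format, network byte order.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
EVENT_FMT = "!11I2H4B"   # 52-byte legacy IDS event body
PACKET_FMT = "!7I"       # 28-byte packet header; raw packet bytes follow it


def parse_unified2(data, offset=0):
    """Walk unified2 records from `offset`; return (records, new_offset).
    The returned offset acts like Barnyard2's waldo bookmark: a record Snort has
    not finished writing is left unread so a later call resumes exactly there."""
    records = []
    while offset + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, offset)
        if offset + 8 + rlen > len(data):
            break  # truncated trailing record: stop, resume from `offset` later
        body = data[offset + 8:offset + 8 + rlen]
        if rtype == UNIFIED2_IDS_EVENT and rlen == struct.calcsize(EVENT_FMT):
            f = struct.unpack(EVENT_FMT, body)
            records.append({
                "type": "event", "event_id": f[1], "time": f[2],
                "gid": f[5], "sid": f[4], "rev": f[6], "priority": f[8],
                "src": socket.inet_ntoa(struct.pack("!I", f[9])),
                "dst": socket.inet_ntoa(struct.pack("!I", f[10])),
                "sport": f[11], "dport": f[12], "proto": f[13],
            })
        elif rtype == UNIFIED2_PACKET and rlen >= struct.calcsize(PACKET_FMT):
            p = struct.unpack_from(PACKET_FMT, body)
            records.append({"type": "packet", "event_id": p[1],
                            "linktype": p[5], "payload": body[28:28 + p[6]]})
        else:  # extra-data or newer event layouts: skip but keep the length
            records.append({"type": "unknown", "record_type": rtype, "length": rlen})
        offset += 8 + rlen
    return records, offset


def build_sample():
    """Constructed sample: one ICMP alert, its packet record, and a half-written
    packet record that mimics a file Snort is still appending to."""
    ip = lambda s: struct.unpack("!I", socket.inet_aton(s))[0]
    event = struct.pack(EVENT_FMT, 0, 1, 1407000000, 0, 469, 1, 3, 29, 2,
                        ip("192.168.0.10"), ip("192.168.0.19"), 0, 0, 1, 0, 0, 0)
    payload = b"\xde\xad\xbe\xef"
    packet = struct.pack(PACKET_FMT, 0, 1, 1407000000, 1407000000, 0, 1, len(payload)) + payload
    truncated = struct.pack("!II", UNIFIED2_PACKET, 28) + b"\x00" * 8
    return (struct.pack("!II", UNIFIED2_IDS_EVENT, len(event)) + event
            + struct.pack("!II", UNIFIED2_PACKET, len(packet)) + packet + truncated)
```

Calling `parse_unified2(data, offset)` a second time with the returned offset picks up only records completed since the first pass, which is the behaviour the waldo file gives Barnyard2 across restarts.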