@ianunruh
Last active December 14, 2015 03:09
Snorby tutorial

This tutorial assumes that you have a 64-bit installation of Debian Wheezy and are running as the root user.

MySQL

First, we'll install and configure MySQL.

apt-get install mysql-server
mysql -u root -p

Enter the root password you set when installing MySQL, then execute these queries (the password 'snorby' is reused in the Barnyard2 configuration below, so if you choose a different one, change it in both places):

CREATE USER snorby@localhost IDENTIFIED BY 'snorby';
CREATE DATABASE snorby;
GRANT ALL PRIVILEGES ON snorby.* TO snorby@localhost;
FLUSH PRIVILEGES;

Snort

Now we'll install Snort. During installation, the package's configuration prompt asks for the address range of the network you're monitoring (Snort's HOME_NET).

apt-get install snort

Open /etc/snort/snort.conf and add the following line:

output unified2: filename snort.u2, limit 128

This makes Snort write its alerts in the unified2 binary format that Barnyard2 reads, rotating to a new file once the current one reaches 128 MB. Save the file and restart the Snort service:

service snort restart

Barnyard2

Now, we'll install Barnyard2. Its job is to read the unified2 files Snort writes and insert the events into our MySQL database, so Snort itself never blocks on database writes.

apt-get install libpcap-dev libmysqlclient-dev git build-essential autoconf libtool
git clone git://github.com/firnsy/barnyard2.git && cd barnyard2
git checkout stable
./autogen.sh
./configure --with-mysql-includes=/usr/include/mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
make && make install
cp etc/barnyard2.conf /etc/

That was fun. Now we'll edit the Barnyard2 configuration in /etc/barnyard2.conf and add or change the following lines:

config sid_file: /etc/snort/community-sid-msg.map
config hostname: snorby
config interface: eth0
config daemon
config waldo_file: /var/log/barnyard2/waldo
output database: log, mysql, user=snorby password=snorby dbname=snorby host=localhost

Look up the uid and gid of the snort user created by the Snort package. Barnyard2 can drop privileges to that user and group with its -u and -g options instead of running as root; if you do this, make sure /var/log/barnyard2 (where the waldo file lives) is writable by that user.
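To make the two pieces above concrete, here is an added example (not from this gist and not Barnyard2's own code) that does in miniature what Barnyard2 does: it parses the unified2 records Snort writes and keeps a bookmark so that a restart resumes where it stopped. The record layouts follow Snort's Unified2_common.h (UNIFIED2_IDS_EVENT = 7, UNIFIED2_PACKET = 2); the bookmark is a simplified text analogue of Barnyard2's waldo file, not its real binary format, and the spool files and alert values are constructed sample data.

```python
"""Minimal unified2 spool reader with a waldo-style bookmark (added example).
Record layouts follow Snort's Unified2_common.h; sample data is constructed."""
import os
import struct
import tempfile
from dataclasses import dataclass
from ipaddress import IPv4Address

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# Every record: uint32 type, uint32 length (network byte order), then payload.
HDR = struct.Struct("!II")
# Unified2IDSEvent_legacy: 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes.
EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")
# Serial_Unified2Packet header: 7 x uint32 = 28 bytes, then the packet bytes.
PACKET = struct.Struct("!IIIIIII")


@dataclass
class Event:
    sensor_id: int
    event_id: int
    event_second: int
    gid: int
    sid: int
    rev: int
    priority: int
    src: str
    dst: str
    sport: int
    dport: int
    protocol: int


def parse_record(buf, offset):
    """Parse one record at offset. Returns (record, next_offset), or
    (None, offset) if the buffer ends mid-record (Snort may still be writing)."""
    if len(buf) - offset < HDR.size:
        return None, offset
    rtype, length = HDR.unpack_from(buf, offset)
    body_start = offset + HDR.size
    if len(buf) - body_start < length:
        return None, offset  # partial record: keep the bookmark here and retry later
    body = buf[body_start:body_start + length]
    if rtype == UNIFIED2_IDS_EVENT and length >= EVENT.size:
        f = EVENT.unpack_from(body)
        rec = Event(sensor_id=f[0], event_id=f[1], event_second=f[2],
                    sid=f[4], gid=f[5], rev=f[6], priority=f[8],
                    src=str(IPv4Address(f[9])), dst=str(IPv4Address(f[10])),
                    sport=f[11], dport=f[12], protocol=f[13])
    elif rtype == UNIFIED2_PACKET and length >= PACKET.size:
        f = PACKET.unpack_from(body)
        rec = ("packet", f[1], body[PACKET.size:PACKET.size + f[6]])  # f[6] = packet_length
    else:
        rec = ("unknown", rtype, length)  # unhandled type: skip it but stay in sync
    return rec, body_start + length


def read_spool(spool_dir, filebase, waldo_path):
    """Read every <filebase>.<timestamp> file in spool_dir, resuming from the
    (timestamp, offset) bookmark in waldo_path. Returns the new records."""
    bookmark = (0, 0)
    if os.path.exists(waldo_path):
        with open(waldo_path) as fh:
            ts, off = fh.read().split()
            bookmark = (int(ts), int(off))
    records = []
    for name in sorted(os.listdir(spool_dir)):
        if not name.startswith(filebase + "."):
            continue
        ts = int(name[len(filebase) + 1:])
        if ts < bookmark[0]:
            continue  # older spool file, already consumed
        offset = bookmark[1] if ts == bookmark[0] else 0
        with open(os.path.join(spool_dir, name), "rb") as fh:
            buf = fh.read()
        while True:
            rec, offset_after = parse_record(buf, offset)
            if rec is None:
                break
            records.append(rec)
            offset = offset_after
        bookmark = (ts, offset)
        with open(waldo_path, "w") as fh:  # persist progress, like Barnyard2's waldo
            fh.write(f"{ts} {offset}\n")
    return records


def build_sample_spool():
    """Construct a temporary spool with one complete file and one file whose
    last record is truncated, as if Snort were still writing it (sample data)."""
    d = tempfile.mkdtemp()
    ev = EVENT.pack(1, 7, 1355454000, 0, 1000001, 1, 1, 3, 2,
                    int(IPv4Address("10.0.0.5")), int(IPv4Address("192.168.1.1")),
                    44321, 80, 6, 0, 0, 0)
    pkt_data = b"\x00" * 14 + b"E" * 20  # dummy Ethernet + IP bytes
    pkt = PACKET.pack(1, 7, 1355454000, 1355454000, 0, 1, len(pkt_data)) + pkt_data
    with open(os.path.join(d, "snort.u2.1355454000"), "wb") as fh:
        fh.write(HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev)
        fh.write(HDR.pack(UNIFIED2_PACKET, len(pkt)) + pkt)
    with open(os.path.join(d, "snort.u2.1355454060"), "wb") as fh:
        fh.write(HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev)
        fh.write(HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev[:10])  # truncated tail
    return d


if __name__ == "__main__":
    spool = build_sample_spool()
    for r in read_spool(spool, "snort.u2", os.path.join(spool, "waldo")):
        print(r)
```

Running it twice against the same spool shows the point of the waldo file: the first pass yields two events and one packet, stops at the truncated record, and records its position; the second pass returns nothing because nothing new has been written. With Barnyard2 the same mechanism is why deleting the waldo file causes every event in /var/log/snort to be re-inserted into MySQL.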

Now, we'll want to create a service for Barnyard2. Open up /etc/init.d/barnyard2 and add the following:

#!/bin/sh
# Minimal init script for Barnyard2. Reads /etc/barnyard2.conf (copied there
# above) and the unified2 files Snort writes to /var/log/snort.

case $1 in
    start)
        echo "starting $0..."
        barnyard2 -c /etc/barnyard2.conf -d /var/log/snort -f snort.u2
        echo 'done.'
    ;;
    stop)
        echo "stopping $0..."
        killall barnyard2
        echo 'done.'
    ;;
    restart)
        $0 stop
        $0 start
    ;;
    *)
        echo "usage: $0 (start|stop|restart)"
    ;;
esac

Then make the script executable and create the directory for the waldo file:

chmod +x /etc/init.d/barnyard2
mkdir -p /var/log/barnyard2