Continuing from the last post, Snort from scratch part I, this one explains how to install barnyard2 and BASE. BASE (Basic Analysis and Security Engine) is a web front-end for querying and analysing the alerts Snort produces. The alerts reach a MySQL database through barnyard2, an output spooler for Snort: Snort is configured to write its alerts in the binary unified2 format, barnyard2 reads those files and inserts the events into the database backend, and BASE queries them from there. Splitting the work this way keeps the database inserts out of Snort's packet-processing path, which is what unified2 exists for.

Installing BASE dependencies

# yum install -y mysql-server mysql-devel php-mysql php-adodb php-pear php-gd httpd
# pear channel-update pear.php.net
# pear install Numbers_Roman
# pear install channel://pear.php.net/Image_Canvas-0.3.5
# pear install channel://pear.php.net/Image_Graph-0.8.0

Preparing the MySQL environment
– Initializing MySQL and configuring the daemon to start at boot time (the init script shipped with the mysql-server package is called mysqld):

# service mysqld start
# chkconfig --level 235 mysqld on

A fresh install leaves the MySQL root account without a password; run mysql_secure_installation before going on, so that the -p prompt below actually protects something.

– Preparing the new database for Snort. Replace 'snortpassword' with a real password; the same value goes into barnyard2.conf and base_conf.php later. CREATE is granted because both the barnyard2 schema and BASE's own tables are created with this account:

# mysql -u root -p
mysql> create database snort;
mysql> grant select,insert,update,delete,create on snort.* to snort@localhost;
mysql> set password for snort@localhost=PASSWORD('snortpassword');

Configuring Snort to log in unified2 format

# vi /etc/snort/snort.conf
output unified2: filename snort.u2, limit 128

Snort now writes binary unified2 files named snort.u2.<unix timestamp> in its log directory (/var/log/snort, the -l option of the init script) and starts a new file every 128 MB. Nothing reads them yet; that is barnyard2's job.

Installing barnyard2

# cd /tmp ; wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
# tar -xzvf barnyard2-1.9.tar.gz
# cd barnyard2-1.9
# ./configure --with-mysql
# make && make install
# cp etc/barnyard2.conf /etc/snort/
# mysql -u snort -p snort < schemas/create_mysql
# touch /etc/snort/barnyard2.waldo
# chown snort:snort /etc/snort/barnyard2.waldo
# chmod 600 /etc/snort/barnyard2.waldo

On 64-bit systems configure may fail to find the MySQL client library; point it there with --with-mysql-libraries=/usr/lib64/mysql. The schema is loaded with the snort account, typing the password at the prompt rather than passing it as -psnortpassword on the command line, where it would end up in the shell history and be visible in ps to every user. The waldo file is barnyard2's bookmark into the spool (how far it has read); it only has to be writable by the snort user barnyard2 runs as, so it must not be made world-writable.

– Edit the barnyard2 configuration (the map files are the ones installed with the Snort rules in Part I; adjust the paths if yours live elsewhere):

# vi /etc/snort/barnyard2.conf
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/rules/gen-msg.map
config sid_file: /etc/snort/rules/sid-msg.map
input unified2
config hostname: localhost
config interface: eth0
config alert_with_interface_name
output database: log, mysql, user=snort password=snortpassword dbname=snort host=localhost

Set hostname and interface to the sensor's real values; barnyard2 stores them in the sensor table and BASE shows them with every event. The file now holds the database password, so keep it away from other local users: owned by root and the snort group, mode 640.
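Barnyard2 consumes the spool that the output unified2 line above makes Snort write, record by record: every record starts with an 8-byte header (record type and body length, both 32-bit big-endian) followed by the body. The POSIX shell script below is an added example written for this post, not code from Snort or barnyard2; it walks a spool file with od(1), names the record types using the numbers from Snort's Unified2_common.h, and reports a file that ends in the middle of a record, which is what a barnyard2 that seems stuck is usually waiting on. The sample spool it builds is constructed, not a capture.

```shell
#!/bin/sh
# Walk a Snort unified2 spool file and report what barnyard2 will find in it.
# Added example for this post, not part of Snort or barnyard2. Needs only
# POSIX sh, od(1), dd(1) and awk(1). Each unified2 record is laid out as:
#   4 bytes record type (big-endian) | 4 bytes body length (big-endian) | body
# The type numbers below are the ones defined in Snort's Unified2_common.h.

# Print the 32-bit big-endian unsigned integer at byte offset $2 of file $1.
# ("$1" and "$2" are expanded before "set --" replaces the positional parameters.)
u2_be32() {
    set -- $(od -An -tu1 -j "$2" -N 4 "$1")
    [ $# -eq 4 ] || return 1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Symbolic name of a unified2 record type.
u2_type_name() {
    case "$1" in
        2)   echo PACKET ;;
        7)   echo IDS_EVENT ;;
        72)  echo IDS_EVENT_IPV6 ;;
        104) echo IDS_EVENT_VLAN ;;
        105) echo IDS_EVENT_IPV6_VLAN ;;
        110) echo EXTRA_DATA ;;
        *)   echo "UNKNOWN($1)" ;;
    esac
}

# Print "offset type length" for every record in $1. Returns 0 when the file
# ends exactly on a record boundary, 1 when it ends mid-record (still being
# written by Snort, or cut short by a full disk).
u2_walk() {
    file=$1
    size=$(wc -c < "$file" | tr -d ' ')
    off=0
    while [ "$off" -lt "$size" ]; do
        if [ $((size - off)) -lt 8 ]; then
            echo "$file: truncated record header at offset $off" >&2
            return 1
        fi
        type=$(u2_be32 "$file" "$off")
        len=$(u2_be32 "$file" $((off + 4)))
        if [ $((off + 8 + len)) -gt "$size" ]; then
            echo "$file: record at offset $off claims $len bytes, only $((size - off - 8)) left" >&2
            return 1
        fi
        echo "$off $(u2_type_name "$type") $len"
        off=$((off + 8 + len))
    done
    return 0
}

# Number of complete records of type $2 (by name, e.g. IDS_EVENT) in spool $1.
u2_count() {
    u2_walk "$1" 2>/dev/null | awk -v t="$2" '$2 == t { n++ } END { print n + 0 }'
}

# Constructed sample spool (not a capture): an IDS_EVENT record with a 52-byte
# body followed by a PACKET record with a 20-byte body, both zero-filled.
make_sample_spool() {
    {
        printf '\000\000\000\007\000\000\000\064'; dd if=/dev/zero bs=1 count=52 2>/dev/null
        printf '\000\000\000\002\000\000\000\024'; dd if=/dev/zero bs=1 count=20 2>/dev/null
    } > "$1"
}

# Constructed sample of the failure case: a header promising 52 bytes, 10 present.
make_truncated_spool() {
    {
        printf '\000\000\000\007\000\000\000\064'; dd if=/dev/zero bs=1 count=10 2>/dev/null
    } > "$1"
}

spool=$(mktemp)
make_sample_spool "$spool"
u2_walk "$spool"
echo "IDS_EVENT records: $(u2_count "$spool" IDS_EVENT)"
rm -f "$spool"
```

On the sensor, point u2_walk at one snort.u2.<timestamp> file under /var/log/snort. If the IDS_EVENT count keeps growing while the event table in MySQL does not, barnyard2 (its waldo, its -d/-f arguments or the database account) is the part to look at; if the walk stops with a truncated record, Snort is still writing that file or the disk filled up.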

Adapting our init script to work with barnyard2

The snortd init script from Part I only knows about Snort. Define BARNYARD2 next to the other variable definitions at the top of /etc/init.d/snortd, then replace the script's existing start() and stop() functions with the versions below, so that barnyard2 is started right after Snort and stopped together with it. Its -d, -f and -w arguments have to name the Snort log directory, the unified2 filename set in snort.conf and the waldo file created above.

# vi /etc/init.d/snortd
# barnyard2 binary installed by "make install"; goes next to the other variables
BARNYARD2=/usr/local/bin/barnyard2

start()
{
    [ -x $SNORTD ] || exit 5

    echo -n $"Starting $prog: "
    daemon --pidfile=$PID_FILE $SNORTD $LINK_LAYER $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST $BPFFILE $BPF && success || failure
    RETVAL=$?
    # Start barnyard2 once Snort is up: follow the unified2 spool Snort writes in
    # $LOGDIR, keep the read position in the waldo file, run as the snort user
    # and go to the background (-D)
    $BARNYARD2 -c /etc/snort/barnyard2.conf -d $LOGDIR -f snort.u2 -w /etc/snort/barnyard2.waldo -u snort -g snort -D
    [ $RETVAL -eq 0 ] && touch $lockfile
    echo
    return $RETVAL
}

stop()
{
    echo -n $"Stopping $prog: "
    killproc $SNORTD
    # Stop barnyard2 as well; the waldo file keeps the position it had reached,
    # so the next start resumes there instead of re-inserting old events
    killproc $BARNYARD2
    if [ -e $PID_FILE ]; then
        # stock snortd cleanup of the PID file left behind by Snort
        chown -R $USER:$GROUP /var/run/snort_eth0.* && rm -f /var/run/snort_eth0.pi*
    fi
    RETVAL=$?
    if [ "x$runlevel" = x0 -o "x$runlevel" = x6 ] ; then
        trap TERM
        killall $prog 2>/dev/null
        trap TERM
    fi
    [ $RETVAL -eq 0 ] && rm -f $lockfile
    echo
    return $RETVAL
}

– Restart Snortd:

# /etc/init.d/snortd restart

Installing BASE

# cd /tmp ; wget -O base-1.4.5.tar.gz http://sourceforge.net/projects/secureideas/files/latest/download
# tar -xzvf base-1.4.5.tar.gz
# cp -r base-1.4.5/ /var/www/base
# cd /var/www/base/
# cp base_conf.php.dist base_conf.php

The SourceForge "latest" link does not carry the file name, hence the -O. base_conf.php will hold the database password as well, so make it readable only by root and the apache group, which is all the web server needs.

– Edit the BASE configuration (the database settings must match the account created above):

# vi base_conf.php
$BASE_urlpath = '/base';
$DBlib_path = '/usr/share/php/adodb';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '3306';
$alert_user = 'snort';
$alert_password = 'snortpassword';

Configuring Apache

# vi /etc/httpd/conf.d/base.conf
Alias /base /var/www/base/
<Directory "/var/www/base/">
AllowOverride None
Order allow,deny
Allow from all
AuthName "Snort IDS"
AuthType Basic
AuthUserFile /etc/snort/base.passwd
Require valid-user
</Directory>

Basic authentication sends the password in the clear with every request, so do not leave this reachable over plain HTTP from everywhere: replace "Allow from all" with the management network that needs the console, serve it through mod_ssl, or both.

– Generating password file for web access for BASE:

# htpasswd -c /etc/snort/base.passwd snortadmin

– Restart apache:

# service httpd restart

Accessing the BASE web interface

Open the setup page in a browser:

http://IP-WEB-SERVER/base/base_db_setup.php

and click "Create BASE AG". This creates the extra tables BASE needs (alert groups and so on) in the snort database using the snort account, which is why that account was granted CREATE; from then on the main BASE page shows the alerts as barnyard2 inserts them.
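Before trusting the console, it is worth checking the two things this setup most often gets wrong: barnyard2 told to watch a spool filename that differs from the one in snort.conf (it then waits forever and BASE stays empty), and the files that now hold the database password (barnyard2.conf, base_conf.php) or the web login hashes (base.passwd) left readable by every local user. The script below is an added example written for this post, not code from the original or from either project; the file fragments it checks are constructed inline so it runs anywhere, and the usage note gives the real paths used in this tutorial.

```shell
#!/bin/sh
# Post-install check for the Snort -> barnyard2 -> BASE chain built in this post.
# Added example, not part of the original post or of either project. Needs only
# POSIX sh, sed(1) and find(1). The fragments below are constructed, not copied
# from a sensor, so the script runs anywhere.

# Print the unified2 filename snort.conf tells Snort to write, i.e. "snort.u2"
# from "output unified2: filename snort.u2, limit 128".
snort_u2_filename() {
    sed -n 's/^[[:space:]]*output unified2:.*filename[[:space:]]*\([^,[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Print the spool filename the init script hands to barnyard2 with -f.
barnyard2_u2_filename() {
    sed -n 's/.*barnyard2.*[[:space:]]-f[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# 0 when Snort and barnyard2 agree on the spool name; 1 when barnyard2 would wait
# on a file Snort never writes (BASE then simply stays empty).
spool_names_match() {
    s=$(snort_u2_filename "$1")
    b=$(barnyard2_u2_filename "$2")
    [ -n "$s" ] && [ "$s" = "$b" ]
}

# 0 when "other" can read or write $1 (mode bit 0004 or 0002 set).
world_accessible() {
    [ -n "$(find "$1" -perm -004 -o -perm -002 2>/dev/null)" ]
}

# List credential-bearing files that are missing or open to every local user.
# Returns the number of problems found (0 = clean).
audit_secret_files() {
    bad=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "missing: $f"
            bad=$((bad + 1))
        elif world_accessible "$f"; then
            echo "world-accessible: $f ($(ls -l "$f" | cut -c1-10))"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Constructed fragments of the files this tutorial edits.
tmpdir=$(mktemp -d)
cat > "$tmpdir/snort.conf" <<'EOF'
output unified2: filename snort.u2, limit 128
EOF
cat > "$tmpdir/snortd" <<'EOF'
$BARNYARD2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /etc/snort/barnyard2.waldo -u snort -g snort -D
EOF
printf 'output database: log, mysql, user=snort password=snortpassword dbname=snort host=localhost\n' > "$tmpdir/barnyard2.conf"
chmod 644 "$tmpdir/barnyard2.conf"   # what the default umask leaves: readable by anyone

if spool_names_match "$tmpdir/snort.conf" "$tmpdir/snortd"; then
    echo "spool name agrees: $(snort_u2_filename "$tmpdir/snort.conf")"
else
    echo "snort.conf and snortd disagree on the unified2 filename"
fi
if audit_secret_files "$tmpdir/barnyard2.conf"; then
    echo "credential files are private"
else
    echo "fix the files listed above: mode 640, owner root, group snort (barnyard2.conf) or apache (base_conf.php, base.passwd)"
fi
rm -rf "$tmpdir"
```

On the sensor, source the functions and run spool_names_match /etc/snort/snort.conf /etc/init.d/snortd followed by audit_secret_files /etc/snort/barnyard2.conf /var/www/base/base_conf.php /etc/snort/base.passwd /etc/snort/barnyard2.waldo; a non-zero return from either is something to fix before the box goes anywhere near production traffic.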

Snort from scratch (Part II): Installing BASE & barnyard2

One thought on "Snort from scratch (Part II): Installing BASE & barnyard2"

July 2, 2014 at 22:49

For "Adapting our init script to work with barnyard2" – at which part of the script do I make the changes? At the top?
