After successfully installing Suricata and Snorby, I’m going to use Barnyard2 to read the alerts and send them to Snorby’s database. Barnyard2 understands the unified2 binary format. If you get lost, don’t worry, because I’m going to update the Snorby how-to. If you can’t wait, these are the steps I followed:
- Download Barnyard2:
  wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
- tar xvfz barnyard2-1.9.tar.gz
- cd barnyard2-1.9/
- You’ll need the MySQL libraries if you want to store Suricata’s events:
  apt-get install mysql-client libmysqlclient-dev
- I’m going to compile barnyard2 with PF_RING and libpcap support. If you followed my how-to, the include files and libraries are inside /opt/PF_RING:
  ./configure --with-mysql --with-libpcap-includes=/opt/PF_RING/include --with-libpcap-libraries=/opt/PF_RING/lib --with-libpfring-includes=/opt/PF_RING/include --with-libpfring-libraries=/opt/PF_RING/lib
- make && make install
- Let’s check if barnyard2 is ready. If you see a pig, all is good:
  barnyard2 --help
   / ,,_  \  Version 2.1.9 (Build 263)
   |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
   + '''' +  (C) Copyright 2008-2010 SecurixLive.
- If barnyard2 complains about libpcap.so.1 not being found, use this:
  ln -s /opt/PF_RING/lib/libpcap.so.1 /usr/lib/libpcap.so.1
- Now, you will need a barnyard2 config file:
- cp etc/barnyard2.conf /etc/barnyard2.conf
- Edit /etc/barnyard2.conf and add the following line (replace dbuser, dbpass, database and x.x.x.x with the right values for your Snorby MySQL database):
  output database: alert, mysql, user=dbuser password=dbpass dbname=database host=x.x.x.x
- Barnyard2’s config file needs to know where your config and map files are in order to identify the rules. I’m using Emerging Threats rules in my /etc/suricata directory:
  # set the appropriate paths to the file(s) your Suricata process is using.
  config reference_file: /etc/suricata/reference.config
  config classification_file: /etc/suricata/classification.config
  config gen_file: /etc/suricata/gen-msg.map
  config sid_file: /etc/suricata/sid-msg.map
- Check that you find these lines in /etc/suricata/suricata.yaml:
  - unified2-alert:
      enabled: yes
      filename: unified2.alert
- OK. I have Suricata running. With this command the unified2 binary files will be read and new events will be sent to Snorby:
  barnyard2 -c /etc/barnyard2.conf -d /var/log/suricata -f unified2.alert
- All seems to work fine. Snorby is starting to show events.
- Snorby is awesome. More info soon!
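As an added example (not code from the original post or from the Barnyard2 project), here is a small POSIX sh pre-flight script that checks the two configuration pieces the steps above depend on before barnyard2 is started: that barnyard2.conf carries the MySQL output line and the four config/map file paths (and that the x.x.x.x placeholder host was actually replaced), and that suricata.yaml has the unified2-alert output enabled. The file contents it writes are constructed samples; the /etc/suricata paths are the ones used in the post, and the --check-files flag is an assumption of this script, not a barnyard2 option.

```shell
#!/bin/sh
# Added example: pre-flight checks for the barnyard2 -> Snorby setup described above.
# Not part of the original post. Sample config contents below are constructed.

# Return 0 if a barnyard2.conf has the MySQL output line and the four
# config/map file lines barnyard2 needs to identify Suricata's rules.
# With "--check-files" as second argument, also require those paths to be readable.
check_barnyard_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    rc=0
    grep -Eq '^output database: alert, mysql, ' "$conf" \
        || { echo "missing 'output database: alert, mysql' line"; rc=1; }
    for key in reference_file classification_file gen_file sid_file; do
        path=$(sed -n "s/^config $key: *//p" "$conf" | head -n 1)
        if [ -z "$path" ]; then
            echo "missing 'config $key:' line"; rc=1
        elif [ "$2" = "--check-files" ] && [ ! -r "$path" ]; then
            echo "$key points to unreadable $path"; rc=1
        fi
    done
    # The post's template uses x.x.x.x as the database host; fail if it was never replaced.
    grep -Eq 'host=x\.x\.x\.x' "$conf" \
        && { echo "database host still set to placeholder x.x.x.x"; rc=1; }
    # The output line holds the database password in clear text, so warn if the file is world-readable.
    [ -z "$(find "$conf" -perm -004 2>/dev/null)" ] \
        || echo "warning: $conf is world-readable and contains the database password"
    return $rc
}

# Return 0 if suricata.yaml has a '- unified2-alert:' output block with 'enabled: yes'.
unified2_enabled() {
    # Collect the lines after '- unified2-alert:' up to the next '- ' list item and
    # look for 'enabled: yes' only inside that slice.
    awk '
        /^[ \t]*- unified2-alert:/ { inblock = 1; next }
        inblock && /^[ \t]*- /     { inblock = 0 }
        inblock && /^[ \t]*enabled:[ \t]*yes/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Write constructed sample files into a temp directory and print its path.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/barnyard2.conf" <<'EOF'
config reference_file: /etc/suricata/reference.config
config classification_file: /etc/suricata/classification.config
config gen_file: /etc/suricata/gen-msg.map
config sid_file: /etc/suricata/sid-msg.map
output database: alert, mysql, user=snorby password=secret dbname=snorby host=127.0.0.1
EOF
    cat > "$dir/barnyard2-bad.conf" <<'EOF'
config reference_file: /etc/suricata/reference.config
output database: alert, mysql, user=dbuser password=dbpass dbname=database host=x.x.x.x
EOF
    cat > "$dir/suricata.yaml" <<'EOF'
outputs:
  - fast:
      enabled: yes
  - unified2-alert:
      enabled: yes
      filename: unified2.alert
EOF
    cat > "$dir/suricata-off.yaml" <<'EOF'
outputs:
  - unified2-alert:
      enabled: no
      filename: unified2.alert
  - fast:
      enabled: yes
EOF
    echo "$dir"
}

# Run the checks against the constructed samples. On a real host, point them at
# /etc/barnyard2.conf (with --check-files) and /etc/suricata/suricata.yaml instead.
samples=$(write_samples)
check_barnyard_conf "$samples/barnyard2.conf" && echo "barnyard2.conf: ok"
check_barnyard_conf "$samples/barnyard2-bad.conf" || echo "barnyard2-bad.conf: problems found (expected)"
unified2_enabled "$samples/suricata.yaml" && echo "suricata.yaml: unified2-alert enabled"
unified2_enabled "$samples/suricata-off.yaml" || echo "suricata-off.yaml: unified2-alert disabled (expected)"
```

The unified2 check only looks inside the `- unified2-alert:` list item, so an `enabled: yes` belonging to a neighbouring output (fast, for instance) is not mistaken for it; the barnyard2 check fails on the untouched x.x.x.x placeholder because that is the most common reason Snorby stays empty after the steps above.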

Hello. You might want to check the Security Onion distro which has many of the tools you have used in your posts: http://securityonion.blogspot.com/