Database Output and Graphical Analysis.pdf

MODULE 4 Configuring Snort for Database Output and Graphical Analysis

About This Module

This module presents a technique in which Snort log and alert data is output in the unified2 format and written to a database. This binary output format is less process intensive, so Snort can concentrate its efforts on processing packet data. The Barnyard2 program is a tool that can accept the unified or unified2 output and take over the task of processing it.

Module Objectives:

- Describe the unified2 output format
- Understand the benefits of using a separate tool to handle output tasks
- Install and configure Barnyard2
- Configure MySQL
- Configure BASE

49

http://it4training.com

Page 2: Database Output and Graphical Analysis.pdf

Configuring Snort for Database Output and Graphical Analysis

Slide 46

The Unified2 Output Formats

Snort has the ability to produce a fast, binary output format called the unified2 format. The idea behind this capability is to have other applications do the work of processing Snort output, thus relieving the Snort process. This makes Snort run more efficiently, since it can concentrate more of its effort on processing packets rather than also having to handle output.

What is Produced With Unified2 Output?

Unified2 output can produce three types of files: an alert file, a packet log file, or a true unified file. The alert file is simply information about the alert, which includes some of the packet header information in addition to the alert information such as the alert message, SID and revision number, if so configured in the rule. The packet log file contains the full packet information that triggered the alert, which also includes the alert information. Unified includes both logging styles in a single, unified file.

The directives to enable the different styles of logging are as follows:

- alert_unified2
- log_unified2
- unified2

When MPLS support is turned on, MPLS labels can be included in unified2 events. Use the option mpls_event_types to enable this. If the option mpls_event_types is not used, then MPLS labels will not be included in unified2 events.

An additional option, vlan_event_types, may be used in environments with VLANs. This option will log the VLAN ID from the packet headers. If no VLAN ID is present, then 0 will be used.
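As an added illustration that is not part of the course material, the following Python reads the two record types just described, the IDS event and the packet record, from a unified2 byte stream. Record layouts follow Snort's Unified2_common.h; the sample bytes, and the SID, addresses and ports inside them, are constructed here.

```python
import struct
from dataclasses import dataclass

# Record type codes from Snort's Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

REC_HDR = struct.Struct("!II")         # record type, record length (big-endian)
IDS_EVENT = struct.Struct("!11IHH4B")  # 52-byte IDS event body
PKT_HDR = struct.Struct("!7I")         # 28-byte packet header, raw packet follows


@dataclass
class Event:
    sensor_id: int
    event_id: int
    event_second: int
    event_usec: int
    sid: int
    gid: int
    rev: int
    class_id: int
    priority: int
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    impact_flag: int
    impact: int
    blocked: int


@dataclass
class Packet:
    sensor_id: int
    event_id: int
    event_second: int
    packet_second: int
    packet_usec: int
    linktype: int
    data: bytes


def ip4(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def parse_unified2(buf, offset=0):
    """Parse records from buf starting at offset.

    Returns (records, next_offset). Parsing stops at the first record whose
    body is not fully present (Snort may still be writing it), and next_offset
    points at that record so a checkpointing reader can resume there later.
    Record types this example does not decode (e.g. the extended event types
    that carry the VLAN and MPLS fields) come back as ('unknown', type, length).
    """
    records = []
    while offset + REC_HDR.size <= len(buf):
        rtype, rlen = REC_HDR.unpack_from(buf, offset)
        body_start = offset + REC_HDR.size
        if body_start + rlen > len(buf):
            break                      # truncated trailing record: do not advance
        body = buf[body_start:body_start + rlen]
        if rtype == UNIFIED2_IDS_EVENT and rlen == IDS_EVENT.size:
            f = IDS_EVENT.unpack(body)
            records.append(Event(*f[:9], ip4(f[9]), ip4(f[10]), *f[11:]))
        elif rtype == UNIFIED2_PACKET and rlen >= PKT_HDR.size:
            h = PKT_HDR.unpack_from(body)
            records.append(Packet(*h[:6], body[PKT_HDR.size:PKT_HDR.size + h[6]]))
        else:
            records.append(("unknown", rtype, rlen))
        offset = body_start + rlen
    return records, offset


def sample_stream():
    """Constructed unified2 bytes: one event, its packet, then a cut-off event."""
    ev = IDS_EVENT.pack(1, 7, 1314192843, 1234, 1000001, 1, 2, 3, 2,
                        0x0A000005, 0xC0A86F0A, 40000, 22, 6, 0, 0, 0)
    payload = b"\x00" * 14 + b"E\x00"          # placeholder 16-byte frame
    pk = PKT_HDR.pack(1, 7, 1314192843, 1314192843, 1300, 1, len(payload)) + payload
    stream = REC_HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev
    stream += REC_HDR.pack(UNIFIED2_PACKET, len(pk)) + pk
    stream += REC_HDR.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size) + b"\x00" * 10
    return stream


if __name__ == "__main__":
    recs, nxt = parse_unified2(sample_stream())
    for r in recs:
        print(r)
    print("resume at byte", nxt)
```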

What do You do With Unified2 Output?

To take advantage of unified output, you need some tool to read that output and perform the job of processing it the way the Snort process would have done. This includes being able to convert it to flat ASCII or PCAP, or to redirect output to a database. By handing this off to another process, Snort can spend more of its time processing packets.

One such application to handle unified output is called Barnyard2. Barnyard2 takes the unified output files created by Snort and allows you to configure the output in a variety of ways. Like Snort, Barnyard2 can produce output in many formats including ASCII, PCAP, or database output.

Slide 47

Barnyard2 is a fork of the original Barnyard project and is under active development. It is maintained by and can be downloaded from http://www.securixlive.com (the latest changes are maintained at https://github.com/firnsy/barnyard2). Securix is not only responsible for maintaining Barnyard2; they have also been tasked with maintaining the Snort database schema.

It should be noted that even though there is currently a database output plugin available in the Snort source code, it is no longer being developed or supported and will be removed in a future release.

Barnyard2 is a robust application that features several modes of operation, including a checkpoint mode in which it can write a transaction log to track what data has been processed. This enables Barnyard2 to pick up where it left off if it were to terminate unexpectedly.

Barnyard2's architecture is as follows:

- data processors - accept input from Snort
- output plug-ins - produce the various forms of output

Barnyard2 Data Processors

There are two data processors. Each is described below:

- spi_alert - This data processor reads alerts produced by Snort in its unified2 output format.
- spi_log - This data processor reads log data produced by Snort in its unified2 output format.

Barnyard2 Output Plug-ins

Output plug-ins are directly associated with the data processors. These relationships are identified in the descriptions of the output plug-ins below:

- alert_fast - Converts data received by spi_alert. This produces a concise, one-line-per-alert output that increases performance because of its light weight. However, its performance gains come at the expense of having much more limited information about the alert.
- log_ascii - This output plug-in receives data from spi_log to produce an ASCII packet dump format that contains the full packet data related to logged events and alerts.
- alert_syslog - Takes data from the spi_alert processor to produce syslog-compatible output.

Slide 48

Slide 49

- database - Takes data from both spi_alert and spi_log to produce packet and log data in a database.

Other output plug-ins are available in the current Barnyard2 production release but will not be covered here; they include csv, alert_sguil and alert_cef.

Installing Barnyard2

This section will step through the process of installing and configuring Barnyard2 for use with your Snort installation.

Obtain the Barnyard Distribution

In class we will be using Barnyard2 1.10 Beta. Although we do not promote running beta code in production environments, in this particular case we are making an exception, as there are a number of improvements over version 1.9. It should already be present in the following directory: /usr/local/src. It is also available from GitHub.

Install Barnyard

Perform the following steps on snortbox to complete the Barnyard2 installation:

1. Make sure you are in the following directory: /usr/local

2. Issue the following command to unpack the Barnyard2 distribution:

[root@snortbox local]# unzip src/firnsy-barnyard2-v2-1.10-beta1-0-g411db8a.zip

3. Enter the firnsy-barnyard2-94437b5 directory:

[root@snortbox local]# cd firnsy-barnyard2-94437b5
[root@snortbox firnsy-barnyard2-94437b5]#

Notes:

52

http://it4training.com

Page 5: Database Output and Graphical Analysis.pdf

Configuring Snort for Database Output and Graphical Analysis

4. Run the configuration script as follows:

[root@snortbox firnsy-barnyard2-94437b5]# ./autogen.sh

5. Build Barnyard2 using the following commands:

[root@snortbox firnsy-barnyard2-94437b5]# ./configure --with-mysql && make && make install

6. Copy the barnyard2.conf file located in the /usr/local/firnsy-barnyard2-94437b5/etc directory to the /etc/snort directory with the following command:

[root@snortbox firnsy-barnyard2-94437b5]# cp etc/barnyard2.conf /etc/snort

7. Create a log directory for Barnyard2. This is required for Barnyard2 to start properly:

[root@snortbox firnsy-barnyard2-94437b5]# mkdir /var/log/barnyard2

Slide 50

Configuration

As with Snort, Barnyard2 has a primary configuration file: barnyard2.conf. This file, like snort.conf, is very heavily commented, which makes understanding the settings easier from the onset. The comments can be removed when you become more comfortable with the contents of the file. Fortunately, it is not quite as large as snort.conf, so you should be able to get fairly comfortable with the file after using it a couple of times. This section will step through the features of the barnyard2.conf file.

Configuration Declarations

This section of the file allows you to declare values for certain variables. For the most part, the default configuration options listed in the file are there to support the database output plug-in.

Slide 51

The illustration below is an excerpt from the file. We will discuss the options to be used in class.

# use UTC for timestamps
#config utc

# set the appropriate paths to the file(s) your Snort process is using
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map

- config utc - Specifies whether the data should be output as UTC.
- config reference_file - Specifies the Snort reference.config file.
- config classification_file - Specifies the classification.config file to use.
- config gen_file - Specifies the gen-msg.map file (to be discussed later in the chapter).
- config sid_file - Specifies the sid-msg.map file (to be discussed later in the chapter).

#
# Example:
# For a snort process as follows:
#   snort -i eth0 -c /etc/snort.conf
#
# Typical options would be:
#   config hostname: thor
#   config interface: eth0
#   config alert_with_interface_name
#config hostname: snortbox
#config interface: eth1

# enable printing of the interface name when alerting.
#
# config alert_with_interface_name

- config hostname - Specifies the name assigned to the sensor.
- config interface - Specifies the name assigned to the sensing interface.
- config alert_with_interface_name - Prints the interface name when alerting.


The next few options we will look at are used to help Barnyard2 when it runs as a daemon.

# define the full waldo filepath.
#
#config waldo_file: /tmp/waldo

# specificy the maximum length of the MPLS label chain
#
# CONTINOUS MODE
#
# set the archive directory for use with continous mode
#
#config archivedir: /tmp

# when in operating in continous mode, only process new records and ignore any
# existing unified files
#
#config process_new_records_only

- config waldo_file - Specifies the location of the write-ahead log file.
- config archivedir - Specifies the location to copy unified logs to after they have been read.
- config process_new_records_only - When in continuous mode, only process new data.

There are many options that we do not discuss in class. Some have not yet been fully integrated into Barnyard2.

Slide 52

Configuring the Input and Output Plug-ins

The following excerpts show portions of the input and output plug-in configuration section of the barnyard2.conf file. Some of the options have been omitted.

# Step 2: setup the input plugins
input unified2

# Step 3: setup the output plugins

# alert_fast
#----------------------------------------------------------------------
# Purpose: Converts data to an approximation of Snort's "fast alert" mode.
#
# Arguments: file <file>, stdout
#   arguments should be comma delimited.
#   file - specify alert file
#   stdout - no alert file, just print to screen
#
output alert_fast: stdout

The input field specifies the type of input to expect. The output options specify how to output the data. They are fairly well documented in the barnyard2.conf file. Some notable options are illustrated in the following excerpt in the form of the alert_syslog option and the log_tcpdump configuration option.


# alert_syslog
#----------------------------------------------------------------------
#
# Purpose:
#   This output module provides the ability to output alert information to a
#   remote network host as well as the local host.
#
# Arguments: host=hostname[:port], severity facility
#   arguments should be comma delimited.
#   host - specify a remote hostname or IP with optional port number
#     this is only specific to WIN32 (and is not yet fully supported)
#   severity - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
#   facility - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
#
# Examples:
#   output alert_syslog
#

# log_tcpdump
#----------------------------------------------------------------------
#
# Purpose
#   This output module logs packets in binary tcpdump format
#
# Arguments:
#   The only argument is the output file name.
#
# Examples:
#   output log_tcpdump: tcpdump.log
#

# database
#----------------------------------------------------------------------
#
# Purpose: This output module provides logging ability to a variety of databases
#   See doc/README.database for additional information.
#
# Examples:
#   output database: log, mysql, user=root password=test dbname=db


Barnyard Command Line Options

Slide 54

The following is a listing of the command line options available to Barnyard2:

[root@snortbox ~]# barnyard2 -?

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.10-beta1 (Build 266)
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2011 Ian Firns <firnsy@securixlive.com>

USAGE: barnyard2 [-options] <filter options>

General Options:
        -c <file>       Use configuration file <file>
        -C <file>       Read the classification map from <file>
        -D              Run barnyard2 in background (daemon) mode
        -e              Display the second layer header info
        -F              Turn off fflush() calls after binary log writes
        -g <gname>      Run barnyard2 gid as <gname> group (or gid) after initialization
        -G <file>       Read the gen-msg map from <file>
        -h <name>       Define the hostname <name>. For logging purposes only
        -i <if>         Define the interface <if>. For logging purposes only
        -I              Add Interface name to alert output
        -l <ld>         Log to directory <ld>
        -m <umask>      Set umask = <umask>
        -O              Obfuscate the logged IP addresses
        -q              Quiet. Don't show banner and status report
        -r <id>         Include 'id' in barnyard2_intf<id>.pid file name
        -R <file>       Read the reference map from <file>
        -S <file>       Read the sid-msg map from <file>
        -t <dir>        Chroots process to <dir> after initialization
        -T              Test and report on the current barnyard2 configuration
        -u <uname>      Run barnyard2 uid as <uname> user (or uid) after initialization
        -U              Use UTC for timestamps
        -v              Be verbose
        -V              Show version number
        -y              Include year in timestamp in the alert and log files
        -?              Show this information

Continual Processing Options:
        -a <dir>        Archive processed files to <dir>
        -f <base>       Use <base> as the base filename pattern
        -d <dir>        Spool files from <dir>
        -n              Only process new events
        -w <file>       Enable bookmarking using <file>

Batch Processing Mode Options:
        -o              Enable batch processing mode

Longname options and their corresponding single char version
        --reference <file>                  Same as -R
        --classification <file>             Same as -C
        --gen-msg <file>                    Same as -G
        --sid-msg <file>                    Same as -S
        --process-new-records-only          Same as -n
        --alert-on-each-packet-in-stream    Call output plugins on each packet in an alert stream
        --pid-path <dir>                    Specify the directory for the barnyard2 PID file
        --help                              Same as -?
        --version                           Same as -V
        --create-pidfile                    Create PID file, even when not in Daemon mode
        --nolock-pidfile                    Do not try to lock barnyard2 PID file
[root@snortbox ~]#

Slide 55

A couple of these options specify what mode Barnyard2 will operate in. These modes are described below:

- Batch processing mode - This mode is enabled with the -o command line switch. In this mode, Barnyard2 reads the Snort output unified2 log file you specify and quits once it has been processed.
- Continual with checkpoint mode - This mode runs Barnyard2 continually and tracks where it is at any given time in processing the Snort output unified2 log file. By keeping a record of what it has processed thus far, Barnyard2 is able to pick up where it left off if it were to terminate unexpectedly. Barnyard2 uses a write-ahead-logging file. This is more commonly known as a "waldo" file and may be specified in the configuration file. The waldo file is created upon start. This file tracks the following information:
  - The directory location of the Snort unified log files
  - The unified log file name prefix
  - The current file name suffix
  - The record location within the current log file
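The checkpoint behaviour just described, as an added Python model that is not Barnyard2's own code: the real waldo file is binary, so here the bookmark is a plain dict holding the same four fields, and the spool directory with two rotated merged.log files is constructed in a temporary directory. Treating process_new_records_only (-n) as "start at the end of the newest file" is this model's assumption.

```python
import os
import tempfile


def spool_files(directory, prefix):
    """Numeric suffixes of <prefix>.<suffix> files in directory, oldest first."""
    suffixes = []
    for name in os.listdir(directory):
        tail = name[len(prefix) + 1:]
        if name.startswith(prefix + ".") and tail.isdigit():
            suffixes.append(int(tail))
    return sorted(suffixes)


def plan_resume(directory, prefix, waldo=None, new_records_only=False):
    """Return [(filename, start_offset), ...] in processing order.

    With a bookmark: skip files older than the bookmarked suffix, resume the
    bookmarked file at its record offset, and read newer files from byte 0.
    Without one: replay every file from the start, or, when new_records_only
    is set (modelling process_new_records_only / -n), start at the end of the
    newest file so that records already on disk are ignored.
    """
    suffixes = spool_files(directory, prefix)
    if not suffixes:
        return []
    if waldo is None:
        if new_records_only:
            newest = f"{prefix}.{suffixes[-1]}"
            return [(newest, os.path.getsize(os.path.join(directory, newest)))]
        return [(f"{prefix}.{s}", 0) for s in suffixes]
    if (waldo["directory"], waldo["prefix"]) != (directory, prefix):
        raise ValueError("bookmark belongs to a different spool")
    return [(f"{prefix}.{s}", waldo["offset"] if s == waldo["suffix"] else 0)
            for s in suffixes if s >= waldo["suffix"]]


def checkpoint(directory, prefix, suffix, offset):
    """The four fields the waldo file tracks, as a plain dict."""
    return {"directory": directory, "prefix": prefix,
            "suffix": suffix, "offset": offset}


def demo():
    """Constructed spool: two rotated unified2 files, then a crash and restart."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "merged.log.1314192843"), "wb") as f:
        f.write(b"\x00" * 120)
    with open(os.path.join(d, "merged.log.1314196443"), "wb") as f:
        f.write(b"\x00" * 60)
    first_run = plan_resume(d, "merged.log")
    # Barnyard2 dies after consuming 112 bytes of the older file ...
    w = checkpoint(d, "merged.log", 1314192843, 112)
    restart = plan_resume(d, "merged.log", w)
    # ... versus a fresh start that ignores everything already on disk
    fresh_n = plan_resume(d, "merged.log", new_records_only=True)
    return first_run, restart, fresh_n


if __name__ == "__main__":
    for label, plan in zip(("first run", "restart", "-n"), demo()):
        print(label, plan)
```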

Barnyard and Custom Rules

Snort's stock rule set contains a couple of files that are important to the proper operation of Barnyard2:

- sid-msg.map - Lists Snort ID (SID) numbers, their associated messages and reference information. These are the SIDs related to detection engine alerts.
- gen-msg.map - Lists Generator ID (GID) numbers, their associated SID numbers and their messages. This is where the GID/SID pairings are defined for alerts generated by entities other than the detection engine.

While these files are pre-configured and updated along with the rule updates you can obtain from various sources such as snort.org, they do not contain any information related to custom rules or preprocessors you may have in your installation. Be sure to update these files with custom rule or preprocessor information and, when you download rule updates, you must add your custom information again.


The syntax for sid-msg.map is shown below. The excerpt shown is from the leading comments in the sid-msg.map file. Also shown are the first few entries in the file, to provide an example of how the syntax is applied.

# $Id$
# Format: SID || MSG || Optional References || Optional References ...
# SID -> MSG map
103 || BACKDOOR subseven 22 || arachnids,485 || url,www.hackfix.org/subseven/
104 || BACKDOOR - Dagger_1.4.0_client_connect || arachnids,483 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html
105 || BACKDOOR - Dagger_1.4.0 || arachnids,484 || url,www.tlsecurity.net/

The syntax for the gen-msg.map file is shown below. The excerpt shown is from the leading comments in the file. As in the previous example, the first few lines of this file are shown to provide an example of how this syntax is applied in the file.

# $Id$
# GENERATORS -> msg map
# Format: generatorid || alertid || MSG

1 || 1 || snort general alert
2 || 1 || tag: Tagged Packet
3 || 1 || snort dynamic alert
100 || 1 || spp_portscan: Portscan Detected
100 || 2 || spp_portscan: Portscan Status
100 || 3 || spp_portscan: Portscan Ended
101 || 1 || spp_minfrag: minfrag alert
102 || 1 || http_decode: Unicode Attack
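As an added example that is not part of the course, the following Python parses both map formats, resolves a (GID, SID) pair the way the text describes, and flags local rules whose SIDs are missing from sid-msg.map, the custom-rule gap warned about above. The map excerpts and the two local rules are constructed sample data.

```python
import re

# Constructed sample maps, copied from the entries quoted above
SID_MSG_MAP = """\
# $Id$
# Format: SID || MSG || Optional References || Optional References ...
# SID -> MSG map
103 || BACKDOOR subseven 22 || arachnids,485 || url,www.hackfix.org/subseven/
104 || BACKDOOR - Dagger_1.4.0_client_connect || arachnids,483 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html
"""

GEN_MSG_MAP = """\
# $Id$
# GENERATORS -> msg map
# Format: generatorid || alertid || MSG
1 || 1 || snort general alert
2 || 1 || tag: Tagged Packet
100 || 1 || spp_portscan: Portscan Detected
"""

# Constructed local rules; the first has no sid-msg.map entry yet
LOCAL_RULES = """\
alert tcp any any -> any 22 (msg:"LOCAL ssh to dmz"; sid:1000001; rev:1;)
alert tcp any any -> any 22 (msg:"BACKDOOR subseven 22"; sid:103; rev:5;)
"""


def _entries(text):
    """Yield (raw_line, fields) for each non-comment, non-blank line."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield raw, [f.strip() for f in line.split("||")]


def parse_sid_msg(text):
    """sid-msg.map -> {sid: (msg, [(ref_system, ref_id), ...])}."""
    table = {}
    for raw, parts in _entries(text):
        if len(parts) < 2 or not parts[0].isdigit():
            raise ValueError(f"malformed sid-msg.map line: {raw!r}")
        refs = [tuple(r.split(",", 1)) for r in parts[2:] if r]
        table[int(parts[0])] = (parts[1], refs)
    return table


def parse_gen_msg(text):
    """gen-msg.map -> {(gid, alertid): msg}."""
    table = {}
    for raw, parts in _entries(text):
        if len(parts) != 3 or not (parts[0].isdigit() and parts[1].isdigit()):
            raise ValueError(f"malformed gen-msg.map line: {raw!r}")
        table[(int(parts[0]), int(parts[1]))] = parts[2]
    return table


def lookup(gid, sid, sid_map, gen_map):
    """Resolve a (GID, SID) pair: detection engine alerts (GID 1) come from
    sid-msg.map, every other generator from gen-msg.map. Returns None when the
    pair is unmapped, which is what a missing custom-rule entry looks like."""
    if gid == 1:
        entry = sid_map.get(sid)
        return entry[0] if entry else None
    return gen_map.get((gid, sid))


def unmapped_rules(rules_text, sid_map):
    """List (sid, msg) for rules whose SID is absent from sid-msg.map."""
    missing = []
    for line in rules_text.splitlines():
        m = re.search(r'msg:\s*"([^"]*)".*?\bsid:\s*(\d+)', line)
        if m and int(m.group(2)) not in sid_map:
            missing.append((int(m.group(2)), m.group(1)))
    return missing


def sid_msg_lines(missing):
    """Render the sid-msg.map entries to append for the rules reported."""
    return [f"{sid} || {msg}" for sid, msg in missing]


if __name__ == "__main__":
    sids, gens = parse_sid_msg(SID_MSG_MAP), parse_gen_msg(GEN_MSG_MAP)
    print(lookup(1, 104, sids, gens), lookup(100, 1, sids, gens))
    print("\n".join(sid_msg_lines(unmapped_rules(LOCAL_RULES, sids))))
```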


Configuring the Database

Before we can use Barnyard2 to write information to a database, we must first create one! The systems in class came pre-installed with MySQL using default settings and options. The Snort database must be created, have permissions assigned and have its schema imported. This is a relatively straightforward process:

1. Create the Snort database and MySQL user accounts. Then secure the accounts with passwords and configure them with the appropriate permissions.

To do this, you will need to access the MySQL command line client application. From within this application you will issue a series of statements as illustrated below.

[root@snortbox]# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> set password for root@localhost=password('password');
Query OK, 0 rows affected (0.00 sec)

mysql> create database snort;
Query OK, 1 row affected (0.03 sec)

mysql> grant create, insert, select, delete, update on snort.* to snort@localhost;
Query OK, 0 rows affected (0.00 sec)

mysql> set password for snort@localhost=password('password');
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye
[root@snortbox]#

Note that the items in bold are the commands you enter. The other items are representations of the feedback you should see on the screen. In this command sequence, we have set the password for the root and snort MySQL users to password, as indicated by the portion of the command string as follows: ('password').

Enter the directory that contains the schemas for the various databases supported by Snort:


2. [root@snortbox]# cd /usr/local/firnsy-barnyard2-94437b5/schemas

3. Issue the following command to set up the database schema for Snort:

[root@snortbox schemas]# mysql -p < create_mysql snort

You will be prompted for a password; enter the password you assigned to the root user (password).

Next, check to see that the database was created and that it contains the tables needed for Snort to operate properly.

[root@snortbox schemas]# mysql -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 9 to server version: 5.0.77

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| snort              |
| test               |
+--------------------+
4 rows in set (0.00 sec)


mysql> use snort
Database changed
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
16 rows in set (0.00 sec)

mysql> exit
Bye
[root@snortbox schemas]#


Setup the Graphical Interface

The section that follows steps you through the process of setting up the BASE graphical interface and all the supporting packages. BASE is a straightforward GUI for analysis of Snort information. We will be using BASE throughout the class. Keep in mind there are other analysis consoles available, such as SGUIL, Snorby, Snort Report and more. In a production environment, find the console that best suits your needs.

To install and configure BASE, follow these instructions:

1. Switch to the following directory:

[root@snortbox]# cd /var/www/html

2. Unpack the ADODB package to provide an interface between the GUI and the MySQL database as follows:

[root@snortbox html]# tar zxvf /usr/local/src/adodb490.tgz

3. Unpack the BASE package, which provides the graphical front end to the Snort database alert data, as follows:

[root@snortbox html]# tar zxvf /usr/local/src/base-1.4.5.tar.gz

4. Change the ownership of the BASE directory as follows:

[root@snortbox html]# chown apache base-1.4.5

5. Edit the php.ini file to tune the error reporting level.

- Open the file /etc/php.ini in a text editor. If you are using VI, enter the command as follows:

[root@snortbox html]# vim /etc/php.ini

- Navigate to the portion of the file where the error reporting is configured. If you are using the VI editor, you can quickly navigate to this line by typing 348 <shift>g
- Uncomment the line below:

;error_reporting = E_ALL & ~E_NOTICE

- Comment out the following line (this appears several lines below):

error_reporting = E_ALL

- Write the changes to the file and exit with the following command:

:wq


6. Restart the httpd process to implement the changes you just made to the PHP configuration with the following command:

[root@snortbox html]# service httpd restart

7. Configure BASE by opening a web browser and entering the following URL: http://192.168.111.10/base-1.4.5. The first time the BASE page is accessed, the BASE setup script executes as follows.

[Screenshot: BASE setup introduction page. It explains that the following pages will prompt for the information needed to finish the install of BASE, that any failed check is described below it, and ends with a Continue link.]

8. Click the "Continue" link to go to the next step.


9. Select the language from the drop-down list and enter the fully qualified path to the ADODB directory as follows: /var/www/html/adodb

Click the Continue button to complete this step of the setup script:


10. Next, enter the following information in the fields provided. If you will not be using an archive database, you can leave that set of fields blank.

- Database Name: snort
- Database Host: localhost
- Database User Name: snort
- Database Password: password

If you have not changed the default port number for access to the database service, you can leave the field blank, but the remaining fields need to be filled in.

Click the Continue button to move on to the next step in the setup process.


11. You can choose to use the BASE Authentication System, which allows you to configure an account to ensure that only authorized users can see the Snort alerts in BASE.

To configure an account, select the Use Authentication System check box and fill in the account credentials.

For the purposes of the class, enter the following credentials:

- Check the Use Authentication System box
- Admin User Name: snort
- Password: password
- Full Name: Snort

Click the Continue button to move on to the next step in the setup process.


12. The screen that follows instructs the setup script to create the database tables used by the BASE application. Click the Create BASE AG button to create the tables and continue.

[Screenshot: BASE setup step 4 results. It lists each table successfully created (acid_ag, acid_ag_alert, acid_ip_cache, acid_event, base_roles, base_users) and the roles inserted (Admin, Authenticated User, Anonymous User, Alert Group Editor), states that the underlying alert DB is configured for use with BASE, and notes under "Additional DB permissions" that to support alert purging (the selective ability to permanently delete alerts from the database) and DNS/whois lookup caching, the DB user "snort" must have the DELETE and UPDATE privilege on the database "snort@localhost". It ends with a "Now continue to step 5..." link.]

When the tables have been created, you get an indication to that effect as illustrated above. Click the Step 5 link at the bottom of the screen to finish the BASE setup process.


13. At this point, you will be prompted to log in using the credentials you selected upon execution of the BASE setup script.

[Screenshot: BASE login form with Login and Password fields.]


14. The working BASE main screen should look similar to the illustration below:

[Screenshot: BASE main screen with the Search, Graph Alert Data and Graph Alert Detection Time links; the Sensors/Total, Unique Alerts, Categories and Total Number of Alerts counters, the source and destination IP address and port counters (TCP and UDP), and the Traffic Profile by Protocol bars (TCP, UDP, ICMP, Portscan Traffic) all show 0 on a fresh installation.]

15. Create symbolic links for the Snort rule documentation with the following commands:

[root@snortbox html]# ln -s /etc/snort/doc/signatures /var/www/html/base-1.4.5/signatures
[root@snortbox html]# ln -s /etc/snort/rules /var/www/html/base-1.4.5/rules


16. On snortbox, issue the following commands to enable the BASE graphing capability (this step may be done from any directory):

[root@snortbox html]# pear install /usr/local/src/Image_Color-1.0.4.tar
[root@snortbox html]# pear install /usr/local/src/Log-1.12.3.tar
[root@snortbox html]# pear install /usr/local/src/Numbers_Roman-1.0.2.tar
[root@snortbox html]# pear install /usr/local/src/Numbers_Words-0.13.1.tar
[root@snortbox html]# pear install /usr/local/src/Image_Canvas-0.3.1.tar
[root@snortbox html]# pear install /usr/local/src/Image_Graph-0.7.2.tar

The BASE application should be fully installed and operational at this point. You can test the graphing capability by opening BASE and clicking the Graph Alert Data link.

This functionality will be explored further in the module that follows.


Slide 56

Lab Exercises

Perform the following exercises.

Lab #1: Barnyard2 Installation

Perform a Barnyard2 installation. Refer to the installation discussion in the chapter for detailed installation instructions.

Lab #2: Database Configuration

Perform the database configuration tasks. Refer to the configuration discussion in the chapter for detailed instructions.

Lab #3: BASE Installation

Perform the BASE installation. Refer to the installation discussion in the chapter for detailed installation instructions.

Lab #4: Barnyard2 Configuration Lab

This lab has you make a few final configuration updates in preparation for running Barnyard2 with Snort.

o Open the /etc/snort/snort.conf file and, below the unified2 section of the output plugins, add the following line (the limit is the file size in MB at which Snort rolls over to a new file):

output unified2: filename merged.log, limit 128

Once you complete the edits, save the file and exit the editing application.

r Edit the /etc/snort/barnyard2.conf file. barnyard2.conf is the primary configuration file for the Barnyard2 application. For this installation make the following edits:

In the configuration section of the barnyard2.conf file, uncomment the config hostname and config interface lines and make the following changes.

config hostname: snortbox
config interface: eth1

Uncomment the lines for the options config waldo_file, config archivedir and config process_new_records_only so they look like the following. The waldo file is the bookmark Barnyard2 uses to remember which record of which unified2 file it processed last, so it does not re-insert old alerts after a restart.

config waldo_file: /tmp/waldo
config archivedir: /tmp
config process_new_records_only

In the output section of the barnyard2.conf file, disable (comment out) the output alert_fast: stdout line of the output plug-ins and add the following line after the output database line.

output database: log, mysql, user=snort password=password dbname=snort host=localhost

This directive enables Barnyard2 to send output to the MySQL database. Note that the database password is stored in clear text in this file, so barnyard2.conf should be readable only by root. When you have completed these edits, save them and quit the editing application.
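Before restarting Snort, it is worth confirming that the Lab #4 edits actually landed. The following script is an added example, not part of the course material or of Barnyard2: it checks a snort.conf for the unified2 output line, checks a barnyard2.conf for every directive this lab uncomments, confirms alert_fast is disabled and a mysql output line is present, and refuses a config file that other users can read because of the clear-text database password. The two sample configuration files it writes to a temporary directory are constructed for the demonstration; point the functions at /etc/snort/snort.conf and /etc/snort/barnyard2.conf on snortbox to check the real ones.

```shell
#!/bin/sh
# Added example, not part of the course material: sanity-check the Lab #4
# edits to snort.conf and barnyard2.conf before starting Barnyard2.  The
# sample files below are constructed in a temp directory so this runs anywhere.

# Snort side: the unified2 line that "barnyard2 -f merged.log" expects.
check_snort_conf() {
    grep -Eq '^[[:space:]]*output[[:space:]]+unified2:[[:space:]]*filename[[:space:]]+merged\.log' "$1"
}

# Barnyard2 side: every directive Lab #4 uncomments, alert_fast disabled,
# a mysql output line present, and the file not readable by group/others
# (the database password sits in clear text in this file).
check_barnyard2_conf() {
    _f="$1"; _rc=0
    for _d in 'config hostname:' 'config interface:' 'config waldo_file:' \
              'config archivedir:' 'config process_new_records_only'; do
        grep -Eq "^[[:space:]]*$_d" "$_f" || { echo "missing: $_d" >&2; _rc=1; }
    done
    if grep -Eq '^[[:space:]]*output[[:space:]]+alert_fast' "$_f"; then
        echo "output alert_fast is still enabled" >&2; _rc=1
    fi
    grep -Eq '^[[:space:]]*output[[:space:]]+database:.*mysql' "$_f" \
        || { echo "no mysql database output line" >&2; _rc=1; }
    _mode=$(stat -c %a "$_f" 2>/dev/null || stat -f %Lp "$_f")
    case "$_mode" in
        *00) ;;
        *) echo "$_f is mode $_mode; it holds the DB password, use chmod 600" >&2; _rc=1 ;;
    esac
    return $_rc
}

# Constructed samples: files as Lab #4 leaves them, plus an unedited one.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
GOOD_SNORT="$DEMO_DIR/snort.conf"
cat > "$GOOD_SNORT" <<'EOF'
# preprocessor and rule lines omitted from this constructed sample
output unified2: filename merged.log, limit 128
EOF
GOOD_BY2="$DEMO_DIR/barnyard2.conf"
cat > "$GOOD_BY2" <<'EOF'
config hostname: snortbox
config interface: eth1
config waldo_file: /tmp/waldo
config archivedir: /tmp
config process_new_records_only
#output alert_fast: stdout
output database: log, mysql, user=snort password=password dbname=snort host=localhost
EOF
chmod 600 "$GOOD_BY2"
BAD_BY2="$DEMO_DIR/barnyard2.unedited.conf"
cat > "$BAD_BY2" <<'EOF'
#config hostname: snortbox
output alert_fast: stdout
output database: log, mysql, user=snort password=password dbname=snort host=localhost
EOF
chmod 644 "$BAD_BY2"

check_snort_conf "$GOOD_SNORT" && echo "snort.conf: unified2 output enabled"
check_barnyard2_conf "$GOOD_BY2" && echo "barnyard2.conf: ready"
check_barnyard2_conf "$BAD_BY2" || echo "barnyard2.unedited.conf: fix the items above"
```

Each failed check prints one line on stderr and the function returns non-zero, so the same functions can be dropped into the startup script from Lab #5 to refuse to start Barnyard2 against a half-edited configuration.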

17. Run Snort to begin producing unified output.

Restart Snort. Earlier you made a change to the snort.conf file to enable unified2 output. Snort has to be restarted so that it can re-read the configuration file and begin to produce unified2 output. Issue the following command:

[root@snortbox local]# /etc/init.d/snortd restart

You can verify that you are getting unified2 output by entering the /var/log/snort directory and listing the files there. Files named as illustrated below (the base name from snort.conf followed by a Unix timestamp) are your indication that Snort is producing unified2 output as anticipated.

[root@snortbox local]# cd /var/log/snort
[root@snortbox snort]# ls -al
-rw------- 1 root root 24 Aug 24 11:36 merged.log.1314192843

18. Start Barnyard2.

Use the following command to start Barnyard2. Note that in the example below, the options are separated onto their own lines to make it more readable. As you enter the command, allow it to wrap on its own. Press the [Enter] key only after typing the entire text of the command. When you enter this command, you can omit the line continuation characters (\) shown in the example. Just type the command and let it wrap as you type.

barnyard2 \
    -c /etc/snort/barnyard2.conf \
    -d /var/log/snort \
    -f merged.log

When you execute this command, you will see Barnyard2 output various messages indicating that it is initializing its input processors and output plug-ins and connecting to the database. If there is no waldo file you will see a message indicating that Barnyard2 failed to open it. This is normal and the waldo file will be created upon start. If there is a problem, Barnyard2 will exit at this point. If all is working as anticipated, the shell will appear to hang until you press [Ctrl] + [c] to stop the process.

Before terminating the Barnyard2 process with [Ctrl] + [c], use a browser to access the BASE interface. Use nmap on uttila to generate some alert traffic. Verify that your alerts are displaying as anticipated. If so, your Barnyard2 implementation is successful; Barnyard2 is accepting data from the Snort unified2 output file and passing it along to the MySQL database.
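To make concrete what Barnyard2 is reading in steps 17 and 18, here is an added example, not Barnyard2's or Snort's own code: a minimal Python reader for the unified2 records in a merged.log.<timestamp> file. Every record starts with a type and a length in network byte order; the record layouts used here follow Snort's Unified2_common.h (IPv4 IDS event is type 7, a 52-byte body; packet is type 2, a 28-byte header followed by the raw packet). The reader stops cleanly at a trailing partial record, which is what a file Snort is still writing looks like, and the after_record argument skips records already seen, which is the idea behind the waldo file and config process_new_records_only. The sample log at the bottom is constructed in code, not captured from a sensor.

```python
"""Added example, not Barnyard2's own code: a minimal reader for the unified2
records Snort writes to /var/log/snort/merged.log.<timestamp>.  Record layouts
follow Snort's Unified2_common.h (IDS event = type 7, packet = type 2); the
sample log at the bottom is constructed, not captured from a sensor."""
import struct
from typing import Iterator, List, NamedTuple, Tuple

UNIFIED2_PACKET = 2       # Unified2Packet: seven uint32 fields, then raw packet bytes
UNIFIED2_IDS_EVENT = 7    # Unified2IDSEvent_legacy: 52-byte IPv4 event

_HDR = struct.Struct("!II")          # every record: type, body length (network order)
_EVENT = struct.Struct("!11I2H4B")   # field order is spelled out in parse_event()
_PACKET = struct.Struct("!7I")       # sensor, event_id, event_sec, pkt_sec, pkt_usec, linktype, length


class Event(NamedTuple):
    record_no: int   # 1-based position in the file; the bookmark a waldo-style resume needs
    event_id: int
    gid: int
    sid: int
    rev: int
    priority: int
    src: str
    dst: str
    sport: int
    dport: int
    proto: int


def ip_to_int(dotted: str) -> int:
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")


def int_to_ip(n: int) -> str:
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def iter_records(data: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (record_no, type, body).  A trailing partial record, which is what
    a file Snort is still writing looks like, ends the iteration cleanly."""
    off, record_no = 0, 0
    while off + _HDR.size <= len(data):
        rtype, rlen = _HDR.unpack_from(data, off)
        body = data[off + _HDR.size:off + _HDR.size + rlen]
        if len(body) < rlen:
            break
        record_no += 1
        yield record_no, rtype, body
        off += _HDR.size + rlen


def parse_event(record_no: int, body: bytes) -> Event:
    (_sensor, event_id, _sec, _usec, sid, gid, rev, _classification, priority,
     src, dst, sport, dport, proto, _impact_flag, _impact, _blocked) = _EVENT.unpack(body[:_EVENT.size])
    return Event(record_no, event_id, gid, sid, rev, priority,
                 int_to_ip(src), int_to_ip(dst), sport, dport, proto)


def parse_events(data: bytes, after_record: int = 0) -> List[Event]:
    """IDS events with record number > after_record.  Feeding back the last
    record number seen is the same idea as Barnyard2's waldo bookmark with
    `config process_new_records_only`: already-inserted alerts are skipped."""
    return [parse_event(n, body) for n, rtype, body in iter_records(data)
            if rtype == UNIFIED2_IDS_EVENT and n > after_record]


def count_packets(data: bytes) -> int:
    return sum(1 for _, rtype, _ in iter_records(data) if rtype == UNIFIED2_PACKET)


def build_event(event_id, second, gid, sid, rev, priority, src, dst, sport, dport, proto) -> bytes:
    body = _EVENT.pack(0, event_id, second, 0, sid, gid, rev, 0, priority,
                       ip_to_int(src), ip_to_int(dst), sport, dport, proto, 0, 0, 0)
    return _HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def build_packet(event_id, second, payload: bytes) -> bytes:
    body = _PACKET.pack(0, event_id, second, second, 0, 1, len(payload)) + payload  # linktype 1 = Ethernet
    return _HDR.pack(UNIFIED2_PACKET, len(body)) + body


# Constructed sample: two alerts from a port probe, the first with its packet,
# then a record cut off mid-write (header claims 52 bytes, only 10 present).
SAMPLE_LOG = (
    build_event(1, 1314192843, 1, 2000001, 1, 2, "192.168.1.10", "10.0.0.5", 43210, 80, 6)
    + build_packet(1, 1314192843, b"\x45\x00\x00\x28" + b"\x00" * 36)
    + build_event(2, 1314192844, 1, 2000002, 1, 3, "192.168.1.10", "10.0.0.5", 43211, 443, 6)
    + _HDR.pack(UNIFIED2_IDS_EVENT, 52) + b"\x00" * 10
)

if __name__ == "__main__":
    for ev in parse_events(SAMPLE_LOG):
        print(f"#{ev.record_no} [{ev.gid}:{ev.sid}:{ev.rev}] pri={ev.priority} "
              f"{ev.src}:{ev.sport} -> {ev.dst}:{ev.dport} proto={ev.proto}")
    print("packets:", count_packets(SAMPLE_LOG), "new since record 2:",
          [e.sid for e in parse_events(SAMPLE_LOG, after_record=2)])
```

To read a real file, pass `open("/var/log/snort/merged.log.1314192843", "rb").read()` to parse_events. The 24-byte file in the listing above is just a partial or empty first record, which this reader reports as no events rather than an error; IPv6 and VLAN event records (other type codes) are simply skipped, which is one reason to leave the full job to Barnyard2.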

Lab #5: Implementing a Barnyard2 Startup Script

Your Snort installation now includes Barnyard2. In addition to the other processes that should start automatically on system startup (HTTPD, MySQL, Snort), Barnyard2 should also start automatically so the system can begin processing unified2 log files immediately.

There is a pre-configured startup script called barnyard2 in the /usr/local/src directory. Just copy the script into the /etc/init.d directory and follow the remaining steps.

Next we will use chkconfig to enable the daemon. See the instructions below.

[root@snortbox ~]# cp /usr/local/src/barnyard2 /etc/init.d
[root@snortbox ~]# cp /usr/local/src/barnyard2.sysconfig /etc/sysconfig/barnyard2
[root@snortbox ~]# chmod 755 /etc/init.d/barnyard2
[root@snortbox ~]# chkconfig --add barnyard2
[root@snortbox ~]#

You can test whether or not your startup script is working by entering the following:

[root@snortbox snort]# service barnyard2 start
Starting Snort Output Processor (barnyard2):               [  OK  ]
[root@snortbox snort]#

Slide 57

Module Summary

This module discussed the benefits of using Barnyard2 with your Snort installation to off-load the burden of processing output from the Snort process. The module also covered installation of the application and its configuration. Barnyard2 has many output options available so, by using it, you don't lose any of the functionality of having Snort handle output, and you gain a significant performance boost by having Barnyard2 handle the output tasks.
