Snort, the intrusion detection system (IDS) application produced by Sourcefire, is one of the most popular open source security tools. Snort is a signature-based, what Snort calls "rules," IDS engine that is fast and simple to deploy and to tune. Rules are open and easily edited, and adding your own rules is quick and painless. Snort is also capable of outputting data in a variety of formats: binary (called "unified"), syslog, to a...
file and to a SQL database -- Oracle, PostgreSQL, MySQL or Microsoft SQL Server. To do this, one or more output plug-ins can be enabled. Many users commonly output data to a SQL database.
As with any IDS, performance and accuracy are key. Improvements in accuracy result in reduced false positives and more focus on actual threats. Performance improvements result in processing those threats and receiving alerts on them in a timely manner. In this tip, we're not going to focus on configuring Snort to be more accurate, but rather tuning Snort to work faster and in a more efficient manner with a third-party application, Barnyard.
Outputting to unified format in Snort
Barnyard improves Snort's speed and efficiency processing outputted data off-loaded by Snort. Barnyard leaves Snort more capacity to perform its key function: scanning and analyzing traffic for anomalies and attacks. We will set Snort to output its alerts and logs to the unified (binary) format, which isn't as processor-intensive as other kinds of output, and then make use of Barnyard to process the resulting output into our required format(s). This tip presumes you already have Snort installed and configured.
Barnyard basically takes the Snort unified output and processes it into alerts or database output. It is developed and supported by Sourcefire. Before Barnyard is installed and running, we need to make a change to our Snort configuration, usually contained in the /etc/snort/snort.conf configuration file, to output in unified format.
# vi /etc/snort/snort.conf
In the default snort.conf file, there should be two commented out entries for unified output that look like this:
output alert_unified: filename snort.alert, limit 128 output log_unified: filename snort.log, limit 128
Uncomment these entries. They result in alerts and logs both being outputted in unified format, to the snort.alert and snort.log files respectively. The time in time_t format is appended to the file name. A limit of 128Mb in size is applied to each file using the limit option. You can adjust this setting to suit your environment. Then, you need to disable all other output plug-ins by commenting out all but the unified output plug-in lines. You should now restart Snort so the changes you've made take can effect.
# /etc/init.d/snortd restart
Installing and configuring Barnyard
Next, let's install Barnyard. It's available from the Snort website. The current release is 0.2 and you can download it and unpack it like so:
# wget http://www.snort.org/dl/barnyard/barnyard-0.2.0.tar.gz # tar -zxf barnyward-0.2.0.tar.gz
Now, you need to create, configure and install the Barnyard package.
# cd barnyard-0.2 # ./configure --enable-mysql # make # make install
You can see we've specified the --enable-mysql option to configure, thus enabling MySQL support. You could also replace it with PostgreSQL by using --enable-postgres. In both cases, if required, there are configuration options to specify the location of the libraries and includes for each database package.
Go ahead and copy the Barnyard configuration file, barnyard.conf, from the etc directory to a suitable place. I recommend the /etc/snort directory for the sake of simplicity.
# cp etc/barnyard.conf /etc/snort/barnyard.conf
Let's configure Barnyard first. Open the barnyard.conf configuration file. The configuration file is heavily commented. First, uncomment the config daemon option -- this will run Barnyard in daemon mode. Next, if you use the BASE console, a Web-based console for Snort that used to be called ACID, and want to output to its database, then you need to adjust two more options:
Now, we need to configure the actual output options. Each option is preceded with the word "output," then the type of output and then related configuration options. You can output in Snort's "fast alert" format like so:
output alert_fast /var/log/snort/alert
The only variable is the file name for the output file. In this case, the file is called /var/log/snort/alert. You can also output to Syslog, CSV, log PCAP, Snort's ASCII packet dump mode and into sguil's database format. If you want to output to the BASE database format, you can use the output options below:
output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password snort output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password snort
We'll proceed to configure two output options, one for alerts and one for logs. Both of them are going to be outputted into MySQL and be recorded as coming from sensor ID #1. You will need to update the database name, server, the user and the password to reflect your environment.
Creating a WAL file in Barntyard
You can start Barnyard now. It has two principal modes: one-shot and continual. One-shot mode just processes one binary file and exits. Continual mode reads the file and processes outputs on an ongoing basis. It can be run in a checkpoint mode using a Write-Ahead-Logging (WAL) file, also known as a waldo file, which tracks Barnyard's current position in the log file. We're going to run in the checkpoint continual mode. To do this we need to create our waldo file:
# vi /var/log/snort/barnyard.waldo
The file should be structured like so:
/var/log/snort snort.log log file suffix log file position
The first entry is the location of the Snort log file, by default /var/log/snort. The second entry is the log file prefix, usually snort.log, and then the suffix for the current log file. Get this suffix, normally something like 1234567890, from your current Snort log file in your logging directory. The log file will look something like:
The last option, the log file position, is the record number that Barnyard is up to in the log file. Since we've just installed Barnyard, we specify this as 0. This number will get updated as Barnyard processes the log file with the current record number processed; this allows Barnyard to return to processing after an unexpected stop or the like, without losing any data.
So our final waldo file looks like: /var/log/snort snort.log 1234567890 0
Finally, we want to start Barnyard so we execute the barnyard binary which is installed into the /usr/local/bin directory by default.
# /usr/local/bin/barnyard -c /etc/snort/barnyard.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo
The command line options are simple. The -c option specifies the location of the barnyard.conf configuration file. The -g and -s options specify the locations of the SID and GID map files that come with Snort. It is important that you specify these, as they provide the information that tells Barnyard what a particular alert means. The -d and -f options specify the directory and name of the Snort logging files, respectively. Lastly, the -w option specifies the location of the waldo file we've just created.
If you've specified the config daemon option in barnyard.conf, then Barnyard will run as a daemon. Otherwise, it will run locally in the current session. It is recommended that you create an init script for Barnyard. Remember to ensure that Barnyard starts before Snort, to guarantee Barnyard is running and ready to process Snort data when Snort starts.