Reading Unified Logged Data

Problem

You want to process your unified output files.

Solution

Download Barnyard from http://www.snort.org/dl and then install it with the following commands:

[root@localhost root]# tar zxvf barnyard-0.2.0.tar.gz [root@localhost barnyard-0.2.0]# cd barnyard-0.2.0 [root@localhost barnyard-0.2.0]# ./configure [root@localhost barnyard-0.2.0]# make [root@localhost barnyard-0.2.0]# make install

If you already have Snort configured to output unified logs, you can test Barnyard with the following:

[root@localhost root]# barnyard -o /var/log/snort/*

This creates the human-readable dump.log and fast.alert files in your current directory.

Discussion

Barnyard processes unified and binary Snort output files. By offloading the log processing to a tool like Barnyard, Snort can concentrate on what it does best: capturing network traffic and detecting intrusions. Barnyard has several output plug-ins. Some mimic the functionality already built into Snort, such as fast alerts, ASCII packet dumps, syslog, and pcap. It also offers new plug-ins such as CSV output, advanced syslog output, ACID, and SQUIL support. Barnyard also has database support, such as MySQL. However, it must be installed with the appropriate configure switch, such as --enable-mysql, to enable this support. This allows Barnyard to process unified output files and log the data to a database.

If you do not have all the necessary configuration files in their default locations, you may have to run the command with more parameters, such as in the following:

[root@localhost root]# barnyard -c /root/barnyard-0.2.0/etc/barnyard.conf -o /var/log/snort/* -s /root/snort-2.2.x/etc/sid-msg.map -g /root/snort-2.2.x/etc/gen-msg.map -p /root/snort-2.2.x/etc/classification.config

See Also

Recipe 2.17

Recipe 2.11