cleesmith · April 6, 2019 22:47
diff --git a/snort_barnyard2 b/snort_barnyard2
 Install Snort and Barnyard2 virtualbox ubuntu 12.04 and 14.04

 Aug 2014:

 Snort:
 ... in virtualbox set Network + Advanced 'Promiscuous Mode' to 'Allow All'
 sudo apt-get install snort
 ps aux | grep -i snort
 sudo service snort stop
 sudo nano /etc/snort/snort.conf
    - comment out all lines that start with 'output'
    - add:
        output unified2: filename merged.log, limit 128

 sudo nano /etc/snort/snort.debian.conf
    - ensure:
        DEBIAN_SNORT_INTERFACE="eth0" ... or whatever interface is 'promiscuous'
        ... verify:
        ifconfig

 reboot server

 sudo ls -la /var/log/snort/
 sudo nano /var/log/snort/merged.conf
 ... if all is well, it should log suspicious traffic to that file

 ... generate some traffic from os x:
 ping 192.168.0.19 ... let it run for awhile
 nmap -v -sn 192.168.0.19
 sudo nmap -v -O 192.168.0.19
 ____________________________________________________________________________________________
 Barnyard2:
 ... add needed dependencies:
 sudo apt-get install build-essential libtool autoconf git
 sudo apt-get install libpcap-dev libmysqld-dev

 git clone git://github.com/firnsy/barnyard2.git

 cd barnyard2
 ./autogen.sh
 CFLAGS='-lpthread' ./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu --prefix=$HOME/barnyard2-install
 make
 mkdir $HOME/barnyard2-install
 make install
 find $HOME/barnyard2-install

 dpkg -l libmysqlclient18
 ... if not installed then do:
 sudo apt-get install libmysqlclient18

 ... assuming: either an install of the mysql snort database, or one was loaded from a mysqldump, has been done already

 ... create barnyard2.conf:
 sudo nano /etc/snort/barnyard2.conf
 ... or: 
 cat > /etc/snort/barnyard2.conf << EOF
 config reference_file:      /etc/snort/reference.config
 config classification_file: /etc/snort/classification.config
 config gen_file:            /etc/snort/gen-msg.map
 config sid_file:            /etc/snort/sid-msg.map
 config logdir: /var/log/snort
 config hostname:  some_host_name
 config interface:  eth0
 config daemon
 config waldo_file: /var/log/snort/barnyard2.waldo
 input unified2
 output database: log, mysql, user=osprotect password=???? dbname=snort host=127.0.0.1
 # to forward alerts also to syslog, uncomment the following 2 lines:
 # output alert_syslog_full: sensor_name snortIds1-eth1, local
 # output log_syslog_full: sensor_name snortIds1-eth1, local, log_priority LOG_CRIT
 EOF

 sudo ~/barnyard2-install/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f merged.log -w /var/log/snort/barnyard2.waldo

 ... note: that after a few seconds, you’ll be dropped in your shell again.
    That’s perfectly normal since we configured barnyard2 to run as a daemon. 
    As always, it’s a good idea to check /var/log/syslog for errors. 
    You can also check if the daemon is still running with “ps -ef | grep barnyard2″
	Install Snort and Barnyard2 virtualbox ubuntu 12.04 and 14.04

	Aug 2014:

	Snort:
	... in virtualbox set Network + Advanced 'Promiscuous Mode' to 'Allow All'
	sudo apt-get install snort
	ps aux \| grep -i snort
	sudo service snort stop
	sudo nano /etc/snort/snort.conf
	- comment out all lines that start with 'output'
	- add:
	output unified2: filename merged.log, limit 128

	sudo nano /etc/snort/snort.debian.conf
	- ensure:
	DEBIAN_SNORT_INTERFACE="eth0" ... or whatever interface is 'promiscuous'
	... verify:
	ifconfig

	reboot server

	sudo ls -la /var/log/snort/
	sudo nano /var/log/snort/merged.conf
	... if all is well, it should log suspicious traffic to that file

	... generate some traffic from os x:
	ping 192.168.0.19 ... let it run for awhile
	nmap -v -sn 192.168.0.19
	sudo nmap -v -O 192.168.0.19
	____________________________________________________________________________________________
	Barnyard2:
	... add needed dependencies:
	sudo apt-get install build-essential libtool autoconf git
	sudo apt-get install libpcap-dev libmysqld-dev

	git clone git://github.com/firnsy/barnyard2.git

	cd barnyard2
	./autogen.sh
	CFLAGS='-lpthread' ./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu --prefix=$HOME/barnyard2-install
	make
	mkdir $HOME/barnyard2-install
	make install
	find $HOME/barnyard2-install

	dpkg -l libmysqlclient18
	... if not installed then do:
	sudo apt-get install libmysqlclient18

	... assuming: either an install of the mysql snort database, or one was loaded from a mysqldump, has been done already

	... create barnyard2.conf:
	sudo nano /etc/snort/barnyard2.conf
	... or:
	cat > /etc/snort/barnyard2.conf << EOF
	config reference_file: /etc/snort/reference.config
	config classification_file: /etc/snort/classification.config
	config gen_file: /etc/snort/gen-msg.map
	config sid_file: /etc/snort/sid-msg.map
	config logdir: /var/log/snort
	config hostname: some_host_name
	config interface: eth0
	config daemon
	config waldo_file: /var/log/snort/barnyard2.waldo
	input unified2
	output database: log, mysql, user=osprotect password=???? dbname=snort host=127.0.0.1
	# to forward alerts also to syslog, uncomment the following 2 lines:
	# output alert_syslog_full: sensor_name snortIds1-eth1, local
	# output log_syslog_full: sensor_name snortIds1-eth1, local, log_priority LOG_CRIT
	EOF

	sudo ~/barnyard2-install/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f merged.log -w /var/log/snort/barnyard2.waldo

	... note: that after a few seconds, you’ll be dropped in your shell again.
	That’s perfectly normal since we configured barnyard2 to run as a daemon.
	As always, it’s a good idea to check /var/log/syslog for errors.
	You can also check if the daemon is still running with “ps -ef \| grep barnyard2″