In part 1 of this Snort series we discussed installing Snort on CentOS 6.5 minimal. In part 2 we move on to installing PulledPork and Barnyard2. PulledPork is not a meal you eat while you install Snort; PulledPork is designed to manage your rules. I know it’s a weird name, but this is what I found on the reasoning behind it:
The name pulledpork was chosen because this code pulls the rules that you need! Yes, it is and can be that simple.
Barnyard2 is a spooler for Snort’s unified2 output format. With Barnyard2, parsing that output can be handled by a separate process instead of by Snort itself. Oink oink.. let’s get started.
Before you begin configuring PulledPork, I recommend you register on Snort.org because you will need the Oinkcode. The Oinkcode will be placed in some of the URLs we will be configuring in PulledPork’s configuration file.
Install the Prerequisites
cd ~/tmp
yum -y install perl-libwww-perl perl-Crypt-SSLeay perl-Archive-Tar
Download PulledPork from Google Code
wget https://pulledpork.googlecode.com/files/pulledpork-0.7.0.tar.gz
tar -zxf pulledpork-0.7.0.tar.gz
cd pulledpork-0.7.0
cp pulledpork.pl /usr/sbin ; chmod 755 /usr/sbin/pulledpork.pl
cp etc/* /etc/snort/
In the above commands, you have downloaded PulledPork, extracted it and copied files to their proper directories.
Modify the PulledPork Configuration
My guidance is to read through the configuration files and uncomment the rule sets you want Snort to use. Wherever you see <oinkcode>, replace it with the Oinkcode you received after registering on Snort’s website. You can view my example configuration file here.
In this next step, we will be updating path locations within the pulledpork.conf file. To find where these files live you can use mlocate. First update its database:
Here’s an example of how to find the path to snort.conf:
Within the pulledpork.conf file, make the following changes:
Modify the path to the snort binary:
Path for .rules file containing all of the processed rules:
Path .rules will be written to:
Path to local.rules:
Update the path to sid-msg.map:
Update the path to your snort.conf file:
Update the Distro line:
Update the path to your blacklist rules:
Comment out IPRVersion:
Update the path to snort_control:
Update the paths for rule modification files:
enablesid=/etc/snort/enablesid.conf
dropsid=/etc/snort/dropsid.conf
disablesid=/etc/snort/disablesid.conf
modifysid=/etc/snort/modifysid.conf
pulledpork.pl -vv -c /etc/snort/pulledpork.conf -T -l
-vv = EXTRA Verbose mode, you know.. for in-depth troubleshooting and other such nonsense.
-c = Where the pulledpork config file lives.
-T = Process text based rules files only, i.e. DO NOT process so_rules
-l = Log information to logger rather than stdout messages.
Add PulledPork to Crontab
vi /etc/crontab
0 0 * * * root /usr/sbin/pulledpork.pl -c /etc/snort/pulledpork.conf
Install Barnyard2
cd ~/tmp
mkdir /var/log/barnyard2
mkdir /usr/local/src/firnsy-barnyard2 && cd /usr/local/src/firnsy-barnyard2
wget https://github.com/firnsy/barnyard2/archive/v2-1.13.tar.gz
tar -zxvf v2-1.13.tar.gz
cd barnyard2-2-1.13
autoreconf -fvi -I ./m4
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql/
make
make install
Modify the barnyard2.conf file
Set the output logging directory:
config logdir: /var/log/snort
Set the interface to be used:
config interface: eth0
Configure daemon mode:
Define the full waldo filepath:
config waldo_file: /etc/snort/barnyard2-log.waldo
Verify the input:
Modify the output line:
Because Snort’s output is in unified2 format it is not directly readable. You can additionally write a tcpdump-format log file that can be opened in Wireshark or tcpdump:
output log_tcpdump: tcpdump.log
Set the output database (these credentials must match the MySQL user created below; use a stronger password than this example on a real sensor):
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
Save the file and quit.
cp /usr/local/etc/barnyard2.conf /etc/snort/barnyard2.conf
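Since the unified2 spool files Barnyard2 reads are binary, the following added example (not from the original post or from the Barnyard2 project) decodes the legacy IPv4 event records and resolves each signature id through a sid-msg.map of the kind PulledPork writes. The sid-msg.map text and the unified2 bytes below are constructed in the code for a stand-alone run; point the functions at /var/log/snort/snort.log.* and /etc/snort/sid-msg.map on a real sensor.

```python
import struct
from io import BytesIO

UNIFIED2_IDS_EVENT = 7            # legacy IPv4 event record type
HDR = struct.Struct(">II")        # record header: type, length (big-endian uint32)
EVT = struct.Struct(">9I2I2H4B")  # Unified2IDSEvent_legacy: 9 uint32, 2 IPv4, 2 uint16, 4 uint8 = 52 bytes

def parse_sid_msg_map(text):
    """Parse v1 sid-msg.map lines: 'sid || msg || ref || ref ...'; other lines are ignored."""
    sidmap = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        if len(parts) >= 2 and parts[0].isdigit():
            sidmap[int(parts[0])] = parts[1]
    return sidmap

def ipv4(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def read_events(stream, sidmap):
    """Walk records by header length; decode type-7 events and resolve sid to msg."""
    events = []
    while True:
        hdr = stream.read(HDR.size)
        if len(hdr) < HDR.size:
            break                          # clean end of file
        rtype, rlen = HDR.unpack(hdr)
        body = stream.read(rlen)
        if len(body) < rlen:
            raise ValueError("truncated record (Snort may still be writing it)")
        if rtype != UNIFIED2_IDS_EVENT:
            continue                       # packet / extra-data records: skip by length
        f = EVT.unpack_from(body)
        events.append({"time": f[2], "sid": f[4], "gid": f[5], "rev": f[6], "proto": f[13],
                       "src": ipv4(f[9]), "sport": f[11], "dst": ipv4(f[10]), "dport": f[12],
                       "msg": sidmap.get(f[4], "unknown sid")})
    return events

def build_event(sid, gid, src, dst, sport, dport, proto, sec=1400000000):
    body = EVT.pack(1, 1, sec, 0, sid, gid, 1, 0, 2, src, dst, sport, dport, proto, 0, 0, 0)
    return HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body

# Constructed sample data built by build_event(): a mapped sid, a record to skip, an unmapped sid.
SAMPLE_MAP = "# constructed sid-msg.map\n1000001 || Constructed test rule\n"
SAMPLE_LOG = (build_event(1000001, 1, 0x0A000001, 0xC0A80002, 40000, 80, 6)
              + HDR.pack(2, 4) + b"\0\0\0\0"
              + build_event(9999999, 1, 0x0A000001, 0xC0A80002, 40001, 22, 6))

def summarize(log_bytes=SAMPLE_LOG, map_text=SAMPLE_MAP):
    return read_events(BytesIO(log_bytes), parse_sid_msg_map(map_text))
```

Running summarize() on the constructed sample returns two decoded events; the second has no entry in the map and is labelled "unknown sid", which is also what you see in Barnyard2 when sid-msg.map is stale after a rule update.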
Create the Barnyard2 Startup Script
cd /usr/local/src/firnsy-barnyard2/barnyard2-2-1.13
cp rpm/barnyard2 /etc/init.d/
chmod +x /etc/init.d/barnyard2
cp rpm/barnyard2.config /etc/sysconfig/barnyard2
chkconfig --add barnyard2
chkconfig barnyard2 on
Here’s my Barnyard2 startup script, which I had to modify to get it working properly.
Modify the /etc/sysconfig/barnyard2 file
# Config file for /etc/init.d/barnyard2
LOG_FILE="snort.log"

# You probably don't want to change this, but in case you do
SNORTDIR="/var/log/snort"
INTERFACES="eth0"

# Probably not this either
CONF=/etc/snort/barnyard2.conf
Set Up MySQL Server
service mysqld start
/usr/bin/mysql_secure_installation
mysql -u root -p
create database snort;
grant all on snort.* to snort@localhost;
set password for snort@localhost=password('snort');
use snort;
source /usr/local/src/firnsy-barnyard2/barnyard2-2-1.13/schemas/create_mysql
show tables;
flush privileges;
exit
chkconfig --add mysqld
chkconfig mysqld on
Verify Barnyard2 and MySQL
barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/barnyard2-log.waldo -D
Start Snort if it isn’t running:
service snortd start
Now verify that events are being written to MySQL:
mysql -u root -p
use snort;
select count(*) from event;
The last installment of the Snort series will be installing the web user interface, Snorby, for analyzing alerts in your environment.