Re: [Snort-users] Barnyard2 - CYGWIN - Windows Compile


beenph

Feb 19, 2012, 9:23:45 PM
to Michael Steele, firnsy, snort...@lists.sourceforge.net, barnyar...@googlegroups.com
On Sun, Feb 19, 2012 at 4:04 PM, Michael Steele <mich...@winsnort.com> wrote:
> I've tried to leave a message with Firnsy, and a message in one of the
> Google groups about getting this compiled, but no response.
>
I think you sent the message only to me and I was going to respond.


> I'll post in here to see if things can get cleared up. It appears that
> Barnyard2 can be compiled for use with Windows, using CYGWIN as the
> compiler.
>
> https://github.com/firnsy/barnyard2/commit/f71a8d3136970aef184bbab071532a23903584d2
>

The branch you should be using is
https://github.com/binf/barnyard2/tree/pre-stable
OR
https://github.com/firnsy/barnyard2/tree/pre-stable

Mine is a few commits ahead and has some unrelated bug fixes; it will
get merged when testing is done.

I would suggest that you wait for the release version to make a
"package" since 2-1.9 will not compile under CYGWIN.

Now, to compile under CYGWIN you will need
(see attachment for package details)

but mainly it comes down to the following:
1: compiler package (gcc)
2: autotools/autoconf.
3: winpcap for pcap headers.
4: If you plan to compile some output module, make sure you compiled
the required software so it can actually be linked.

> I've checked out the latest code and  it does look like all the necessary
> bits have been added to do this.
>
> I've never used CYGWIN to compile. Suricata provides a guide on how to
> compile for Windows. Barnyard2 should be doing this, but doesn't.
>
Currently, in its form, Windows native support is not a priority.
I understand this could frustrate a small number of users, but this is why
CYGWIN support was tested and added.

One of the goals of the next MAJOR release of barnyard2 is Windows
compatibility/compilation,
but it's not in the top 10 features and could be added down the road.

> Is there anyone that can help in getting this compiled for use in Windows? I
> will create a guide, and get it out to the masses so hopefully it will clear
> up any confusion on how to do this in the future
>

I appreciate your effort trying to support Windows users, and if you
have further inquiries
let us know on our MLs or by e-mail.

I hope this will help you a bit.

-elz

cygwin-compile.jpg

Michael Steele

Feb 20, 2012, 10:30:06 AM
to barnyar...@googlegroups.com
Ok, I have started with a fresh install of CYGWIN in 'c:/cygwin', and
selected the 4 packages as extras to install into the 'c:/cygwin/pkgs'
folder during the initial install of CYGWIN.

1) 2.22.51-1 -- binutils: The GNU assembler, linker and binary utilities
2) 4.5.3-2 -- libgcc1: GCC compiler support shared runtime
3) 3.82.90-1 -- make: The GNU version of the 'make' utility
4) 1.0.3-1 -- makedepend: X Org Makefile dependency tool

>> I would suggest that you wait for the release version to make a "package"
>> since 2-1.9 will not compile under CYGWIN.

So, before continuing I should wait for the next 'Release Version' before
compiling?

The file binf-barnyard2-v2-1.9-54-g58ce15d.zip won't compile under CYGWIN?

----------\
Just to get started so I have a better understanding of the process:

I downloaded (binf-barnyard2-v2-1.9-54-g58ce15d.zip) from the link below:
https://github.com/binf/barnyard2/tree/pre-stable

I created a 'c:/cygwin/barnyard2' folder and placed all contents of the
above downloaded file into it.

Now I'm guessing I need a command line to compile after going into the
cygwin terminal?

From what I think; I'll need two separate compiles;

1) MySQL output?

2) SQL Server output?

I'm not real sure what needs to be done after the compile. What the end
result needs to be is a zip file with all the necessary support files and
folders that can be dissolved into the end folder '\winids\barnyard2', and
then barnyard executed from there. The end result down the road will be an
auto installer (msi).
----------/

>> I understand this could frustrate a small amount of users but this is why
>> CYGWIN support was tested and added.

Absolutely, but under the circumstances (snort dropping the output database,
and Suricata with no output database option) this is the only option
available.

>> One of the goals of the next MAJOR release of barnyard2 is windows
>> compatibility/compilation, but it's not in the top 10 features and could be
>> added down the road.

This could be a major problem as time goes by. It seems that if Snort and
Suricata want to support Windows as a distribution then there will need to
be a native way to get the alerts from Snort or Suricata to a database
without using a kludge (CYGWIN) to accomplish the task.

We are also hoping for a native build of Suricata (32/64 bit), sometime in
the future, as we are for Snort (64bit).

There are other obstacles in the path that Windows will need to address
soon, but I'm trying to do this in some logical order.

Kindest regards,
Michael...

Rich Rumble

Feb 20, 2012, 11:29:18 AM
to barnyar...@googlegroups.com
On Mon, Feb 20, 2012 at 10:30 AM, Michael Steele <mich...@go2dds.com> wrote:
> The file binf-barnyard2-v2-1.9-54-g58ce15d.zip won't compile under CYGWIN?
I worked with Eric a while ago and he had a branch that did/does
compile for win32, and I made it available here:
http://xinn.org/Barnyard2-Win32/barnyard2.zip It was compiled to support MySQL.
https://github.com/binf/barnyard2/tree/CYGWIN-COMPILE (not available anymore)

> Absolutely, but under the circumstances (snort dropping the output database,
> and Suricata with no output database option) this is the only option
> available.
It's been working for my Suricata win32 installs just fine so far. If any
bugs have been fixed or features added since the version I compiled, it will
suffer from or lack those. The caveat with using it was you have to use
127.0.0.1 instead of "localhost" if it's parsing the logs to the local DB.

> This could be a major problem as time goes by. It seems that if Snort and
> Suricata wants to support Windows as a distribution then there will need to
> be a native way to get the alerts from Snort, or Suricata to a database
> without using a kludge  (CYGWIN) to accomplish the task.
I am also willing to help test and document any further developments on the
win32 platform. I'm sorry I can't offer more help in porting than that :(
-rich

beenph

Feb 20, 2012, 6:18:10 PM
to barnyar...@googlegroups.com

The pre-stable branch contains the changes of CYGWIN-COMPILE plus other
enhancements.
This is why CYGWIN-COMPILE does not exist anymore.

-elz

Michael Steele

Feb 20, 2012, 9:26:13 PM
to barnyar...@googlegroups.com
Just to be sure where we are at right now;

>> I would suggest that you wait for the release version to make a "package"
>> since 2-1.9 will not compile under CYGWIN.

I should hold off until 2-2.x of Barnyard2 is released before continuing to
get a compiled version for Windows under CYGWIN?

Kindest Regards,

Michael Steele


beenph

Feb 21, 2012, 6:41:17 AM
to barnyar...@googlegroups.com
On Mon, Feb 20, 2012 at 9:26 PM, Michael Steele <mich...@go2dds.com> wrote:
> Just to be sure where we are at right now;
>
>>> I would suggest that you wait for the release version to make a "package"
>>> since 2-1.9 will not compile under CYGWIN.
>
> I should hold off until 2-2.x of Barnyard2 is released before continuing to
> get a compiled version for Windows under CYGWIN?
>
> Kindest Regards,
>
> Michael Steele

2-1.10 will compile under cygwin. (pre-stable) is 2-1.10

-elz

Michael Steele

Feb 21, 2012, 7:41:50 AM
to barnyar...@googlegroups.com
Just to be sure; is 'firnsy-barnyard2-v2-1.10-beta2-16-ga0d93e6.zip' the
correct source?

Kindest Regards,
Michael Steele


mich...@winsnort.com

Feb 21, 2012, 11:25:50 AM
to barnyar...@googlegroups.com
I think I have everything. I have the 'firnsy-barnyard2-v2-1.10-beta2-16-ga0d93e6.zip' file, which I believe to be the last release that compiles with CYGWIN, at least until the next stable version is released.

I need someone to guide me through the compiling. I have CYGWIN installed with all the dependencies. I have placed the source code into a folder called barnyard located in the 'cygwin' folder. I would like to compile a MySQL and a SQL Server version.

I have entered the barnyard folder from the cygwin terminal and the bash prompt is:

$

What are the lines I need to run to make the compile happen?

MySQL:

SQL Server:

TIA...

Rich Rumble

Feb 21, 2012, 11:50:27 AM
to barnyar...@googlegroups.com
On Tue, Feb 21, 2012 at 11:25 AM, mich...@winsnort.com
<mich...@winsnort.com> wrote:
> I think I have everything. I have the
> 'firnsy-barnyard2-v2-1.10-beta2-16-ga0d93e6.zip' file which I believe to be
> the last release that compiles with CYGWIN, at least until the next stable
> version is released.
>
> I need someone to guide me through the compiling. I have CYGWIN installed
> with all the dependencies. I have placed the source code into a folder
> called barnyard located in the 'cygwin' folder. I would like to compile a
> MySQL and a SQL Server version.
I'm working on a MySQL build now; I've not done a M$SQL build before for
by2. I'll try to write something up if I get it going. I was able to compile the
firnsy-barnyard2-v2-1.10-beta2-16 by running ./autogen && ./configure && make
and that worked; I'm now trying to add in MySQL (and PostgreSQL) support also.
-rich

Michael Steele

Feb 21, 2012, 12:24:48 PM
to barnyar...@googlegroups.com
It sounds like it is pretty complicated for Windows and I'm not sure why it
should be all that different from Unix.

Maybe someone will jump in here that has some firsthand knowledge of the
process.

What is the command line to compile Barnyard2 with MySQL support under
Windows and CYGWIN?

What is the command line to compile Barnyard2 with SQL Server support under
Windows and CYGWIN?

Kindest regards,
Michael...



Rich Rumble

Feb 21, 2012, 3:48:49 PM
to barnyar...@googlegroups.com
On Tue, Feb 21, 2012 at 12:24 PM, Michael Steele <mich...@winsnort.com> wrote:
> It sounds like it is pretty complicated for Windows and I'm not sure why it
> should be all that different from Unix.
It is and it isn't... Most win32 ports of projects have to make special
allowances for non-POSIX OSes. Cygwin/MinGW are build targets that take some
tweaking to get them going.

> Maybe someone will jump in here that has some firsthand knowledge of the
> process.
I've done lots of (cygwin)building, but no porting/programming/patching.

> What is the command line to compile Barnyard2 with MySQL support under
> Windows and CYGWIN?
./configure --with-mysql
Simple, right... ehhh, not so much. Compiling MySQL is a problem in and of
itself. I bet one could "cheat" and place already compiled binaries and certain
source code here and there in the Cygwin folders or system paths. Perhaps using
the proper --include paths and dirs... I haven't really tried that approach yet.
Below you will find my brief instructions. I don't have time today to make a
fresh install of Cygwin, but this should get you closer to the end. I've got
pcap installed already so that step is skipped here, but you can find a very
good tutorial on the Suricata page for pcap+cygwin installation:
https://redmine.openinfosecfoundation.org/attachments/download/684/SuricataWinInstallationGuide_v1.1.pdf

> What is the command line to compile Barnyard2 with SQL Server support under
> Windows and CYGWIN?

I am not sure. I hope the "guide" below will help you; at the end I've placed
a link to my untested build that supports MySQL and PostgreSQL.
=======================================
Install Cygwin
http://www.cygwin.com/setup.exe

You will need to run the setup.exe and make sure
GCC, PERL, MAKE, BISON, LIBREAD, ZLIB (and probably others) are installed
in your cygwin environment. I will have to start with
a fresh install to find all dependencies.

Download MySQL ftp://mirror.anl.gov/pub/mysql/Downloads/MySQL-5.5/mysql-5.5.21.zip
Extract to c:\cygwin\mysql-5.5.21
Open the Cygwin shell

cd /cygdrive/c/cygwin/mysql-5.5.21

perl cmake/configure.pl

After a long time, it should finish. You will have to edit one file
to avoid conflicts. Edit mysql-5.5.21/strings/dtoa.c
Replace all "dtoa" strings with "_dtoa", also replace the
uppercase strings with uppercase (DTOA with _DTOA).

Now run make

make mysqlclient

If all goes well, eventually mysqlclient should
be finished. You can now run make install

make install

Once that finishes, the MySQL sources should be installed in
the proper places for Cygwin to find them.

If you want to install postgresql also, simply download it
http://ftp.postgresql.org/pub/source/v9.1.2/postgresql-9.1.2.tar.gz
extract to c:\cygwin\postgresql-9.1.2

cd ../postgresql-9.1.2/
./configure
make
make install

That should also place all the postgresql files where cygwin can
find them. Now configure and make barnyard2 using both (or more)
database clients:
cd ../barnyard2/
./configure --with-mysql --with-postgresql
make
make install

That should do it as far as making. Now you need to copy the dependent
dll and/or exe files into one directory.

mkdir /cygdrive/c/barnyar2-win32
cp /cygdrive/c/cygwin/mysql-5.5.21/libmysql/cygmysqlclient-18.dll /cygdrive/c/barnyar2-win32
cp /cygdrive/c/cygwin/barnyard2/src/.libs/barnyard2.exe /cygdrive/c/barnyar2-win32
cp /cygdrive/c/cygwin/barnyard2/etc/barnyard2.conf /cygdrive/c/barnyar2-win32

Remember when editing the barnyard2.conf file, use 127.0.0.1 instead
of the "localhost" keyword, because if I recall correctly, that's just how
it is :) If you're not logging to the localhost, then any IP or FQDN should
work fine.

If you do not have Cygwin installed or in the system's path, you will
need all of the following files for a "standalone" install to work:
barnyard2.conf
barnyard2.exe
cygcrypt-0.dll
cygcrypto-0.9.8.dll
cyggcc_s-1.dll
cygiconv-2.dll
cygintl-8.dll
cyglber-2-3-0.dll
cygldap-2-3-0.dll
cygminires.dll
cygmysqlclient-18.dll
cygpq.dll
cygsasl2-2.dll
cygssl-0.9.8.dll
cygwin1.dll
cygz.dll
My build can be found here: http://xinn.org/Barnyard2-Win32/by2-latest.zip

You can use this as a basic BY2 config file:

#Example By2 Config file by Rich Rumble
config classification_file: C:\Snort\etc\classification.config
config gen_file: C:\Snort\etc\gen-msg.map
config reference_file: C:\Snort\etc\reference.config
config sid_file: C:\Snort\etc\sid-msg.map
input unified2
output database: log, mysql, user=snort-user password=SXhPnC3wa7bhnaSq dbname=snort host=127.0.0.1
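The hand-maintained DLL list above is the fragile part of a "standalone" bundle: it silently goes stale whenever a library is rebuilt against a different version (cygssl-0.9.8 vs 1.0, cygmysqlclient-18 vs -16). The script below is an added example, not code from the thread or from the barnyard2 project. It derives the list from what the binary actually imports, assuming you run Cygwin's own `cygcheck ./barnyard2.exe` (which prints the DLL dependency tree, one Windows path per line, indented by depth) and that the Cygwin DLLs live in /usr/bin (C:\cygwin\bin). The cygcheck output and files used in the demo are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not code from the thread or the barnyard2 project.
# Builds the "standalone" directory from what the binary actually imports,
# instead of a hand-maintained DLL list. Assumes Cygwin's `cygcheck` output
# (one Windows path per line, indented by depth) and DLLs in /usr/bin.
# The cygcheck output and files used in the demo below are constructed.

# Extract the Cygwin-provided DLL basenames from a saved cygcheck tree.
# Windows system DLLs (KERNEL32.dll, ntdll.dll, ...) are dropped on purpose:
# they must not be shipped and are present on every target anyway.
cyg_deps() {
    tr -d '\r' < "$1" \
      | sed -e 's/^[[:space:]]*//' -e 's#.*[\\/]##' \
      | tr 'A-Z' 'a-z' \
      | grep -E '^cyg[a-z0-9_.+-]*\.dll$' \
      | sort -u
}

# Copy exe, conf and every resolved DLL into $5. Names each DLL that
# cygcheck saw but $2 does not contain and returns non-zero, so a
# half-populated bundle is never produced silently.
bundle() {
    cc_out=$1; bindir=$2; exe=$3; conf=$4; dest=$5
    mkdir -p "$dest" || return 1
    cp "$exe" "$conf" "$dest/" || return 1
    missing=0
    for dll in $(cyg_deps "$cc_out"); do
        if [ -f "$bindir/$dll" ]; then
            cp "$bindir/$dll" "$dest/"
        else
            echo "bundle: $dll is imported but not in $bindir" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# --- demo on constructed data (real box: cygcheck ./barnyard2.exe > deps.txt) ---
work=$(mktemp -d)
cat > "$work/deps.txt" <<'EOF'
C:\barnyar2-win32\barnyard2.exe
  C:\cygwin\bin\cygwin1.dll
    C:\Windows\system32\KERNEL32.dll
      C:\Windows\system32\ntdll.dll
  C:\cygwin\bin\cygmysqlclient-18.dll
    C:\cygwin\bin\cygssl-0.9.8.dll
      C:\cygwin\bin\cygcrypto-0.9.8.dll
    C:\cygwin\bin\cygz.dll
EOF
mkdir -p "$work/bin" "$work/src"
for d in cygwin1.dll cygmysqlclient-18.dll cygssl-0.9.8.dll cygz.dll; do
    : > "$work/bin/$d"                     # stand-ins for the real DLLs
done
: > "$work/src/barnyard2.exe"; : > "$work/src/barnyard2.conf"

# cygcrypto-0.9.8.dll is imported but missing from bindir: bundle must fail
if bundle "$work/deps.txt" "$work/bin" "$work/src/barnyard2.exe" \
          "$work/src/barnyard2.conf" "$work/out"; then
    echo "unexpected: bundle succeeded with a DLL missing"
fi
: > "$work/bin/cygcrypto-0.9.8.dll"        # "install" the missing DLL
bundle "$work/deps.txt" "$work/bin" "$work/src/barnyard2.exe" \
       "$work/src/barnyard2.conf" "$work/out" && ls "$work/out"
```

One caveat that applies to any bundle built this way: the copied cygwin1.dll must be the only one on the target, since two different Cygwin runtimes loaded in one process (one from the bundle, one from a Cygwin install on PATH) do not coexist.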

Michael Steele

Feb 21, 2012, 5:44:49 PM
to barnyar...@googlegroups.com
Just so I'm understanding the end result;

What you are describing is confusing, and it's most likely because I'm a
Windows user; you're describing installing MySQL as a full install, then
compiling Barnyard2 with the install.

The end result I'm looking for is having two barnyard2.zip files: one with
MySQL support and one with SQL Server support. You're describing the MySQL
install below.

Let's say I have an existing Windows IDS that is fully functional, and I
want to convert it from Output database to unified. I'm presently able to
view the alerts using the BASE console, but Snort is using the output
database option.

I know I'll need to change the snort.conf from output database to unified,
I'll also need to configure the barnyard.conf file, and then run the
barnyard.exe with the correct parameters. Is this basically what I'll need
to do on an existing IDS?

When I get finished compiling below, will I be able to have a stand alone
zip file that contains everything that is needed to run barnyard2 on
Windows?

Hope I didn't confuse you :)

Kindest regards,
Michael...


Rich Rumble

Feb 21, 2012, 6:30:00 PM
to barnyar...@googlegroups.com
On Tue, Feb 21, 2012 at 5:44 PM, Michael Steele <mich...@winsnort.com> wrote:
> Just so I'm understanding the end result;
>
> What you are describing is confusing, and it's most likely because I'm a
> Windows user; your describing installing MySQL as a full install then
> compiling Barnyard2 with the install.
Building dependencies and libraries is part of the experience :)
If Cygwin had a "mysql-devel" package available in their repos you
wouldn't have to do this; same with libpcap (or winpcap). But these
aren't already made/available in the Cygwin repos, so you can either
compile them/install them, or in some cases DL the sources and copy
them into the correct folders in Cygwin, and the program can link (or
whatever it's called) to those headers and binaries. I'm not all that
experienced in programming, but I've been compiling ported software for
years, so while I don't know exactly what I'm doing, I do get by. It's
taken a long time to get this far ;)

> The end result I'm looking for is having two barnyard2.zip files; one with
> MySQL support and one with SQL Server support. Your describing the MySQL
> install below.
I compiled MySQL and PostgreSQL, then installed their components to the
proper places using "make install" so Cygwin would know where to
look. It's entirely possible to do this without compiling, using already
made binaries and sources, and copying them into the various Cygwin dirs
(/usr/local, /usr/include, /usr/lib) or by using --include=mysql-folder-here
in the ./configure arguments.

> Let's say I have an existing Windows IDS that is fully functional, and I
> want to convert it from Output database to unified. I'm presently able to
> view the alerts using the BASE console, but Snort is using the output
> database option.
>
> I know I'll need to change the snort.conf from output database to unified,
> I'll also need to configure the barnyard.conf file, and then run the
> barnyard.exe with the correct parameters. Is this basically what I'll need
> to do on an existing IDS?
Snort has to be linked to MySQL just the same as By2; when compiling
snort from scratch on Windows, I would have to build/make mysql before I
could issue the --with-mysql configure flag. If I didn't have mysql libs and
bins in the proper place in cygwin, that flag would fail and configure would
fail or continue on and just drop mysql support.

>
> When I get finished compiling below, will I be able to have a stand alone
> zip file that contains everything that is needed to run barnyard2 on
> Windows?
Yes, sort of. You'll manually have to copy the exes and dlls into the same
directory, but all the elements will be on your system. I take that back: if
you had cygwin in your M$ path, you would not have to copy the files into
the same dir. But for a computer that doesn't have Cygwin installed, you
have to do what I did with the zip file below: place all these DLLs and the
exe and the CONF file into the same dir. I have not yet tested today's build
but I aim to tomorrow. If I have time I'll get a proper guide written with a
very fresh cygwin install.
-rich

beenph

Feb 21, 2012, 6:51:36 PM
to barnyar...@googlegroups.com
On Tue, Feb 21, 2012 at 11:50 AM, Rich Rumble <richr...@gmail.com> wrote:
> On Tue, Feb 21, 2012 at 11:25 AM, mich...@winsnort.com
> <mich...@winsnort.com> wrote:
>> I think I have everything. I have the
>> 'firnsy-barnyard2-v2-1.10-beta2-16-ga0d93e6.zip' file which I believe to be
>> the last release that compiles with CYGWIN, at least until the next stable
>> version is released.
>>

Wait for the 2-1.10 release to make any build. Support for
(MSSQL, ORACLE and ODBC) is not built into 2-1.10.
It will be soon enough, and since nobody complained yet, most of the user
base is MySQL or PostgreSQL.

And if you do not want to wait for 2-1.10, then use my branch
"pre-stable" that can be found @

https://github.com/binf/barnyard2/tree/pre-stable (commit:
58ce15d38efca8652e75e3d43fb668f93e932fd7)
since it has received a few essential bugfixes thanks to great stress
tests done by Rusell Fuleton
-elz

Michael Steele

Feb 21, 2012, 9:38:46 PM
to barnyar...@googlegroups.com
I think you are right; at this point I will wait to figure out the compile
process until the 2-1.10 is released.

I need a way to bridge the data gap between the IDS and the database before
Sourcefire removes the output database option, which is getting near. I'm
mostly concerned with getting Barnyard compiled for MySQL and SQL Server at
this point, because that's all my guides deal with right now.

Rich has provided a link to his latest build that was still Cygwin
buildable. Seeing this is a new project I'll work with this build to get the
feel on how to install, configure, and document the procedures.

Kindest regards,
Michael...


Michael Steele

Feb 22, 2012, 2:48:37 PM
to barnyar...@googlegroups.com
Rich,

I have a new install of XP with Snort. I've made the necessary alterations
from using the output database option in snort to using unified 2. I'm
attaching 3 configuration files;

Snort.conf - This is my current configuration.
Barnyard2.conf - This is my current configuration.
Start.bat - This is the line I'll be running Barnyard with.

Can you look at these configuration files and make sure I have them
set properly? There may need to be items added, changed, or possibly
removed.

I think these are the differences from my original install using the output
database in snort to using unified2;

I've processed the 'sid-msg.map' using the 'create-sidmap.pl' and placed it
into the snort/etc folder. I'm assuming this is necessary for unified2?

I installed all the files from within the 'by2-latest' that I got from you
into the 'd:\winids\barnyard' folder.

I created the snort.conf exactly as I did when using the output database
option, except I left the hash in front of the output database line, and
removed the hash from 'output unified2: filename merged.log, limit 128,
nostamp, mpls_event_types, vlan_event_types' line to activate unified2.

I inserted the lines from the 'barnyard2-example.conf' into the
'barnyard2.conf' with the necessary changes pointing to my install paths.

I will use the run line from the Readme file with all the necessary path
changes.

barnyard2.exe -c barnyard2.conf -l d:\winids\snort\barnyard2 -o d:\winids\snort\log\merged.log

-c <file> Use configuration file <file>
-l <ld> Log to directory <ld>
-o Enable batch processing mode

-c barnyard2.conf - This is the location and name of the barnyard
configuration

-l d:\winids\snort\barnyard2 - This is the folder for the log directory, and
I have created this folder. I'm not real sure what this folder is there for?

-o d:\winids\snort\log\merged.log - This enables batch mode and it's
pointing to the log file that Snort creates from the unified line in the
snort.conf. I'm not sure what this is for? It seems that the -o should be
the -l?

I think Barnyard can create a single log file or multiple? What is the best
method? It looks like the snort.conf and the barnyard run line needs to be
in sync on the logging method?

Another question; does Barnyard need to be compiled when there is a new
version of MySQL installed?

I haven't initiated anything yet, waiting for you to add any suggestions.

Kindest regards,
Michael...


barnyard-start
snort.conf
barnyard2.conf

Rich Rumble

Feb 22, 2012, 3:33:50 PM
to barnyar...@googlegroups.com
On Wed, Feb 22, 2012 at 2:48 PM, Michael Steele <mich...@winsnort.com> wrote:
> Can you could look at these configuration files and make sure I have them
> set properly. There may need to be items added, changed, or possibly
> removed?
They look good to me. I'm no expert in BY2; I use it to write the U2 files
to local MySQL DBs on our sensors, so the example config in that zip
file is very close to what I do.

> I've processed the 'sid-msg.map' using the 'create-sidmap.pl' and placed it
> into the snort/etc folder. I'm assuming this is necessary for unified2?
I think I was able to use the ones snort\suricata came with.

> -o d:\winids\snort\log\merged.log - This enables batch mode and it's
> pointing to the log file that Snort creates from the unified line in the
> snort.conf. I'm not sure what this is for? It seems that the -o should be
> the -l?

Using the -c option the logging directory is read from the snort config.


> I think Barnyard can create a single log file or multiple? What is the best
> method? It looks like the snort.conf and the barnyard run line needs to be
> in sync on the logging method?

Barnyard is parsing my U2 logs and placing the data in a DB, the only log
it creates for me is the waldo (place holder) file.

> Another question; does Barnyard need to be compiled when there is a new
> version of MySQL installed?

Shouldn't, unless you're taking advantage of some new feature and/or
something has fundamentally changed in the protocol.

Again I'm no expert, but it all looks good to me, give it a whirl.
-rich

Michael Steele

Feb 22, 2012, 4:05:27 PM
to barnyar...@googlegroups.com
Rich,

Ok, it appears to be working. I have alerts in the BASE console.

Regarding portscans; Do I actually need the portscan option enabled in the
snort.conf in order for portscans to be delivered to the BASE console. I was
under the impression that barnyard directly handles portscans?

To the BIG thing: I can run the line to start Barnyard, but it quits after
parsing the log file. How do you keep Barnyard running?

Kindest regards,
Michael...


Rich Rumble

Feb 22, 2012, 4:17:13 PM
to barnyar...@googlegroups.com
On Wed, Feb 22, 2012 at 4:05 PM, Michael Steele <mich...@winsnort.com> wrote:
> To the BIG thing: I can run the line to start Barnyard, but it quits after
> parsing the log file. How do you keep Barnyard running?
I should have included that in my example conf; when I re-document the 2.10
build for Cygwin I will make sure to mention the Continual Processing
options as well as the Batch option.

Continual Processing Options:
-a <dir> Archive processed files to <dir>
-f <base> Use <base> as the base filename pattern
-d <dir> Spool files from <dir>
-n Only process new events <---- This should do it for you.
-w <file> Enable bookmarking using <file>
-rich

Michael Steele

Feb 22, 2012, 4:28:49 PM
to barnyar...@googlegroups.com
Do I need to add the 5 switches you are showing below or just the -n?

This is my runline:
barnyard2.exe -c barnyard2.conf -l d:\winids\snort\barnyard2 -o d:\winids\snort\log\merged.log

I added the -n to the above line and when I execute it from the terminal
window it parses the log, displays the stats, and exits.

Also I checked the ' d:\winids\snort\barnyard2' folder and it is empty?

Kindest regards,
Michael...


Rich Rumble

Feb 22, 2012, 4:52:04 PM
to barnyar...@googlegroups.com
On Wed, Feb 22, 2012 at 4:28 PM, Michael Steele <mich...@winsnort.com> wrote:
> Do I need to add the 5 switches you are showing below or just the -n?
No.

> This is my runline:
> barnyard2.exe -c barnyard2.conf -l d:\winids\snort\barnyard2 -o
> d:\winids\snort\log\merged.log
>
> I added the -n to the above line and when I execute it from the terminal
> window it parses the log, displays the stats, and exits.
I use a scheduled task for a batch mode every 5 minutes... I've not
tested any of the continuous methods, maybe someone else
on the list can speak to how to better run in a continuous and or
service mode. Snort and Suricata can run as a service, but I'm
not sure BY2 can... Anyone?
-rich

Michael Steele

Feb 22, 2012, 5:04:58 PM
to barnyar...@googlegroups.com
Rich,

The '-n doesn't seem to do anything. It processes all the alerts every time
I run the line below:

barnyard2.exe -c barnyard2.conf -l d:\winids\snort\barnyard2 -o

d:\winids\snort\log\merged.log -n
or
barnyard2.exe -n -c barnyard2.conf -l d:\winids\snort\barnyard2 -o


d:\winids\snort\log\merged.log

Kindest regards,
Michael...

WINSNORT.com Management Team Member
--
****************** Established ~ 2001 *******************
* Visit Us @ http://www.winsnort.com *
* ~~ FREE WinIDS Snort installation guides ~~ *
* ~~ FREE support forums ~~ *
* Snort: Open Source Network IDS - http://www.snort.org *
*********************************************************



Rich Rumble

Feb 22, 2012, 5:08:29 PM
to barnyar...@googlegroups.com
On Wed, Feb 22, 2012 at 5:04 PM, Michael Steele <mich...@winsnort.com> wrote:
> Rich,
>
> The '-n doesn't seem to do anything. It processes all the alerts every time
> I run the line below:
>
> barnyard2.exe -c barnyard2.conf -l d:\winids\snort\barnyard2 -o
> d:\winids\snort\log\merged.log -n
> or
> barnyard2.exe -n -c barnyard2.conf -l d:\winids\snort\barnyard2 -o
> d:\winids\snort\log\merged.log
I see, the -o is the last option read so it's probably still going
with "batch mode" and not staying open. Try dropping the
"-o" instead. Sorry I can't test at this point in the day.
http://www.securixlive.com/barnyard2/docs/manual.php
-rich

Michael Steele

Feb 22, 2012, 5:44:26 PM
to barnyar...@googlegroups.com
I'm looking at the docs and it's looking all geek to me. I tried removing
the -o, but then it finds no file, and a couple of other options, and it's
still doing the same thing?

Maybe you can take a look at your running configuration?

I'm thinking I only need to be working with one log file and the -o switch
is used for multiple files?

My setup is:

D:\winids\barnyard
D:\Winids\snort\barnyard2
D:\Winids\snort\log

output unified2: filename merged.log, limit 128, nostamp, mpls_event_types,
vlan_event_types

I'm running the barnyard2.exe directly from the 'd:\winids\barnyard' folder

barnyard2.exe -c barnyard2.conf -l d:\winids\snort\barnyard2 -o
d:\winids\snort\log\merged.log

Running the above line processes all the alerts each time the line is run.

If it's possible to run Barnyard2.exe as a service, I think I might be able
to do that?

It looks like it's all up and running except for two items:

1) Processes the complete merged.log file each time barnyard2.exe is run.

2) Barnyard2 is showing 1101 events processed, but BASE is only showing 1100
new events. It appears that one event could be getting lost somewhere? BASE
is always off by one event after each run.

I also need to clear up the Portscan issue. It's processing portscans but
are the portscan entries coming from the portscan.log or from the
merged.log?

Kindest regards,
Michael...

-----Original Message-----
From: barnyar...@googlegroups.com
[mailto:barnyar...@googlegroups.com] On Behalf Of Rich Rumble
Sent: Wednesday, February 22, 2012 5:08 PM
To: barnyar...@googlegroups.com
Subject: Re: [Snort-users] Barnyard2 - CYGWIN - Windows Compile

Rich Rumble
Feb 22, 2012, 6:51:12 PM
to barnyar...@googlegroups.com
On Wed, Feb 22, 2012 at 5:44 PM, Michael Steele <mich...@winsnort.com> wrote:
> I'm looking at the docs and It's looking all geek to me. I tried removing
> the -o but then it finds no file, and a couple of other options and it's
> still doing the same thing?
>
> Maybe you can take a look at your running configuration?
>
> I'm thinking I only need to be working with one log file and the -o switch
> is used for multiple files?
>
> My setup is:
>
> D:\winids\barnyard
> D:\Winids\snort\barnyard2
> D:\Winids\snort\log
>
> output unified2: filename merged.log, limit 128, nostamp, mpls_event_types,
> vlan_event_types
>
I've looked at a previous script I've used:
barnyard2.exe -c barnyard2.conf -d c:\Snort\log -f merged -l c:\Snort\barnyard2
So this uses the -f option, looking for files that start with "merged";
maybe that will work. You may need to specify the -w waldo file for these
options, I don't know for sure.
-rich

Michael Steele
Feb 22, 2012, 9:36:25 PM
to barnyar...@googlegroups.com
What is the waldo file?

Kindest regards,
Michael...

-----Original Message-----
From: barnyar...@googlegroups.com
[mailto:barnyar...@googlegroups.com] On Behalf Of Rich Rumble
Sent: Wednesday, February 22, 2012 6:51 PM
To: barnyar...@googlegroups.com
Subject: Re: [Snort-users] Barnyard2 - CYGWIN - Windows Compile

beenph
Feb 22, 2012, 9:45:06 PM
to barnyar...@googlegroups.com
On Wed, Feb 22, 2012 at 9:36 PM, Michael Steele <mich...@winsnort.com> wrote:
> What is the waldo file?
>
The waldo file is a file that is created by the -w parameter of
barnyard that will allow barnyard2 to resume unified2 processing
when it is stopped without reprocessing previous unified2 records.

-elz

Michael Steele
Feb 22, 2012, 9:50:07 PM
to barnyar...@googlegroups.com
barnyard2.exe -c barnyard2.conf -d d:\winids\snort\log -f merged -l
d:\winids\snort\barnyard2

When I run the above I get this in the terminal window:

>> WARNING: Can't extract timestamp extension from 'merged.log'using base
'merged'

There is nothing going into the 'd:\winids\snort\barnyard2' folder? Is it
supposed to be populated with anything?

What is the unified2 line in your snort.conf?

Kindest regards,
Michael...

-----Original Message-----
From: barnyar...@googlegroups.com
[mailto:barnyar...@googlegroups.com] On Behalf Of Rich Rumble
Sent: Wednesday, February 22, 2012 6:51 PM
To: barnyar...@googlegroups.com
Subject: Re: [Snort-users] Barnyard2 - CYGWIN - Windows Compile

beenph
Feb 22, 2012, 10:03:11 PM
to barnyar...@googlegroups.com
On Wed, Feb 22, 2012 at 9:50 PM, Michael Steele <mich...@winsnort.com> wrote:
> barnyard2.exe -c barnyard2.conf -d d:\winids\snort\log -f merged -l
> d:\winids\snort\barnyard2
>
> When I run the above I get this in the terminal window:
>
>>> WARNING: Can't extract timestamp extension from 'merged.log'using base
> 'merged'
>
> There is nothing going into the 'd:\winids\snort\barnyard2' folder? Is it
> supposed to be populated with anything?
>
> What is the unified2  line in your snort.conf?
>

Should look something like: output unified2: filename

Michael Steele
Feb 22, 2012, 11:12:40 PM
to barnyar...@googlegroups.com
Ok, I changed to:

output unified2: filename merged.log, limit 128

It's now putting a time stamp on the log file so it appears that the -f and
-o switch must need to be used?

I'm burnt. After several hours I can get Barnyard to process the log file,
but it processes the complete log file every time I run the configuration.

It has to be easier than this for Windows?

Kindest regards,
Michael...


firnsy
Feb 23, 2012, 6:33:09 AM
to barnyar...@googlegroups.com
Michael,

Let's go over the README a little ...

---- 8< ----
Barnyard2 has 3 modes of operation:
1. batch (or one-shot),
2. continual, and
3. continual w/ bookmark.
---- >8 ----

So we have three distinct modes, which I think explicitly indicates that
these modes are discrete and can not be combined. Elaborating on the
modes the README provides the following descriptions.

---- 8< ----
In batch (or one-shot) mode, barnyard2 will process the explicitly
specified file(s) and exit.

In continual mode, barnyard2 will start with a location to look and a
specified file pattern and continue to process new data (and new spool
files) as they appear.

Continual mode w/ bookmarking will also use a checkpoint file (or waldo
file in the snort world) to track where it is. In the event the
barnyard2 process ends while a waldo file is in use, barnyard2 will
resume processing at the last entry as listed in the waldo file.
---- >8 ----


So going over your problem, the log files are processed every time you
rerun. It sounds like you are in a "continuous" mode of operation
_without_ bookmark. To determine how to put barnyard2 in a specific mode
of operation, the README provides the following flag descriptions.

---- 8< ----
Continual Processing Options:
-a <dir> Archive processed files to <dir>
-f <base> Use <base> as the base filename pattern
-d <dir> Spool files from <dir>
-n Only process new events
-w <file> Enable bookmarking using <file>

Batch Processing Mode Options:
-o Enable batch processing mode
---- >8 ----

I would suggest that you need to add -w to generate a bookmark (or
waldo) file so barnyard2 knows where the processing got up to.

I'm not sure why you think the "-f" and "-o" need to be used as they are
clearly two different modes of operations.

As suggested by Rich, for typical operation of barnyard2 you will need
to at least specify the "-d" (which directory to look in), "-f" (what
filename pattern to look for - minus the timestamp), "-w" (the bookmark
file).

I'm not sure how to make it easier for Windows users. However, we
definitely accept any and all patches (with some review) - particularly
for documentation.

Regards,
firnsy
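To make the difference between the modes concrete (beenph's description of the waldo file above, and the README excerpt firnsy quotes), here is a small constructed illustration of a spool reader with and without a bookmark. This is added example code, not barnyard2's own reader: the record format (a 4-byte big-endian length prefix followed by the payload) and the bookmark layout (`<spool name>:<byte offset>`) are assumptions made for the example, and the "spool" is a temporary file the example writes itself. It shows why a plain rerun reprocesses everything, why a bookmarked run only sees what was appended since the last run, and how a partially written trailing record is left for the next pass rather than advancing the bookmark past it.

```python
"""Constructed illustration of barnyard2's three modes of operation
(batch, continual, continual with bookmark) over a tiny fake spool.
Added example, not barnyard2 code; the record format (4-byte big-endian
length prefix + payload) and the bookmark file layout
("<spool name>:<byte offset>") are assumptions."""
import os
import struct
import tempfile


def append_records(spool_path, payloads):
    """Append length-prefixed records, the way a sensor appends events."""
    with open(spool_path, "ab") as f:
        for p in payloads:
            f.write(struct.pack(">I", len(p)) + p)


def read_records(spool_path, offset=0):
    """Yield (offset_after_record, payload) for every complete record from
    `offset`. A trailing partial record (writer still mid-write) is not
    consumed, so the caller's bookmark stays just before it."""
    with open(spool_path, "rb") as f:
        f.seek(offset)
        while True:
            hdr = f.read(4)
            if len(hdr) < 4:
                return
            (n,) = struct.unpack(">I", hdr)
            payload = f.read(n)
            if len(payload) < n:
                return
            offset += 4 + n
            yield offset, payload


def load_waldo(waldo_path):
    """Return (spool name, byte offset) from the bookmark, or (None, 0)."""
    if not os.path.exists(waldo_path):
        return None, 0
    with open(waldo_path, "r") as f:
        name, off = f.read().strip().rsplit(":", 1)
    return name, int(off)


def save_waldo(waldo_path, name, offset):
    """Write the bookmark atomically (temp file, then rename), so a crash
    while saving never leaves a half-written bookmark behind."""
    tmp = waldo_path + ".tmp"
    with open(tmp, "w") as f:
        f.write(f"{name}:{offset}\n")
    os.replace(tmp, waldo_path)


def run_batch(spool_path):
    """Batch (one-shot) mode: process the whole file from byte 0, then exit.
    No bookmark is read or written, so every run repeats all records."""
    return [p for _, p in read_records(spool_path)]


def run_continual_with_bookmark(spool_path, waldo_path):
    """One pass of continual-with-bookmark mode: resume at the saved offset,
    process only what is new, and save the new offset for the next run."""
    name, offset = load_waldo(waldo_path)
    if name != os.path.basename(spool_path) or offset > os.path.getsize(spool_path):
        offset = 0  # different (rotated) spool, or file was truncated: start over
    processed = []
    for offset, payload in read_records(spool_path, offset):
        processed.append(payload)
    save_waldo(waldo_path, os.path.basename(spool_path), offset)
    return processed


def demo():
    """Drive both modes over a constructed spool; returns the record counts."""
    d = tempfile.mkdtemp()
    spool = os.path.join(d, "merged.log")
    waldo = os.path.join(d, "barnyard.waldo")
    append_records(spool, [b"evt1", b"evt2", b"evt3"])
    first = len(run_continual_with_bookmark(spool, waldo))      # 3
    rerun = len(run_continual_with_bookmark(spool, waldo))      # 0: nothing new
    append_records(spool, [b"evt4"])
    appended = len(run_continual_with_bookmark(spool, waldo))   # 1
    batch = len(run_batch(spool))                               # 4: ignores bookmark
    with open(spool, "ab") as f:
        f.write(b"\x00\x00")                                    # half a header
    partial = len(run_continual_with_bookmark(spool, waldo))    # 0: not consumed
    with open(spool, "ab") as f:
        f.write(b"\x00\x04" + b"evt5")                          # header completes
    completed = len(run_continual_with_bookmark(spool, waldo))  # 1
    return first, rerun, appended, batch, partial, completed


if __name__ == "__main__":
    print(demo())
```

The bookmark is keyed on the spool file's name as well as its offset, which is the reason the `-f` pattern matters once Snort timestamps the file: a new spool name starts at byte 0 instead of reusing an offset that belongs to the previous file.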

Michael Steele
Feb 23, 2012, 9:16:39 AM
to barnyar...@googlegroups.com
Thank you for a clearer understanding. I'm not sure what I'm doing wrong.

What I will need is a way to process the merged.log on an as-needed basis,
even if barnyard goes down, without processing pre-processed alerts.

It appears that the 'Continual mode w/ bookmarking' should be the best way, or
is there a simpler way?

This is my unified2 configuration in the snort.conf.

output unified2: filename merged.log, limit 128, nostamp, mpls_event_types,
vlan_event_types

I can't think of why I would need a time stamp on the end of the file?

I am running barnyard.exe directly from the barnyard2 folder

barnyard2.exe -a d:\winids\snort\log -f merged -d d:\winids\snort\log -n -w
d:\winids\snort\log\barnyard.waldo

Continual Processing Options:
-a <dir> Archive processed files to <dir>
-f <base> Use <base> as the base filename pattern
-d <dir> Spool files from <dir>
-n Only process new events
-w <file> Enable bookmarking using <file>

The above is what I think is needed. The -a might be a problem if it's not
all inclusive in Barnyard.

Running the above run line I get:
--------------------\
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "./barnyard2.conf"
cygwin warning:
MS-DOS style path detected: d:\winids\snort\etc\reference.config
Preferred POSIX equivalent is: /snort/etc/reference.config
CYGWIN environment variable option "nodosfilewarning" turns off this
warning.
Consult the user's guide for more details about POSIX paths:
http://cygwin.com/cygwin-ug-net/using.html#using-pathnames
ERROR: Stat check on log dir (/var/log/barnyard2) failed: No such file or
directory.
Fatal Error, Quitting..
--------------------/

Michael Steele
Feb 23, 2012, 9:49:58 AM
to barnyar...@googlegroups.com
Woops,

barnyard2.exe -c barnyard2.conf -a d:\winids\snort\log -f merged -d
d:\winids\snort\log -n -w d:\winids\snort\log\barnyard.waldo

Forgot the -c, but it didn't make a difference.

I also tried the below with the same result:
barnyard2.exe -c barnyard2.conf -a d:/winids/snort/log -f merged -d
d:/winids/snort/log -n -w d:/winids/snort/log/barnyard.waldo

Michael Steele
Feb 23, 2012, 2:09:17 PM
to barnyar...@googlegroups.com
I think I have finally found the solution to getting Barnyard2 running on
Windows. It all looks so simple now :)

I'll look at the guide and see if I can make it a little easier for the
Windows users.

----------8----------
output unified2: filename merged.log, limit 128

barnyard2.exe -c barnyard2.conf -d d:\winids\snort\log -f merged.log -l
d:\winids\barnyard2 -w d:\winids\snort\log\barnyard.waldo
----------8----------

Is there any of the other unused switches that I'll need to use with
Continual Processing with Bookmarking?

-n: what is it used for? It seems like it's processing new alerts without it.

Continual Processing Options:
-a <dir> Archive processed files to <dir>

-n Only process new events

I cleared the log folder, renewed the MySQL database, allowed Snort to
collect some alerts, and ran the run line above.

Alerts are being populated into the terminal window. Stopped Barnyard2,
there are 55 events showing, started BASE, there are 55 alerts added,
restarted Barnyard2, collected 5 events, stopped Barnyard2, started BASE and
there are 5 new alerts added.

Looks like success.

How does Barnyard handle Portscans; do I need the line below, or does it
need altering?

preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level {
low } logfile { portscan.log }

Kindest regards,
Michael...

-----Original Message-----
From: barnyar...@googlegroups.com
[mailto:barnyar...@googlegroups.com] On Behalf Of firnsy
Sent: Thursday, February 23, 2012 6:33 AM

Michael Steele
Feb 25, 2012, 11:02:07 PM
to barnyar...@googlegroups.com
Is it possible to get SQL Server compiled into Barnyard2 for Windows?

Will MySQL, SQL Server, and Postgresql be in the same Barnyard2 compile?

I have Continual Processing with bookmarking enabled and it is working great.

barnyard2.exe -c barnyard2.conf -d d:\winids\snort\log -f merged.log -l
d:\winids\barnyard2 -w d:\winids\snort\log\barnyard.waldo -n

How do I configure the run line to process only new events and exit the
terminal window, and all consecutive runs, only process new events?

Kindest regards,
Michael...


-----Original Message-----
From: barnyar...@googlegroups.com
[mailto:barnyar...@googlegroups.com] On Behalf Of Rich Rumble
Sent: Tuesday, February 21, 2012 3:49 PM
To: barnyar...@googlegroups.com
Subject: Re: [Snort-users] Barnyard2 - CYGWIN - Windows Compile
