barnyard2 설치

#####snort.conf 설정변경##########################

두줄추가 (output부분)

#unified

output unified2: filename snort.log, limit 128

########barnyard2 설치(64bit기준)########################################

cd /root/

barnyard2.tar.gz복사

tar zxvf barnyard2-1.8.tar.gz

cd barnyard2-1.8

./configure --with-mysql-libraries=/usr/lib64/mysql/

make

make install

cp etc/barnyard2.conf /etc/snort/

mkdir /var/log/barnyard2

chmod 666 /var/log/barnyard2

touch /var/log/snort/barnyard2.waldo

chown snort:snort /var/log/snort/barnyard2.waldo

########barnyard2 수정#########################################

vi /etc/snort/barnyard2.conf

주석해제

config hostname:        locahost

config interface:       eth0

output database: log, mysql, user=snort password=ahslxj1234 dbname=snort host=localhost

########sid-msg.map최신화######################################

barnyard의 output은 이벤트명을 포함하지 않기 때문에 매칭파일을 사용해야한다.

안그러면 DB에 이벤트명이 제대로 박히지 않는다.

매핑파일 위치: /etc/snort/sid-msg.map

create-sidmap.pl 스크립트를 이용하면 최신룰로 매칭할 수 있다.(검색ㄱㄱ)

########실행#########################################

/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D

참고:
http://gsxbinary.blogspot.com/2010/07/snort-barnyard2-mysql-base-intro.html

http://blog.nielshorn.net/2010/09/snort-barnyard2-base-complete-installation/

 

barnyard2 실행 전후 퍼포먼스 측정

 

 초당 로그기록량 증가

드롭률 감소

로그량이 많을땐 barnyard가 진리다