Spawnzao

Dando continuidade ao artigo anterior (Instalando o Snort (NIDS) no CentOS 7), vamos agora instalar o Barnyard2, responsável por vigiar a inclusão de novos registros no arquivo de log do Snort e enviá-los para um Banco de Dados, no nosso caso vamos utilizar o Mysql ou MariaDB no CentOS 7.

Vamos instalar as dependências:

yum install mariadb-devel mariadb-server

Criar uma pasta temporária para compilar o Barnyard2:

mkdir /usr/local/src/snort
cd /usr/local/src/snort

Baixar o Source do Barnyard2 via git:

git clone https://github.com/firnsy/barnyard2.git barnyard2

Entrar no diretório, compilar e instalar:

cd barnyard2/
./autogen.sh
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql
make && make install

Agora vamos copiar os arquivos necessários para seus corretos diretórios e acertar suas permissões.

cp rpm/barnyard2 /etc/init.d/
cp rpm/barnyard2.config /etc/sysconfig/barnyard2
cp /usr/local/etc/barnyard2.conf /etc/snort/barnyard.conf
cp /usr/local/bin/barnyard2 /usr/bin/
chmod +x /etc/init.d/barnyard2
chkconfig --add barnyard2
systemctl daemon-reload
mkdir /var/log/snort/archive
chown snort:snort /var/log/snort -R
chown snort:snort /etc/snort -R

Agora vamos configurar o /etc/snort/barnyard.conf:

# to ensure that any plugins requiring some level of uniqueness in their output
# the alert_with_interface_name, interface and hostname directives are provided.
# An example of usage would be to configure them to the values of the associated
# snort process whose unified files you are reading.
#
# Example:
# For a snort process as follows:
# snort -i eth0 -c /etc/snort.conf
#
# Typical options would be:
# config hostname: thor
# config interface: eth0
# config alert_with_interface_name
#
config hostname: saturno
config interface: em2

…

# alert_fast
# —————————————————————————-
# Purpose: Converts data to an approximation of Snort’s “fast alert” mode.
#
# Arguments: file , stdout
# arguments should be comma delimited.
# file – specifiy alert file
# stdout – no alert file, just print to screen
#
# Examples:
# output alert_fast
# output alert_fast: stdout
#
#output alert_fast: stdout

…

# database: log to a variety of databases
# —————————————————————————-
#
# Purpose: This output module provides logging ability to a variety of databases
# See doc/README.database for additional information.
#
# Examples:
# output database: log, mysql, user=root password=test dbname=db host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, odbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
# output database: log, oracle, dbname=snort user=snort password=test
#
output database: log, mysql, user=snort password=snort dbname=snort host=localhost

Vamos configurar o /etc/sysconfig/snort:

#ALERTMODE=fast

Vamos configurar o arquivo /etc/sysconfig/barnyard2:

# Config file for /etc/init.d/barnyard2
LOG_FILE=”alert.log”

# You probably don’t want to change this, but in case you do
SNORTDIR=”/var/log/snort”
INTERFACES=”eth1″

# Probably not this either
CONF=/etc/snort/barnyard.conf

EXTRA_ARGS=”-u snort -g snort”

Alterar o arquivo /etc/init.d/barnyard2:

ARCHIVEDIR=”$SNORTDIR/archive”
WALDO_FILE=”$SNORTDIR/barnyard2.waldo”
BARNYARD_OPTS=”-D -c $CONF -d $SNORTDIR -w $WALDO_FILE -l $SNORTDIR -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS”

Vamos iniciar o Banco de Dados MariaDB:

systemctl start mariadb.service

Não vou entrar no mérito de configurar segurança no Banco de Dados, estou utilizando sem senha:

mysql -u root 
MariaDB [(none)]> create database snort;
MariaDB [(none)]> create user 'snort'@'localhost' identified by 'snort';
MariaDB [(none)]> grant all on snort.* to 'snort'@'localhost' identified by 'snort';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit

Vamos Criar as tabelas do Snort:

mysql -u root -D snort < /usr/local/src/snort/barnyard2/schemas/create_mysql

Agora vamos inciar o serviço do Barnyard:

service barnyard2 start

Até a próxima.