
Barnyard2

Barnyard2 is an open source interpreter for Snort unified2 binary output files. Its main purpose is to let Snort write to disk efficiently and to hand the task of parsing that binary data into various formats to a separate process, so that parsing never causes Snort to miss network traffic.
The function of this tool is to store and process Snort's binary output into a MySQL database.
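To make the "binary output" concrete, here is a small reader for the unified2 record stream that Barnyard2 consumes. This is an added example, not Barnyard2's or Snort's own code; it decodes the record header, the IDS event record (type 7) and the packet record (type 2), keeps any other record type raw, and reports truncated records the way a spool reader must when it catches up with a file Snort is still appending to. The sample bytes at the bottom are constructed here, not captured from a sensor.

```python
import socket
import struct

# unified2 record types (from Snort's unified2 format definition)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# Every record starts with a big-endian header: type (u32), length (u32).
_HDR = struct.Struct("!II")
# Unified2IDSEvent (type 7): eleven u32, two u16, four u8 = 52 bytes.
_EVENT = struct.Struct("!11I2H4B")
_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)
# Unified2Packet (type 2): seven u32 = 28 bytes, then packet_length bytes of data.
_PACKET = struct.Struct("!7I")
_PACKET_FIELDS = (
    "sensor_id", "event_id", "event_second", "packet_second",
    "packet_microsecond", "linktype", "packet_length",
)


def parse_ids_event(body):
    """Decode a type-7 event body into a dict, rendering the IPs as dotted quads."""
    if len(body) < _EVENT.size:
        raise ValueError("IDS event body too short")
    ev = dict(zip(_EVENT_FIELDS, _EVENT.unpack_from(body)))
    for key in ("ip_source", "ip_destination"):
        ev[key] = socket.inet_ntoa(struct.pack("!I", ev[key]))
    return ev


def parse_packet(body):
    """Decode a type-2 packet body; the raw packet follows the fixed header."""
    if len(body) < _PACKET.size:
        raise ValueError("packet body too short")
    pk = dict(zip(_PACKET_FIELDS, _PACKET.unpack_from(body)))
    data = body[_PACKET.size:_PACKET.size + pk["packet_length"]]
    if len(data) != pk["packet_length"]:
        raise ValueError("packet record shorter than its packet_length field")
    pk["data"] = data
    return pk


def iter_records(blob):
    """Yield (type, parsed) for each record; unknown types are kept raw.

    A record whose declared length runs past the end of the data is reported as
    truncated, which is what a reader sees when it reads a spool file while
    Snort is still appending the last record to it.
    """
    off = 0
    while off + _HDR.size <= len(blob):
        rtype, rlen = _HDR.unpack_from(blob, off)
        off += _HDR.size
        body = blob[off:off + rlen]
        if len(body) != rlen:
            raise ValueError("truncated record at offset %d" % (off - _HDR.size))
        off += rlen
        if rtype == UNIFIED2_IDS_EVENT:
            yield rtype, parse_ids_event(body)
        elif rtype == UNIFIED2_PACKET:
            yield rtype, parse_packet(body)
        else:
            yield rtype, {"raw": body}


def record_totals(blob):
    """Counts in the spirit of Barnyard2's 'Record Totals' summary."""
    totals = {"records": 0, "events": 0, "packets": 0, "unknown": 0}
    for rtype, _ in iter_records(blob):
        totals["records"] += 1
        if rtype == UNIFIED2_IDS_EVENT:
            totals["events"] += 1
        elif rtype == UNIFIED2_PACKET:
            totals["packets"] += 1
        else:
            totals["unknown"] += 1
    return totals


# --- constructed sample spool content (not captured from a real sensor) ---
def _record(rtype, body):
    return _HDR.pack(rtype, len(body)) + body


def _ip(dotted):
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


SAMPLE_EVENT = _EVENT.pack(
    1, 324, 1583308342, 0,              # sensor_id, event_id, event_second, usec
    1000001, 1, 3,                      # signature_id, generator_id, revision
    3, 2,                               # classification_id, priority_id
    _ip("10.0.0.5"), _ip("10.0.0.9"),   # ip_source, ip_destination
    40000, 22, 6, 0, 0, 0)              # sport, dport, proto TCP, impact flags, blocked
SAMPLE_PAYLOAD = b"\xde\xad\xbe\xef"
SAMPLE_PACKET = _PACKET.pack(1, 324, 1583308342, 1583308342, 0, 1,
                             len(SAMPLE_PAYLOAD)) + SAMPLE_PAYLOAD
SAMPLE_SPOOL = (_record(UNIFIED2_IDS_EVENT, SAMPLE_EVENT)
                + _record(UNIFIED2_PACKET, SAMPLE_PACKET))

if __name__ == "__main__":
    for rtype, rec in iter_records(SAMPLE_SPOOL):
        print(rtype, rec)
    print(record_totals(SAMPLE_SPOOL))
```

Pointing iter_records at the bytes of a real snort.u2.<timestamp> file shows exactly what Barnyard2 turns into database rows: one event record per alert, followed by the packet record(s) that triggered it, tied together by sensor_id and event_id.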

Pulledpork

PulledPork automatically downloads the latest rulesets from the Snort website.

Snort supporting packages

build-essential: provides the build tools (GCC and the like) to compile software.

bison, flex: parsers required by DAQ (DAQ is installed later below).

libpcap-dev: Library for network traffic capture required by Snort.

libpcre3-dev: Library of functions to support regular expressions required by Snort.

libdumbnet-dev: the libdnet library provides a simplified, portable interface to several low-level networking routines. Many guides for installing Snort install this library from source, although that is not necessary.

zlib1g-dev: A compression library required by Snort.

liblzma-dev: Provides decompression of swf files (Adobe Flash).

openssl and libssl-dev: Provide SHA and MD5 file signatures.

Snort files

We now need to move the following files from the extracted Snort tarball to the snort configuration
folder:

classification.config describes the types of attack classifications that Snort understands (grouping rules into these types of classifications), such as trojan-activity or system-call-detect. The list of classifications can be found in section 3.4.6 of the Snort Manual.

file_magic.conf describes rules for identifying file types.

reference.config contains urls that are referenced in the rules that provide more information about
alerts.

snort.conf is the configuration file for Snort, it tells Snort where resources are located, and how to
output alerts, among other things.

threshold.conf allows you to control the number of events that are required to generate an alert,
which can help suppress noisy alerts. More information here.

attribute_table.dtd lets Snort use outside information to determine protocols and policies. More information here.

gen-msg.map tells Snort which pre-processor is used by which rule. More information here.

unicode.map provides a mapping between Unicode languages and the identifier. This file is required
by Snort in order to start.

How to run Snort

Running in the console (the second form drops Snort's privileges to the snort user and group with -u/-g):

sudo snort -A console -q -c /etc/snort/snort.conf -i enp0s3

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i enp0s3

How to check the configuration and rules

sudo snort -T -c /etc/snort/snort.conf -i enp0s3

Running Barnyard2:

mesin-a@mesin-A:~$ sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort
Running in Continuous mode

--== Initializing Barnyard2 ==--


Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"

+[ Signature Suppress list ]+


----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+

Barnyard2 spooler: Event cache size set to [2048]


Log directory = /var/log/barnyard2
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = localhost
database: user = snort
database: database name = snort
database: sensor name = mesin-A:NULL
database: sensor id = 1
database: sensor cid = 324
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility

--== Initialization Complete ==--

______ -*> Barnyard2 <*-


/ ,,_ \ Version 2.1.14 (Build 336)
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/
+ '''' + (C) Copyright 2008-2013 Ian Firns <firnsy@securixlive.com>

Using waldo file '/var/log/snort/barnyard2.waldo':


spool directory = /var/log/snort
spool filebase = snort.u2
time_stamp = 1583254985
record_idx = 0
Opened spool file '/var/log/snort/snort.u2.1583308342'
ERROR: Unable to open log spool file '/var/log/snort/snort.u2.1583308342'
(Permission denied)
Closing spool file '/var/log/snort/snort.u2.1583308342'. Read 0 records
ERROR: Unable to create spooler!
===============================================================================
Record Totals:
Records: 0
Events: 0 (0.000%)
Packets: 0 (0.000%)
Unknown: 0 (0.000%)
Suppressed: 0 (0.000%)
===============================================================================
Packet breakdown by protocol (includes rebuilt packets):
ETH: 0 (0.000%)
ETHdisc: 0 (0.000%)
VLAN: 0 (0.000%)
IPV6: 0 (0.000%)
IP6 EXT: 0 (0.000%)
IP6opts: 0 (0.000%)
IP6disc: 0 (0.000%)
IP4: 0 (0.000%)
IP4disc: 0 (0.000%)
TCP 6: 0 (0.000%)
UDP 6: 0 (0.000%)
ICMP6: 0 (0.000%)
ICMP-IP: 0 (0.000%)
TCP: 0 (0.000%)
UDP: 0 (0.000%)
ICMP: 0 (0.000%)
TCPdisc: 0 (0.000%)
UDPdisc: 0 (0.000%)
ICMPdis: 0 (0.000%)
FRAG: 0 (0.000%)
FRAG 6: 0 (0.000%)
ARP: 0 (0.000%)
EAPOL: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
InvChkSum: 0 (0.000%)
S5 G 1: 0 (0.000%)
S5 G 2: 0 (0.000%)
Total: 0
===============================================================================
mesin-a@mesin-A:~$
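The run above fails at "Unable to open log spool file ... (Permission denied)": Barnyard2 was started with -u snort -g snort, so after dropping privileges it can only read spool files whose owner, group or other bits allow the snort user, and it also needs search (execute) permission on the spool directory. The following diagnostic, an added example and not part of Barnyard2, reproduces that check from the mode bits via os.stat without switching users, so it can be run as any account; it ignores POSIX ACLs, and the default user name "snort" and the /var/log/snort and snort.u2 paths are taken from the command line shown on this page.

```python
import os
import stat


def _has_bit(path, uid, gids, user_bit, group_bit, other_bit):
    """Classic owner/group/other evaluation of one permission class.

    Root passes; the owner is judged by the user bits only, a member of the
    file's group by the group bits only, everyone else by the other bits.
    POSIX ACLs are not considered (assumption of this example).
    """
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & user_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def can_read(path, uid, gids):
    return _has_bit(path, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def can_search(path, uid, gids):
    """Opening a file inside a directory needs the directory's execute bit."""
    return _has_bit(path, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def spool_problems(spool_dir, filebase, uid, gids):
    """Return the paths that would make Barnyard2 (-d/-f) fail for uid/gids.

    Checks the spool directory itself and every file named <filebase>.<suffix>,
    which is how Snort names unified2 output (e.g. snort.u2.1583308342).
    """
    problems = []
    if not can_search(spool_dir, uid, gids):
        problems.append(spool_dir)
    for name in sorted(os.listdir(spool_dir)):
        if not name.startswith(filebase + "."):
            continue
        path = os.path.join(spool_dir, name)
        if not can_read(path, uid, gids):
            problems.append(path)
    return problems


def uid_gids_for(username):
    """Resolve a user name to (uid, [primary gid plus supplementary gids])."""
    import grp
    import pwd
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return pw.pw_uid, sorted(gids)


if __name__ == "__main__":
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "snort"
    uid, gids = uid_gids_for(user)
    for p in spool_problems("/var/log/snort", "snort.u2", uid, gids):
        print("not readable by %s: %s" % (user, p))
```

If the script lists the spool directory or a snort.u2.* file, the ownership or mode of that path is what Barnyard2 is tripping over: the files need to be readable by the account named with -u/-g (for example, owned by snort:snort, which is what the page's second Snort command produces by also running Snort as that user) rather than relaxing permissions for everyone.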
