Barnyard

From NSMWiki

Background

Barnyard "decouples output overhead from the Snort network intrusion detection system and allows Snort to run at full speed."[1]

The official Snort documentation states that having another program like Barnyard perform the slow action of writing to a database while Snort logs alerts in the binary unified format will increase Snort performance.[2]

With Sguil, Barnyard is used to process unified files prior to passing the data on to the Sguil sensor agent.

Usage

The README file in sensor/barnyard_mods contains instructions for patching Barnyard, which is required for Barnyard to work properly with Sguil 0.6.0 or 0.6.1. The command line usage for the patched version is identical to that of the standard Barnyard version.

Usage: barnyard [OPTIONS]...             (continual mode)
   or: barnyard -o [OPTIONS]... FILES... (batch mode)
Information Options:
  -h         Show this help information
  -?         Show this help information
  -V         Show version and exit
  -R         Display processed configuration and exit
General Configuration Options:
  -c <file>  Use configuration file <file>
  -d <dir>   Read spool files from <dir>
  -L <dir>   Write output files in <dir>
  -v         Increase the verbosity level by 1
  -s <file>  Read the sid-msg map from <file>
  -g <file>  Read the gen-msg map from <file>
  -p <file>  Read the classification map from <file>
Continual Processing Mode Options:
  -a <dir>   Archive processed files to <dir>
  -f <base>  Use <base> as the base unified filename
  -n         Only process new events
  -w <file>  Enable bookmarking using <file>
  -D         Run in daemon mode
  -X <file>  Use <file> as the pid file
Batch Processing Mode Options:
  -o         Enable batch processing mode
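A launcher for the continual-mode invocation described above, added here as an example rather than code from the Sguil project or the Barnyard distribution; it composes the command line from the documented flags and checks the preconditions those flags imply before starting. All paths are assumptions for a typical Sguil sensor.

```shell
#!/bin/sh
# Added example (not from the page or the Sguil/Barnyard projects).
# Builds a continual-mode Barnyard command line from the flags in the usage
# text and verifies the prerequisites before starting. Paths are assumptions.

# Compose the continual-mode argument list: read Snort's unified files from
# the spool directory, resume from a bookmark file, archive processed files,
# and daemonize with a pid file. Prints the full command on one line so it
# can be logged or reviewed before anything is started.
barnyard_cmd() {
    conf=$1; spool=$2; base=$3; bookmark=$4; archive=$5; pidfile=$6
    printf 'barnyard -c %s -d %s -f %s -w %s -a %s -D -X %s\n' \
        "$conf" "$spool" "$base" "$bookmark" "$archive" "$pidfile"
}

# Check what the flags require: a readable config (-c), an existing spool
# directory (-d), a writable archive directory (-a), and no live process
# recorded in the pid file (-X); a second copy would read the same spool
# twice and duplicate every alert downstream. Returns 0 when it is safe to
# start, 1 otherwise, with the reason on stderr.
barnyard_prereqs() {
    conf=$1; spool=$2; archive=$3; pidfile=$4
    [ -r "$conf" ]  || { echo "config $conf not readable" >&2; return 1; }
    [ -d "$spool" ] || { echo "spool dir $spool missing" >&2; return 1; }
    [ -d "$archive" ] && [ -w "$archive" ] \
        || { echo "archive dir $archive missing or not writable" >&2; return 1; }
    if [ -f "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null; then
        echo "barnyard already running (pid $(cat "$pidfile"))" >&2
        return 1
    fi
    return 0
}

# Run the checks, then start Barnyard (assumed paths for a Sguil sensor).
start_barnyard() {
    conf=/etc/snort/barnyard.conf; spool=/var/log/snort
    archive=/var/log/snort/archive; pidfile=/var/run/barnyard.pid
    barnyard_prereqs "$conf" "$spool" "$archive" "$pidfile" || return 1
    barnyard -c "$conf" -d "$spool" -f snort.log -w /var/log/snort/barnyard.waldo \
        -a "$archive" -D -X "$pidfile"
}
```

Call `start_barnyard` from the sensor's startup script; `barnyard_cmd` with the same arguments prints the exact command line that will run.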

Barnyard-related links

Snort download page for Barnyard

Sguil FAQ: Barnyard says "No input plugin found"

Sguil FAQ: Barnyard dies at startup with "Duplicate Entry" error

References

  1. http://sourceforge.net/projects/barnyard
  2. http://www.snort.org/docs/snort_htmanuals/htmanual_261/node9.html