Barnyard2 and Remote Syslog Problems
-
Hello everyone, I'm running a fresh install of 2.4.2_1 with snort package 3.2.9.6_1. I can always get snort alerts to local log correctly and then I can have the firewall logs remotely hit the remote (same subnet) syslog server perfectly fine. Howeever, using the WebUI to send to the remote syslog server; I see nothing in my pcaps that show any UDP traffic attempts. During my troubleshooting when I switched tcp (same port). I see barnyard2 establishing a tcp connection successfully; however no alerts or data payload is sent. Doing a U2spewfoo on the waldo file on the interface shows data with packet payload along with the standard fast alert file at /var/log/snort/snort_interface spool file and waldo. I've also tried playing with the log facility to ensure I'm not suing something possibly conflicting but it just doesn't work for me.
I am using ET open and Snort VRT rules with policy enabled. There's plenty of alerting however trying to get Barnyard2 to even properly send to the remote syslog server is just not working for me at all. The only way I can even get remote syslog feature working is to save alerts to the firewall logs and then forward the logs to my syslog server from the firewall side. Which I don't want to do; and based on the topic at: https://forum.pfsense.org/index.php?topic=142690.0 I definitely want to see full payload sent to the syslog server.
Can someone please advise on what they have on their setup either in WebUI or if you manually added/revised config files on the file system?
Barnyard2.conf on the interface:
[2.4.2-RELEASE][admin@pfsense.local]/root: less /usr/local/etc/snort/snort_64371_bge1/barnyard2.conf # barnyard2.conf # barnyard2 can be found at http://www.securixlive.com/barnyard2/index.php # ## General Barnyard2 settings ## config quiet config daemon config decode_data_link config alert_with_interface_name config event_cache_size: 8192 config show_year config dump_payload config archivedir: /var/log/snort/snort_bge164371/barnyard2/archive config reference_file: /usr/local/etc/snort/snort_64371_bge1/reference.config config classification_file: /usr/local/etc/snort/snort_64371_bge1/classification.config config sid_file: /usr/local/etc/snort/snort_64371_bge1/sid-msg.map config gen_file: /usr/local/etc/snort/snort_64371_bge1/gen-msg.map config hostname: pfsense.local config interface: bge1 config waldo_file: /var/log/snort/snort_bge164371/barnyard2/64371_bge1.waldo config logdir: /var/log/snort/snort_bge164371 ## START user pass through ## ## END user pass through ## ## Setup input plugins ## input unified2 ## Setup output plugins ## # syslog_full: log to a remote syslog receiver output log_syslog_full: sensor_name pfsense.local, server <my ip="" redacted="">, protocol udp, port 514, operation_mode complete, payload_encoding ascii, log_facility LOG_SYSLOG, log_priority LOG_INFO</my>
Also looking at this thread; it appears others may have my same issue: https://forum.pfsense.org/index.php?topic=126201.0
Has anyone been able to get utilize Barnayrd2 only for remote syslog alert + full payload? I can't even get alerts to kick out without payload to
-
With the last Snort update, I added the modifications suggested by the user in the thread you linked. So far as I know, that new code works as he was successfully using it.
I will need to make some time for testing on my own. I personally gave up on Barnyard2 quite some time back. It was just too finicky and does not seem well supported on FreeBSD. The last time the port was materially updated on FreeBSD was 2013. That was a version change from 1.12 to 1.13. Coincidentally, it was that version change where I saw all kinds of MySQL issues emerge with using Barnyard2 and Snorby.
Bill
-
Hi Bill,
Thanks for the response. Yes I saw your changes and I got excited as I saw the other user's thread hoping that would've been a fix or recent changes in the snort package would've solved my issue.
I PM'd the MichaelB and he's got some changes in syslog.conf and snort.conf which could be in effect still. I thought I was doing something wrong or some reminiscence; I'm awaiting his response on what changes could be part of it.
Personal frustration and in agreement with barnyard2; At some point I almost would rather take the hit of inefficiency to have a package/setting where every alert gets written to it's own unified2 log and then a watch script does something like u2spewfoo /var/log/snort_foo | nc -u <remotesyslog>514 for the new alert file and then every so often the automatic log management wipes out the old logs.</remotesyslog>
-
Update: Got suricata Barnyard2 working fine without problems. Seems isolated to Snort package. Unlike the unfortunately the WebUI isn't the same that sets the full payload settings fixed like in Snort. I added a pass through which gets converted into Base64 upon returning to the screen. This causes a double log condition. So instead I've set the WebUI to log local but also set the pass through for the settings I wanted.
## START user pass through ## output log_syslog_full: sensor_name pfsenseWAN, server <redacted>protocol udp, port 514, operation_mode complete, log_facility LOG_LOCAL1, log_priority LOG_INFO ## END user pass through ## ## Setup input plugins ## input unified2 ## Setup output plugins ## # syslog_full: log to a syslog receiver output alert_syslog_full: sensor_name pfsenseWAN, local, log_facility LOG_LOCAL1, log_priority LOG_INFO</redacted>
Attached is a screenshot of what is shown.
In the Syslog via Barnyard2 config using SURICATA (not snort) this is the style of syslog I get when testing. It includes the hex edition payload of what is captured as part of the packet alert decode.
| [SNORTIDS[LOG]: [pfsenseWAN] ] || 2018-02-15 11:17:27.330+-06 1 [1:2023472:5] ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup) || policy-violation || 17 73.32.116.14 208.69.39.2 4 20 0 73 30561 0 0 20173 0 || 55131 53 53 46268 || 87 00015C9E56462C4138AF84D60800450000497761000040114ECD4920740ED0452702D75B00350035B4BC908700100001000000000001046D796970076F70656E646E7303636F6D00000100010000291000000080000000 || \0x0A |
I hope this helps others; though I hope we are able to figure out what is going on with the snort package.
| [SNORTIDS[LOG]: [pfsenseWAN] ] || 2018-02-15 11:29:26.742+-06 1 [1:2023472:5] ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup) || policy-violation || 17 73.32.116.14 146.112.60.53 4 20 0 73 26959 0 0 34177 0 || 61626 53 53 35866 || 87 ..\.VF,A8.....E..IiO..@...I t..p<5...5.5...............myip.opendns.com.......)........ || \0x0A |
And resulting pass through you have to specify payload_encoding ascii <– if you want to show up in the syslog instead of default hex.
output log_syslog_full: sensor_name pfsenseWAN, server <server ip="">, protocol udp, port 514, operation_mode complete, payload_encoding ascii, log_facility LOG_LOCAL1, log_priority LOG_INFO
![hex decode syslog payload example.PNG](/public/imported_attachments/1/hex decode syslog payload example.PNG)
![hex decode syslog payload example.PNG_thumb](/public/imported_attachments/1/hex decode syslog payload example.PNG_thumb)</server> -
I double checked and I am pretty sure it has nothing to do with my firewall log settings, as I configured these to send to a different port.
Can you post a screenshot of the Snort settings you tried + did you also try with HEX encoding instead of Ascii?
Edit: I see that you could not even get Snort to work without payload. What's the output of :```
ps auxww | grep snort -
If you guys figure something out, just let me know and I can update the GUI code.
If you want to make manual edits of the Barnyard2 config file, then you will need to start/stop Snort and Barnyard2 using the command line instead of the GUI icons. When you use the GUI, it will overwrite the config files for Snort and Barnyard2. However, if you use the shell script in /usr/local/etc/rc.d/snort.sh, then that simply starts the binaries (Snort and Barnyard2 when it is enabled) on the interfaces using the existing config files. This will let you try various settings directly in the config file for Barnyard2.
So something like this will stop and start Snort and Barnyard2 on all interfaces –
/usr/local/etc/rc.d/snort.sh stop # to stop the process /usr/local/etc/rc.d/snort.sh start # to start the process /usr/local/etc/rc.d/snort.sh restart # to stop and start the process
Looks like from your other posts that you already know where to find the actual Barnyard2 config file for an interface.
Bill
-
Hi guys thanks for the response. @Mike - snort was running fine and blocking; barnyard was operational. No distinct errors related that I could see. As soon as I ditched snort and went with the suricata packaged and did the reload (as per what Bill stated) using manual barnyard2.conf settings; I got payload working just fine. Even out of the box without manual configuration basic alerting on the Suricata package worked. I've done full warm and cold reboots as well before I gave up on Snort and just tried Suricata out of dumb luck.
-
Well if you decide to test again with Snort let us know!
Perhaps you were just running multiple interfaces and configured barnyard on the wrong one?