Netgate Discussion Forum

    Issue with Snort Barnyard2 and Bro integration

    • jrcalvert

      I am struggling to get Snort logs to Bro via Barnyard.
      I have configured as below so far:

      On the Bro server:

      • in bro/site/local.bro I have set: @load policy/integration/barnyard2
      • broctl deploy
      • cat bro/logs/current/loaded_scripts.log: I can see that the barnyard scripts are loaded

      On pfSense:

      • Snort package, Snort Interfaces, edit interface settings, barnyard2 tab
        • enable barnyard2, enable Bro-IDS, set remote host and port = 47760 (also tried 47761 for bro in cluster mode), Save
        • restart Snort for the interface. Snort restarts, but barnyard fails.
          In system logs:
          Jul 24 15:24:38 barnyard2 398 FATAL ERROR: failed! Could not connect to Bro!
          Jul 24 15:24:27 barnyard2 398 alert_bro Connecting to Bro (192.168.x.x:47761)...

      On the Bro server, during the restart of Snort/barnyard, checking the broker.log file, it looks like the connection from pfSense disconnects the Bro workers that are listening to mirror interfaces.

      I have seen various references to adding the following to local.bro, but these don't seem compatible with my version:
      @load frameworks/communication/listen

      redef Communication::nodes += {
      ["local"] = [$host=127.0.0.1, $class="barnyard", $events=/Barnyard2::.*/, $connect = F, $ssl = F]
      };

      I am running pfSense 2.4.3 release p1 (amd64), Snort version 3.2.9.6_1, and Bro version 2.5-749 (on Ubuntu 16.04.4 LTS).

      Thanks
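
Added example, not part of the original post: a small Python triage helper for the failure shown above. It extracts the Bro host and port from barnyard2 log lines in the format pasted in the post and checks plain TCP reachability of that listener, which separates a closed or filtered port from a failure above TCP. The sample log is constructed, `192.0.2.10` stands in for the masked address, and the function names are illustrative.

```python
import re
import socket

# Constructed sample modelled on the two log lines in the post (newest first,
# as pasted there). 192.0.2.10 is a documentation address standing in for the
# masked 192.168.x.x.
SAMPLE_LOG = """\
Jul 24 15:24:38 barnyard2 398 FATAL ERROR: failed! Could not connect to Bro!
Jul 24 15:24:27 barnyard2 398 alert_bro Connecting to Bro (192.0.2.10:47761)...
"""

# Assumes the "<timestamp> barnyard2 <pid> <message>" layout seen in the post.
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) barnyard2 (?P<pid>\d+) (?P<msg>.*)$")
CONNECT = re.compile(r"alert_bro Connecting to Bro \((?P<host>[^:()]+):(?P<port>\d+)\)")
FATAL = "Could not connect to Bro"


def failed_targets(log_text):
    """Return sorted (host, port) pairs whose barnyard2 PID also logged the FATAL error."""
    attempts, fatal_pids = {}, set()
    for raw in log_text.splitlines():  # order-independent: works newest- or oldest-first
        m = LINE.match(raw.strip())
        if not m:
            continue
        c = CONNECT.search(m["msg"])
        if c:
            attempts[m["pid"]] = (c["host"], int(c["port"]))
        elif FATAL in m["msg"]:
            fatal_pids.add(m["pid"])
    return sorted({t for pid, t in attempts.items() if pid in fatal_pids})


def probe(host, port, timeout=3.0):
    """Classify plain TCP reachability of the Bro listener from this host."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "tcp_ok"        # port accepts connections: the failure is above TCP
    except socket.timeout:
        return "tcp_timeout"       # filtered or host down: check firewall rules and routing
    except ConnectionRefusedError:
        return "tcp_refused"       # nothing is listening on that port on the Bro host
    except OSError:
        return "tcp_error"         # e.g. no route to host or name resolution failure


if __name__ == "__main__":
    for host, port in failed_targets(SAMPLE_LOG):
        print(f"{host}:{port} -> {probe(host, port)}")
```

Run it from a host on the same network path as the firewall; a `tcp_ok` result alongside the FATAL log line points at the session setup between barnyard2 and Bro rather than at the port or firewall rules.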
