Issue with Snort Barnyard2 and Bro integration
I am struggling to get Snort logs to Bro via Barnyard.
I have configured as below so far:
On the Bro server:
- in bro/site/local.bro I have set: @load policy/integration/barnyard2
- broctl deploy
- cat bro/logs/current/loaded_scripts.log: I can see that the barnyard scripts are loaded
On pfSense
- Snort package, Snort Interfaces, edit interface settings, barnyard2 tab
- enable barnyard2, enable Bro-IDS, set remote host and port = 47760 (also tried 47761 for bro in cluster mode), Save
- restart Snort for the interface. Snort restarts, but barnyard fails.
In system logs:
Jul 24 15:24:38 barnyard2 398 FATAL ERROR: failed! Could not connect to Bro!
Jul 24 15:24:27 barnyard2 398 alert_bro Connecting to Bro (192.168.x.x:47761)...
On the Bro server, during the restart of snort/barnyard, checking the broker.log file it looks like the connection from pfSense disconnects the Bro workers that are listening on the mirror interfaces.
I have seen various references to adding the following to local.bro, but these don't seem compatible with my version:
@load frameworks/communication/listen
redef Communication::nodes += {
["local"] = [$host=127.0.0.1, $class="barnyard", $events=/Barnyard2::.*/, $connect = F, $ssl = F]
};
I am running pfSense 2.4.3 release p1 (amd64), Snort version 3.2.9.6_1, and Bro version 2.5-749 (on Ubuntu 16.04.4 LTS).
Thanks