Snort and Barnyard2
-
Okay, so, this is quite a noob question I believe. ;D But I've had snort running for quite a while on my firewall, and just recently upgraded snort to the newest version and pfsense to 1.2.3.
The GUI of the snort package had changed with some new features, like barnyard2. Since I did not know what that was I disabled it. I've searched the forum, but cannot find any explanation of what it does, so I googled and, as I understand it, it is some sort of log analyzer for snort.
Though, as it is now, I don't get any block logs or anything from snort. But it seems to be running.
Do I need to enable it to get the logs working or? Does barnyard2 have any more features?
-
You do not need to enable it. Make sure the interface is enabled (green), then edit the Snort interface's preprocessor tab and check off the boxes.
-
Okay, so I need to tick some of the boxes to make snort do any work at all? =)
Which of them are sensible to mark for a standard safety setup?
Performance Statistics
Portscan Detection
Or?
-
Barnyard2 is fixed now in snort pkg v. 1.25
James
-
Okay!
Thanks for all the answers!
But still, I need to tick some preprocessors to get snort to start checking the traffic on my interface?
//A
-
James, thank you very much for your hard work on Snort - awesome package!
I've upgraded with each new version and am running Snort 2.8.5.3 pkg v. 1.25. Snort runs, but my one problem is Barnyard2, which is showing enabled but is not running due to mysql. I do have mysql enabled but forgot the original password required in the barnyard tab. Restarting snort shows this entry in the logs:
barnyard2[32432]: fatal error: database: mysql_error: can't connect to local mysql server through socket '/tmp/mysql.sock
I looked at the snorby tutorial in the FAQ for barnyard, but I know you said barnyard is now fixed, so I'm not sure what to do to get barnyard2 to turn green/enabled with my password issue. Any ideas?