Barnyard2 - MySQL schema?



  • Hello,

    I've been using Pfsense for a few years with snort enabled. I would now like to enable Barnyard2 so I can send the snort logs to a MySQL server. I have MySQL running on a separate dedicated server.

    How do I create the database schema that Barnyard2 requires? I've searched all over and the only references I find are on snort.org forums - but, they discuss multiple versions of the schema and I am not sure which of them will work with the snort package in pfsense.

    I have read through the "how to install snorby" article (http://www.securityjokes.com/2010/04/pfsense-remote-logging-and-snorby.html), but, it does not answer my question. I would like to use my own MySQL server and just create the required database.

    Versions that I am using:
    pfsense: 1.2.3-RELEASE 
    snort: 2.8.6.1 pkg v. 1.33
    MySQL: 5.1.50

    So, my two questions are:

    1. How do I create the database schema that Barnyard2 requires? A link to a script will be very much appreciated.

    2. While installing snort on the pfsense server, I noticed that it installs MySQL on to the pfsense server. Can this mysql instance be used for Barnyard2? Any issues with doing this? Does this MySQL instance already have the barnyard2 database schema created in it?

    Thanks,
    MediocreFred.



  • Download

    http://www.securixlive.com/download/barnyard2/barnyard2-1.9-beta1.tar.gz

    The file needed to import into mysql is in

    /barnyard2-1.9-beta1/schemas

    James
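
Added example, not part of the original posts and not code from the Barnyard2 or pfSense projects: one way to prepare the database on a separate MySQL server with a restricted account before importing the schema from the directory named above. Assumptions: the schema file in that directory is called `create_mysql`, the database is `snort`, the account is `barnyard2`, the sensor address is 192.0.2.10 (documentation range), the password comes from a hypothetical `BY2_PASS` environment variable, and the privilege list is an assumed working set.

```shell
#!/bin/sh
# Added example: emit SQL for a Barnyard2 database and a restricted account.
# All names below are assumptions for illustration, not values from the thread.

# Accept only plain identifiers / host names so values can be embedded in SQL.
# Wildcard hosts such as % are rejected on purpose.
valid_name() {
    case $1 in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print SQL that creates the database and an account that can only read and
# write rows in it, only from the sensor's address, and only over SSL.
# No CREATE, DROP, ALTER or GRANT rights are given to the sensor account.
barnyard2_sql() {
    db=$1 user=$2 host=$3 pass=$4
    valid_name "$db" && valid_name "$user" && valid_name "$host" || return 1
    # Refuse empty passwords and characters that would break the quoting.
    case $pass in ''|*"'"*|*\\*) return 1 ;; esac
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\`;
GRANT SELECT, INSERT, UPDATE, DELETE ON \`$db\`.* TO '$user'@'$host' IDENTIFIED BY '$pass' REQUIRE SSL;
EOF
}

# When called with three arguments, print the SQL using the password from the
# environment (keeps it out of the process list).
if [ "$#" -eq 3 ]; then
    barnyard2_sql "$1" "$2" "$3" "${BY2_PASS:-}"
fi

# On the MySQL server, from the directory where the tarball was unpacked:
#   BY2_PASS=... sh prep.sh snort barnyard2 192.0.2.10 | mysql -u root -p
#   mysql -u root -p snort < barnyard2-1.9-beta1/schemas/create_mysql
#   mysql -u root -p -e 'SHOW TABLES' snort    # confirm the tables exist
# Remove REQUIRE SSL if Barnyard2 is not configured to connect over SSL.
```

The schema import is run as an administrative MySQL user because the sensor account deliberately has no CREATE privilege.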



  • Thanks very much James!

    A follow up question - is it possible to use the MySQL that gets installed with Snort to store Barnyard2's logs (by creating a new database with the correct schema that you have linked to)?

    The reason I ask is that my MySQL server may occasionally be taken offline for maintenance; if I understand correctly, Snort will either stop or not start if Barnyard cannot connect to its database. This means that if my MySQL server is down, Snort will be down too. I'd rather not have this dependency. My PFSense server runs all year long - I've only had to restart it when I update pfsense.

    Thanks,
    MediocreFred.



  • Snort Package installs only mysql client NOT the server.

    If barnyard2 dies snort will not die in any event.

    Oops, I forgot to include something in the barnyard2 GUI code. I'll update in a bit.

    James



  • Ah, ok… that makes perfect sense. Thanks for taking the time to clarify!

    I hardly ever say this, but, thanks a million for your near real-time updates of the snort package!

    I noticed that when Barnyard2 couldn't start up (due to the missing db schema on my MySQL server), it generated a Barnyard2: FATAL ERROR in the log, but, Snort didn't start up either. Looking through the log, it seems like Snort loaded up all its rules and as its last step, it starts up Barnyard2; if Barnyard2 encounters a fatal error, it looks like Snort aborts too. This caused me to assume that if Barnyard2 lost its db connectivity, snort would crash as well.

    -MediocreFred.

    @jamesdean:

    Snort Package installs only mysql client NOT the server.

    If barnyard2 dies snort will not die in any event.

    Oops, I forgot to include something in the barnyard2 GUI code. I'll update in a bit.

    James



  • Hi

    You're good to go; I just finished testing and everything seems fine.
    You may want to reinstall the package as barnyard2 was not being installed correctly.

    If you want you can start barnyard2, you can even use SSL with it.

    James



  • Is Services: Snort 2.8.6 pkg v. 1.31 affected by that same GUI bug? I have it working but I am just wondering what the issue was.



  • No, but you should really update when you can.

    James

