Snort/Barnyard2 interface via Stunnel


  • pfSense 2.1.3
    Snort 2.9.6
    Barnyard2 ?
    Stunnel 4.43.0

    Unified2 feed from Snort remains constant on all sensors

    First off, thank you for such a great software security suite of tools.

    Pointing several Snort IDS sensors to a remote MySQL server using a common port (let's call it TCP 3333). Created the Stunnel cert at the remote server using:

    openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem

    I did not create the Diffie-Hellman 'openssl gendh 512 >> stunnel.pem' as I did not see anything in the pfSense Barnyard2 configuration that suggested integration. However the other native Stunnel relationships do support the DH key.

    All Stunnel connections are in place and operational to the remote MySQL server. I did have to go into the working pfSense Barnyard2.conf and append [port = 3333] to the MySQL line. The remote Stunnel takes the incoming port TCP 3333 feeds and port forwards the data streams to the local TCP 3306 MySQL listener.

    Restarting the Snort interface, everything comes up and the remote end does see the incoming connection from the pfSense Snort application. My challenge is that Barnyard2 stops working and the connection is closed after a while. The native feeds from the other remote Snort sensors remain functional.

    Any ideas on keeping the Barnyard2 application running?


  • @wq6n:

    pfSense 2.1.3
    Snort 2.9.6
    Barnyard2 ?
    Stunnel 4.43.0

    Unified2 feed from Snort remains constant on all sensors

    First off, thank you for such a great software security suite of tools.

    Pointing several Snort IDS sensors to a remote MySQL server using a common port (let's call it TCP 3333). Created the Stunnel cert at the remote server using:

    openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem

    I did not create the Diffie-Hellman 'openssl gendh 512 >> stunnel.pem' as I did not see anything in the pfSense Barnyard2 configuration that suggested integration. However the other native Stunnel relationships do support the DH key.

    All Stunnel connections are in place and operational to the remote MySQL server. I did have to go into the working pfSense Barnyard2.conf and append [port = 3333] to the MySQL line. The remote Stunnel takes the incoming port TCP 3333 feeds and port forwards the data streams to the local TCP 3306 MySQL listener.

    Restarting the Snort interface, everything comes up and the remote end does see the incoming connection from the pfSense Snort application. My challenge is that Barnyard2 stops working and the connection is closed after a while. The native feeds from the other remote Snort sensors remain functional.

    Any ideas on keeping the Barnyard2 application running?

    Do you see any Barnyard2-related messages in the system log on the pfSense side? The latest Barnyard2 binary seems to have a problem with multiple instances concurrently accessing the same SQL DB. This usually manifests itself with a "duplicate key" error written to the pfSense system log.

    The fix, if you have this error, is to choose only one Barnyard2 instance to update the References table.  There is a checkbox to handle this on the BARNYARD tab in Snort.

    Bill
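
Added example, not code from this thread nor from the pfSense, stunnel or Barnyard2 projects: a POSIX shell script that renders the two stunnel configurations and the Barnyard2 database output line for the setup described in the first post (sensor-side stunnel client on 127.0.0.1:3333, server-side stunnel on TCP 3333 forwarding to the local MySQL listener on 3306), and applies the fix from Bill's reply by letting exactly one sensor maintain the signature reference table. Compared with the recipe in the post it generates 2048-bit DH parameters instead of `openssl gendh 512`, keeps the private key out of the file shipped to the sensors, and makes the sensors verify the server certificate (without `verify`/`CAfile` a stunnel client accepts any server). Assumptions: the host name mysql.example.internal, the /etc/stunnel and /usr/local/etc/stunnel paths, the database name, user and sensor names, and that the BARNYARD tab checkbox corresponds to Barnyard2's `disable_signature_reference_table` output keyword.

```shell
#!/bin/sh
# Added example (not from the thread or the projects it discusses).
# Path: Barnyard2 -> stunnel client 127.0.0.1:3333 -> TLS -> stunnel server :3333 -> 127.0.0.1:3306
# Assumed names/paths: mysql.example.internal, /etc/stunnel, /usr/local/etc/stunnel, db "snort".
set -eu

SERVER_CN="mysql.example.internal"   # assumed DNS name of the MySQL host

# Run once on the MySQL host. stunnel 4.x reads DH parameters from the end of the
# cert file, so key + cert + DH are concatenated into stunnel.pem; the bare
# certificate (stunnel.crt) is what gets copied to the sensors as the trust anchor.
make_server_identity() {
    dir="$1"
    openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
        -subj "/CN=$SERVER_CN" -keyout "$dir/stunnel.key" -out "$dir/stunnel.crt"
    # 2048-bit DH group instead of the 512-bit 'openssl gendh 512' from the old recipe
    openssl dhparam -out "$dir/dh2048.pem" 2048
    cat "$dir/stunnel.key" "$dir/stunnel.crt" "$dir/dh2048.pem" > "$dir/stunnel.pem"
    chmod 600 "$dir/stunnel.key" "$dir/stunnel.pem"
}

# Audit helper: DH group size embedded in an existing PEM, or 0 if it carries none.
dh_bits_in_pem() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p' | head -n 1 | grep . || echo 0
}

# stunnel server side, on the MySQL host (assumed /etc/stunnel/stunnel.conf).
server_stunnel_conf() {
cat <<'EOF'
cert = /etc/stunnel/stunnel.pem
; TLS only
options = NO_SSLv2
options = NO_SSLv3
; idle cut-off (stunnel default is 43200 s) and TCP keepalives on both legs; an idle
; tunnel is also subject to the MySQL server's own wait_timeout
TIMEOUTidle = 43200
socket = l:SO_KEEPALIVE=1
socket = r:SO_KEEPALIVE=1

[barnyard2-mysql]
accept = 3333
connect = 127.0.0.1:3306
EOF
}

# stunnel client side, on each pfSense sensor (assumed /usr/local/etc/stunnel/stunnel.conf).
client_stunnel_conf() {
cat <<EOF
client = yes
; pin the MySQL host's self-signed certificate: verify = 2 rejects any server whose
; certificate does not chain to CAfile, which here holds only stunnel.crt from the server
verify = 2
CAfile = /usr/local/etc/stunnel/mysql-server.crt
options = NO_SSLv2
options = NO_SSLv3
TIMEOUTidle = 43200
socket = l:SO_KEEPALIVE=1
socket = r:SO_KEEPALIVE=1

[barnyard2-mysql]
accept = 127.0.0.1:3333
connect = $SERVER_CN:3333
EOF
}

# Barnyard2 "output database" line for one sensor. Barnyard2 points at the local stunnel
# listener (host=127.0.0.1 port=3333), which is the port= edit the first post describes.
# Exactly one sensor (writes_refs=1) maintains the signature reference table; every other
# sensor gets disable_signature_reference_table, which is assumed here to be the keyword
# behind the BARNYARD tab checkbox in Bill's reply.
barnyard2_output_line() {
    sensor="$1"; writes_refs="$2"
    line="output database: log, mysql, user=snort password=CHANGEME dbname=snort host=127.0.0.1 port=3333 sensor_name=$sensor"
    [ "$writes_refs" = 1 ] || line="$line disable_signature_reference_table"
    printf '%s\n' "$line"
}

# 'sh provision.sh render' prints the configs; make_server_identity is run only on the MySQL host.
if [ "${1:-}" = "render" ]; then
    server_stunnel_conf; echo
    client_stunnel_conf; echo
    barnyard2_output_line sensor-a 1   # the one sensor that updates the References table
    barnyard2_output_line sensor-b 0
fi
```

After `make_server_identity /etc/stunnel` on the MySQL host, copy only `stunnel.crt` to each sensor as `mysql-server.crt`; `dh_bits_in_pem /etc/stunnel/stunnel.pem` should report 2048, and a sensor-side PEM from the older recipe reports 512 or 0.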