Configuring a Snort IDS

Firmware: ALL

CollectorA TLC module that gathers or receives log messages from Log Sources.: Database CollectorA type of Collector that gathers log messages from an application that logs to an External Database.

Snort IDS 2.9.2.3 and earlier

To configure Snort IDS 2.9.2.3 or earlier to send log messages to TLC:

output database: alert, mysql, user=<DB_User> password=<DB_Pass> dbname=<Database_Name> host=<DB_Server_IP> sensor_name=<Sensor_Name> ignore_bpf=yes

Example:

output database: alert, mysql, user=snort password=Pass dbname=ids host=127.0.0.1 sensor_name=SnortDMZ ignore_bpf=yes

Snort IDS 2.9.3.0 and later

To configure Snort IDS 2.9.3.0 or later to send log messages to TLC:

output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

https://github.com/firnsy/barnyard2/releases

With the installer (./autogen.sh), create a configuration pointing to your MySQL libraries; for example: 

./configure --with-mysql-with-libraries=/usr/lib64/mysql

/usr/local/etc

output database: alert, mysql, user=<DB_User> password=<DB_Pass> dbname=<Database_Name> host=<DB_Server_IP> sensor_name=<Sensor_Name> ignore_bpf=yes

Example:

output database: alert, mysql, user=snort password=Pass dbname=ids host=127.0.0.1 sensor_name=SnortDMZ ignore_bpf=yes

barnyard2 -c /usr/local/etc/barnyard2.conf -o <snort_log>

Where <snort_log> is the name of a Snort log file (e.g., snort.log.1418337318) to be collected by TLC.

Once Barnyard2 starts, event information should eventually populate your Snort database tables.