Configuring Barnyard2 for Sagan is not much different from configuring it for Snort. Sagan needs to be built with Unified2 output support (which requires libdnet). For information about how to do that, see the SaganHOWTO page.

Below is a simple sample configuration file. In this example, Sagan events are stored in a standard MySQL Snort database using the standard Snort schema. Keep in mind that Barnyard2 supports many other output formats, and this is only a simple example; modifying it to support MS SQL, Oracle, PostgreSQL, the Prelude framework, Sguil, etc. should be straightforward.


###########################################################################
# Simple example Barnyard2 configuration file.  If you understand how to use Barnyard2
# with Snort,  then you already understand how to use Barnyard2 with Sagan :)
###########################################################################

# Sagan reference file.  Contains information about where to find URL's related to triggered 
# events. 

config reference_file:     /usr/local/etc/sagan-rules/reference.config

# Sagan classifications file.   This stores the classification of an event and its priority level. 
# Much of this is similar to Snort's classifications with a few extra Sagan classifications
# added. 

config classification_file: /usr/local/etc/sagan-rules/classification.config

# Generator ID to message map, describing "what generated" the event.  Right now this is not
# needed,  as Sagan only has one generator.  However,  this is likely to change in the near future. 

#config gen_file:            /tmp/gen-msg.map

# Sid (rule ID) to message map.  This typically ships with the latest rule set.  However,  it
# can be generated by oinkmaster's "create-sidmap.pl". 

config sid_file:           /usr/local/etc/sagan-rules/sagan-sid-msg.map

# The hostname of our Sagan sensor.

config hostname:        sagan-syslog

# The "interface".   In the IDS/IPS world,  this would be something like "eth0".  We don't really
# have an "interface",  so I typically set it to "syslog". 

config interface:       syslog

# Username/Group for Barnyard2 to run as.  Remember,  whatever user/group you set this to
# has to have access to your Sagan unified2 output. 

config set_gid:         sagan
config set_uid:         sagan

# The "Where's Waldo" file.  Barnyard2 records the unified2 file and record it last processed
# here,  so that after a restart it resumes where it left off instead of re-inserting old events.

config waldo_file: /var/log/barnyard2/barnyard2-sagan.waldo

# Tells Barnyard2 that the input from Sagan will indeed be Unified2.

input unified2

# In this example,  we'll be logging to a MySQL database with the standard Snort schema.  Barnyard2 
# supports many different output formats (MS SQL, Prelude, Sguil, PostgreSQL, etc).
# Note that the database password is stored in clear text on this line,  so restrict this
# file's permissions to the user Barnyard2 runs as.

output database: log, mysql, user=barnyard password=mypassword dbname=my_snort_database host=192.168.0.1, detail full
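The configuration above covers only the Barnyard2 side. As an added example (not the page's own code, and not from the Sagan or Barnyard2 projects), the POSIX shell wrapper below shows the other half of the setup: the Sagan `output unified2` line it assumes, the Barnyard2 command line that points at that spool, and the readability checks behind the set_uid/set_gid warning above. The spool directory /var/log/sagan, the base filename sagan.log, the config path and the wrapper's exit codes are assumptions; adjust them to match your sagan.conf.

```shell
#!/bin/sh
# Added example: pre-flight checks and the Barnyard2 command line for reading
# Sagan's unified2 spool. Not part of the original page or either project.
#
# Assumed Sagan side (an assumption, adjust to your sagan.conf):
#   output unified2: filename sagan.log, limit 128
# which makes Sagan write /var/log/sagan/sagan.log.<timestamp> files.

SAGAN_SPOOL_DIR="${SAGAN_SPOOL_DIR:-/var/log/sagan}"
SAGAN_SPOOL_BASE="${SAGAN_SPOOL_BASE:-sagan.log}"
BY2_CONF="${BY2_CONF:-/usr/local/etc/barnyard2-sagan.conf}"
BY2_WALDO="${BY2_WALDO:-/var/log/barnyard2/barnyard2-sagan.waldo}"

# spool_ok DIR BASE
# Returns 0 if DIR holds at least one BASE.* file readable by the current user
# (run this as the set_uid user from the config), 1 if DIR is missing, 2 if a
# spool file is not readable, 3 if no spool file exists yet.
spool_ok() {
    dir=$1
    base=$2
    [ -d "$dir" ] || { echo "spool directory $dir does not exist" >&2; return 1; }
    found=0
    for f in "$dir/$base".*; do
        [ -e "$f" ] || continue
        found=1
        [ -r "$f" ] || { echo "$f is not readable by $(id -un)" >&2; return 2; }
    done
    [ "$found" -eq 1 ] || { echo "no $base.* files in $dir yet; is Sagan writing unified2?" >&2; return 3; }
    return 0
}

# waldo_ok FILE
# Barnyard2 checkpoints its position in FILE, so FILE's directory must be writable.
waldo_ok() {
    d=$(dirname "$1")
    [ -d "$d" ] && [ -w "$d" ]
}

# by2_cmd
# Prints the Barnyard2 command line: -c config, -d spool directory, -f spool base
# name (Barnyard2 appends the timestamp), -w waldo file. Add -D to daemonize.
by2_cmd() {
    printf 'barnyard2 -c %s -d %s -f %s -w %s\n' \
        "$BY2_CONF" "$SAGAN_SPOOL_DIR" "$SAGAN_SPOOL_BASE" "$BY2_WALDO"
}

main() {
    spool_ok "$SAGAN_SPOOL_DIR" "$SAGAN_SPOOL_BASE" || exit $?
    waldo_ok "$BY2_WALDO" || { echo "cannot write waldo file under $(dirname "$BY2_WALDO")" >&2; exit 4; }
    echo "starting: $(by2_cmd)" >&2
    exec barnyard2 -c "$BY2_CONF" -d "$SAGAN_SPOOL_DIR" -f "$SAGAN_SPOOL_BASE" -w "$BY2_WALDO"
}

# Launch only when invoked as "sh by2-sagan.sh run"; sourcing the file just defines the functions.
case "${1:-}" in
    run) main ;;
esac
```

Run it as the same user you gave to set_uid so the readability checks reflect what Barnyard2 will actually see; a spool that is readable by root but not by that user is the most common reason Barnyard2 starts and then logs nothing.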

-- ChampClark - 2011-03-15