Configuration with Sagan & Barnyard2 isn't that much different from Snort & Barnyard2. Sagan will need to have Unified2 support (libdnet support) built into it. For information about how to do that, see the
SaganHOWTO page.
Below is a "simple sample" configuration file. In this example, we'll just be storing the Sagan events in a standard
MySQL Snort database using the standard Snort schema. Keep in mind that Barnyard2 supports many other output formats, and this is only a simple example! Modifying this example to support MS SQL, Oracle,
PostgreSQL, the Prelude framework, Sguil, etc. should be straightforward.
###########################################################################
# Simple example Barnyard2 configuration file. If you understand how to use Barnyard2
# with Snort, then you already understand how to use Barnyard2 with Sagan :)
###########################################################################
# Sagan reference file. Contains information about where to find URLs related to triggered
# events.
config reference_file: /usr/local/etc/sagan-rules/reference.config
# Sagan classifications file. This stores the classification of an event and its priority level.
# Much of this is similar to Snort's classifications with a few extra Sagan classifications
# added.
config classification_file: /usr/local/etc/sagan-rules/classification.config
# This maps generator IDs to a message describing "what generated" the event. Right now, this is not needed as Sagan
# only has one generator. However, this is likely to change in the near future.
#config gen_file: /tmp/gen-msg.map
# Sid (rule ID) to message map. This typically ships with the latest rule set. However, it
# can be generated by oinkmaster's "create-sidmap.pl".
config sid_file: /usr/local/etc/sagan-rules/sagan-sid-msg.map
# The hostname of our Sagan sensor.
config hostname: sagan-syslog
# The "interface". In the IDS/IPS world, this would be something like "eth0". We don't really
# have an "interface", so I typically set it to "syslog".
config interface: syslog
# Username/Group for Barnyard2 to run as. Remember, whatever user/group you set this to
# has to have access to your Sagan unified2 output.
config set_gid: sagan
config set_uid: sagan
# The "Where's Waldo" file. Keeps track of some counters used within the Snort database.
config waldo_file: /var/log/barnyard2/barnyard2-sagan.waldo
# Tells Barnyard2 that the input from Sagan will indeed be Unified2.
input unified2
# In this example, we'll be logging to a MySQL database with the standard Snort schema. Barnyard2
# supports many different output formats (MS SQL, Prelude, Sguil, PostgreSQL, etc).
output database: log, mysql, user=barnyard password=mypassword dbname=my_snort_database host=192.168.0.1, detail full
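Two things in the file above deserve a check before you deploy it: the "output database:" line carries the MySQL password in clear text, so the file itself must not be group- or world-readable, and the set_uid/set_gid user has to be able to reach the waldo file and the rule-map files. The following script is an added example (it is not part of this page, nor of the Barnyard2 or Sagan projects): it parses the "config", "input" and "output" directives used above, pulls the embedded credentials out of the database output line, and reports permission problems. The file-access table it takes is a stand-in for the real filesystem so the audit runs offline; with a live system you would feed it os.stat() results instead.

```python
"""Audit a Barnyard2 configuration like the Sagan example above.

Added example, not code from the page or from the Barnyard2/Sagan projects.
Only the directive forms that appear on the page are handled: "config key: value",
"input type" and "output type: args". SAMPLE_CONF is a constructed copy of the
page's configuration with the comments removed.
"""
import re
import stat

# Constructed sample: the page's configuration without its comment lines.
SAMPLE_CONF = """
config reference_file: /usr/local/etc/sagan-rules/reference.config
config classification_file: /usr/local/etc/sagan-rules/classification.config
#config gen_file: /tmp/gen-msg.map
config sid_file: /usr/local/etc/sagan-rules/sagan-sid-msg.map
config hostname: sagan-syslog
config interface: syslog
config set_gid: sagan
config set_uid: sagan
config waldo_file: /var/log/barnyard2/barnyard2-sagan.waldo
input unified2
output database: log, mysql, user=barnyard password=mypassword dbname=my_snort_database host=192.168.0.1, detail full
"""

# "config hostname: value", "input unified2", "output database: args"
DIRECTIVE_RE = re.compile(r"^(config|input|output)\s+([^\s:]+)\s*:?\s*(.*)$")
# key=value tokens inside an output argument string (a trailing comma is not part of the value)
KV_RE = re.compile(r"(\w+)=([^\s,]+)")

# config keys whose value is a path the Barnyard2 process must be able to open
PATH_KEYS = ("reference_file", "classification_file", "sid_file", "waldo_file")


def parse_barnyard2_conf(text):
    """Return {'config': {key: value}, 'input': [type, ...], 'output': [(type, args), ...]}."""
    parsed = {"config": {}, "input": [], "output": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or fully commented-out directive
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue                            # unknown directive kinds are ignored here
        kind, name, rest = m.groups()
        if kind == "config":
            parsed["config"][name] = rest
        elif kind == "input":
            parsed["input"].append(name)
        else:
            parsed["output"].append((name, rest))
    return parsed


def database_credentials(parsed):
    """Return [(output_type, {key: value})] for every output that embeds user=/password= pairs."""
    creds = []
    for otype, args in parsed["output"]:
        kv = dict(KV_RE.findall(args))
        if "password" in kv or "user" in kv:
            creds.append((otype, kv))
    return creds


def audit(parsed, conf_mode, path_access):
    """Return a list of findings (empty list means the config passed).

    conf_mode:   st_mode bits of the configuration file (e.g. 0o644).
    path_access: {path: set of usernames that can open it}; a stand-in for the
                 real filesystem so this check runs without the files present.
    """
    findings = []
    if database_credentials(parsed) and conf_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("config embeds a database password but is group/world readable; chmod 600 it")
    runas = parsed["config"].get("set_uid")
    for key in PATH_KEYS:
        path = parsed["config"].get(key)
        if runas and path and runas not in path_access.get(path, set()):
            findings.append(f"{key} {path} is not accessible to set_uid user {runas}")
    if "unified2" not in parsed["input"]:
        findings.append("input is not unified2; Sagan's unified2 output would not be read")
    return findings


if __name__ == "__main__":
    conf = parse_barnyard2_conf(SAMPLE_CONF)
    # Constructed access table: every referenced path is readable by the "sagan" user.
    access = {conf["config"][k]: {"sagan"} for k in PATH_KEYS}
    for mode in (0o644, 0o600):
        print(oct(mode), audit(conf, mode, access) or "ok")
```

The deciding input is the file mode: the same configuration passes at 0o600 and fails at 0o644, which is the check worth wiring into whatever deploys barnyard2.conf to the sensor.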
--
ChampClark - 2011-03-15