[Bro] Attach Barnyard2 to Bro2

Jeremy Cox jeremy.cox at washk12.org
Mon Jan 27 10:57:05 PST 2014

I did.  I have also put it back into standalone mode to see if that did
it.... No luck.

/opt/bro2/share/bro/site# cat local.bro
##! Local site policy. Customize as appropriate.
##! This file will not be overwritten when upgrading or reinstalling!

# This script logs which scripts were loaded during each run.
@load misc/loaded-scripts

# Apply the default tuning scripts for common tuning settings.
@load tuning/defaults

# Load the scan detection script.
@load misc/scan

# Log some information about web applications being used by users
# on your network.
@load misc/app-stats

# Detect traceroute being run on the network.
@load misc/detect-traceroute

# Generate notices when vulnerable versions of software are discovered.
# The default is to only monitor software found in the address space defined
# as "local".  Refer to the software framework's documentation for more
# information.
@load frameworks/software/vulnerable

# Detect software changing (e.g. attacker installing hacked SSHD).
@load frameworks/software/version-changes

# This adds signatures to detect cleartext forward and reverse windows
@load-sigs frameworks/signatures/detect-windows-shells

# Uncomment the following line to begin receiving (by default hourly) emails
# containing all of your notices.
# redef Notice::policy += { [$action = Notice::ACTION_ALARM, $priority = 0]

# Load all of the scripts that detect software in various protocols.
@load protocols/ftp/software
@load protocols/smtp/software
@load protocols/ssh/software
@load protocols/http/software
# The detect-webapps script could possibly cause performance trouble when
# running on live traffic.  Enable it cautiously.
#@load protocols/http/detect-webapps

# This script detects DNS results pointing toward your Site::local_nets
# where the name is not part of your local DNS zone and is being hosted
# externally.  Requires that the Site::local_zones variable is defined.
@load protocols/dns/detect-external-names

# Script to detect various activity in FTP sessions.
@load protocols/ftp/detect

# Scripts that do asset tracking.
@load protocols/conn/known-hosts
@load protocols/conn/known-services
@load protocols/ssl/known-certs

# This script enables SSL/TLS certificate validation.
@load protocols/ssl/validate-certs

# Uncomment the following line to check each SSL certificate hash against
the ICSI
# certificate notary service; see http://notary.icsi.berkeley.edu .
# @load protocols/ssl/notary

# If you have libGeoIP support built in, do some geographic detections and
# logging for SSH traffic.
@load protocols/ssh/geo-data
# Detect hosts doing SSH bruteforce attacks.
@load protocols/ssh/detect-bruteforcing
# Detect logins using "interesting" hostnames.
@load protocols/ssh/interesting-hostnames

# Detect SQL injection attacks.
@load protocols/http/detect-sqli

#### Network File Handling ####

# Enable MD5 and SHA1 hashing for all files.
@load frameworks/files/hash-all-files

# Detect SHA1 sums in Team Cymru's Malware Hash Registry.
@load frameworks/files/detect-MHR

@load policy/integration/barnyard2
   redef Communication::nodes += {
       ["local"] = [$host=, $class="barnyard",
$events=/Barnyard2::barnyard_alert/, $connect = F]

*Jeremy Cox*
Senior Network Engineer, ISO

*Washington County School District*121 W Tabernacle - St. George - UT


This e-mail, including any attachments thereto, contains information that
may be confidential or privileged, and is intended solely for the
individual or entity to whom it is addressed.  Recipient is hereby notified
that any disclosure, copying or distribution of this message is strictly
prohibited.  IF YOU ARE NOT THE INTENDED RECIPIENT, please notify the
originator of this e-mail immediately and destroy all information
received.  Thank you.

On Mon, Jan 27, 2014 at 11:14 AM, Siwek, Jonathan Luke
<jsiwek at illinois.edu>wrote:

> On Jan 27, 2014, at 11:54 AM, Jeremy Cox <jeremy.cox at washk12.org> wrote:
> > But I'm not sure where those alerts end up being logged in bro.
> It produces a barnyard2.log.
> Did you redef Communication::nodes to register Bro to receive the barnyard
> events?  E.g. in site/local.bro put code like the following:
>  @load policy/integration/barnyard2
>   redef Communication::nodes += {
>       ["local"] = [$host=, $class="barnyard",
> $events=/Barnyard2::barnyard_alert/, $connect = F]
>   };
> - Jon
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140127/751d71af/attachment.html 

More information about the Bro mailing list