[Bro] Attach Barnyard2 to Bro2

Jeremy Cox jeremy.cox at washk12.org
Wed Jan 22 11:48:18 PST 2014


Thanks Jon,  I'll give that a try.

Jeremy

*Jeremy Cox*
Senior Network Engineer, ISO

*Washington County School District* 121 W Tabernacle - St. George - UT
435-634-4315
www.washk12.org
http://www.supertechguy.com

IMPORTANT NOTICE REGARDING THIS ELECTRONIC COMMUNICATION:

This e-mail, including any attachments thereto, contains information that
may be confidential or privileged, and is intended solely for the
individual or entity to whom it is addressed.  Recipient is hereby notified
that any disclosure, copying or distribution of this message is strictly
prohibited.  IF YOU ARE NOT THE INTENDED RECIPIENT, please notify the
originator of this e-mail immediately and destroy all information
received.  Thank you.



On Wed, Jan 22, 2014 at 10:56 AM, Siwek, Jonathan Luke
<jsiwek at illinois.edu> wrote:

>
> On Jan 21, 2014, at 3:11 PM, Jeremy Cox <jeremy.cox at washk12.org> wrote:
>
> > I am attempting to use Barnyard2 to feed events from Suricata to Bro2.
> > It looks like Barnyard2 wants to access Bro on 47757/tcp.  Bro is not
> > currently listening to that port.
>
> > Should bro be listening to 47757/tcp?
>
> Only if you’re running a command-line bro.  47757/tcp is the default
> listen port for running bro command-line style.
>
> > And I'm not sure how to get it listening, or if that's just the old port
> > it used to listen to.  I attempted to have barnyard connect to 47760 in
> > standalone mode
>
> 47760/tcp is the default listen port of the bro instance of BroControl’s
> standalone node.
>
> > and 47761 or 47762 or 47763 in clustered mode.
>
> 47761/tcp is the listen port of the bro manager node when using BroControl
> to manage a cluster.  It probably makes most sense to configure Barnyard2 to
> connect to this port if you’re running a Bro cluster.
>
> > In all instances Barnyard seems to connect to Bro, and then unexpectedly
> > crashes.  Am I missing something?
>
> What versions of Bro and Barnyard2 are you using (and any particular
> configure flags for Barnyard2, like --enable-ipv6) ?  IIRC I think you will
> need at least Bro 2.1 and Barnyard 2.1.10.
>
> I was able to get something simple working w/ latest Bro and Barnyard git
> master branches.  The only extra thing to do in Bro that’s not obvious is
> make sure the manager node has code to accept Barnyard alerts (putting it
> in site/local.bro is the simple way):
>
>    @load policy/integration/barnyard2
>    redef Communication::nodes += {
>        ["local"] = [$host=127.0.0.1, $class="barnyard",
>                     $events=/Barnyard2::barnyard_alert/, $connect = F]
>    };
>
> Another limitation of the Barnyard2 Bro output plugin is that if it tries
> to send events regarding non-TCP/UDP/ICMP ports, it may crash.  See [1] for
> a potential patch for that, which doesn't seem to have been reviewed or
> merged in to Barnyard2 yet.
>
> - Jon
>
> [1]
> http://mailman.icsi.berkeley.edu/pipermail/bro-dev/2013-January/005607.html
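
As an added example (not part of the thread above, and not the Bro project's own scripts), here is a complete site/local.bro fragment that puts Jon's pieces together for a command-line bro: listening is switched on explicitly on the default 47757/tcp, the Communication::nodes entry admits the Barnyard2 client, and a handler for Barnyard2::barnyard_alert raises a notice for the most severe alerts. On a BroControl standalone or manager node (already listening on 47760/tcp or 47761/tcp) the two listen lines are not needed. The event signature, the Barnyard2::PacketID and Barnyard2::AlertData records and Barnyard2::pid2cid are as shipped in policy/integration/barnyard2 with Bro 2.x; the notice type Barnyard2_High_Priority, the priority threshold and the node name "barnyard" are assumptions of this example.

```bro
# Added example, not from the mailing-list thread.  Drop into site/local.bro
# on the bro instance that Barnyard2 connects to.

# Only needed for a command-line bro; BroControl nodes already listen.
# 47757/tcp is bro's default command-line listen port (see thread).
@load frameworks/communication/listen
redef Communication::listen_port = 47757/tcp;

# Ships with Bro 2.x: defines Barnyard2::PacketID, Barnyard2::AlertData,
# the Barnyard2::barnyard_alert event and the barnyard2.log stream.
@load policy/integration/barnyard2

# Accept an incoming connection from Barnyard2 on loopback and subscribe to
# the alert event it publishes.  $connect=F makes bro wait for Barnyard2 to
# connect instead of dialing out.  The node name "barnyard" is arbitrary.
redef Communication::nodes += {
    ["barnyard"] = [$host=127.0.0.1, $class="barnyard",
                    $events=/Barnyard2::barnyard_alert/, $connect=F]
};

# Assumed notice type for this example.
redef enum Notice::Type += { Barnyard2_High_Priority };

# Snort/Suricata priority 1 is the most severe; the threshold is an
# assumption of this example and can be redef'd.
const barnyard_notice_priority = 1 &redef;

event Barnyard2::barnyard_alert(id: Barnyard2::PacketID,
                                alert: Barnyard2::AlertData,
                                msg: string, data: string)
    {
    # The shipped script already writes every alert to barnyard2.log; this
    # handler only adds a notice for the severe ones, keyed by the same
    # conn_id Bro uses in conn.log so the two logs can be joined later.
    if ( alert$priority_id > barnyard_notice_priority )
        return;

    local cid = Barnyard2::pid2cid(id);
    NOTICE([$note=Barnyard2_High_Priority,
            $msg=fmt("%s (gid %d sid %d rev %d)", msg, alert$generator_id,
                     alert$signature_id, alert$signature_revision),
            $sub=alert$classification,
            $id=cid,
            # Suppress repeats of the same signature between the same hosts.
            $identifier=cat(alert$signature_id, cid$orig_h, cid$resp_h)]);
    }
```

After starting bro with this script, confirm the listener exists before pointing Barnyard2 at it (for example with `ss -ltn` or `netstat -ltn`, looking for 47757, 47760 or 47761 as appropriate). On the Barnyard2 side the matching configuration line is `output alert_bro: 127.0.0.1:47757` (syntax as I recall it for the spo_alert_bro output plugin; check the README of your Barnyard2 version). The non-TCP/UDP/ICMP crash Jon mentions happens in the Barnyard2 plugin before any event reaches bro, so nothing in this script can work around it.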