[Bro] Attach Barnyard2 to Bro2

Jeremy Cox jeremy.cox at washk12.org
Mon Jan 27 09:54:16 PST 2014


That seems to be working well.  I had to upgrade barnyard, and I also
patched barnyard2 with the patch listed.  Barnyard appears to be pushing
the alerts into Bro.  At least it has not crashed :).

But I'm not sure where those alerts end up being logged in bro.

/mnt/iscsi/bro/logs/current# ls

communication.log  dhcp.log  dpd.log    ftp.log   known_hosts.log     smtp.log   software.log  stderr.log  syslog.log  weird.log
conn.log           dns.log   files.log  http.log  known_services.log  socks.log  ssl.log       stdout.log  tunnel.log


I haven't seen any new files show up.

I am hopeful that I can tie the two IDSs together in the same set of logs
and rotations.  So that when I analyze the logs, they are both from the
same time period.

Jeremy

Jeremy Cox
Senior Network Engineer, ISO

Washington County School District
121 W Tabernacle - St. George - UT
435-634-4315
www.washk12.org



On Wed, Jan 22, 2014 at 10:56 AM, Siwek, Jonathan Luke
<jsiwek at illinois.edu> wrote:

>
> On Jan 21, 2014, at 3:11 PM, Jeremy Cox <jeremy.cox at washk12.org> wrote:
>
> > I am attempting to use Barnyard2 to feed events from Suricata to Bro2.
>  It looks like Barnyard2 wants to access Bro on 47757/tcp.  Bro is not
> currently listening to that port.
>
> > Should bro be listening to 47757/tcp?
>
> Only if you’re running a command-line bro.  47757/tcp is the default
> listen port for running bro command-line style.
>
> > And I'm not sure how to get it listening, or if that's just the old port
> it used to listen to.  I attempted to have barnyard connect to 47760 in
> standalone mode
>
> 47760/tcp is the default listen port of the bro instance of BroControl’s
> standalone node.
>
> > and 47761 or 47762 or 47763 in clustered mode.
>
> 47761/tcp is the listen port of the bro manager node when using BroControl
> to manage a cluster.  It probably makes most sense to configure Barnyard2 to
> connect to this port if you’re running a Bro cluster.
>
> > In all instances Barnyard seems to connect to Bro, and then unexpectedly
> crashes.  Am I missing something?
>
> What versions of Bro and Barnyard2 are you using (and any particular
> configure flags for Barnyard2, like --enable-ipv6) ?  IIRC I think you will
> need at least Bro 2.1 and Barnyard 2.1.10.
>
> I was able to get something simple working w/ latest Bro and Barnyard git
> master branches.  The only extra thing to do in Bro that’s not obvious is
> make sure the manager node has code to accept Barnyard alerts (putting it
> in site/local.bro is the simple way):
>
>    @load policy/integration/barnyard2
>    redef Communication::nodes += {
>        ["local"] = [$host=127.0.0.1, $class="barnyard",
>                     $events=/Barnyard2::barnyard_alert/, $connect=F]
>    };
>
> Another limitation of the Barnyard2 Bro output plugin is that if it tries
> to send events regarding non-TCP/UDP/ICMP ports, it may crash.  See [1] for
> a potential patch for that, which doesn't seem to have been reviewed or
> merged into Barnyard2 yet.
>
> - Jon
>
> [1]
> http://mailman.icsi.berkeley.edu/pipermail/bro-dev/2013-January/005607.html
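As an added illustration (not code from this thread, nor from the Bro or Barnyard2 projects), here is the Bro side of the hookup Jon describes, written out for the cluster case so it goes in site/local.bro on the manager. The @load line, the "barnyard" class, the event filter and $connect=F are taken from the reply above; the node key "barnyard2" is just a label, and the address 127.0.0.1 is an assumption that must be replaced by the address Barnyard2 actually connects from, since $host is the peer address the communication framework will accept.

```bro
# site/local.bro on the Bro manager (or on the single bro instance when
# running BroControl standalone).  The integration script defines the
# Barnyard2::barnyard_alert event and the log it is written to.
@load policy/integration/barnyard2

# Tell the communication framework to accept one peer of class "barnyard".
# $connect=F means Bro only listens; Barnyard2 has to initiate the connection.
redef Communication::nodes += {
    ["barnyard2"] = [$host=127.0.0.1,                        # assumed: address Barnyard2 connects from
                     $class="barnyard",                       # class Barnyard2 presents on connect
                     $events=/Barnyard2::barnyard_alert/,     # only this event is accepted from it
                     $connect=F]                              # Bro is the listening side
};
```

On the Barnyard2 side the matching directive in barnyard2.conf is, as I recall the plugin's syntax (an assumption, not taken from the thread), `output alert_bro: 127.0.0.1:47761`, with the port chosen per deployment mode from Jon's reply: 47757 for a command-line bro, 47760 for a BroControl standalone node, 47761 for the cluster manager. Once the script is loaded on the node that actually receives the connection, the accepted alerts are written by the integration script to its own log (barnyard2.log in Bro 2.x, to my recollection) rather than into any of the existing logs, so that file appearing in the current log directory is the first thing to check.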