在Centos 7上安装barnyard2

安装 

关闭SELinux，不关闭sytemd服务不能启动

vi /etc/selinux/config

将SELINUX=enforcing改为SELINUX=disabled

设置后需要重启才能生效

网上可以搜索到为CentOS 7提供的rpm软件包，只需使用以下命令即可安装： 

yum install http://rnd.rajven.net/centos/7/os/x86_64/barnyard2-1.9-26.2.x86_64.rpm

修改/etc/snort/snort.conf配置，配置output unified2: filename merged.log, limit 128
vi /etc/snort/snort.conf
###################################################
# Step #6: Configure output plugins
# For more information, see Snort Manual, Configuring Snort - Output Modules
###################################################

# unified2 
# Recommended for most installs
output unified2: filename merged.log, limit 128

# Additional configuration for specific types of installs
# output alert_unified2: filename snort.alert, limit 128, nostamp
# output log_unified2: filename snort.log, limit 128, nostamp 

# syslog
# output alert_syslog: LOG_AUTH LOG_ALERT

# pcap
# output log_tcpdump: tcpdump.log

# metadata reference data.  do not modify these lines
include classification.config
include reference.config

修改/etc/sysconfig/snort配置，注释掉#ALERTMODE=fast，#BINARY_LOG=1

vim /etc/sysconfig/snort

# /etc/sysconfig/snort
# $Id$

# All of these options with the exception of -c, which tells Snort where
# the configuration file is, may be specified in that configuration file as
# well as the command line. Both the command line and config file options
# are listed here for reference.

#### General Configuration

# What interface should snort listen on?  [Pick only 1 of the next 3!]
# This is -i {interface} on the command line
# This is the snort.conf config interface: {interface} directive
INTERFACE=ens33
#
# The following two options are not directly supported on the command line
# or in the conf file and assume the same Snort configuration for all
# instances
#
# To listen on all interfaces use this:
#INTERFACE=ALL
#
# To listen only on given interfaces use this:
#INTERFACE="eth1 eth2 eth3 eth4 eth5"

# Where is Snort's configuration file?
# -c {/path/to/snort.conf}
CONF=/etc/snort/snort.conf

# What user and group should Snort drop to after starting? This user and
# group should have very few privileges.
# -u {user} -g {group}
# config set_uid: user
# config set_gid: group
USER=snort
GROUP=snort

# Should Snort change the order in which the rules are applied to packets.
# Instead of being applied in the standard Alert->Pass->Log order, this will
# apply them in Pass->Alert->Log order.
# -o
# config order: {actions in order}
# e.g. config order: log alert pass activation dynamic suspicious redalert
PASS_FIRST=0

#### Logging & Alerting

# NOTE: NO_PACKET_LOG and BINARY_LOG, ALERTMODE, etc. are mutually
# exclusive. Use either NO_PACKET_LOG or any/all of the other logging
# options. But the more logging options use you, the slower Snort will run.

# Where should Snort log?
# -l {/path/to/logdir}
# config logdir: {/path/to/logdir}
LOGDIR=/var/log/snort

# How should Snort alert? Valid alert modes include fast, full, none, and
# unsock.  Fast writes alerts to the default "alert" file in a single-line,
# syslog style alert message.  Full writes the alert to the "alert" file
# with the full decoded header as well as the alert message.  None turns off
# alerting. Unsock is an experimental mode that sends the alert information
# out over a UNIX socket to another process that attaches to that socket.
# -A {alert-mode}
# output alert_{type}: {options}
#ALERTMODE=fast

# Should Snort dump the application layer data when displaying packets in
# verbose or packet logging mode.
# -d
# config dump_payload
DUMP_APP=1

# Should Snort keep binary (AKA pcap, AKA tcpdump) logs also? This is
# recommended as it provides very useful information for investigations.
# -b
# output log_tcpdump: {log name}
#BINARY_LOG=1

# Should Snort turn off packet logging?  The program still generates
# alerts normally.
# -N
# config nolog
NO_PACKET_LOG=0

# Print out the receiving interface name in alerts.
# -I
# config alert_with_interface_name
PRINT_INTERFACE=0

# When dumping the stats, what log file should we look in
SYSLOG=/var/log/messages

# When dumping the stats, how long to wait to make sure that syslog can
# flush data to disk
SECS=5

# To add a BPF filter to the command line uncomment the following variable
# syntax corresponds to tcpdump(8)
#BPF="not host 192.168.1.1"

# To use an external BPF filter file uncomment the following variable
# syntax corresponds to tcpdump(8)
# -F {/path/to/bpf_file}
# config bpf_file: /path/to/bpf_file
#BPFFILE=/etc/snort/bpf_file

修改/etc/snort/barnyard2配置，配置output database: log, mysql, user=snort password=pass dbname=snort host=localhost

#-------------------------------------------------------------
#  Barnyard2 configuration file
#
#  http://www.securixlive.com/barnyard2
#   
#  Contact: [email protected]
#-------------------------------------------------------------

#
# This file contains a sample barnyard2 configuration. 
# You can take the following steps to create your own custom configuration:
#
#   1) Configure the variable declarations
#   2) Setup the input plugins
#   3) Setup the output plugins
#

# Step 1: configure the variable declarations
#
# in order to keep from having a commandline that uses every letter in the
# alphabet most configuration options are set here.

# use UTC for timestamps
#
#config utc

# set the appropriate paths to the file(s) your Snort process is using.
#
config reference_file:        /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map

# define dedicated references similar to that of snort.
#
#config reference: mybugs http://www.mybugs.com/?s=

# define explicit classifications similar to that of snort.
#
#config classification: shortname, short description, priority

# set the directory for any output logging
#
#config logdir: /tmp

# to ensure that any plugins requiring some level of uniqueness in their output
# the alert_with_interface_name, interface and hostname directives are provided.
# An example of usage would be to configure them to the values of the associated
# snort process whose unified files you are reading.
#
# Example:
#   For a snort process as follows:
#     snort -i eth0 -c /etc/snort.conf
#
#   Typical options would be:
#     config hostname:    thor
#     config interface: eth0
#     config alert_with_interface_name
#
#config hostname:    thor
#config interface:    eth0

# enable printing of the interface name when alerting.
#
#config alert_with_interface_name

# at times snort will alert on a packet within a stream and dump that stream to
# the unified output. barnyard2 can generate output on each packet of that 
# stream or the first packet only.
#
#config alert_on_each_packet_in_stream

# enable daemon mode
#
#config daemon

# make barnyard2 process chroot to directory after initialisation.
#
#config chroot: /var/spool/barnyard2

# specifiy the group or GID for barnyard2 to run as after initialisation.
#
#config set_gid: 999

# specifiy the user or UID for barnyard2 to run as after initialisation.
#
#config set_uid: 999

# specify the directory for the barnyard2 PID file.
#
#config pidpath: /var/run/by2.pid

# enable decoding of the data link (or second level headers).
#
#config decode_data_link

# dump the application data
#
#config dump_payload

# dump the application data as chars only
#
#config dump_chars_only

# enable verbose dumping of payload information in log style output plugins.
#
#config dump_payload_verbose

# enable obfuscation of logged IP addresses.
#
#config obfuscate

# enable the year being shown in timestamps
#
#config show_year

# set the umask for all files created by the barnyard2 process (eg. log files).
#
#config umask: 066

# enable verbose logging
#
#config verbose

# quiet down some of the output
#
#config quiet

# define the full waldo filepath.
#
#config waldo_file: /tmp/waldo

# specificy the maximum length of the MPLS label chain
#
#config max_mpls_labelchain_len: 64

# specify the protocol (ie ipv4, ipv6, ethernet) that is encapsulated by MPLS.
#
#config mpls_payload_type: ipv4

# set the reference network or homenet which is predominantly used by the
# log_ascii plugin.
#
#config reference_net: 192.168.0.0/24

#
# CONTINOUS MODE 
#

# set the archive directory for use with continous mode
#
#config archivedir: /tmp

# when in operating in continous mode, only process new records and ignore any
# existing unified files
#
#config process_new_records_only

# Step 2: setup the input plugins
#
# this is not hard, only unified2 is supported ;)
input unified2

# Step 3: setup the output plugins

# alert_cef
#-----------------------------
#
# Purpose:
#  This output module provides the abilty to output alert information to a
# remote network host as well as the local host using the open standard
# Common Event Format (CEF).
#
# Arguments: host=hostname[:port], severity facility
#            arguments should be comma delimited.
#   host        - specify a remote hostname or IP with optional port number
#                 this is only specific to WIN32 (and is not yet fully supported)
#    severity    - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
#    facility    - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
#
# Examples:
#    output alert_cef
#    output alert_cef: host=192.168.10.1
#    output alert_cef: host=sysserver.com:1001
#    output alert_cef: LOG_AUTH LOG_INFO
#

# alert_bro
#-----------------------------
# 
# Purpose: Send alerts to a Bro-IDS instance.
#
# Arguments: hostname:port
#
# Examples:
#    output alert_bro: 127.0.0.1:47757

# alert_fast
#-----------------------------
# Purpose: Converts data to an approximation of Snort's "fast alert" mode.
# 
# Arguments: file <file>, stdout
#            arguments should be comma delimited.
#   file - specifiy alert file
#   stdout - no alert file, just print to screen
# 
# Examples:
#   output alert_fast
#   output alert_fast: stdout
#
#output alert_fast: stdout

# prelude: log to the Prelude Hybrid IDS system
# ---------------------------------------------
#
# Purpose:
#  This output module provides logging to the Prelude Hybrid IDS system
#
# Arguments: profile=snort-profile
#   snort-profile    - name of the Prelude profile to use (default is snort).
#
# Snort priority to IDMEF severity mappings:
# high < medium < low < info
#
# These are the default mapped from classification.config:
# info   = 4
# low    = 3
# medium = 2
# high   = anything below medium
#
# Examples:
#   output alert_prelude
#   output alert_prelude: profile=snort-profile-name
#

# alert_syslog
#-----------------------------
#
# Purpose:
#  This output module provides the abilty to output alert information to a
# remote network host as well as the local host.
#
# Arguments: host=hostname[:port], severity facility
#            arguments should be comma delimited.
#   host        - specify a remote hostname or IP with optional port number
#                 this is only specific to WIN32 (and is not yet fully supported)
#    severity    - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
#    facility    - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
#
# Examples:
#    output alert_syslog
#    output alert_syslog: host=192.168.10.1
#    output alert_syslog: host=sysserver.com:1001
#    output alert_syslog: LOG_AUTH LOG_INFO
#

# log_ascii
#-----------------------------
# 
# Purpose: This output module provides the default packet logging funtionality
#
# Arguments: None.
#   
# Examples:
#   output log_ascii
#

# log_tcpdump
# -------------------------------------------------
#
# Purpose
#  This output module logs packets in binary tcpdump format
#
# Arguments:
#   The only argument is the output file name.
#
# Examples:
#   output log_tcpdump: tcpdump.log
#

# sguil
#-----------------------------
# 
# Purpose: This output module provides logging ability for the sguil interface
# See doc/README.sguil
#
# Arguments: agent_port <port>, sensor_name <name>
#            arguments should be comma delimited.
#   agent_port    - explicitly set the sguil agent listening port 
#                  (default: 7736)
#   sensor_name - explicitly set the sensor name 
#                  (default: machine hostname)
# 
# Examples:
#   output sguil
#   output sguil: agent_port=7000
#   output sguil: sensor_name=argyle
#   output sguil: agent_port=7000, sensor_name=argyle
#

# database: log to a variety of databases
# ---------------------------------------
#
# Purpose: This output module provides logging ability to a variety of databases
# See doc/README.database for additional information.
#
# Examples:
output database: log, mysql, user=snort password=pass dbname=snort host=localhost
#   output database: alert, postgresql, user=snort dbname=snort
#   output database: log, odbc, user=snort dbname=snort
#   output database: log, mssql, dbname=snort user=snort password=test
#   output database: log, oracle, dbname=snort user=snort password=test
#

创建barnyard2 systemd服务

vi /lib/systemd/system/barnyard2.service

[Unit]

Description=barnyard2 Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/barnyard2 -D -c /etc/snort/barnyard2.conf -d /var/log/snort -f  merged.log -w /var/log/snort/barnyard2.waldo  -u snort -g snort

[Install]
WantedBy=multi-user.target

现在我们告诉systemd该服务应该在引导时启动：

systemctl enable barnyard2

并启动barnyard2服务：

systemctl start barnyard2

验证服务正在运行

systemctl status barnyard2

systemctl daemon-reload

BASE 安装配置比较简单，下载程序包解压到/var/www/html/base和/var/www/html/adodb下，安装依赖环境就可。略。