• Home
  • History
  • Annotate
Name Date Size #Lines LOC

..03-May-2022-

doc/H27-May-2013-944697

etc/H03-May-2022-38414

m4/H27-May-2013-196178

rpm/H27-May-2013-326222

schemas/H27-May-2013-1,110917

src/H03-May-2022-65,75144,740

tools/H27-May-2013-178130

.gitignoreH A D27-May-2013315 2524

COPYINGH A D27-May-201320.5 KiB395324

LICENSEH A D27-May-201317.6 KiB340281

Makefile.amH A D27-May-2013209 115

READMEH A D27-May-20137.1 KiB172127

RELEASE.NOTESH A D27-May-201312.8 KiB332238

autogen.shH A D27-May-2013471 1612

configure.inH A D27-May-201333.4 KiB1,157998

README

1
2------------------------------------------------------------------------------
30. SUMMARY
4------------------------------------------------------------------------------
5
6Barnyard2 - version 2-1.13
7
8This README contains some quick information about how to set up and
9configure barnyard2 to ensure it works as it should.
10
11Distribution Site:
12http://www.securixlive.com
13http://www.github.com/firnsy/barnyard2
14
15
16------------------------------------------------------------------------------
171. COPYRIGHT
18------------------------------------------------------------------------------
19
20Copyright (C)2008-2013 Ian Firns     <firnsy@securixlive.com>
21Copyright (C)2008-2010 SecurixLive   <dev@securixlive.com>
22
23This program is free software; you can redistribute it and/or modify
24it under the terms of the GNU General Public License Version 2 as
25published by the Free Software Foundation.  You may not use, modify or
26distribute this program under any other version of the GNU General
27Public License.
28
29This program is distributed in the hope that it will be useful,
30but WITHOUT ANY WARRANTY; without even the implied warranty of
31MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
32GNU General Public License for more details.
33
34You should have received a copy of the GNU General Public License
35along with this program; if not, write to the Free Software
36Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
37
38Some of this code has been taken from Snort, which was developed by
39Martin Roesch and The Snort Team (http://www.snort.org/team.html).
40
41Some of this code has been taken from barnyard, which was developed by
42Martin Roesch and Andrew R. Baker.
43
44Some of this code has been taken from tcpdump, which was developed
45by the Network Research Group at Lawrence Berkeley National Lab,
46and is copyrighted by the University of California Regents.
47
48
49------------------------------------------------------------------------------
502. DESCRIPTION
51------------------------------------------------------------------------------
52
53Barnyard2 is an open source interpreter for Snort unified2 binary output files.
54Its primary use is allowing Snort to write to disk in an efficient manner and
55leaving the task of parsing binary data into various formats to a separate
56process that will not cause Snort to miss network traffic.
57
58Barnyard2 has 3 modes of operation:
59  1. batch (or one-shot),
60  2. continual, and
61  3. continual w/ bookmark.
62
63In batch (or one-shot) mode, barnyard2 will process the explicitly specified
64file(s) and exit.
65
66In continual mode, barnyard2 will start with a location to look and a specified
67file pattern and continue to process new data (and new spool files) as they
68appear.
69
70Continual mode w/ bookmarking will also use a checkpoint file (or waldo file in
71the snort world) to track where it is. In the event the barnyard2 process ends
72while a waldo file is in use, barnyard2 will resume processing at the last
73entry as listed in the waldo file.
74
75The "-f", "-w", and "-o" options are used to determine which mode barnyard2
76will run in.  It is legal for both the "-f" and "-w" options to be used on the
77command line at the same time, however any data that exists in the waldo file
78will override the command line data from the "-f" and "-d" options. See the
79command directives section below for more detail.
80
81Barnyard2 processing is controlled by two main types of directives: input
82processors and output plugins. The input processors read information in from a
83specific format ( currently the spo_unified2 output module of Snort ) and
84output them in one of several ways.
85
86
87------------------------------------------------------------------------------
883. USAGE
89------------------------------------------------------------------------------
90
91Command line:
92
93    barnyard2 [-options]
94
95
96    Gernal Options:
97
98        -c <file>  Use configuration file <file>
99        -C <file>  Read the classification map from <file>
100        -D         Run barnyard2 in background (daemon) mode
101        -e         Display the second layer header info
102        -E         Log alert messages to NT Eventlog. (Win32 only)
103        -F         Turn off fflush() calls after binary log writes
104        -g <gname> Run barnyard2 gid as <gname> group (or gid) after initialization
105        -G <file>  Read the gen-msg map from <file>
106        -h <name>  Define the hostname <name>. For logging purposes only
107        -i <if>    Define the interface <if>. For logging purposes only
108        -I         Add Interface name to alert output
109        -l <ld>    Log to directory <ld>
110        -m <umask> Set umask = <umask>
111        -O         Obfuscate the logged IP addresses
112        -q         Quiet. Don't show banner and status report
113        -r <id>    Include 'id' in barnyard2_intf<id>.pid file name
114        -R <file>  Read the reference map from <file>
115        -S <file>  Read the sid-msg map from <file>
116        -t <dir>   Chroots process to <dir> after initialization
117        -T         Test and report on the current barnyard2 configuration
118        -u <uname> Run barnyard2 uid as <uname> user (or uid) after initialization
119        -U         Use UTC for timestamps
120        -v         Be verbose
121        -V         Show version number
122        -?         Show this information
123
124    Continual Processing Options:
125        -a <dir>   Archive processed files to <dir>
126        -f <base>  Use <base> as the base filename pattern
127        -d <dir>   Spool files from <dir>
128        -n         Only process new events
129        -w <file>  Enable bookmarking using <file>
130
131    Batch Processing Mode Options:
132        -o         Enable batch processing mode
133
134
135    Longname options and their corresponding single char version
136        --reference <file>                Same as -R
137        --classification <file>           Same as -C
138        --gen-msg <file>                  Same as -G
139        --sid-msg <file>                  Same as -S
140        --alert-on-each-packet-in-stream  Call output plugins on each packet in an alert stream
141        --process-new-records-only        Same as -n
142        --pid-path <dir>                  Specify the directory for the barnyard2 PID file
143        --help                            Same as -?
144        --version                         Same as -V
145        --create-pidfile                  Create PID file, even when not in Daemon mode
146        --nolock-pidfile                  Do not try to lock barnyard2 PID file
147        --max-mpls-labelchain-len         Specify the max MPLS label chain
148        --mpls-payload-type               Specify the protocol (ipv4, ipv6, ethernet) that is encapsulated by MPLS
149
150
151Examples:
152
153  1. Using barnyard2 in continuous mode with a waldo file
154
155    # ./barnyard2 -c /etc/barnyard2.conf -d /var/snort -f snort.u2 -w /var/snort/snort.waldo
156
157  2. Using barnyard2 in batch mode
158
159    # ./barnyard2 -c /etc/barnyard2.conf -o file1.u2 file2.u2 file3.u2
160
161
162------------------------------------------------------------------------------
1634. CONTACT
164------------------------------------------------------------------------------
165
166You can contact the barnyard2 team and user base for question/help debugging issue concerning barnyard2 by using our mailing lists.
167
168barnyard2-users@googlegroups.com
169AND
170barnyard2-devel@googlegroups.com
171
172