If you can't find an answer to your question here then get in touch via the mailing list and we'll get cracking on it. You can also send us a private message if you would like. See the contacts page for details.
How do I convert my existing Snort->Database setup to a Snort->Barnyard2->Database setup?
A.
This is the most common situation users appear to be in before trialling barnyard2. It shouldn't take too much time to do the conversion and fortunately the configuration syntax should be reasonably familiar.
We are assuming you are using a MySQL database, know how to compile and have downloaded the barnyard2 source. So the first thing is to compile the source and tell barnyard2 that you want MySQL awareness.
$ ./configure --with-mysql
$ make
$ make install
Similar to Snort, this will place the barnyard2 binary in /usr/local/bin by default. Now we have to set up the barnyard2 configuration file. This file is easiest when co-located with your snort.conf file and will typically be found in /etc/snort.
The barnyard2 configuration file uses similar syntax to that of Snort. In the following example we will assume Snort is logging on an interface "eth0" and we want to override the hostname with the value "thor".
The output database line should look exactly as it currently does in your Snort configuration file; after all, it is essentially the same output plugin.
Now that we have the barnyard2 configuration file set up we need to modify the existing Snort configuration file. We will be removing (or commenting out) the existing database output plugin definition and replacing it with a unified2 output plugin definition.
The above modifications will cause Snort to generate unified2 log files named "snort.u2.<timestamp>" (e.g. snort.u2.1245910233), limited to 128MB each, and place them in /var/log/snort. You can now run Snort the same way you always have and the unified2 files should be visible.
The final thing is to start up the barnyard2 process telling it where to look for the unified2 files. We will also tell it to use a waldo (bookmarking) file so it knows where it stopped in the event the barnyard2 process is terminated or restarted. In our example the command line would be:
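Putting the steps above together, here is an added helper script (not part of the barnyard2 project or of this FAQ) that rewrites a constructed snort.conf sample into the Snort->Barnyard2->Database layout: it comments out the database output plugin, appends the unified2 plugin, and emits a matching barnyard2.conf plus the continuous-mode start-up command. The directive names and command-line flags are the standard Snort/barnyard2 ones; the sample config contents, credentials and the waldo file path are assumptions.

```python
import re

# Constructed sample of the relevant lines from an existing snort.conf
# (not taken from any real deployment).
SAMPLE_SNORT_CONF = """\
# Step #6: Configure output plugins
output database: log, mysql, user=snort password=secret dbname=snort host=localhost
output alert_fast: alerts.txt
"""

DB_LINE = re.compile(r"^\s*output\s+database\s*:", re.IGNORECASE)


def convert(snort_conf, interface="eth0", hostname="thor",
            u2_name="snort.u2", limit_mb=128):
    """Return (new_snort_conf, barnyard2_conf) for the Snort->Barnyard2->DB layout."""
    db_lines, out = [], []
    for line in snort_conf.splitlines():
        if DB_LINE.match(line):
            db_lines.append(line.strip())   # reused verbatim in barnyard2.conf
            out.append("# " + line)         # comment out, keep for reference
        else:
            out.append(line)
    if not db_lines:
        raise ValueError("no 'output database:' plugin found in snort.conf")
    # Snort now writes binary unified2 records instead of talking to the DB.
    out.append(f"output unified2: filename {u2_name}, limit {limit_mb}")
    new_snort = "\n".join(out) + "\n"

    # barnyard2.conf: interface/hostname overrides plus the unchanged DB plugin line.
    by2 = [f"config interface: {interface}",
           f"config hostname: {hostname}",
           *db_lines]
    return new_snort, "\n".join(by2) + "\n"


def barnyard2_cmdline(conf="/etc/snort/barnyard2.conf", log_dir="/var/log/snort",
                      u2_name="snort.u2", waldo="/var/log/snort/barnyard2.waldo"):
    """Continuous mode: follow the spool directory and bookmark progress in a waldo file."""
    return f"barnyard2 -c {conf} -d {log_dir} -f {u2_name} -w {waldo}"


if __name__ == "__main__":
    snort_conf, by2_conf = convert(SAMPLE_SNORT_CONF)
    print(snort_conf)
    print(by2_conf)
    print(barnyard2_cmdline())
```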