c nerd blog — Barnyard 2 & Snort 2.9.3.1 on OpenBSD 5.2

dirt

Barnyard2 was the most troublesome installation. It’s required for snort, & is a first degree sod.

The default configuration file, modified for mysql, fails mysteriously. I wrote my own, and then found a number of strange behaviours because there are some edge cases not mentioned in the documentation. In particular, make sure your archive directory is not the same as your snort directory.

I spent a couple of weeks trying to get it working, and the bloody thing kept dying with one or other weird error. I finally gave up and spent two days fragging those artificial things that deserve to be fragged, only to log in to the machine two days later to find barnyard2 working.

However, since then, I have found that whether barnyard 2 runs or not is unpredictable. It fails with errors that are entirely recoverable. It fails to process a lot of snort output data. To put it bluntly, it doesn’t work under OpenBSD: I’ve no clue whether it misfires just as badly under other systems. It is too brittle, and not at all resilient. For example, if it wants to write a record to a database, and finds that record is already written, it crashes. It doesn’t do the obvious, and check to see if what it wants to write is already written, it just crashes. It doesn't log a problem, it crashes. This is poor quality code.

The only good thing that’s come out of this misadventure arises because Barnyard2 requires MySQL (or another database). I’m very impressed that MySQL seems to run quite happily on a eight year old SBC with 128M of memory and an ancient 60G disk drive. Kudos to MySQL for that. Even so, I expect I’ll need to move the database to more serious hardware when I start using snort in anger.

ADDED: I’ve abandoned barnyard2 and am trying a simpler route: swatch.