
Snort + Barnyard2 + Base on FreeBSD 10

Install Software

pkg install snort apache22 mysql56-server mod_php5 base wget

Barnyard2 needs to be built from the port to get MySQL support

cd /usr/ports/security/barnyard2
make config (enable mysql)
make install

Enable Services

Edit /etc/rc.conf

/etc/rc.conf
...
snort_enable="YES"
barnyard2_enable="YES"
barnyard2_flags="-d /var/log/snort -f snort.log"
apache24_enable="YES"
mysql_enable="YES"
...

Update Snort Rules

Obtain an Oinkcode

Update Script

  • Be sure to replace the Oinkcode
  • We are using snort 2.9.6.2 so we are downloading snortrules-snapshot-2962.tar.gz
update_snort_rules.sh
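#!/bin/sh
# update_snort_rules.sh - refresh the Snort community rules and the registered
# rule snapshot under /usr/local/etc/snort.
#
# Requires: wget and tar, plus a CA bundle wget can use to verify the snort.org
# certificate (the ca_root_nss package provides one). --no-check-certificate is
# deliberately not used: a rule set fetched over an unverified TLS session could
# be replaced in transit, and the rules then run on the sensor as trusted input.
#
# Environment:
#   OINKCODE   your snort.org Oinkcode (required). Kept out of the script so it
#              is not copied around with it; it still forms part of the download
#              URL, which wget prints and which is visible in the process list
#              while the download runs.
#   SNORT_VER  rule snapshot version, default 2962 (snort 2.9.6.2).
#
# Exits non-zero at the first failing step (set -e) so a failed download does
# not silently leave a half-updated rule tree behind.

set -eu

: "${OINKCODE:?set OINKCODE to your snort.org Oinkcode}"
SNORT_VER=${SNORT_VER:-2962}
SNORT_DIR=/usr/local/etc/snort

# Private scratch directory instead of fixed file names in world-writable /tmp,
# so another local user cannot pre-create the tarball path we extract from.
tmpdir=$(mktemp -d /tmp/snortrules.XXXXXX) || exit 1
trap 'rm -rf -- "${tmpdir}"' EXIT

wget -O "${tmpdir}/community-rules.tar.gz" \
  https://www.snort.org/downloads/community/community-rules.tar.gz
tar xzf "${tmpdir}/community-rules.tar.gz" -C "${SNORT_DIR}/rules/"

# -O fixes the local file name; without it wget names the file after the whole
# query string ("snortrules-snapshot-2962.tar.gz?oinkcode=...").
wget -O "${tmpdir}/snortrules-snapshot-${SNORT_VER}.tar.gz" \
  "https://www.snort.org/rules/snortrules-snapshot-${SNORT_VER}.tar.gz?oinkcode=${OINKCODE}"
tar xzf "${tmpdir}/snortrules-snapshot-${SNORT_VER}.tar.gz" -C "${SNORT_DIR}/"

# The snapshot ships its own etc/snort.conf and etc/threshold.conf; remove those
# so the locally edited copies next to ${SNORT_DIR}/snort.conf are not replaced,
# then hoist the remaining etc/ files up one level beside snort.conf.
rm -f -- "${SNORT_DIR}/etc/snort.conf" "${SNORT_DIR}/etc/threshold.conf"
for f in "${SNORT_DIR}"/etc/*; do
  [ -e "$f" ] || continue   # nothing left in etc/: the glob stays literal
  mv -- "$f" "${SNORT_DIR}/"
done
rm -r -- "${SNORT_DIR}/etc"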

Configure Snort

Edit /usr/local/etc/snort/snort.conf

/usr/local/etc/snort/snort.conf
...
# Setup the network addresses you are protecting
ipvar HOME_NET 10.1.0.22,192.168.111.0/24,127.0.0.1
 
# Set up the external network addresses. Leave as "any" in most situations
ipvar  EXTERNAL_NET 209.81.120.225/27,216.189.128.9/30
...
# unified2
# Recommended for most installs
output unified2: filename snort.log, limit 128, mpls_event_types, vlan_event_types
...

Edit /usr/local/etc/snort/threshold.conf

/usr/local/etc/snort/threshold.conf
...
suppress gen_id 1, sig_id 536
suppress gen_id 1, sig_id 648
suppress gen_id 1, sig_id 8375
suppress gen_id 1, sig_id 11192
suppress gen_id 1, sig_id 12286
suppress gen_id 1, sig_id 15147
suppress gen_id 1, sig_id 15306
suppress gen_id 1, sig_id 15362
suppress gen_id 1, sig_id 17458
suppress gen_id 1, sig_id 20583
suppress gen_id 1, sig_id 2000334
suppress gen_id 1, sig_id 2010516
suppress gen_id 1, sig_id 2012088
suppress gen_id 1, sig_id 2013222
suppress gen_id 1, sig_id 2014819
suppress gen_id 1, sig_id 2014520
suppress gen_id 1, sig_id 2101390
suppress gen_id 1, sig_id 2103134
suppress gen_id 1, sig_id 2500056
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 4
suppress gen_id 119, sig_id 14
suppress gen_id 119, sig_id 15
suppress gen_id 119, sig_id 19
suppress gen_id 119, sig_id 31
suppress gen_id 119, sig_id 32
suppress gen_id 119, sig_id 33
suppress gen_id 120, sig_id 2
suppress gen_id 120, sig_id 3
suppress gen_id 120, sig_id 4
suppress gen_id 120, sig_id 6
suppress gen_id 120, sig_id 8
suppress gen_id 120, sig_id 9
suppress gen_id 122, sig_id 19
suppress gen_id 122, sig_id 21
suppress gen_id 122, sig_id 22
suppress gen_id 122, sig_id 23
suppress gen_id 122, sig_id 26
suppress gen_id 129, sig_id 3
suppress gen_id 129, sig_id 12
suppress gen_id 129, sig_id 15
suppress gen_id 129, sig_id 17
suppress gen_id 137, sig_id 1
suppress gen_id 145, sig_id 2
# Sensitive Data disable
# # Credit Card Numbers
suppress gen_id 138, sig_id 2
# # U.S. Social Security Numbers (with dashes)
suppress gen_id 138, sig_id 3
# # U.S. Social Security Numbers (w/out dashes)
suppress gen_id 138, sig_id 4
# # Email Addresses
suppress gen_id 138, sig_id 5
# # U.S. Phone Numbers
suppress gen_id 138, sig_id 6
 
suppress gen_id 139, sig_id 1
 
# Global event filter to limit events from a unique src to 1 in 60 seconds
# Disabled by default; turn it on if you want this functionality
#
 
# event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60
 
...

Configure Barnyard

Configure Database

Start MySQL

/usr/local/etc/rc.d/mysql start

Create Database

mysql
create database snort;
quit;

Populate Database

mysql snort < /usr/local/share/examples/barnyard2/create_mysql

Create Database user

mysql
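-- Account barnyard2 (and the BASE front end) use to reach the snort database.
-- The password must match "password=" in /usr/local/etc/barnyard2.conf and the
-- BASE setup form, so replace the sample 'snortpass' in all three places.
CREATE USER 'snort'@'localhost' IDENTIFIED BY 'snortpass';
-- Scope the grant to the snort database only and drop WITH GRANT OPTION: this
-- account only reads and writes alert rows, it never needs to hand its own
-- privileges to other accounts.
GRANT ALL PRIVILEGES ON snort.* TO 'snort'@'localhost';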

Edit /usr/local/etc/barnyard2.conf

/usr/local/etc/barnyard2.conf
...
# Examples:
#   output alert_fast
#   output alert_fast: stdout
#
output alert_fast
...
# Examples:
output database: log, mysql, user=snort password=snortpass dbname=snort host=localhost
#   output database: alert, postgresql, user=snort dbname=snort
#   output database: log, odbc, user=snort dbname=snort
#   output database: log, mssql, dbname=snort user=snort password=test
#   output database: log, oracle, dbname=snort user=snort password=test
#
...

Start Snort and Barnyard2

/usr/local/etc/rc.d/snort start
/usr/local/etc/rc.d/barnyard2 start

Configure Base (Snort Web Reporting)

Enable php

  • edit /usr/local/etc/apache24/httpd.conf
...
LoadModule php5_module        libexec/apache24/libphp5.so

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
...
#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
    DirectoryIndex index.php index.html
</IfModule>
...

Make Base Accessible

# Copy BASE into the Apache document root so it is served under /base/.
cd /usr/local/www/
cp -rv base apache24/data/
cd apache24/data/
# Hand the copied tree to the web-server user, presumably so setup/index.php
# (next section) can write its configuration.
# NOTE(review): this leaves every BASE file writable by the www user after
# setup as well; consider narrowing it once the setup page has run - confirm
# which files BASE actually needs to write.
chown -R www base

Configure Base

  1. Navigate in a web browser to http://127.0.0.1/base/setup/index.php
  2. Set adodb Path to /usr/local/share/adodb
  3. Use the database settings from above (mysql, database name, username, password)