
Troubleshooting Barnyard Seg Faults

Barnyard is a companion tool to the IDS software Snort. Recent versions of Snort have introduced an important improvement -- the detection of an event and its formatting for reporting have been separated. Snort now writes out compact, efficient binary files for its logs, and the conversion to human-readable form or ingestion into a database is left to a separate tool. Barnyard is the most widely known tool for handling the conversion and ingestion stage of the data processing stream.

Building and installing Barnyard is straightforward. There are no exotic prerequisite packages to be installed beforehand, and the standard:

./configure
make
make install

will suit most installation needs (unless you intend to use a database, in which case the --enable-mysql or --enable-postgresql flag should be added to the configure line).

Getting Barnyard to usefully run is another matter. Some clue of what sorts of problems will be encountered can be had by noting the version number of the current barnyard, 0.2.0 -- it's still in very early release.

Even being relatively new, it is already infamous for having probably the most confusing and verbose command line argument set of any application on the Internet. The long list of required command line parameters can be handled to some degree by setting those parameters in the startup config file. The only problem with that is that the documentation on the config file is incomplete, so knowing just which parameters can be set there, and the syntax for doing so, mostly requires analyzing the source code.

The biggest trouble with barnyard is that it is very twitchy when it comes to the combination of (or missing) configuration parameter settings and the format of the configuration and various input files. It responds to most of these problems the same way: it unceremoniously seg faults and crashes.

Tracking down the source of these seg faults is difficult since barnyard is completely silent about what went wrong. Fortunately there is an easy-to-use external tool which will save you from many hours of aggravation and grief: strace. strace keeps track of the system calls and signals of an application.

strace is your friend

Running strace is very simple. Just put strace ahead of the barnyard command, so that for example

 barnyard -v -c /etc/snort/barnyard.eth2X.conf -o /var/log/snort.eth2/snort.alert.*

becomes,

 strace barnyard -v -c /etc/snort/barnyard.eth2X.conf -o /var/log/snort.eth2/snort.alert.*

The result is a lot of output of which the last lines are:
open("/etc/snort/gen-msg.map", O_RDONLY) = 5
fstat64(5, {st_mode=S_IFREG|0644, st_size=8971, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f4b000
read(5, "# $Id: gen-msg.map,v 1.16.2.2.2."..., 4096) = 4096
read(5, " Options\n116 || 5 || snort_decod"..., 4096) = 4096
read(5, "ortscan: UDP Filtered Portscan\n1"..., 4096) = 779
read(5, "", 4096)                       = 0
open("/usr/local/etc/snort_rules/classification.config", O_RDONLY) = 6
fstat64(6, {st_mode=S_IFREG|0640, st_size=4469, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f4a000
read(6, "# $Id: classification.config,v 1"..., 4096) = 4096
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

In this example, clearly barnyard had an issue with my classification.config file: it was the last file opened and read before the SIGSEGV. Sure enough, I had a custom classification.config file with a syntax error in it. Whereas Snort had no issue with it, barnyard had some serious problems with it. Knowing where to look, the problem was solved in just a few minutes' time and barnyard was up and running as desired.
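The reasoning above (map each open() to its returned descriptor, then see which descriptor was last touched before the signal) can be automated so that a long trace does not have to be read by eye. The following script is an added example, not part of the original article or of Barnyard or strace; it takes the text of an strace run (for instance a file written with strace's -o option) and reports the file that was being read when the process died. The trace embedded below is constructed for the example, modelled on the output quoted above, and the open()/openat() and signal line formats it parses are the common strace layouts rather than anything the article specifies.

```python
import re
import sys

# Constructed sample: the tail of an strace run, modelled on the article's
# output. Descriptor numbers, sizes and contents are illustrative only.
SAMPLE_TRACE = """\
open("/etc/snort/gen-msg.map", O_RDONLY) = 5
fstat64(5, {st_mode=S_IFREG|0644, st_size=8971, ...}) = 0
read(5, "# $Id: gen-msg.map,v 1.16.2.2.2."..., 4096) = 4096
read(5, "", 4096)                       = 0
close(5)                                = 0
open("/usr/local/etc/snort_rules/classification.config", O_RDONLY) = 6
fstat64(6, {st_mode=S_IFREG|0640, st_size=4469, ...}) = 0
read(6, "# $Id: classification.config,v 1"..., 4096) = 4096
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
"""

# A successful open()/openat(): capture the path and the descriptor returned.
# Failed opens return "-1 ENOENT (...)", which deliberately does not match.
OPEN_RE = re.compile(
    r'^(?:open|openat)\((?:AT_FDCWD, )?"([^"]+)".*\)\s*=\s*(\d+)\s*$')
# Calls whose first argument is a descriptor (mmap is excluded: its first
# argument is an address, not an fd).
FD_CALL_RE = re.compile(
    r'^(read|pread64|write|fstat64|fstat|lseek|close)\((\d+)')
# strace prints a delivered signal as "--- SIGNAME ..." before the process dies.
SIGNAL_RE = re.compile(r'^--- (SIG\w+)')


def find_crash_file(trace_text):
    """Return (signal, path, last_syscall_line) for the first signal in the
    trace, where path is the file behind the descriptor most recently used
    (None if that descriptor is unknown), or None if no signal line is seen."""
    fd_to_path = {}
    last_fd = None
    last_line = None
    for line in trace_text.splitlines():
        m = OPEN_RE.match(line)
        if m:
            fd = int(m.group(2))
            fd_to_path[fd] = m.group(1)
            last_fd, last_line = fd, line
            continue
        m = FD_CALL_RE.match(line)
        if m:
            fd = int(m.group(2))
            if m.group(1) == "close":
                # After close the descriptor number may be reused, so forget it.
                fd_to_path.pop(fd, None)
                if last_fd == fd:
                    last_fd = None
            else:
                last_fd = fd
            last_line = line
            continue
        m = SIGNAL_RE.match(line)
        if m:
            return (m.group(1), fd_to_path.get(last_fd), last_line)
    return None


def report(trace_text):
    """Human-readable one-line summary of find_crash_file()."""
    found = find_crash_file(trace_text)
    if found is None:
        return "no signal seen in trace"
    signal, path, last_line = found
    where = path if path is not None else "an unknown descriptor"
    return "%s while working on %s (last call: %s)" % (signal, where, last_line)


if __name__ == "__main__":
    # Usage: python trace_crash_file.py barnyard.trace   (or read stdin)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sys.stdin.read()
    print(report(text))
```

Run against the sample it names classification.config as the file in play when SIGSEGV arrived, which is exactly the conclusion drawn by hand above. Note that this only tells you which input barnyard was consuming when it crashed, not what in that file it objected to; that part is still up to you, but it narrows the search to one file.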


I repeat:

strace is your friend


© Copyright 2001-2004 Taygeta, All rights reserved
1340 Munras Ave, Suite 314, Monterey CA 93940, voice 831.641.0645, FAX 831.641.0647