Change Snort Barnyard interface on Insta Snorby 0.5 - Snorby/snorby GitHub Wiki
This article is for changing the Snort and Barnyard interface. System used: Insta-Snorby 0.5
##Change the IP address on the promiscuous interface
This is the one Snort will listen on.

###vim /etc/network/interfaces

    auto eth1
    iface eth1 inet static
        address 10.0.0.1
        netmask 255.255.255.0
        network 10.0.0.0
        broadcast 10.0.0.255

###Restart networking

    /etc/init.d/networking restart
##Edit Snort
###Change the interface of Snort
Edit:

    vim /usr/lib/inithooks/everyboot.d/88snortstart

Add '-i eth1' where eth1 is the new interface name.

    #Start snort
    /usr/local/bin/snort -g snort -u snort -c /etc/snort/snort.conf -i eth1 -D
##Edit Barnyard
###Un-comment (if commented) or add (if missing) config interface and change it to eth1

    vim /etc/snort/barnyard2.conf

    config interface: eth1

###Kill snort and barnyard by their PID

    ps aux | grep snort

###Start them back using the commands (to test)
###Start Snort

    /usr/local/bin/snort -g snort -u snort -c /etc/snort/snort.conf -i eth1 -D

###Start Barnyard

    /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \
        -G /etc/snort/gen-msg.map \
        -S /etc/sid-msg.map \
        -d /var/log/snort \
        -f snort.u2 \
        -w /var/log/snort/barnyard2.waldo \
        -D
##Testing
Log back into the Snorby web interface and see if it worked. Click administration, administration menu and then sensors.
##Troubleshooting
Can't start barnyard without error?

    rm -f /var/log/snort/snort.*