barnyard2's error: "Unknown output plugin: "alert_bro" " (snort + barnyard2 + bro)

Zeek
1

Hi,

I’am trying barnyard2-1.9 to send snort alerts as events to bro instance.

When building barnyard2, everything looks OK.
(For successfully compiling spo_alert_bro.c, I deleted the “#ifdef BROCCOLI” statement in spo_alert_bro.c, and added the dir of broccoli.h to INCLUDE)

However, when barnyard2 started up, “alert_bro” plugin can not be found:(

What’s wrong with this? Any answer is appreciated.

Thanks,
Quan

This is the details when compiling and runinig:

[root@sneat barnyard2-1.9]# make

…(omit something)

make[3]: Entering directory `/res/workspace/bro/barnyard2-1.9/src/output-plugins’
gcc -DHAVE_CONFIG_H -I. -I…/… -I… -I …/sfutil -I/usr/local/bro/include -g -O2 -fno-strict-aliasing -Wall -c spo_alert_bro.c
gcc -DHAVE_CONFIG_H -I. -I…/… -I… -I …/sfutil -I/usr/local/bro/include -g -O2 -fno-strict-aliasing -Wall -c spo_alert_cef.c

…(omit something)

rm -f libspo.a
ar cru libspo.a spo_alert_arubaaction.o spo_alert_bro.o spo_alert_cef.o spo_alert_csv.o spo_alert_fast.o spo_alert_full.o spo_alert_prelude.o spo_alert_syslog.o spo_alert_test.o spo_alert_unixsock.o spo_common.o spo_log_ascii.o spo_log_null.o spo_log_tcpdump.o spo_platypus.o spo_sguil.o spo_database.o
ranlib libspo.a

…(omit something)

/bin/sh …/libtool --tag=CC --mode=link gcc -g -O2 -fno-strict-aliasing -Wall -o barnyard2 barnyard2.o debug.o decode.o log.o log_text.o map.o mstring.o parser.o plugbase.o spooler.o strlcatu.o strlcpyu.o util.o output-plugins/libspo.a input-plugins/libspi.a sfutil/libsfutil.a -lpcap -lnsl -lm -lm
libtool: link: gcc -g -O2 -fno-strict-aliasing -Wall -o barnyard2 barnyard2.o debug.o decode.o log.o log_text.o map.o mstring.o parser.o plugbase.o spooler.o strlcatu.o strlcpyu.o util.o output-plugins/libspo.a input-plugins/libspi.a sfutil/libsfutil.a -lpcap -lnsl -lm

[root@sneat barnyard2-1.9]# ./src/barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort/ -f /var/log/snort/merged.log -w /var/log/snort/snort.waldo
Running in Continuous mode

–== Initializing Barnyard2 ==–
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file “/usr/local/etc/barnyard2.conf”
Log directory = /var/log/barnyard2
ERROR: /usr/local/etc/barnyard2.conf(204) Unknown output plugin: "alert_bro"
Fatal Error, Quitting…

2

I'am trying barnyard2-1.9 to send snort alerts as events to bro instance.

When building barnyard2, everything looks OK.
(For successfully compiling spo_alert_bro.c, I deleted the "#ifdef BROCCOLI" statement in spo_alert_bro.c, and added the dir of broccoli.h to INCLUDE)

However, when barnyard2 started up, "alert_bro" plugin can not be found:(

There should be another "#ifdef BROCCOLI" in plugbase.c that you might have missed. However, you shouldn't have to modify code directly if you use the configure options to enable the bro output plugin:

    ./configure --enable-bro --with-broccoli=/usr/local/bro

There were also some bugs I found in the Bro output plugin that prevent it from working with the Bro 2.0 release, but I think I have then fixed and have a pending pull request here:

    Fixes for the Bro output plugin. by jsiwek · Pull Request #25 · firnsy/barnyard2 · GitHub

So if you'd still want to play around with getting this to work, use my git version of Barnyard2 and the current git version of Bro.

The other thing that's not well documented anywhere is how to configure the listening Bro node to request the right events from the Barnyard2 Broccoli client. Here's the Bro script I used when testing:

    @load policy/frameworks/communication/listen
    @load policy/integration/barnyard2
    redef Communication::nodes += {
        ["local"] = [$host=127.0.0.1, $class="barnyard", $events=/Barnyard2::barnyard_alert/, $connect = F]
    };

+Jon