Monday, June 16, 2014

New Barnyard2, NSM, rule-update, and securityonion-server packages

You may have noticed previously that when barnyard2 started up, it would consume a large amount of CPU (on both the sensor and the server) for a while (more than a minute in some cases) while it updated Snorby's reference table.  Multiply this by several barnyard instances per interface and several interfaces per physical sensor and you now have multiple instances fighting each other for scarce CPU resources.

To alleviate this, the barnyard2 folks introduced a new option called disable_signature_reference_table that allows you to disable the reference table update on all sensors, leaving just one barnyard2 instance on the server itself to update Snorby's reference table, avoiding the duplication of effort.  I packaged the latest version of barnyard2 (version 2.1.13 Build 333) which contains this option and also updated the NSM scripts to add the new option to all barnyard2.conf files on all sensors. rule-update has been modified such that right after the master downloads new rules from the Internet, it will use barnyard2 to update Snorby's reference table.  Finally, since we're now forcing the server to use barnyard2 to update Snorby's reference table, I updated the securityonion-server metapackage to require securityonion-barnyard2 as a dependency.

The updated package versions are as follows:
securityonion-barnyard2 - 20140531-0ubuntu0securityonion1
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion76
securityonion-rule-update - 20120726-0ubuntu0securityonion15
securityonion-server - 20120722-0ubuntu0securityonion11

These new packages have been tested by the following (thanks!):
Eddy Simons
David Zawdie
Kevin Branch

Issues Resolved
Issue 294: Barnyard2-1.13

Issue 550: securityonion-server: add barnyard2 as a dependency

Issue 411: NSM: have only one copy of barnyard2 that updates signature
reference table

Issue 551: rule-update: have server use barnyard2 to update Snorby
reference table

Issue 399: rule-update should allow LOCAL_NIDS_RULE_TUNING to be yes or true

Issue 544: rule-update: notify user if LOCAL_NIDS_RULE_TUNING=true

The new packages are now available in our stable repo.  Please see the following page for full update instructions:

If you have any questions or problems, please use our security-onion mailing list:

Want to get the most out of your Security Onion deployment?  Check out our 2-day training class:

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:

We especially need help in answering support questions on the mailing list:

We also need help testing new packages:



Hurgh said...

Hi Doug,

So does this mean we should go and modify all our barnyard2 config files and add "disable_signature_reference_table"

I noticed now that when I run "rule-update" it runs a barnyard2 instance, with s separate config file. Also this now takes an extremely long time, is there any way to speed this up?


Doug Burks said...

Hi Hurgh,

No, you do not need to manually modify your barnyard2 config files to add "disable_signature_reference_table". As mentioned in the blog post, the updated NSM scripts should automatically do that for you.

Yes, rule-update now runs its own barnyard2 instance (also mentioned in the blog post).

We have an updated version of rule-update coming soon which should speed this up.

If you have any further questions or problems, please use our mailing list.


Search This Blog

Featured Post

Celebrating 10 Years of Security Onion Solutions and Announcing Security Onion Pro!

From Doug Burks, Founder and CEO of Security Onion Solutions:  There’s an old saying that it takes ten years to be an overnight success. Tha...

Popular Posts

Blog Archive