Pigsty is parser and output plugin framework for your Snort unified2 files.
We wanted something that was a little more extensible than Barnyard2. Thus, Pigsty was born.
Pigsty's output architecture is plugin based. You must install Pigsty, then install and configure any output plugins you need.
Pigsty requires libpcap (
apt get install libpcap-dev on ubuntu).
You also need to install node.js for your platform. We recommend v.10.x.
Instructions for doing so are here: https://github.com/joyent/node/wiki/Installing-Node.js-via-package-manager
$ install node.js for your platform $ npm install pigsty -g $ sudo pigsty setup $ <edit /etc/pigsty/pigsty.config.js> $ npm install pigsty-<pluginname> -g # repeat for any plugins you need $ pigsty # run pigsty!
$ install node.js for your platform $ git clone email@example.com:threatstack/pigsty.git $ cd ./pigsty && npm install $ pigsty setup # setup your config. $ ./bin/pigsty
Currently, the following plugins are available:
To install, type
npm install <plugin> -g, e.g.
npm install pigsty-mysql -g
To upgrade pigsty to the latest version, run
npm update -g pigsty.
To upgrade any output plugin, please run
npm update -g <plugin_name>.
,.(_|,.,' /, )_______ ___j o``-' `.'-)'(") '`-j |`-._( /|_ |--^. //_]'|_| /_)_//_]' /_]'Pigsty by Threat Stack, IncUsage: pigsty [-options]-c, --config Pigsty configuration file. Default path: /etc/pigsty.config.js-D, --daemon Run Pigsty in daemon mode.--validate Check your Pigsty configuration file for errors.-P, --pid Specify a pid file (daemon mode only).-V, --verbose Turn on verbose logging.-v, --version Application version.-h, --help Application usage.Sensor Information:-n, --name Sensor name.-i, --interface Sensor interface.Log Configurations-d, --dir Log directory.-m, --match Logs file must match express to be processed.-M, --mode Processing mode (continuous|read). Default: continuous-b, --bookmark Bookmark file path.References:-R, --reference Reference file.-C, --classification Classification file.-G, --gen-msg Gen-msg.map file.-S, --sid-msg Sid-msg.map file.Example: pigsty -i en1 -n "Pigsty" -d /logs/ -m unified2.alert.* -c ~/pigsty.config.js -D
Add a section 'archiver' under logs to enable archving to an alternative directory after processing.
logs:...archiver:action: 'move' // can also be 'delete'dst: '/tmp/snort/processed' // where to move logs
Currently, the unified2 spooler reads at about 7000eps. Running w/ the pigsty-mysql output plugin, you'll get ~1000eps. This should be more than adequate for most installations, but we're actively working to make this faster.
To write your own output plugin, please refer to: https://github.com/threatstack/pigsty-example-plugin
Full documentation on writing plugins coming soon.
make: Entering directory `/usr/lib/node_modules/pigsty/node_modules/unified2/node_modules/pcap/build'CXX(target) Release/obj.target/pcap_binding/pcap_binding.o../pcap_binding.cc:5:23: fatal error: pcap/pcap.h: No such file or directorycompilation terminated.make: *** [Release/obj.target/pcap_binding/pcap_binding.o] Error 1make: Leaving directory `/usr/lib/node_modules/pigsty/node_modules/unified2/node_modules/pcap/build'gyp ERR! build errorgyp ERR! stack Error: `make` failed with exit code: 2gyp ERR! stack at ChildProcess.onExit (/usr/lib/node_modules/npm/node_modules/node-gyp/lib/build.js:267:23)gyp ERR! stack at ChildProcess.EventEmitter.emit (events.js:98:17)gyp ERR! stack at Process.ChildProcess._handle.onexit (child_process.js:789:12)gyp ERR! System Linux 3.5.0-17-genericSOLINK_MODULE(target) Release/obj.target/binding.node
A. Make sure you install libpcap
A. Usually, it will get symlinked to /usr/bin. Depending on your platform, npm bin/ path is probably not in your path.
You can look for it using
find / -name "pigsty".
Use the git issues, or send an email to firstname.lastname@example.org
Copyright (C) 2013 Threat Stack, Inc (https://www.threatstack.com)
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.