
fixed: conflict when cherry picking #51

1 parent 6de736d commit 709b5c093b4f89c192be081f8004626f814bf2f1 @binf committed Oct 24, 2012
Showing with 82 additions and 35 deletions.
  1. +5 −0 etc/barnyard2.conf
  2. +38 −16 src/barnyard2.c
  3. +10 −1 src/barnyard2.h
  4. +2 −7 src/output-plugins/spo_database.h
  5. +17 −4 src/parser.c
  6. +1 −0 src/parser.h
  7. +3 −2 src/spooler.c
  8. +0 −5 src/util.c
  9. +6 −0 src/util.h
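--- a/etc/barnyard2.conf
+++ b/etc/barnyard2.conf
@@ -29,6 +29,11 @@ config classification_file: /etc/snort/classification.config
 config gen_file: /etc/snort/gen-msg.map
 config sid_file: /etc/snort/sid-msg.map
+# Set the event cache size to defined max value before recycling of event occur.
+#
+#
+#config event_cache_size: 4096
+
 # define dedicated references similar to that of snort.
 #
 #config reference: mybugs http://www.mybugs.com/?s=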
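--- a/src/barnyard2.c
+++ b/src/barnyard2.c
@@ -186,6 +186,7 @@ static struct option long_options[] =
 {"reference", LONGOPT_ARG_REQUIRED, NULL, 'R'},
 {"classification", LONGOPT_ARG_REQUIRED, NULL, 'C'},
 {"disable-alert-on-each-packet-in-stream", LONGOPT_ARG_NONE, NULL, DISABLE_ALERT_ON_EACH_PACKET_IN_STREAM},
+ {"event-cache-size", LONGOPT_ARG_REQUIRED, NULL, EVENT_CACHE_SIZE},
 {"alert-on-each-packet-in-stream", LONGOPT_ARG_NONE, NULL, ALERT_ON_EACH_PACKET_IN_STREAM},
 {"process-new-records-only", LONGOPT_ARG_NONE, NULL, 'n'},
@@ -489,17 +490,18 @@ static int ShowUsage(char *program_name)
 FPUTS_BOTH ("\n");
 FPUTS_BOTH ("Longname options and their corresponding single char version\n");
- FPUTS_BOTH (" --reference <file> Same as -R\n");
- FPUTS_BOTH (" --classification <file> Same as -C\n");
- FPUTS_BOTH (" --gen-msg <file> Same as -G\n");
- FPUTS_BOTH (" --sid-msg <file> Same as -S\n");
- FPUTS_BOTH (" --alert-on-each-packet-in-stream Call output plugins on each packet in an alert stream\n");
- FPUTS_BOTH (" --process-new-records-only Same as -n\n");
- FPUTS_BOTH (" --pid-path <dir> Specify the directory for the barnyard2 PID file\n");
- FPUTS_BOTH (" --help Same as -?\n");
- FPUTS_BOTH (" --version Same as -V\n");
- FPUTS_UNIX (" --create-pidfile Create PID file, even when not in Daemon mode\n");
- FPUTS_UNIX (" --nolock-pidfile Do not try to lock barnyard2 PID file\n");
+ FPUTS_BOTH (" --disable-alert-on-each-packet-in-stream Alert once per event\n");
+ FPUTS_BOTH (" --event-cache-size <integer> Set Spooler MAX event cache size \n");
+ FPUTS_BOTH (" --reference <file> Same as -R\n");
+ FPUTS_BOTH (" --classification <file> Same as -C\n");
+ FPUTS_BOTH (" --gen-msg <file> Same as -G\n");
+ FPUTS_BOTH (" --sid-msg <file> Same as -S\n");
+ FPUTS_BOTH (" --process-new-records-only Same as -n\n");
+ FPUTS_BOTH (" --pid-path <dir> Specify the directory for the barnyard2 PID file\n");
+ FPUTS_BOTH (" --help Same as -?\n");
+ FPUTS_BOTH (" --version Same as -V\n");
+ FPUTS_UNIX (" --create-pidfile Create PID file, even when not in Daemon mode\n");
+ FPUTS_UNIX (" --nolock-pidfile Do not try to lock barnyard2 PID file\n");
 #ifdef MPLS
 FPUTS_BOTH (" --max-mpls-labelchain-len Specify the max MPLS label chain\n");
 FPUTS_BOTH (" --mpls-payload-type Specify the protocol (ipv4, ipv6, ethernet) that is encapsulated by MPLS\n");
@@ -630,10 +632,9 @@ static void ParseCmdLine(int argc, char **argv)
 ConfigNoLoggingTimestamps(bc, NULL);
 break;
- case ALERT_ON_EACH_PACKET_IN_STREAM:
- ConfigAlertOnEachPacketInStream(bc, NULL);
- break;
-
+ case EVENT_CACHE_SIZE:
+ ConfigSetEventCacheSize(bc,optarg);
+ break;
 #ifdef MPLS
 case MAX_MPLS_LABELCHAIN_LEN:
 ConfigMaxMplsLabelChain(bc, optarg);
@@ -1523,10 +1524,17 @@ static Barnyard2Config * MergeBarnyard2Confs(Barnyard2Config *cmd_line, Barnyard
 config_file->log_dir = SnortStrdup(cmd_line->log_dir);
 }
-
+
 if (config_file == NULL)
 return cmd_line;
+ if( cmd_line->event_cache_size > config_file->event_cache_size)
+ {
+ config_file->event_cache_size = cmd_line->event_cache_size;
+ }
+
+
+
 /* Used because of a potential chroot */
 config_file->orig_log_dir = SnortStrdup(config_file->log_dir);
@@ -1721,6 +1729,20 @@ static void Barnyard2Init(int argc, char **argv)
 bc->config_dir = strdup(barnyard2_conf_dir);
 bc->config_file = strdup(barnyard2_conf_file);
+
+ /* Merge the command line and config file confs to take care of
+ * command line overriding config file.
+ * Set the global barnyard2_conf that will be used during run time */
+ barnyard2_conf = MergeBarnyard2Confs(barnyard2_cmd_line_conf, bc);
+
+ if(barnyard2_conf->event_cache_size == 0)
+ {
+ barnyard2_conf->event_cache_size = 2048;
+ }
+
+ LogMessage("Barnyard2 spooler: Event cache size set to [%u] \n",
+ barnyard2_conf->event_cache_size);
+
 }
 ConfigureInputPlugins(bc);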
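Review bot: The merge added to MergeBarnyard2Confs keeps the larger of the two values (`cmd_line->event_cache_size > config_file->event_cache_size`), so a command-line `--event-cache-size` smaller than the config-file setting is silently ignored, which contradicts the "command line overriding config file" comment added in Barnyard2Init. An unset value appears to be 0 (Barnyard2Init tests for it), so the override can be written as `if (cmd_line->event_cache_size != 0) config_file->event_cache_size = cmd_line->event_cache_size;`. Separately, the ParseCmdLine hunk drops `case ALERT_ON_EACH_PACKET_IN_STREAM:` while `alert-on-each-packet-in-stream` stays in `long_options`, so that option presumably now reaches whatever the switch does for unhandled ids; the rest of the switch is outside the hunk. The fallback `2048` in Barnyard2Init would also read better as a named constant shared with the documentation in etc/barnyard2.conf.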
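--- a/src/barnyard2.h
+++ b/src/barnyard2.h
@@ -61,7 +61,6 @@
 /* I N C L U D E S **********************************************************/
 /* D E F I N E S ************************************************************/
-
 #define PROGRAM_NAME "Barnyard"
 #define VER_MAJOR "2"
 #define VER_MINOR "2"
@@ -165,6 +164,7 @@ typedef enum _GetOptLongIds
 CONF_ERROR_OUT,
 DISABLE_ALERT_ON_EACH_PACKET_IN_STREAM,
 ALERT_ON_EACH_PACKET_IN_STREAM,
+ EVENT_CACHE_SIZE,
 #ifdef MPLS
 MAX_MPLS_LABELCHAIN_LEN,
@@ -301,8 +301,17 @@ typedef struct _Barnyard2Config
 int run_flags;
 int output_flags;
 int logging_flags;
+<<<<<<< HEAD
 VarEntry *var_table;
+=======
+// int log_tcpdump;
+// int no_log;
+
+ unsigned int event_cache_size;
+
+ VarEntry *var_table;
+>>>>>>> fixed: conflict when cherry picking #51
 #ifdef SUP_IP6
 vartable_t *ip_vartable;
 #endif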
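Review bot: The struct hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> fixed: conflict when cherry picking #51`) as added lines inside `struct _Barnyard2Config`, so this header will not compile as written and `var_table` appears twice. The resolved form keeps one copy of each member, `unsigned int event_cache_size;` followed by `VarEntry *var_table;`, and the commented-out `log_tcpdump` / `no_log` fields can be dropped. A pre-commit or CI check that rejects conflict markers would catch this class of mistake before it reaches the tree. The struct body continues outside the hunk.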
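--- a/src/output-plugins/spo_database.h
+++ b/src/output-plugins/spo_database.h
@@ -103,16 +103,11 @@ typedef SQLCHAR ODBC_SQLCHAR;
 #include "plugbase.h"
 #ifndef DATABASE_MAX_ESCAPE_STATIC_BUFFER_LEN
-#define DATABASE_MAX_ESCAPE_STATIC_BUFFER_LEN 32768 /* Should theorically be enough to escape ....alot of queries */
+#define DATABASE_MAX_ESCAPE_STATIC_BUFFER_LEN MAX_QUERY_LENGTH /* Should theorically be enough to escape ....alot of queries */
 #endif /* DATABASE_MAX_ESCAPE_STATIC_BUFFER_LEN */
-#ifndef MAX_QUERY_LENGTH
-//#define MAX_QUERY_LENGTH 8192
-#define MAX_QUERY_LENGTH (65536 * 2) /* Lets add some space for payload decoding and query esaping..*/
-#endif /* MAX_QUERY_LENGTH */
-
 #ifndef MAX_SQL_QUERY_OPS
-#define MAX_SQL_QUERY_OPS 20
+#define MAX_SQL_QUERY_OPS 50 /* In case we get a IP packet with 40 options */
 #endif /* MAX_SQL_QUERY_OPS */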
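Review bot: `DATABASE_MAX_ESCAPE_STATIC_BUFFER_LEN` now expands to `MAX_QUERY_LENGTH`, but this header no longer defines that macro and the only include visible in the hunk is `plugbase.h`; the definition moved to src/util.h in this commit, so every unit that uses the escape-buffer constant needs util.h in scope, and an explicit `#include "util.h"` here would make that independent of include order. The escape buffer and the query buffer are now the same size, while SQL escaping can expand its input, so the escape routine (not visible here) should be confirmed to bound-check against this constant rather than assume headroom. The comment on `MAX_SQL_QUERY_OPS` could also name the array or loop that the limit of 50 protects.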
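--- a/src/parser.c
+++ b/src/parser.c
@@ -189,9 +189,10 @@ static const KeywordFunc barnyard2_conf_keywords[] =
 static const ConfigFunc config_opts[] =
 {
-
 //{ CONFIG_OPT__ALERT_ON_EACH_PACKET_IN_STREAM, 0, 1, ConfigAlertOnEachPacketInStream },
 //{ CONFIG_OPT__ALERT_WITH_IFACE_NAME, 0, 1, ConfigAlertWithInterfaceName },
+ { CONFIG_OPT__DISABLE_ALERT_ON_EACH_PACKET_IN_STREAM, 0, 1, ConfigDisableAlertOnEachPacketInStream },
+ { CONFIG_OPT__EVENT_CACHE_SIZE, 0, 1, ConfigSetEventCacheSize },
 { CONFIG_OPT__ARCHIVE_DIR, 1, 1, ConfigArchiveDir },
 { CONFIG_OPT__CHROOT_DIR, 1, 1, ConfigChrootDir },
 { CONFIG_OPT__CLASSIFICATION, 1, 0, ConfigClassification },
@@ -1604,15 +1605,27 @@ void ConfigAlertOnEachPacketInStream(Barnyard2Config *bc, char *args)
 {
 if (bc == NULL)
 return;
-
+
 LogMessage("INFO: Alerting on each packet associated with an event: is now enabled by default. \n"
 " use: command line argument --disable-alert-on-each-packet-in-stream or \n"
- " configure file argument disable-alert-on-each-packet-in-stream to disable the feature \n");
-
+ " configure file argument disable-alert-on-each-packet-in-stream to disable the feature \n");
+
 return;
 }
+void ConfigSetEventCacheSize(Barnyard2Config *bc, char *args)
+{
+ if( (bc == NULL) ||
+ (args == NULL))
+ {
+ return;
+ }
+
+ bc->event_cache_size = strtoul(args,NULL,10);
+ return;
+}
+
 void ConfigDisableAlertOnEachPacketInStream(Barnyard2Config *bc, char *args)
 {
 if (bc == NULL)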
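Review bot: `ConfigSetEventCacheSize` stores `strtoul(args,NULL,10)` straight into the `unsigned int` field without checking the parse: non-numeric text yields 0 (which silently becomes the 2048 default), a leading `-` wraps to a huge value, and on LP64 targets anything above `UINT_MAX` is truncated. This value is the only bound on the spooler's event cache, so it should be parsed with an end pointer and `errno` and limited to a sane ceiling; the ceiling name in the sketch below is a placeholder for a constant the project would choose. The new `config_opts` entry also has `0` in its second column where the neighbouring entries that take a value have `1`; if that column means "argument required" (the table's struct is outside the hunk), it should probably be `1`.

```c
void ConfigSetEventCacheSize(Barnyard2Config *bc, char *args)
{
    char *end = NULL;
    unsigned long val;

    if ((bc == NULL) || (args == NULL))
        return;

    /* strtoul() accepts a leading '-' and wraps, so reject it up front */
    if (strchr(args, '-') != NULL)
    {
        LogMessage("WARNING: invalid event_cache_size [%s], value ignored\n", args);
        return;
    }

    errno = 0;
    val = strtoul(args, &end, 10);

    /* tolerate trailing whitespace left by the config tokenizer */
    while (isspace((unsigned char)*end))
        end++;

    if ((end == args) || (*end != '\0') || (errno == ERANGE) ||
        (val == 0) ||
        (val > EVENT_CACHE_SIZE_LIMIT)) /* placeholder: cap to be chosen by the project */
    {
        LogMessage("WARNING: invalid event_cache_size [%s], value ignored\n", args);
        return;
    }

    bc->event_cache_size = (unsigned int)val;
}
```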
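--- a/src/parser.h
+++ b/src/parser.h
@@ -44,6 +44,7 @@
 /* Config options */
 #define CONFIG_OPT__DISABLE_ALERT_ON_EACH_PACKET_IN_STREAM "disable_alert_on_each_packet_in_stream"
+#define CONFIG_OPT__EVENT_CACHE_SIZE "event_cache_size"
 #define CONFIG_OPT__ALERT_ON_EACH_PACKET_IN_STREAM "alert_on_each_packet_in_stream"
 #define CONFIG_OPT__ALERT_WITH_IFACE_NAME "alert_with_interface_name"
 #define CONFIG_OPT__ARCHIVE_DIR "archivedir"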
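Review bot: No prototype for `ConfigSetEventCacheSize` is added alongside the new keyword, although this commit calls the function from src/barnyard2.c and references it in the `config_opts` table in src/parser.c ahead of its definition. Unless a declaration already exists outside this hunk, add `void ConfigSetEventCacheSize(Barnyard2Config *bc, char *args);` with the other config handler declarations so the calls are type-checked rather than implicitly declared.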
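--- a/src/spooler.c
+++ b/src/spooler.c
@@ -43,7 +43,7 @@
 #include "barnyard2.h"
 #include "debug.h"
-#define CACHED_EVENTS_MAX 256
+
 int ProcessContinuous(InputConfig *);
 int ProcessContinuousWithWaldo(InputConfig *);
@@ -1172,6 +1172,7 @@ int ProcessContinuous(InputConfig *iContext)
 /* This is where the actual processing occur or data was appended. */
 else
 {
+
 spooler->max_read_size = ((Unified2InputPluginContext *)iContext->context)->read_size;
 spooler->read_buffer = ((Unified2InputPluginContext *)iContext->context)->read_buffer;
@@ -1522,7 +1523,7 @@ int spoolerEventCacheClean(Spooler *spooler)
 ernPrev = spooler->event_cache;
 ernCurrent = spooler->event_cache;
- while (ernCurrent != NULL && spooler->events_cached > CACHED_EVENTS_MAX )
+ while (ernCurrent != NULL && spooler->events_cached > barnyard2_conf->event_cache_size )
 {
 ernNext = ernCurrent->next;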
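Review bot: The eviction loop in spoolerEventCacheClean now takes its threshold from `barnyard2_conf->event_cache_size` with no local fallback, so the limit is whatever the operator supplied: the removed `CACHED_EVENTS_MAX` of 256 is replaced by a default of 2048 set in Barnyard2Init, and nothing here caps it. Because the cache is walked as a linked list (`ernCurrent->next`), a very large setting raises both the memory held per spooler and the cost of each walk, which is worth documenting next to the loop, e.g. `/* evict once events_cached exceeds the configured event_cache_size (0 is replaced by the default at startup) */`. The loop body continues outside the hunk.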
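--- a/src/util.c
+++ b/src/util.c
@@ -97,11 +97,6 @@ static char _PATH_VARRUN[STD_BUF];
 #define FILE_MAX_UTIL (PATH_MAX_UTIL + NAME_MAX_UTIL)
-#ifndef MAX_QUERY_LENGTH
-//#define MAX_QUERY_LENGTH 8192
-#define MAX_QUERY_LENGTH 65536 /* Lets add some space for payload decoding and query esaping..*/
-#endif /* MAX_QUERY_LENGTH */
-
 /****************************************************************************
 *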
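--- a/src/util.h
+++ b/src/util.h
@@ -78,6 +78,12 @@
 #define DETAIL_FAST 0
 #define DETAIL_FULL 1
+#ifndef MAX_QUERY_LENGTH
+#define MAX_QUERY_LENGTH ((65536 * 2) + 4096) /* Lets add some space for payload decoding and query esaping..*/
+#endif /* MAX_QUERY_LENGTH */
+
+
+
 /* Externs ********************************************************************/
 extern uint32_t *netmasks;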
