Version 2-1.11

Bumped: revision to 316

Fix: Added config directive event_cache_size and/or command line
     argument --event-cache-size to allow to define spooler cache max size,
     if the command line argument or the config directive are not
     defined the default cache size is set to 2048

Fix: enable alert-on-each-packet-in-stream by default, to disable use
     --disable-alert-on-each-packet-in-stream or use
     config disable_alert_on_each_packet_in_stream

Fix: spo_database.c:
      Was never resolved shared object (SO_RULE) signature message.

Fix: Call to GetSigByGidSid now use event revision and generate correct
     Snort Alert [gid:sid:rev] messages.

Fix: spo_syslog_full
     i)  operation_mode complete display ip in doted notation instead
         of host alligned integers for alert_ and log_
     ii) Signature will also by default be prefixed with
         [gid:sid:rev] block
     iii) missing break statement that was causing the output plugin to
          output ALERT AND LOG in complete mode.

etc/barnyard2.conf

@@ -29,6 +29,11 @@ config classification_file: /etc/snort/classification.config
 config gen_file:            /etc/snort/gen-msg.map
 config sid_file:            /etc/snort/sid-msg.map
 
+# Set the event cache size to defined max value before recycling of event occur.
+#
+#
+#config event_cache_size: 4096
+
 # define dedicated references similar to that of snort.
 #
 #config reference: mybugs http://www.mybugs.com/?s=

src/barnyard2.c

@@ -189,6 +189,8 @@ static struct option long_options[] =
    {"sid-msg", LONGOPT_ARG_REQUIRED, NULL, 'S'},
    {"reference", LONGOPT_ARG_REQUIRED, NULL, 'R'},
    {"classification", LONGOPT_ARG_REQUIRED, NULL, 'C'},
+   {"disable-alert-on-each-packet-in-stream", LONGOPT_ARG_NONE, NULL, DISABLE_ALERT_ON_EACH_PACKET_IN_STREAM},
+   {"event-cache-size", LONGOPT_ARG_REQUIRED, NULL, EVENT_CACHE_SIZE},
    {"alert-on-each-packet-in-stream", LONGOPT_ARG_NONE, NULL, ALERT_ON_EACH_PACKET_IN_STREAM},
    {"process-new-records-only", LONGOPT_ARG_NONE, NULL, 'n'},
 
@@ -500,11 +502,12 @@ static int ShowUsage(char *program_name)
 	FPUTS_BOTH ("\n");
 
     FPUTS_BOTH ("Longname options and their corresponding single char version\n");
+    FPUTS_BOTH ("   --disable-alert-on-each-packet-in-stream  Alert once per event\n");
+    FPUTS_BOTH ("   --event-cache-size <integer>      Set Spooler MAX event cache size \n");
     FPUTS_BOTH ("   --reference <file>                Same as -R\n");
     FPUTS_BOTH ("   --classification <file>           Same as -C\n");
     FPUTS_BOTH ("   --gen-msg <file>                  Same as -G\n");
     FPUTS_BOTH ("   --sid-msg <file>                  Same as -S\n");
-    FPUTS_BOTH ("   --alert-on-each-packet-in-stream  Call output plugins on each packet in an alert stream\n");
     FPUTS_BOTH ("   --process-new-records-only        Same as -n\n");
     FPUTS_BOTH ("   --pid-path <dir>                  Specify the directory for the barnyard2 PID file\n");
     FPUTS_BOTH ("   --help                            Same as -?\n");
@@ -563,7 +566,10 @@ static void ParseCmdLine(int argc, char **argv)
     barnyard2_cmd_line_conf = Barnyard2ConfNew();
     barnyard2_conf = barnyard2_cmd_line_conf;     /* Set the global for log messages */
     bc = barnyard2_cmd_line_conf;
-
+
+    /* alert_on_each_packet_in_stream_flag enabled by default */
+    bc->alert_on_each_packet_in_stream_flag = 1;
+
     /* Look for a -D and/or -M switch so we can start logging to syslog
      * with "barnyard2" tag right away */
     for (i = 0; i < argc; i++)
@@ -638,9 +644,17 @@ static void ParseCmdLine(int argc, char **argv)
                 ConfigNoLoggingTimestamps(bc, NULL);
                 break;
 
+            case DISABLE_ALERT_ON_EACH_PACKET_IN_STREAM:
+                ConfigDisableAlertOnEachPacketInStream(bc, NULL);
+                break;
+
+	    case EVENT_CACHE_SIZE:
+	        ConfigSetEventCacheSize(bc,optarg);
+		break;
+
             case ALERT_ON_EACH_PACKET_IN_STREAM:
                 ConfigAlertOnEachPacketInStream(bc, NULL);
-                break;
+		break;
 
 #ifdef MPLS
             case MAX_MPLS_LABELCHAIN_LEN:
@@ -1538,10 +1552,18 @@ static Barnyard2Config * MergeBarnyard2Confs(Barnyard2Config *cmd_line, Barnyard
 
         config_file->log_dir = SnortStrdup(cmd_line->log_dir);
     }
-
+    
     if (config_file == NULL)
         return cmd_line;
+
+
+    if( cmd_line->event_cache_size > config_file->event_cache_size)
+    {
+	config_file->event_cache_size = cmd_line->event_cache_size;
+    }
+
 
+
     /* Used because of a potential chroot */
     config_file->orig_log_dir = SnortStrdup(config_file->log_dir);
 
@@ -1745,6 +1767,15 @@ static void Barnyard2Init(int argc, char **argv)
          * command line overriding config file.
          * Set the global barnyard2_conf that will be used during run time */
         barnyard2_conf = MergeBarnyard2Confs(barnyard2_cmd_line_conf, bc);
+
+	if(barnyard2_conf->event_cache_size == 0)
+	{
+	    barnyard2_conf->event_cache_size = 2048;
+	}
+
+	LogMessage("Barnyard2 spooler: Event cache size set to [%u] \n",
+		   barnyard2_conf->event_cache_size);
+
     }
 
     /* pcap_snaplen is already initialized to SNAPLEN */

src/barnyard2.h

@@ -60,10 +60,10 @@
 
 /*  D E F I N E S  ************************************************************/
 #define PROGRAM_NAME	"Barnyard"
-#define VER_MAJOR		"2"
-#define VER_MINOR		"1"
-#define VER_REVISION	"10"
-#define VER_BUILD		"313"
+#define VER_MAJOR	"2"
+#define VER_MINOR	"1"
+#define VER_REVISION	"11"
+#define VER_BUILD	"316"
 
 #define STD_BUF  1024
 
@@ -159,7 +159,9 @@ typedef enum _GetOptLongIds
 
     DETECTION_SEARCH_METHOD,
     CONF_ERROR_OUT,
+    DISABLE_ALERT_ON_EACH_PACKET_IN_STREAM,
     ALERT_ON_EACH_PACKET_IN_STREAM,
+    EVENT_CACHE_SIZE,
 
 #ifdef MPLS
     MAX_MPLS_LABELCHAIN_LEN,
@@ -296,22 +298,24 @@ typedef struct _Barnyard2Config
     int logging_flags;
 //    int log_tcpdump;
 //    int no_log;
+
+    unsigned int event_cache_size;
 
     VarEntry            *var_table;
 #ifdef SUP_IP6
     vartable_t          *ip_vartable;
 #endif
 
-	/* staging - snort specific variables */
-	int					checksums_mode;
-	char				ignore_ports[0x10000];
-
+    /* staging - snort specific variables */
+    int					checksums_mode;
+    char				ignore_ports[0x10000];
+    
     /* general variables */
     char				*config_file;           /* -c */
     char				*config_dir;
-
-	char				*hostname;		        /* -h or config hostname */
-	char				*interface;		        /* -i or config interface */
+    
+    char				*hostname;		        /* -h or config hostname */
+    char				*interface;		        /* -i or config interface */
 
     char				*class_file;            /* -C or config class_map */
     char				*sid_msg_file;          /* -S or config sid_map */
@@ -328,36 +332,36 @@ typedef struct _Barnyard2Config
 
     int					quiet_flag;
     int					verbose_flag;
-	int					verbose_bytedump_flag;
-	int					show2hdr_flag;
-	int					char_data_flag;
-	int					data_flag;
-	int					obfuscation_flag;
+    int					verbose_bytedump_flag;
+    int					show2hdr_flag;
+    int					char_data_flag;
+    int					data_flag;
+    int					obfuscation_flag;
     int                 alert_on_each_packet_in_stream_flag;
-
-	int					logtosyslog_flag;
-	int					test_mode_flag;
-	
-	int					use_utc;
-	int					include_year;
-	
+    
+    int					logtosyslog_flag;
+    int					test_mode_flag;
+    
+    int					use_utc;
+    int					include_year;
+    
     int					line_buffer_flag;
     char				nostamp;
 
-
+    
     int                 user_id;
     int                 group_id;
     mode_t              file_mask;
-
+    
     /* -h and -B */
 #ifdef SUP_IP6
-	sfip_t				homenet;
-	sfip_t				obfuscation_net;
+    sfip_t				homenet;
+    sfip_t				obfuscation_net;
 #else
-	u_long				homenet;
-	u_long				netmask;
-	uint32_t			obfuscation_net;
-	uint32_t			obfuscation_mask;
+    u_long				homenet;
+    u_long				netmask;
+    uint32_t			obfuscation_net;
+    uint32_t			obfuscation_mask;
 #endif
 
 #ifdef MPLS
@@ -367,12 +371,12 @@ typedef struct _Barnyard2Config
 
 	/* batch mode options */
     int					batch_mode_flag;
-	int					batch_total_files;
-	char				**batch_filelist;
-
+    int					batch_total_files;
+    char				**batch_filelist;
+    
     /* continual mode options */
-	int					process_new_records_only_flag;
-	Waldo				waldo;
+    int					process_new_records_only_flag;
+    Waldo				waldo;
     char				*archive_dir;
     int					daemon_flag;
     int					daemon_restart_flag;

src/map.c

@@ -632,34 +632,34 @@ void ParseSidMapLine(Barnyard2Config *bc, char *data)
     return;
 }
 
-SigNode *GetSigByGidSid(u_int32_t gid, u_int32_t sid)
+SigNode *GetSigByGidSid(u_int32_t gid, u_int32_t sid,u_int32_t revision)
 {
-  /* set temp node pointer to the Sid map list head */
+    /* set temp node pointer to the Sid map list head */
     SigNode *sn = sigTypes;
-
-  /* a snort general rule (gid=1) and a snort dynamic rule (gid=3) use the  */
-  /* the same sids and thus can be considered one in the same. */
-  if (gid == 3)
-    gid = 1;
-
+    
+    /* a snort general rule (gid=1) and a snort dynamic rule (gid=3) use the  */
+    /* the same sids and thus can be considered one in the same. */
+    if (gid == 3)
+	gid = 1;
+    
     /* find any existing Snort ID's that match */
     while (sn != NULL)
     {
         if (sn->generator == gid && sn->id == sid)
         {
             return sn;
         }
-
+	
         sn = sn->next;
     }
 
   /* create a default message since we didn't find any match */
     sn = CreateSigNode(&sigTypes);
     sn->generator = gid;
     sn->id = sid;
-    sn->rev = 0;
+    sn->rev = revision;
     sn->msg = (char *)SnortAlloc(42);
-    snprintf(sn->msg, 42, "Snort Alert [%u:%u:%u]", gid, sid, 0);
+    snprintf(sn->msg, 42, "Snort Alert [%u:%u:%u]", gid, sid, revision);
 
     return sn;
 }

src/map.h

@@ -123,7 +123,7 @@ void ParseClassificationConfig(struct _Barnyard2Config *, char *args);
 
 void DeleteClassTypes();
 
-SigNode *GetSigByGidSid(uint32_t, uint32_t);
+SigNode *GetSigByGidSid(uint32_t, uint32_t, uint32_t);
 
 int ReadSidFile(struct _Barnyard2Config *, const char *);
 void ParseSidMapLine(struct _Barnyard2Config *, char *);

src/output-plugins/spo_alert_bro.c

@@ -168,7 +168,8 @@ void AlertBro(Packet *p, void *event, u_int32_t event_type, void *arg)
     }
 
     sn = GetSigByGidSid(ntohl(uevent->generator_id),
-                        ntohl(uevent->signature_id));
+                        ntohl(uevent->signature_id),
+	                ntohl(uevent->signature_revision));
 
     if(p && IPH_IS_VALID(p))
     {

src/output-plugins/spo_alert_cef.c

@@ -506,7 +506,9 @@ void AlertCEF(Packet *p, void *event, u_int32_t event_type, void *arg)
 
 	data = (CEFData *)arg;
 	sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
-						ntohl(((Unified2EventCommon *)event)->signature_id));
+			    ntohl(((Unified2EventCommon *)event)->signature_id),
+			    ntohl(((Unified2EventCommon *)event)->signature_revision));
+
 	cn = ClassTypeLookupById(barnyard2_conf, ntohl(((Unified2EventCommon *)event)->classification_id));
 
     /* Remove this check when we support IPv6 below. */

src/output-plugins/spo_alert_csv.c

@@ -347,7 +347,8 @@ static void RealAlertCSV(Packet * p, void *event, uint32_t event_type,
             if ( event != NULL )
             {
                 sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
-                                ntohl(((Unified2EventCommon *)event)->signature_id));
+				    ntohl(((Unified2EventCommon *)event)->signature_id),
+				    ntohl(((Unified2EventCommon *)event)->signature_revision));
 
                 if (sn != NULL)
                 {

src/output-plugins/spo_alert_fast.c

@@ -158,7 +158,8 @@ static void AlertFast(Packet *p, void *event, uint32_t event_type, void *arg)
 
     data = (SpoAlertFastData *)arg;
     sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
-                        ntohl(((Unified2EventCommon *)event)->signature_id));
+                        ntohl(((Unified2EventCommon *)event)->signature_id),
+			ntohl(((Unified2EventCommon *)event)->signature_revision));
 
     LogTimeStamp(data->log, p);
 

src/output-plugins/spo_alert_full.c

@@ -149,7 +149,9 @@ static void AlertFull(Packet *p, void *event, uint32_t event_type, void *arg)
 
     data = (SpoAlertFullData *)arg;
 	sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
-						ntohl(((Unified2EventCommon *)event)->signature_id));
+			    ntohl(((Unified2EventCommon *)event)->signature_id),
+			    ntohl(((Unified2EventCommon *)event)->signature_revision));
+
 
 
     if(sn != NULL)

src/output-plugins/spo_alert_fwsam.c

@@ -1017,7 +1017,9 @@ void AlertFWsam(Packet *p, void *event, uint32_t event_type, void *arg)
 
     optp=NULL;
     sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
-                        ntohl(((Unified2EventCommon *)event)->signature_id));
+                        ntohl(((Unified2EventCommon *)event)->signature_id),
+			ntohl(((Unified2EventCommon *)event)->signature_revision));
+
     cn = ClassTypeLookupById(barnyard2_conf, ntohl(((Unified2EventCommon *)event)->classification_id));
 
     if(FWsamOptionField)            /* If using the file (field present), let's use that */

src/output-plugins/spo_alert_prelude.c

@@ -574,7 +574,9 @@ static int event_to_reference(void *event, idmef_classification_t *class)
      * return if we have no information about the rule.
      */
 	sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
-						ntohl(((Unified2EventCommon *)event)->signature_id));
+			    ntohl(((Unified2EventCommon *)event)->signature_id),
+			    ntohl(((Unified2EventCommon *)event)->signature_revision));
+
 
 	if (sn == NULL)
         return 0;
@@ -623,7 +625,8 @@ void snort_alert_prelude(Packet *p, void *event, u_int32_t event_type, void *dat
             return;
 
 		sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
-							ntohl(((Unified2EventCommon *)event)->signature_id));
+				    ntohl(((Unified2EventCommon *)event)->signature_id),
+				    ntohl(((Unified2EventCommon *)event)->signature_revision));
 
 		if (sn == NULL)
 			return;

src/output-plugins/spo_alert_syslog.c

@@ -517,7 +517,10 @@ void AlertSyslog(Packet *p, void *event, uint32_t event_type, void *arg)
 
 	data = (SyslogData *)arg;
 	sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
-						ntohl(((Unified2EventCommon *)event)->signature_id));
+			    ntohl(((Unified2EventCommon *)event)->signature_id),
+			    ntohl(((Unified2EventCommon *)event)->signature_revision));
+
+
 	cn = ClassTypeLookupById(barnyard2_conf, ntohl(((Unified2EventCommon *)event)->classification_id));
     event_string[0] = '\0';
 

src/output-plugins/spo_alert_test.c

@@ -178,7 +178,8 @@ void AlertTest(Packet *p, void *event, u_int32_t event_type, void *arg)
     if (data->flags & TEST_FLAG_MSG)
     {
 		sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
-							ntohl(((Unified2EventCommon *)event)->signature_id));
+				    ntohl(((Unified2EventCommon *)event)->signature_id),
+				    ntohl(((Unified2EventCommon *)event)->signature_revision));
 
         if(sn != NULL)
         {