diff --git a/etc/barnyard2.conf b/etc/barnyard2.conf index fc14b16..9423e44 100644 --- a/etc/barnyard2.conf +++ b/etc/barnyard2.conf @@ -29,6 +29,11 @@ config classification_file: /etc/snort/classification.config config gen_file: /etc/snort/gen-msg.map config sid_file: /etc/snort/sid-msg.map +# Set the event cache size to defined max value before recycling of event occur. +# +# +#config event_cache_size: 4096 + # define dedicated references similar to that of snort. # #config reference: mybugs http://www.mybugs.com/?s= diff --git a/src/barnyard2.c b/src/barnyard2.c index 77bd4e7..0504a62 100644 --- a/src/barnyard2.c +++ b/src/barnyard2.c @@ -189,6 +189,8 @@ static struct option long_options[] = {"sid-msg", LONGOPT_ARG_REQUIRED, NULL, 'S'}, {"reference", LONGOPT_ARG_REQUIRED, NULL, 'R'}, {"classification", LONGOPT_ARG_REQUIRED, NULL, 'C'}, + {"disable-alert-on-each-packet-in-stream", LONGOPT_ARG_NONE, NULL, DISABLE_ALERT_ON_EACH_PACKET_IN_STREAM}, + {"event-cache-size", LONGOPT_ARG_REQUIRED, NULL, EVENT_CACHE_SIZE}, {"alert-on-each-packet-in-stream", LONGOPT_ARG_NONE, NULL, ALERT_ON_EACH_PACKET_IN_STREAM}, {"process-new-records-only", LONGOPT_ARG_NONE, NULL, 'n'}, @@ -500,11 +502,12 @@ static int ShowUsage(char *program_name) FPUTS_BOTH ("\n"); FPUTS_BOTH ("Longname options and their corresponding single char version\n"); + FPUTS_BOTH (" --disable-alert-on-each-packet-in-stream Alert once per event\n"); + FPUTS_BOTH (" --event-cache-size Set Spooler MAX event cache size \n"); FPUTS_BOTH (" --reference Same as -R\n"); FPUTS_BOTH (" --classification Same as -C\n"); FPUTS_BOTH (" --gen-msg Same as -G\n"); FPUTS_BOTH (" --sid-msg Same as -S\n"); - FPUTS_BOTH (" --alert-on-each-packet-in-stream Call output plugins on each packet in an alert stream\n"); FPUTS_BOTH (" --process-new-records-only Same as -n\n"); FPUTS_BOTH (" --pid-path Specify the directory for the barnyard2 PID file\n"); FPUTS_BOTH (" --help Same as -?\n"); 
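Review bot: The ShowUsage hunk removes the help line for `--alert-on-each-packet-in-stream` while the long_options hunk above still registers the option and the ParseCmdLine hunk still dispatches it, so it becomes an accepted but undocumented flag. Either keep a usage line marking it as a deprecated no-op or retire the option in all three places together. The new `--event-cache-size` line also does not show that the option takes a value and has a trailing space before the newline; something like `FPUTS_BOTH (" --event-cache-size <n> Maximum number of events kept in the spooler cache\n");` reads better.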
@@ -563,7 +566,10 @@ static void ParseCmdLine(int argc, char **argv) barnyard2_cmd_line_conf = Barnyard2ConfNew(); barnyard2_conf = barnyard2_cmd_line_conf; /* Set the global for log messages */ bc = barnyard2_cmd_line_conf; - + + /* alert_on_each_packet_in_stream_flag enabled by default */ + bc->alert_on_each_packet_in_stream_flag = 1; + /* Look for a -D and/or -M switch so we can start logging to syslog * with "barnyard2" tag right away */ for (i = 0; i < argc; i++) @@ -638,9 +644,17 @@ static void ParseCmdLine(int argc, char **argv) ConfigNoLoggingTimestamps(bc, NULL); break; + case DISABLE_ALERT_ON_EACH_PACKET_IN_STREAM: + ConfigDisableAlertOnEachPacketInStream(bc, NULL); + break; + + case EVENT_CACHE_SIZE: + ConfigSetEventCacheSize(bc,optarg); + break; + case ALERT_ON_EACH_PACKET_IN_STREAM: ConfigAlertOnEachPacketInStream(bc, NULL); - break; + break; #ifdef MPLS case MAX_MPLS_LABELCHAIN_LEN: @@ -1538,10 +1552,18 @@ static Barnyard2Config * MergeBarnyard2Confs(Barnyard2Config *cmd_line, Barnyard config_file->log_dir = SnortStrdup(cmd_line->log_dir); } - + if (config_file == NULL) return cmd_line; + + + if( cmd_line->event_cache_size > config_file->event_cache_size) + { + config_file->event_cache_size = cmd_line->event_cache_size; + } + + /* Used because of a potential chroot */ config_file->orig_log_dir = SnortStrdup(config_file->log_dir); @@ -1745,6 +1767,15 @@ static void Barnyard2Init(int argc, char **argv) * command line overriding config file. * Set the global barnyard2_conf that will be used during run time */ barnyard2_conf = MergeBarnyard2Confs(barnyard2_cmd_line_conf, bc); + + if(barnyard2_conf->event_cache_size == 0) + { + barnyard2_conf->event_cache_size = 2048; + } + + LogMessage("Barnyard2 spooler: Event cache size set to [%u] \n", + barnyard2_conf->event_cache_size); + } /* pcap_snaplen is already initialized to SNAPLEN */ diff --git a/src/barnyard2.h b/src/barnyard2.h index bfa5e68..9e10394 100644 --- a/src/barnyard2.h +++ b/src/barnyard2.h 
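Review bot: In the MergeBarnyard2Confs hunk the command-line event_cache_size only wins when it is larger than the config-file value, so `--event-cache-size 512` against a config file that sets 4096 is silently ignored, which contradicts the "command line overriding config file" comment visible as context in the Barnyard2Init hunk. Treat 0 as "not given" and otherwise let the command line win: `if (cmd_line->event_cache_size != 0) { config_file->event_cache_size = cmd_line->event_cache_size; }`. The enclosing function starts before this hunk.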
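Review bot: The fallback `barnyard2_conf->event_cache_size = 2048;` in the Barnyard2Init hunk is a bare magic number that replaces the `CACHED_EVENTS_MAX` define this commit deletes from spooler.c, and it is now the only place the default is recorded. Give it a name next to the struct field, for example `#define EVENT_CACHE_SIZE_DEFAULT 2048`, and use it here and in the usage text so the two cannot drift. A short comment above the check saying that 0 means "not configured" would also help, since a configured 0 is indistinguishable from an absent setting.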
@@ -60,10 +60,10 @@ /* D E F I N E S ************************************************************/ #define PROGRAM_NAME "Barnyard" -#define VER_MAJOR "2" -#define VER_MINOR "1" -#define VER_REVISION "10" -#define VER_BUILD "313" +#define VER_MAJOR "2" +#define VER_MINOR "1" +#define VER_REVISION "11" +#define VER_BUILD "316" #define STD_BUF 1024 @@ -159,7 +159,9 @@ typedef enum _GetOptLongIds DETECTION_SEARCH_METHOD, CONF_ERROR_OUT, + DISABLE_ALERT_ON_EACH_PACKET_IN_STREAM, ALERT_ON_EACH_PACKET_IN_STREAM, + EVENT_CACHE_SIZE, #ifdef MPLS MAX_MPLS_LABELCHAIN_LEN, @@ -296,22 +298,24 @@ typedef struct _Barnyard2Config int logging_flags; // int log_tcpdump; // int no_log; + + unsigned int event_cache_size; VarEntry *var_table; #ifdef SUP_IP6 vartable_t *ip_vartable; #endif - /* staging - snort specific variables */ - int checksums_mode; - char ignore_ports[0x10000]; - + /* staging - snort specific variables */ + int checksums_mode; + char ignore_ports[0x10000]; + /* general variables */ char *config_file; /* -c */ char *config_dir; - - char *hostname; /* -h or config hostname */ - char *interface; /* -i or config interface */ + + char *hostname; /* -h or config hostname */ + char *interface; /* -i or config interface */ char *class_file; /* -C or config class_map */ char *sid_msg_file; /* -S or config sid_map */ 
@@ -328,36 +332,36 @@ typedef struct _Barnyard2Config int quiet_flag; int verbose_flag; - int verbose_bytedump_flag; - int show2hdr_flag; - int char_data_flag; - int data_flag; - int obfuscation_flag; + int verbose_bytedump_flag; + int show2hdr_flag; + int char_data_flag; + int data_flag; + int obfuscation_flag; int alert_on_each_packet_in_stream_flag; - - int logtosyslog_flag; - int test_mode_flag; - - int use_utc; - int include_year; - + + int logtosyslog_flag; + int test_mode_flag; + + int use_utc; + int include_year; + int line_buffer_flag; char nostamp; - + int user_id; int group_id; mode_t file_mask; - + /* -h and -B */ #ifdef SUP_IP6 - sfip_t homenet; - sfip_t obfuscation_net; + sfip_t homenet; + sfip_t obfuscation_net; #else - u_long homenet; - u_long netmask; - uint32_t obfuscation_net; - uint32_t obfuscation_mask; + u_long homenet; + u_long netmask; + uint32_t obfuscation_net; + uint32_t obfuscation_mask; #endif #ifdef MPLS @@ -367,12 +371,12 @@ typedef struct _Barnyard2Config /* batch mode options */ int batch_mode_flag; - int batch_total_files; - char **batch_filelist; - + int batch_total_files; + char **batch_filelist; + /* continual mode options */ - int process_new_records_only_flag; - Waldo waldo; + int process_new_records_only_flag; + Waldo waldo; char *archive_dir; int daemon_flag; int daemon_restart_flag; diff --git a/src/map.c b/src/map.c index 3dee447..bbb9c48 100644 --- a/src/map.c +++ b/src/map.c 
@@ -632,16 +632,16 @@ void ParseSidMapLine(Barnyard2Config *bc, char *data) return; } -SigNode *GetSigByGidSid(u_int32_t gid, u_int32_t sid) +SigNode *GetSigByGidSid(u_int32_t gid, u_int32_t sid,u_int32_t revision) { - /* set temp node pointer to the Sid map list head */ + /* set temp node pointer to the Sid map list head */ SigNode *sn = sigTypes; - - /* a snort general rule (gid=1) and a snort dynamic rule (gid=3) use the */ - /* the same sids and thus can be considered one in the same. */ - if (gid == 3) - gid = 1; - + + /* a snort general rule (gid=1) and a snort dynamic rule (gid=3) use the */ + /* the same sids and thus can be considered one in the same. */ + if (gid == 3) + gid = 1; + /* find any existing Snort ID's that match */ while (sn != NULL) { @@ -649,7 +649,7 @@ SigNode *GetSigByGidSid(u_int32_t gid, u_int32_t sid) { return sn; } - + sn = sn->next; } @@ -657,9 +657,9 @@ SigNode *GetSigByGidSid(u_int32_t gid, u_int32_t sid) sn = CreateSigNode(&sigTypes); sn->generator = gid; sn->id = sid; - sn->rev = 0; + sn->rev = revision; sn->msg = (char *)SnortAlloc(42); - snprintf(sn->msg, 42, "Snort Alert [%u:%u:%u]", gid, sid, 0); + snprintf(sn->msg, 42, "Snort Alert [%u:%u:%u]", gid, sid, revision); return sn; } diff --git a/src/map.h b/src/map.h index 161c5ab..b04802a 100644 --- a/src/map.h +++ b/src/map.h @@ -123,7 +123,7 @@ void ParseClassificationConfig(struct _Barnyard2Config *, char *args); void DeleteClassTypes(); -SigNode *GetSigByGidSid(uint32_t, uint32_t); +SigNode *GetSigByGidSid(uint32_t, uint32_t, uint32_t); int ReadSidFile(struct _Barnyard2Config *, const char *); void ParseSidMapLine(struct _Barnyard2Config *, char *); diff --git a/src/output-plugins/spo_alert_bro.c b/src/output-plugins/spo_alert_bro.c index 6fca8bb..dc9937b 100644 --- a/src/output-plugins/spo_alert_bro.c +++ b/src/output-plugins/spo_alert_bro.c 
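Review bot: With `revision` now formatted into the fallback message, `SnortAlloc(42)` is too small: "Snort Alert [" plus three full-width `%u` values and "]" needs 47 bytes including the terminator, so snprintf truncates the revision for large values (bounded, so no overflow, but a misleading message); the old code always printed 0 there and fit. Size the buffer for the worst case, e.g. `sn->msg = (char *)SnortAlloc(64);` and `snprintf(sn->msg, 64, "Snort Alert [%u:%u:%u]", gid, sid, revision);`. Note also that the lookup loop still appears to match on gid/sid only (its comparison line is outside the hunk), so the first revision seen is cached and later events with a different revision get that node's rev and msg back; if that is intended, say so in a comment on the function.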
@@ -168,7 +168,8 @@ void AlertBro(Packet *p, void *event, u_int32_t event_type, void *arg) } sn = GetSigByGidSid(ntohl(uevent->generator_id), - ntohl(uevent->signature_id)); + ntohl(uevent->signature_id), + ntohl(uevent->signature_revision)); if(p && IPH_IS_VALID(p)) { diff --git a/src/output-plugins/spo_alert_cef.c b/src/output-plugins/spo_alert_cef.c index f7ca783..566919b 100644 --- a/src/output-plugins/spo_alert_cef.c +++ b/src/output-plugins/spo_alert_cef.c @@ -506,7 +506,9 @@ void AlertCEF(Packet *p, void *event, u_int32_t event_type, void *arg) data = (CEFData *)arg; sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id), - ntohl(((Unified2EventCommon *)event)->signature_id)); + ntohl(((Unified2EventCommon *)event)->signature_id), + ntohl(((Unified2EventCommon *)event)->signature_revision)); + cn = ClassTypeLookupById(barnyard2_conf, ntohl(((Unified2EventCommon *)event)->classification_id)); /* Remove this check when we support IPv6 below. */ diff --git a/src/output-plugins/spo_alert_csv.c b/src/output-plugins/spo_alert_csv.c index 8e9f6fe..66b5de9 100644 --- a/src/output-plugins/spo_alert_csv.c +++ b/src/output-plugins/spo_alert_csv.c @@ -347,7 +347,8 @@ static void RealAlertCSV(Packet * p, void *event, uint32_t event_type, if ( event != NULL ) { sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id), - ntohl(((Unified2EventCommon *)event)->signature_id)); + ntohl(((Unified2EventCommon *)event)->signature_id), + ntohl(((Unified2EventCommon *)event)->signature_revision)); if (sn != NULL) { diff --git a/src/output-plugins/spo_alert_fast.c b/src/output-plugins/spo_alert_fast.c index fa8752b..7512a33 100644 --- a/src/output-plugins/spo_alert_fast.c +++ b/src/output-plugins/spo_alert_fast.c 
@@ -158,7 +158,8 @@ static void AlertFast(Packet *p, void *event, uint32_t event_type, void *arg) data = (SpoAlertFastData *)arg; sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id), - ntohl(((Unified2EventCommon *)event)->signature_id)); + ntohl(((Unified2EventCommon *)event)->signature_id), + ntohl(((Unified2EventCommon *)event)->signature_revision)); LogTimeStamp(data->log, p); diff --git a/src/output-plugins/spo_alert_full.c b/src/output-plugins/spo_alert_full.c index d297d8d..be9092f 100644 --- a/src/output-plugins/spo_alert_full.c +++ b/src/output-plugins/spo_alert_full.c @@ -149,7 +149,9 @@ static void AlertFull(Packet *p, void *event, uint32_t event_type, void *arg) data = (SpoAlertFullData *)arg; sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id), - ntohl(((Unified2EventCommon *)event)->signature_id)); + ntohl(((Unified2EventCommon *)event)->signature_id), + ntohl(((Unified2EventCommon *)event)->signature_revision)); + if(sn != NULL) diff --git a/src/output-plugins/spo_alert_fwsam.c b/src/output-plugins/spo_alert_fwsam.c index 859c5f3..3223274 100644 --- a/src/output-plugins/spo_alert_fwsam.c +++ b/src/output-plugins/spo_alert_fwsam.c @@ -1017,7 +1017,9 @@ void AlertFWsam(Packet *p, void *event, uint32_t event_type, void *arg) optp=NULL; sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id), - ntohl(((Unified2EventCommon *)event)->signature_id)); + ntohl(((Unified2EventCommon *)event)->signature_id), + ntohl(((Unified2EventCommon *)event)->signature_revision)); + cn = ClassTypeLookupById(barnyard2_conf, ntohl(((Unified2EventCommon *)event)->classification_id)); if(FWsamOptionField) /* If using the file (field present), let's use that */ diff --git a/src/output-plugins/spo_alert_prelude.c b/src/output-plugins/spo_alert_prelude.c index 6b55940..2868aa2 100644 --- a/src/output-plugins/spo_alert_prelude.c +++ b/src/output-plugins/spo_alert_prelude.c 
@@ -574,7 +574,9 @@ static int event_to_reference(void *event, idmef_classification_t *class) * return if we have no information about the rule. */ sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id), - ntohl(((Unified2EventCommon *)event)->signature_id)); + ntohl(((Unified2EventCommon *)event)->signature_id), + ntohl(((Unified2EventCommon *)event)->signature_revision)); + if (sn == NULL) return 0; @@ -623,7 +625,8 @@ void snort_alert_prelude(Packet *p, void *event, u_int32_t event_type, void *dat return; sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id), - ntohl(((Unified2EventCommon *)event)->signature_id)); + ntohl(((Unified2EventCommon *)event)->signature_id), + ntohl(((Unified2EventCommon *)event)->signature_revision)); if (sn == NULL) return; diff --git a/src/output-plugins/spo_alert_syslog.c b/src/output-plugins/spo_alert_syslog.c index 6dceb75..96d79c1 100644 --- a/src/output-plugins/spo_alert_syslog.c +++ b/src/output-plugins/spo_alert_syslog.c @@ -517,7 +517,10 @@ void AlertSyslog(Packet *p, void *event, uint32_t event_type, void *arg) data = (SyslogData *)arg; sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id), - ntohl(((Unified2EventCommon *)event)->signature_id)); + ntohl(((Unified2EventCommon *)event)->signature_id), + ntohl(((Unified2EventCommon *)event)->signature_revision)); + + cn = ClassTypeLookupById(barnyard2_conf, ntohl(((Unified2EventCommon *)event)->classification_id)); event_string[0] = '\0'; diff --git a/src/output-plugins/spo_alert_test.c b/src/output-plugins/spo_alert_test.c index f67353b..9165d5c 100644 --- a/src/output-plugins/spo_alert_test.c +++ b/src/output-plugins/spo_alert_test.c 
@@ -178,7 +178,8 @@ void AlertTest(Packet *p, void *event, u_int32_t event_type, void *arg) if (data->flags & TEST_FLAG_MSG) { sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id), - ntohl(((Unified2EventCommon *)event)->signature_id)); + ntohl(((Unified2EventCommon *)event)->signature_id), + ntohl(((Unified2EventCommon *)event)->signature_revision)); if(sn != NULL) { diff --git a/src/output-plugins/spo_alert_unixsock.c b/src/output-plugins/spo_alert_unixsock.c index 2a9040c..9f88c7d 100644 --- a/src/output-plugins/spo_alert_unixsock.c +++ b/src/output-plugins/spo_alert_unixsock.c @@ -193,7 +193,9 @@ void AlertUnixSock(Packet *p, void *event, uint32_t event_type, void *arg) alertpkt.val|=NOPACKET_STRUCT; sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id), - ntohl(((Unified2EventCommon *)event)->signature_id)); + ntohl(((Unified2EventCommon *)event)->signature_id), + ntohl(((Unified2EventCommon *)event)->signature_revision)); + if (sn != NULL) { diff --git a/src/output-plugins/spo_database.c b/src/output-plugins/spo_database.c index 77ea7fe..f0edf31 100644 --- a/src/output-plugins/spo_database.c +++ b/src/output-plugins/spo_database.c @@ -1442,6 +1442,15 @@ int dbProcessSignatureInformation(DatabaseData *data,void *event, u_int32_t even priority = ntohl(((Unified2EventCommon *)event)->priority_id); classification = ntohl(((Unified2EventCommon *)event)->classification_id); + /* Originaly forgot about this, since + those signature messages will be put in sid-msg.map by programs like pulledpork */ + /* map.c + a snort general rule (gid=1) and a snort dynamic rule (gid=3) use the + the same sids and thus can be considered one in the same. */ + if (gid == 3) + { + gid = 1; + } /* NOTE: elz For sanity purpose the sig_class table SHOULD have internal classification id to prevent possible diff --git a/src/output-plugins/spo_log_ascii.c b/src/output-plugins/spo_log_ascii.c index 2552524..03c7c20 100644 
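Review bot: The gid 3 to 1 normalisation added in dbProcessSignatureInformation duplicates the same rule in GetSigByGidSid (map.c), so the two can drift apart; a small shared helper in map.h used by both call sites, or at least a comment in map.c pointing here, would keep them in step. The comment also has typos: `Originaly` should be `Originally` and `one in the same` should be `one and the same`. The function continues outside the hunk, so how the normalised `gid` is used afterwards cannot be confirmed from here.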
--- a/src/output-plugins/spo_log_ascii.c +++ b/src/output-plugins/spo_log_ascii.c @@ -117,7 +117,8 @@ void LogAscii(Packet *p, void *event, uint32_t event_type, void *arg) } sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id), - ntohl(((Unified2EventCommon *)event)->signature_id)); + ntohl(((Unified2EventCommon *)event)->signature_id), + ntohl(((Unified2EventCommon *)event)->signature_revision)); if(p) { diff --git a/src/output-plugins/spo_platypus.c b/src/output-plugins/spo_platypus.c index 3d80ef1..edfdd6f 100644 --- a/src/output-plugins/spo_platypus.c +++ b/src/output-plugins/spo_platypus.c @@ -195,7 +195,9 @@ void Platypus(Packet *p, void *event, u_int32_t event_type, void *arg) /* grab the appropriate signature and classification information */ sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id), - ntohl(((Unified2EventCommon *)event)->signature_id)); + ntohl(((Unified2EventCommon *)event)->signature_id), + ntohl(((Unified2EventCommon *)event)->signature_revision)); + cn = ClassTypeLookupById(barnyard2_conf, ntohl(((Unified2EventCommon *)event)->classification_id)); /* diff --git a/src/output-plugins/spo_sguil.c b/src/output-plugins/spo_sguil.c index d44074d..260b586 100644 --- a/src/output-plugins/spo_sguil.c +++ b/src/output-plugins/spo_sguil.c @@ -251,7 +251,9 @@ void Sguil(Packet *p, void *event, uint32_t event_type, void *arg) /* grab the appropriate signature and classification information */ sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id), - ntohl(((Unified2EventCommon *)event)->signature_id)); + ntohl(((Unified2EventCommon *)event)->signature_id), + ntohl(((Unified2EventCommon *)event)->signature_revision)); + cn = ClassTypeLookupById(barnyard2_conf, ntohl(((Unified2EventCommon *)event)->classification_id)); /* Here we build our RT event to send to sguild. The event is built with a 
diff --git a/src/output-plugins/spo_syslog_full.c b/src/output-plugins/spo_syslog_full.c index ce677a1..e3f5315 100644 --- a/src/output-plugins/spo_syslog_full.c +++ b/src/output-plugins/spo_syslog_full.c @@ -70,7 +70,6 @@ static int NetTestSocket(OpSyslog_Data *op_data); extern Barnyard2Config *barnyard2_conf; -int SyslogLogContext; char *db_proto[] = {"udp", "tcp", NULL}; @@ -85,16 +84,14 @@ void OpSyslog_Setup(void) /* Log Init Context wrapping function */ void OpSyslog_InitLog(char *args) { - SyslogLogContext = OUTPUT_TYPE_FLAG__LOG; - OpSyslog_Init(args); + OpSyslog_Init(args,OUTPUT_TYPE_FLAG__LOG); return; } /* Alert Init Context wrapping function */ void OpSyslog_InitAlert(char *args) { - SyslogLogContext = OUTPUT_TYPE_FLAG__ALERT; - OpSyslog_Init(args); + OpSyslog_Init(args,OUTPUT_TYPE_FLAG__ALERT); return; } @@ -102,7 +99,7 @@ void OpSyslog_InitAlert(char *args) * init the output plugin, process any arguments, link the functions to * the output functional node */ -void OpSyslog_Init(char *args) +void OpSyslog_Init(char *args,u_int8_t context) { OpSyslog_Data *syslogContext; @@ -121,16 +118,18 @@ void OpSyslog_Init(char *args) FatalError("OpSyslog_Init(): Error parsing output plugin arguments, bailing.\n"); } + syslogContext->log_context = context; + AddFuncToCleanExitList(OpSyslog_Exit,(void *)syslogContext); AddFuncToShutdownList(OpSyslog_Exit,(void *)syslogContext); - switch(SyslogLogContext) + switch(syslogContext->log_context) { case OUTPUT_TYPE_FLAG__LOG: switch(syslogContext->operation_mode) { - case OUT_MODE_FULL: + case OUT_MODE_FULL: AddFuncToOutputList(OpSyslog_Log, OUTPUT_TYPE__LOG, (void *)syslogContext); break; @@ -141,6 +140,7 @@ void OpSyslog_Init(char *args) AddFuncToOutputList(OpSyslog_Alert, OUTPUT_TYPE__ALERT, (void *)syslogContext); break; } + break; case OUTPUT_TYPE_FLAG__ALERT: AddFuncToOutputList(OpSyslog_Alert, OUTPUT_TYPE__ALERT, (void *)syslogContext); 
@@ -422,14 +422,16 @@ static int Syslog_FormatTrigger(OpSyslog_Data *syslogData, Unified2EventCommon * ntohl(pEvent->signature_revision)); sn = GetSigByGidSid(ntohl(pEvent->generator_id), - ntohl(pEvent->signature_id)); + ntohl(pEvent->signature_id), + ntohl(pEvent->signature_revision)); cn = ClassTypeLookupById(barnyard2_conf, ntohl(pEvent->classification_id)); - if( (syslogData->format_current_pos += snprintf(syslogData->formatBuffer,SYSLOG_MAX_QUERY_SIZE,"%s%c%u%c%s", + if( (syslogData->format_current_pos += snprintf(syslogData->formatBuffer,SYSLOG_MAX_QUERY_SIZE,"%s%c%u%c[%u:%u:%u]%c%s", timestamp_string,syslogData->field_separators, ntohl(pEvent->priority_id),syslogData->field_separators, + ntohl(pEvent->generator_id),ntohl(pEvent->signature_id),ntohl(pEvent->signature_revision),syslogData->field_separators, sn != NULL ? sn->msg : tSigBuf)) >= SYSLOG_MAX_QUERY_SIZE) { /* XXX */ @@ -522,6 +524,10 @@ static int Syslog_FormatIPHeaderLog(OpSyslog_Data *data, Packet *p) unsigned int s, d, proto, ver, hlen, tos, len, id, off, ttl, csum; s=d=proto=ver=hlen=tos=len=id=off=ttl=csum=0; + char sip[16] = {0}; + char dip[16] = {0}; + + if(p->iph) { if(p->iph->ip_src.s_addr) 
@@ -547,12 +553,30 @@ static int Syslog_FormatIPHeaderLog(OpSyslog_Data *data, Packet *p) if(p->iph->ip_csum) ttl = htons(p->iph->ip_csum); } + + if (strlcpy(sip, inet_ntoa(GET_SRC_ADDR(p)), sizeof(sip)) >= sizeof(sip)) + { + FatalError("[%s()], strlcpy() error , bailing \n", + __FUNCTION__); + return 1; + } + + + if (strlcpy(dip, inet_ntoa(GET_DST_ADDR(p)), sizeof(dip)) >= sizeof(dip)) + { + FatalError("[%s()], strlcpy() error , bailing \n", + __FUNCTION__); + return 1; + } + if( (data->format_current_pos += snprintf(data->formatBuffer,SYSLOG_MAX_QUERY_SIZE, - "%u%c%u%c%u%c%u%c%u%c%u%c%u%c%u%c%u%c%u%c%u%c%u", + "%u%c%s%c%s%c%u%c%u%c%u%c%u%c%u%c%u%c%u%c%u%c%u", proto,data->field_separators, - s, data->field_separators, - d, data->field_separators, + sip, data->field_separators, + //s, data->field_separators, + dip, data->field_separators, + //d, data->field_separators, ver, data->field_separators, hlen, data->field_separators, tos, data->field_separators, @@ -880,7 +904,8 @@ void OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg) } sn = GetSigByGidSid(ntohl(iEvent->generator_id), - ntohl(iEvent->signature_id)); + ntohl(iEvent->signature_id), + ntohl(iEvent->signature_revision)); cn = ClassTypeLookupById(barnyard2_conf, ntohl(iEvent->classification_id)); @@ -888,8 +913,8 @@ void OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg) if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE, "[%u:%u:%u] ", ntohl(iEvent->generator_id), - ntohl(iEvent->signature_id), - ntohl(iEvent->signature_revision))) >= SYSLOG_MAX_QUERY_SIZE) + ntohl(iEvent->signature_id), + ntohl(iEvent->signature_revision))) >= SYSLOG_MAX_QUERY_SIZE) { /* XXX */ FatalError("[%s()], failed call to snprintf \n", diff --git a/src/output-plugins/spo_syslog_full.h b/src/output-plugins/spo_syslog_full.h index 5c1a246..eb3148e 100644 --- a/src/output-plugins/spo_syslog_full.h +++ b/src/output-plugins/spo_syslog_full.h 
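Review bot: The new `sip`/`dip` path leaves commented-out arguments (`//s, data->field_separators,` and `//d, data->field_separators,`) inside the snprintf call and still computes `s` and `d` from `p->iph` earlier in the function although they are no longer printed; delete the dead lines rather than commenting them out. The 16-byte buffers declared in the previous hunk of this function are exactly `INET_ADDRSTRLEN`, so use that constant, and because `inet_ntoa()` only handles IPv4, confirm what `GET_SRC_ADDR(p)` yields under SUP_IP6 before relying on it here. If `FatalError()` does not return, the `return 1;` after each strlcpy check is unreachable. Replacing the two integer fields with dotted-quad strings changes the record layout that downstream syslog parsers consume, which should be called out in the plugin documentation.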
@@ -54,6 +54,8 @@ typedef struct _OpSyslog_Data { char *server; char *sensor_name; + + u_int8_t log_context; u_int8_t operation_mode; u_int8_t local_logging; @@ -83,7 +85,7 @@ typedef struct _OpSyslog_Data } OpSyslog_Data; void OpSyslog_Setup(void); -void OpSyslog_Init(char *args); +void OpSyslog_Init(char *args,u_int8_t context); #define SYSLOG_MAX_QUERY_SIZE 65535 /* This could be easely filled in log mode with the full packet payload, we issue a warning if payload is truncated in log mode diff --git a/src/parser.c b/src/parser.c index 957c274..76aae85 100644 --- a/src/parser.c +++ b/src/parser.c @@ -189,6 +189,8 @@ static const KeywordFunc barnyard2_conf_keywords[] = static const ConfigFunc config_opts[] = { + { CONFIG_OPT__DISABLE_ALERT_ON_EACH_PACKET_IN_STREAM, 0, 1, ConfigDisableAlertOnEachPacketInStream }, + { CONFIG_OPT__EVENT_CACHE_SIZE, 0, 1, ConfigSetEventCacheSize }, { CONFIG_OPT__ALERT_ON_EACH_PACKET_IN_STREAM, 0, 1, ConfigAlertOnEachPacketInStream }, { CONFIG_OPT__ALERT_WITH_IFACE_NAME, 0, 1, ConfigAlertWithInterfaceName }, { CONFIG_OPT__ARCHIVE_DIR, 1, 1, ConfigArchiveDir }, 
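Review bot: The new `CONFIG_OPT__EVENT_CACHE_SIZE` row uses the same `0, 1` columns as the argument-less alert flag, whereas `CONFIG_OPT__ARCHIVE_DIR`, which takes a value, uses `1, 1`; if that second column flags a required argument, the row should be `{ CONFIG_OPT__EVENT_CACHE_SIZE, 1, 1, ConfigSetEventCacheSize },` so a bare `config event_cache_size` is rejected at parse time instead of reaching the `args == NULL` early return in ConfigSetEventCacheSize and silently keeping the default. The meaning of the columns is not visible in this hunk, so please check it against the ConfigFunc definition.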
@@ -1585,12 +1587,38 @@ static int ContinuationCheck(char *rule) return 0; } + void ConfigAlertOnEachPacketInStream(Barnyard2Config *bc, char *args) +{ + if (bc == NULL) + return; + + LogMessage("INFO: Alerting on each packet associated with an event: is now enabled by default. \n" + " use: command line argument --disable-alert-on-each-packet-in-stream or \n" + " configure file argument disable-alert-on-each-packet-in-stream to disable the feature \n"); + + return; +} + + +void ConfigSetEventCacheSize(Barnyard2Config *bc, char *args) +{ + if( (bc == NULL) || + (args == NULL)) + { + return; + } + + bc->event_cache_size = strtoul(args,NULL,10); + return; +} + +void ConfigDisableAlertOnEachPacketInStream(Barnyard2Config *bc, char *args) { if (bc == NULL) return; - bc->alert_on_each_packet_in_stream_flag = 1; + bc->alert_on_each_packet_in_stream_flag = 0; } void ConfigArchiveDir(Barnyard2Config *bc, char *args) diff --git a/src/parser.h b/src/parser.h index 6f49254..4a04efc 100644 --- a/src/parser.h +++ b/src/parser.h @@ -43,6 +43,8 @@ #define BARNYARD2_CONF_KEYWORD__VERSION "version" /* Config options */ +#define CONFIG_OPT__DISABLE_ALERT_ON_EACH_PACKET_IN_STREAM "disable_alert_on_each_packet_in_stream" +#define CONFIG_OPT__EVENT_CACHE_SIZE "event_cache_size" #define CONFIG_OPT__ALERT_ON_EACH_PACKET_IN_STREAM "alert_on_each_packet_in_stream" #define CONFIG_OPT__ALERT_WITH_IFACE_NAME "alert_with_interface_name" #define CONFIG_OPT__ARCHIVE_DIR "archivedir" @@ -107,6 +109,7 @@ void ConfigureOutputPlugins(Barnyard2Config *); NORETURN void ParseError(const char *, ...); void ParseMessage(const char *, ...); +void ConfigDisableAlertOnEachPacketInStream(Barnyard2Config *, char *); void ConfigAlertOnEachPacketInStream(Barnyard2Config *, char *); void ConfigAlertWithInterfaceName(Barnyard2Config *, char *); void ConfigArchiveDir(Barnyard2Config *, char *); 
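Review bot: `ConfigSetEventCacheSize` stores `strtoul(args,NULL,10)` without checking for an empty or non-numeric string, trailing garbage, ERANGE, or a leading minus (strtoul accepts "-1" and yields ULONG_MAX), so a typo in the config silently becomes 0 and then the 2048 default, while a negative value becomes an effectively unbounded cache in spoolerEventCacheClean. Validate with an end pointer and errno and report through `ParseError()` (declared in parser.h); the rewrite below needs <errno.h> and <limits.h> if parser.c does not already include them. Separately, `ConfigAlertOnEachPacketInStream` now only logs, and the default of 1 is set in ParseCmdLine on the command-line struct only; whether the config-file struct inherits it through MergeBarnyard2Confs is outside this diff and worth confirming.
```c
void ConfigSetEventCacheSize(Barnyard2Config *bc, char *args)
{
    char *end = NULL;
    unsigned long value = 0;

    /* … unchanged: NULL checks on bc and args … */

    /* strtoul() silently accepts "-1" (wraps to ULONG_MAX) and stops at the
     * first non-digit, so check the sign, the end pointer and errno. */
    errno = 0;
    value = strtoul(args, &end, 10);
    if (args[0] == '-' || end == args || *end != '\0' ||
        errno == ERANGE || value > UINT_MAX)
    {
        ParseError("event_cache_size: invalid value '%s'", args);
    }

    bc->event_cache_size = (unsigned int)value;
    return;
}
```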
@@ -143,6 +146,7 @@ void ConfigUmask(Barnyard2Config *, char *); void ConfigUtc(Barnyard2Config *, char *); void ConfigVerbose(Barnyard2Config *, char *); void ConfigWaldoFile(Barnyard2Config *, char *); +void ConfigSetEventCacheSize(Barnyard2Config *, char *); #ifdef MPLS void ConfigMaxMplsLabelChain(Barnyard2Config *, char *); void ConfigMplsPayloadType(Barnyard2Config *, char *); diff --git a/src/spooler.c b/src/spooler.c index 7b13e61..e59a719 100644 --- a/src/spooler.c +++ b/src/spooler.c @@ -41,7 +41,7 @@ #include "unified2.h" #include "util.h" -#define CACHED_EVENTS_MAX 256 + /* ** PRIVATE FUNCTIONS @@ -875,7 +875,7 @@ int spoolerEventCacheClean(Spooler *spooler) ernPrev = spooler->event_cache; ernCurrent = spooler->event_cache; - while (ernCurrent != NULL && spooler->events_cached > CACHED_EVENTS_MAX ) + while (ernCurrent != NULL && spooler->events_cached > barnyard2_conf->event_cache_size ) { ernNext = ernCurrent->next;