initial import.

commit 1912fdf7cf142173ec5e39052731d4fad0df6b41 0 parents
Ian Firns authored
Showing with 42,090 additions and 0 deletions.
  1. +394 −0 COPYING
  2. +339 −0 LICENSE
  3. +8 −0 Makefile.am
  4. +274 −0 RELEASE.NOTES
  5. +1,026 −0 configure.in
  6. +111 −0 doc/INSTALL
  7. +4 −0 doc/Makefile.am
  8. +162 −0 doc/README
  9. +196 −0 doc/README.aruba
  10. +395 −0 doc/README.database
  11. +57 −0 doc/README.sguil
  12. +6 −0 etc/Makefile.am
  13. +316 −0 etc/barnyard2.conf
  14. +5 −0 m4/Makefile.am
  15. +176 −0 m4/libprelude.m4
  16. +7 −0 rpm/Makefile.am
  17. +101 −0 rpm/barnyard2
  18. +11 −0 rpm/barnyard2.config
  19. +174 −0 rpm/barnyard2.spec
  20. +9 −0 schemas/Makefile.am
  21. +168 −0 schemas/create_db2
  22. +205 −0 schemas/create_mssql
  23. +169 −0 schemas/create_mysql
  24. +290 −0 schemas/create_oracle.sql
  25. +168 −0 schemas/create_postgresql
  26. +36 −0 src/Makefile.am
  27. +1,938 −0 src/barnyard2.c
  28. +729 −0 src/barnyard2.h
  29. +184 −0 src/bounds.h
  30. +569 −0 src/checksum.h
  31. +161 −0 src/debug.c
  32. +99 −0 src/debug.h
  33. +5,284 −0 src/decode.c
  34. +1,811 −0 src/decode.h
  35. +40 −0 src/fatal.h
  36. +527 −0 src/generators.h
  37. +8 −0 src/input-plugins/Makefile.am
  38. +455 −0 src/input-plugins/spi_unified2.c
  39. +28 −0 src/input-plugins/spi_unified2.h
  40. +204 −0 src/ipv6_port.h
  41. +2,189 −0 src/log.c
  42. +88 −0 src/log.h
  43. +1,678 −0 src/log_text.c
  44. +88 −0 src/log_text.h
  45. +765 −0 src/map.c
  46. +134 −0 src/map.h
  47. +1,127 −0 src/mstring.c
  48. +41 −0 src/mstring.h
  49. +24 −0 src/output-plugins/Makefile.am
  50. +656 −0 src/output-plugins/spo_alert_arubaaction.c
  51. +28 −0 src/output-plugins/spo_alert_arubaaction.h
  52. +574 −0 src/output-plugins/spo_alert_cef.c
  53. +34 −0 src/output-plugins/spo_alert_cef.h
  54. +423 −0 src/output-plugins/spo_alert_fast.c
  55. +36 −0 src/output-plugins/spo_alert_fast.h
  56. +343 −0 src/output-plugins/spo_alert_full.c
  57. +36 −0 src/output-plugins/spo_alert_full.h
  58. +825 −0 src/output-plugins/spo_alert_prelude.c
  59. +27 −0 src/output-plugins/spo_alert_prelude.h
  60. +485 −0 src/output-plugins/spo_alert_sf_socket.c
  61. +26 −0 src/output-plugins/spo_alert_sf_socket.h
  62. +669 −0 src/output-plugins/spo_alert_syslog.c
  63. +34 −0 src/output-plugins/spo_alert_syslog.h
  64. +369 −0 src/output-plugins/spo_alert_test.c
  65. +34 −0 src/output-plugins/spo_alert_test.h
  66. +324 −0 src/output-plugins/spo_alert_unixsock.c
  67. +59 −0 src/output-plugins/spo_alert_unixsock.h
  68. +54 −0 src/output-plugins/spo_common.c
  69. +17 −0 src/output-plugins/spo_common.h
  70. +539 −0 src/output-plugins/spo_csv.c
  71. +35 −0 src/output-plugins/spo_csv.h
  72. +3,661 −0 src/output-plugins/spo_database.c
  73. +30 −0 src/output-plugins/spo_database.h
  74. +485 −0 src/output-plugins/spo_log_ascii.c
  75. +31 −0 src/output-plugins/spo_log_ascii.h
  76. +95 −0 src/output-plugins/spo_log_null.c
  77. +29 −0 src/output-plugins/spo_log_null.h
  78. +599 −0 src/output-plugins/spo_log_tcpdump.c
  79. +35 −0 src/output-plugins/spo_log_tcpdump.h
  80. +894 −0 src/output-plugins/spo_platypus.c
  81. +28 −0 src/output-plugins/spo_platypus.h
  82. +1,132 −0 src/output-plugins/spo_sguil.c
  83. +29 −0 src/output-plugins/spo_sguil.h
  84. +2,443 −0 src/parser.c
  85. +158 −0 src/parser.h
  86. +61 −0 src/pcap_pkthdr32.h
  87. +656 −0 src/plugbase.c
  88. +191 −0 src/plugbase.h
  89. +347 −0 src/rules.h
  90. +182 −0 src/sf_types.h
  91. +18 −0 src/sfutil/Makefile.am
  92. +42 −0 src/sfutil/bitop.h
  93. +37 −0 src/sfutil/getopt.h
  94. +130 −0 src/sfutil/getopt1.h
  95. +698 −0 src/sfutil/getopt_long.c
  96. +577 −0 src/sfutil/sf_ip.c
  97. +431 −0 src/sfutil/sf_ip.h
  98. +438 −0 src/sfutil/sf_iph.c
  99. +28 −0 src/sfutil/sf_iph.h
Sorry, we could not display the entire diff because it was too big.
394 COPYING
@@ -0,0 +1,394 @@
+*****************************************************************************
+The text that follows is the GNU General Public License, Version 2 (GPL V2)
+and governs your use, modification and/or distribution of SNORT.
+
+Section 9 of the GPL V2 acknowledges that the Free Software Foundation may
+publish revised and/or new versions of the GPL V2 from time to time. Section 9
+further states that a licensee of a program subject to the GPL V2 could be
+free to use any such revised and/or new versions under two different scenarios:
+
+1. "Failure to Specify." Section 9 of the GPL V2 allows a licensee of a
+program governed by an unspecified version of the General Public License to
+choose any version of the General Public License ever published by the Free
+Software Foundation to govern his or her use of such program.
+
+This provision is not applicable to your use of SNORT because we have
+expressly stated in a number of instances that any third party's use,
+modification or distribution of SNORT is governed by GPL V2.
+
+2. "Any Later Version." At the end of the terms and condition of the GPL V2 is
+a section called "How to Apply these Terms to Your New Program," which
+provides guidance to a developer on how to apply the GPL V2 to a third party's
+use, modification and/or distribution of his/her program. Among other things,
+this guidance suggests that the developer attach certain notices to the
+program. Of particular importance is the following notice:
+
+"This program is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free Software
+Foundation; either version 2 of the License, or (at your option) any later
+version."
+
+Thus if a developer follows strictly the guidance provided by the Free
+Software Foundation, Section 9 of the GPL V2 provides the licensee the option
+to either use, modify or distribute the program under GPL V2 or under any
+later version published by the Free Software Foundation.
+
+SNORT is an open source project that is governed exclusively by the GPL V2
+and any third party desiring to use, modify or distribute SNORT must do so by
+strictly following the terms and conditions of GPL V2. Anyone using, modifying
+or distributing SNORT does not have the option to chose to use, modify or
+distribute SNORT under any revised or new version of the GPL, including
+without limitation, the GNU General Public License Version 3.
+
+For ease of reference, the comparable notice that is used with SNORT
+(contained in the 'README' file) is as follows:
+
+"This program is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License Version 2 as published by the Free
+Software Foundation. You may not use, modify or distribute this program under
+any other version of the GNU General Public License."
+
+If you have any questions about this statement, please feel free to email
+snort-info@snort.org.
+*****************************************************************************
+
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+ 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the program's name and a brief idea of what it does.>
+ Copyright (C) 19yy <name of author>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) 19yy name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ <signature of Ty Coon>, 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Library General
+Public License instead of this License.
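Review bot: the Snort-specific preamble at the top of COPYING (lines beginning "The text that follows is the GNU General Public License, Version 2") does not fit this import: it names SNORT throughout rather than barnyard2, says the GPL V2-only notice is "contained in the 'README' file" while this commit puts the README at doc/README, and gives the outdated 59 Temple Place FSF address where LICENSE in the same commit uses 51 Franklin Street. Either adapt the preamble to this project (name and README path) or add a sentence stating that barnyard2 adopts Snort's "GPL V2 only" terms, so a reader can tell which notice governs this code.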
339 LICENSE
@@ -0,0 +1,339 @@
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the program's name and a brief idea of what it does.>
+ Copyright (C) <year> <name of author>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) year name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ <signature of Ty Coon>, 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.
8 Makefile.am
@@ -0,0 +1,8 @@
+## $Id$
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUBDIRS = src etc doc rpm schemas m4
+
+INCLUDES = @INCLUDES@
+
+EXTRA_DIST = COPYING LICENSE RELEASE.NOTES ltmain.sh
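Review bot: `AUTOMAKE_OPTIONS = foreign no-dependencies` switches off automake's automatic header dependency tracking, so editing a header under src/ will not rebuild the .c files that include it and a stale object can silently end up in the shipped binary; drop `no-dependencies` unless a compiler that cannot emit dependency information has to be supported. Two smaller points: `INCLUDES = @INCLUDES@` is the legacy spelling that current automake warns about, `AM_CPPFLAGS` is the replacement; and the `## $Id$` on the first line is a CVS/Subversion keyword that git never expands, so it will remain literal text.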
274 RELEASE.NOTES
@@ -0,0 +1,274 @@
+2010-XX-YY - Barnyard 2.1.9-beta1
+ [*] Additions
+ * spo_database. Support of encrypted connections to postgresql is now
+ available. See README.database for the appropriate options.
+
+ * spo_sguil. Fixed issue with duplication of alerts.
+
+ [*] Improvements
+
+ * spooler. Fixed early termination of non-readable files, causing the
+ dreaded SEGFAULT.
+
+ * classifications. Tweaked output for classification identification if the
+ appropriate node can't be found.
+
+
+2010-03-05 - Barnyard 2.1.8
+ [*] Additions
+ * spo_database. Support of encrypted connections to mysql is now available.
+ See the example configuration file for the appropriate options.
+
+ * spo_sguil. Fixed issue with duplication of alerts.
+
+ [*] Improvements
+ * OpenBSD. Thanks to Markus Lude, we now stomped a few bugs that prevented
+ a clean build on OpenBSD platforms. Thanks mate!
+
+ * Log Files. Fixed missing command line parameter "-l" testing to enable
+ log file setting form the command line.
+
+ * Status Returns. The status return codes should now be a little saner when
+ scripting the barnyard2 process. We welcome any suggestions for
+ improvements to these return codes.
+
+ * spooler. The spooler now incorporates an improved event cache that will
+ in time facilitate improved correlation for TCP portscans and similar
+ events.
+
+
+2009-11-06 - Barnyard 2.1.7
+ [*] Additions
+ * Statistics. Similar to that of Snort, barnyard2 will now print a number
+ of statistics upon application termination.
+
+ [*] Improvements
+ * core. Barnyard2 has had the appropriate changes from snort 2.8.5.1 pushed
+ into the core.
+
+ * database. Fixed a duplication issue introduced with the alignment of the
+ snort 2.8.4.1 code base. Thanks to Jonathan Tullet.
+
+ * spooler. Fixed issue with duplicate processing due to waldo file not
+ being updated.
+
+ * alert_cef. Fixed crumping of the alert_cef plugin that was caused by a
+ recent alignment to Snort's output plugins.
+
+ * alert_fast. Small clean up in alert_fast to remove unused portions.
+
+ * RPM spec. The RPM spec has been updated thanks to Tom McLaughlin.
+
+ * log_tcpdump. The output of tcpdump will now match the linktype being
+ used by the packet. The output format can be explicitly defined or auto
+ adapting.
+
+
+2009-07-15 - Barnyard 2.1.6
+ [*] Improvements
+ * Waldo Files. Waldo files not being honoured has been fixed. The issue of
+ no new waldo files being created or updated was caused by a number of key
+ logical checks not being performed.
+
+ * Reference Files. The reference file can NOW be specified on the command
+ line via the "-R" option.
+
+ * Map Files. The core logic parsing of map files has been improved to avoid
+ splitting inappropriately. The WARNING about "command attempt" should no
+ longer raise its ugly head.
+
+ * spo_database. The sleeping logic in MySQL has been modified to make use
+ of nanosleep() and not sleep(). This should allow trapping of signals a
+ little easier.
+
+
+2009-05-30 - Barnyard 2.1.5
+ [*] Additions
+ * Output Plugins. We are now attempting to support all Snort output plugins
+ except for alert_sf_socket.
+
+ * Reference System. A new config directive "reference-map" has been added
+ in order to better align with Snort's Reference System. The list of
+ references is typically stored in reference.config. This directive is
+ required to be defined in the configuration file or at the command line.
+
+ [*] Improvements
+ * core. Barnyard2 has had the appropriate changes from snort 2.8.4.1 pushed
+ into the core.
+
+ In addition an issue with non-unique pid files being generated when
+ multiple instances were running has been fixed. Thanks to Jon. B. Bayer
+
+ * maps. The maps have now been restructured to provide more consistency to
+ the Snort structures.
+
+ * spooler. The spooler function has been reworked and now provides the
+ appropriate event caching and correlation that was being performed in
+ individual output plugins. The end result is less code in the output
+ plugins and easier maintenance.
+
+ In addition an issue with referencing a free'd pointer has been found
+ and fixed. Thanks to Jon. B. Bayer.
+
+ * spo_database. MySQL reconnection support is more robust with continuing
+ reconnection attempts.
+ NOTE: The reconnection is blocking if other output plugins are enabled.
+
+
+2009-04-18 - Barnyard 2.1.4
+ [*] Improvements
+ * core. Barnyard2 has had the appropriate changes from snort 2.8.4 pushed
+ into the core.
+
+ * map. The retrieval of sid messages from the map structures has been
+ updated and does not restrict to specific generator id's. This will be
+ re-addressed if sid to gid maps ever happen. Thanks to Jason Wallace.
+
+ * spooler. Fixed an issue with blank permissions when creating waldo
+ files from scratch. Thanks to Jason Wallace.
+
+
+2009-03-07 - Barnyard 2.1.3
+ [*] Improvements
+ * spooler. Fixed regression with waldo file operations, where unreliable
+ creation, reading and writing would cause unexpected SEGFAULTs. I hate
+ SEGFAULTS!
+
+
+2009-02-20 - Barnyard 2.1.2
+ [*] Improvements
+ * spo_alert_syslog. Fixed whitespace issues in output to allow for easier
+ parsing using command line or external scripts.
+
+ * spo_database. Ensure alert events are not flagged when packet info is
+ available. There is no indication of what mode Snort is in (alert, or
+ log) when information is written to the file.
+
+ * spooler. Fixed overly verbose spooler messages when using waldo files.
+
+
+2009-01-29 - Barnyard 2.1.1
+ [*] Improvements
+ * spo_alert_syslog. Ability to add hostname to displayed log events has
+ been included. This is useful for multiple snort instances on different
+ sensors logging to the same syslog server.
+
+ * spo_sguil. Fixed inconsistencies between the documentated and the actual
+ configuration requirements for the sguil output plugin. The parameters
+ can be either comma (",") or space (" ") separated. The documentation
+ refers to space separated only.
+
+
+2008-12-04 - Barnyard 2.1.0
+ [*] Improvements
+ * core. Barnyard2 has been completely rewritten from the snort-2.8.3.1
+ code base to enable a complete GPL version. If there are any remaining
+ issues or concerns regarding licensing then please let us know. All
+ Snort wrapper functions are inhereted throughout. Yay Snort!!!
+
+ * spooler. The spooler has been re-organised, cleaned up and has had some
+ optimisation tweaks provided.
+
+ * Waldo. Waldo support has been completely revamped. I/O is now performed
+ as the file descriptor level and uses the fixed WaldoData structure
+ format defined in spooler.h
+
+ * spo_sguil. Significant overhaul and also released, with permission from
+ Bamm Vischer under GPL.
+
+
+2008-11-11 - Barnyard 2.0.5
+ [*] Improvements
+ * spo_sguil. Modifed the parameter parsing of the configuration to now
+ expect "key=value" pairs and not "key value" pairs. This aligns with
+ traditional spo_database plugin.
+
+ * FreeBSD. A number of bugs have been discovered and subsequently squished
+ on FreeBSD systems. Slowly getting a hang of the autotools framework ;)
+
+ * Spooling. Fixed a bug preventing batch processing of files defined by
+ relative addressing.
+
+ * Xrefs. When Xref data is explicitly requested by the "xref" flag but an
+ alert does not have any it will now explicityly indicate similarly as
+ shown: "Xref => none".
+
+
+2008-07-06 - Barnyard 2.0.4
+ [*] Additions
+ * Syslog support. Two new syslog output plugins have been added to the
+ collection. The plugins allow logging to either the local machines
+ syslog daemon or alternatively to a remote syslog daemon over UDP.
+
+ * CEF support. One of the aforementioned syslog plugins use the open
+ standard Common Event Format (CEF) from ArcSight. I obtained the CEF
+ message structure from Colin Grady, because I'm still waiting for
+ ArcSight to send me their "open" standard after numerous emails :(
+
+ [*] Improvements
+ * spo_sguil. Removed two instances of while(1) loops that would cause a
+ lockup when the sguil daemon was not up or not responding. It now
+ listens for global signals and should exit cleanly when told to do so.
+
+ * Spooling. Some minor cleanup was performed in the spooling section to
+ improve code layout and readability.
+
+
+2008-06-02 - Barnyard 2.0.3
+ [*] Additions
+ * spo_sguil. Added post init configuration ability to allow testing of the
+ sguil plugin. Work in progress.
+
+ [*] Improvements
+ * spo_sguil. Fixed major incompatibilities with the sguil communications
+ channel including:
+ - network/host byte order mismatch of event ID's, and
+ - timestamp rendering
+
+ * GetUniqueName. Modified the prioritisation of obtaining/configuring the
+ ability to generate a unique machine name. Order of priority is now:
+ 1. hostname directive
+ 2. actual machine name
+
+
+2008-06-01 - Barnyard 2.0.2
+ [*] Additions
+ * More databases (experimental). The spo_databsae plugin was able to be
+ ported across with little effort. This means there is now database
+ support for MSSQL, MYSQL, Postgresql, any unixOBDC and Oracle. Awesome!
+
+ * Sguil support (experimental). We have started converting the original
+ Sguil plugin to the new API. This is a big milestone as it will now
+ allow us to start working on a more contemporary frontend for Sguil.
+
+ * Waldo files. The waldo file is now supported providing bookmarking for
+ file processing in the event of a barnyard crash or similar.
+
+ [*] Improvements
+ * Fixed segfault bugs in the event spooling routines of in spo_log_ascii
+ and spo_sguil.
+
+ * Cleaned up output format of spo_alert_fast.
+
+
+2008-05-10 - Barnyard 2.0.1
+ [*] Additions
+ * Unified2 support. Since the release of Snort 2.8.0 a new output plugin
+ named 'unified2' will address all the shortfalls of the original
+ unified output plugin. The new format supports multiple records in the
+ one format as well as expansion for additional records such as packet
+ statistics, etc in the future.
+
+ * 64-bit support. Support for 64-bit systems has been considered from the
+ outset. However, given that we don't have any 64-bit machines to test
+ the current builds on we will wait for community feedback on this.
+
+ [*] Improvements
+ * Plugin structure. Given that we initially fused majority of the current
+ Snort core with the original barnyard code and improved from there we
+ have attained/retained a similar output plugin API to that of Snort.
+ This requires only slight modification to existing Snort output plugins
+ to work with Barnyard. This may change to full compatibility in the
+ future depending on feedback.
+
+
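Review bot: the newest entry carries the placeholder date `2010-XX-YY`; fill in the release date before tagging 2.1.9-beta1 or label the entry as unreleased, since packagers read the top of RELEASE.NOTES first. The line `spo_sguil. Fixed issue with duplication of alerts.` appears verbatim under both 2.1.9-beta1 and 2.1.8, and in both cases under `[*] Additions` rather than `[*] Improvements`, which looks like a copy-and-paste leftover. While the file is being imported, a few typos are worth fixing: `form the command line` (2.1.8) for `from`, `documentated` (2.1.1), `inhereted` (2.1.0), `Modifed` and `explicityly` (2.0.5), `spo_databsae` and `unixOBDC` (2.0.2). One content point: the 2.1.5 NOTE that MySQL reconnection blocks when other output plugins are enabled means a database outage also stalls syslog, sguil and every other configured output; state plainly that alert delivery to all outputs is delayed for the duration, so operators do not assume their secondary outputs keep flowing.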
1,026 configure.in
@@ -0,0 +1,1026 @@
+# -*- Autoconf -*-
+# Process this file with autoconf to produce a configure script.
+
+AC_PREREQ(2.50)
+AC_INIT(src/barnyard2.c)
+AM_CONFIG_HEADER(config.h)
+AM_INIT_AUTOMAKE(barnyard2,1.9-beta1)
+
+NO_OPTIMIZE="no"
+ADD_WERROR="no"
+
+# Test for -Werror and sed it out for now since some of the auto tests,
+# for example AC_CHECK_LIB, will fail because of
+# warning: conflicting types for built-in function <func>
+if eval "echo $CFLAGS | grep -e -Werror"; then
+ CFLAGS=`echo $CFLAGS | sed -e "s/-Werror//g"`
+ ADD_WERROR="yes"
+fi
+
+# Disable annoying practice of recursively re-running the autotools
+AM_MAINTAINER_MODE
+AC_PROG_CC_STDC
+AC_PROG_CC
+AC_PROG_LIBTOOL
+AC_PROG_RANLIB
+AC_C_BIGENDIAN
+
+#AC_CANONICAL_HOST
+linux="no"
+sunos4="no"
+
+case "$host" in
+ *-openbsd2.6|*-openbsd2.5|*-openbsd2.4|*-openbsd2.3*)
+ AC_DEFINE([OPENBSD],[1],[Define if OpenBSD])
+ AC_DEFINE([BROKEN_SIOCGIFMTU],[1],[Define if BROKEN_SIOCGIFMTU])
+
+ ;;
+ *-openbsd*)
+ AC_DEFINE([OPENBSD],[1],[Define if OpenBSD < 2.3])
+
+ ;;
+ *-sgi-irix5*)
+ AC_DEFINE([IRIX],[1],[Define if Irix 5])
+ no_libsocket="yes"
+ no_libnsl="yes"
+ if test -z "$GCC"; then
+ sgi_cc="yes"
+ fi
+ LDFLAGS="${LDFLAGS} -L/usr/local/lib"
+ extra_incl="-I/usr/local/include"
+ ;;
+ *-sgi-irix6*)
+ AC_DEFINE([IRIX],[1],[Define if Irix 6])
+ no_libsocket="yes"
+ no_libnsl="yes"
+ if test -z "$GCC"; then
+ sgi_cc="yes"
+ fi
+ LDFLAGS="${LDFLAGS} -L/usr/local/lib"
+ extra_incl="-I/usr/local/include"
+ ;;
+ *-solaris*)
+ AC_DEFINE([SOLARIS],[1],[Define if Solaris])
+ CPPFLAGS="${CPPFLAGS} -DBSD_COMP -D_REENTRANT"
+ ;;
+ *-sunos*)
+ AC_DEFINE([SUNOS],[1],[Define if SunOS])
+ sunos4="yes"
+ ;;
+ *-linux*)
+ linux="yes"
+ AC_DEFINE([LINUX],[1],[Define if Linux])
+ # libpcap doesn't even LOOK at the timeout you give it under Linux
+ AC_DEFINE([PCAP_TIMEOUT_IGNORED],[1],[Define if pcap timeout is ignored])
+ AC_SUBST(extra_incl)
+ extra_incl="-I/usr/include/pcap"
+ ;;
+ *-hpux10*|*-hpux11*)
+ AC_DEFINE([HPUX],[1],[Define if HP-UX 10 or 11])
+ AC_DEFINE([WORDS_BIGENDIAN],[1],[Define if words are big endian])
+ AC_SUBST(extra_incl)
+ extra_incl="-I/usr/local/include"
+ ;;
+
+ *-freebsd*)
+ AC_DEFINE([FREEBSD],[1],[Define if FreeBSD])
+
+ ;;
+ *-bsdi*)
+ AC_DEFINE([BSDI],[1],[Define if BSDi])
+ ;;
+ *-aix*)
+ AC_DEFINE([AIX],[1],[Define if AIX])
+ ;;
+ *-osf4*)
+ AC_DEFINE([OSF1],[1],[Define if OSF-4])
+ ;;
+ *-osf5.1*)
+ AC_DEFINE([OSF1],[1],[Define if OSF-5.1])
+ ;;
+ *-tru64*)
+ AC_DEFINE([OSF1],[1],[Define if Tru64])
+ ;;
+# it is actually <platform>-apple-darwin1.2 or <platform>-apple-rhapsody5.x but lets stick with this for the moment
+ *-apple*)
+ AC_DEFINE([MACOS],[1],[Define if MacOS])
+ AC_DEFINE([BROKEN_SIOCGIFMTU],[1],[Define if broken SIOCGIFMTU])
+ LDFLAGS="${LDFLAGS} -L/sw/lib"
+ extra_incl="-I/sw/include"
+esac
+
+# This is really meant for Solaris Sparc v9 where it has 32bit and 64bit
+# capability but builds 32bit by default
+AC_ARG_ENABLE(64bit-gcc,
+[ --enable-64bit-gcc Try to compile 64bit (only tested on Sparc Solaris 9 and 10).],
+ enable_64bit_gcc="$enableval", enable_64bit_gcc="no")
+if test "x$enable_64bit_gcc" = "xyes"; then
+ CFLAGS="$CFLAGS -m64"
+fi
+
+# AC_PROG_YACC defaults to "yacc" when not found
+# this check defaults to "none"
+AC_CHECK_PROGS(YACC,bison yacc,none)
+# AC_PROG_YACC includes the -y arg if bison is found
+if test "x$YACC" = "xbison"; then
+ YACC="$YACC -y"
+fi
+
+# AC_PROG_LEX defaults to ":" when not found
+# this check defaults to "none"
+# We're using flex specific options so we don't support lex
+AC_CHECK_PROGS(LEX,flex,none)
+
+#
+
+dnl checking headers
+AC_CHECK_HEADERS([strings.h string.h stdlib.h unistd.h sys/sockio.h paths.h inttypes.h wchar.h math.h])
+AC_CHECK_LIB([m],[floor])
+AC_CHECK_LIB([m],[ceil])
+
+dnl make sure we've got all our libraries
+if test -z "$no_libnsl"; then
+AC_CHECK_LIB(nsl, inet_ntoa)
+fi
+
+if test -z "$no_libsocket"; then
+AC_CHECK_LIB(socket, socket)
+fi
+
+# SunOS4 has several things `broken'
+if test "$sunos4" != "no"; then
+AC_CHECK_FUNCS(vsnprintf,, LIBS="$LIBS -ldb")
+AC_CHECK_FUNCS(strtoul,, LIBS="$LIBS -l44bsd")
+fi
+
+# some funky macro to be backwards compatible with earlier autoconfs
+# in current they have AC_CHECK_DECLS
+
+AC_DEFUN([SN_CHECK_DECL],[
+AC_MSG_CHECKING([whether $1 must be declared])
+AC_CACHE_VAL(sn_cv_decl_needed_$1,
+[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#include <stdio.h>
+#ifdef HAVE_STRING_H
+#include <string.h>
+#endif
+#ifdef HAVE_STRINGS_H
+#include <strings.h>
+#endif
+#ifdef HAVE_STDLIB_H
+#include <stdlib.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <syslog.h>
+]], [[char *(*pfn); pfn = (char *(*)) $1;]])],[eval "sn_cv_decl_needed_$1=no"],[eval "sn_cv_decl_needed_$1=yes"]) ])
+
+if eval "test \"`echo '$sn_cv_decl_needed_'$1`\" != no"; then
+ AC_MSG_RESULT(yes)
+ ifelse([$2], , :, [$2])
+else
+ AC_MSG_RESULT(no)
+ ifelse([$3], , ,[$3])
+fi
+])dnl
+
+AC_DEFUN([SN_CHECK_DECLS],
+[for sn_decl in $1
+do
+sn_def_decl=`echo $sn_decl | tr [a-z] [A-Z]`
+SN_CHECK_DECL($sn_decl,
+[
+AC_DEFINE_UNQUOTED(NEED_DECL_$sn_def_decl, 1,
+ [you have this cuz autoheader is dumb])
+$2], $3)dnl
+done
+])
+
+# some stuff for declarations which were missed on sunos4 platform too.
+#
+# add `#undef NEED_DECL_FUNCTIONAME to acconfig.h` because autoheader
+# fails to work properly with custom macroses.
+# you will see also #undef for each SN_CHECK_DECLS macros invocation
+# because autoheader doesn't execute shell script commands.
+# it is possible to make loops using m4 but the code would look even
+# more confusing..
+SN_CHECK_DECLS(printf fprintf syslog puts fputs fputc fopen \
+ fclose fwrite fflush getopt bzero bcopy memset strtol \
+ strcasecmp strncasecmp strerror perror socket sendto \
+ vsnprintf snprintf strtoul)
+
+AC_CHECK_FUNCS([snprintf strlcpy strlcat strerror vswprintf wprintf])
+
+AC_CHECK_SIZEOF([char])
+AC_CHECK_SIZEOF([short])
+AC_CHECK_SIZEOF([int])
+AC_CHECK_SIZEOF([long int])
+AC_CHECK_SIZEOF([long long int])
+AC_CHECK_SIZEOF([unsigned int])
+AC_CHECK_SIZEOF([unsigned long int])
+AC_CHECK_SIZEOF([unsigned long long int])
+
+# Check for int types
+AC_CHECK_TYPES([u_int8_t,u_int16_t,u_int32_t,u_int64_t,uint8_t,uint16_t,uint32_t,uint64_t])
+AC_CHECK_TYPES([int8_t,int16_t,int32_t,int64_t])
+
+# In case INADDR_NONE is not defined (like on Solaris)
+have_inaddr_none="no"
+AC_MSG_CHECKING([for INADDR_NONE])
+AC_RUN_IFELSE(
+[AC_LANG_PROGRAM(
+[[
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+]],
+[[
+ if (inet_addr("10,5,2") == INADDR_NONE);
+ return 0;
+]])],
+[have_inaddr_none="yes"],
+[have_inaddr_none="no"])
+AC_MSG_RESULT($have_inaddr_none)
+if test "x$have_inaddr_none" = "xno"; then
+ AC_DEFINE([INADDR_NONE],[-1],[For INADDR_NONE definition])
+fi
+
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#include <stdio.h>
+]], [[const char *foo; foo = sys_errlist[0];]])],[AC_DEFINE(ERRLIST_PREDEFINED,1,Define if errlist is predefined)],[])
+
+AC_MSG_CHECKING(for __FUNCTION__)
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#include <stdio.h>
+]], [[printf ("%s", __FUNCTION__);]])],[sn_cv_have___FUNCTION__=yes],[sn_cv__have___FUNCTION__=no])
+if test "x$sn_cv_have___FUNCTION__" = "xyes"; then
+ AC_MSG_RESULT(yes)
+ AC_DEFINE([HAVE___FUNCTION__],[1],[Define if the compiler understands __FUNCTION__.])
+else
+ AC_MSG_RESULT(no)
+ AC_MSG_CHECKING(for __func__)
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#include <stdio.h>
+]], [[printf ("%s", __func__);]])],[sn_cv_have___func__=yes],[sn_cv__have___func__=no])
+ if test "x$sn_cv_have___func__" = "xyes"; then
+ AC_MSG_RESULT(yes)
+ AC_DEFINE([HAVE___func__],[1],[Define if the compiler understands __func__.])
+ AC_DEFINE([__FUNCTION__],[__func__],[Define __FUNCTION__ as required.])
+ else
+ AC_MSG_RESULT(no)
+ AC_DEFINE([__FUNCTION__],["mystery function"])
+ fi
+fi
+
+AC_ARG_WITH(libpcap_includes,
+ [ --with-libpcap-includes=DIR libpcap include directory],
+ [with_libpcap_includes="$withval"],[with_libpcap_includes="no"])
+
+AC_ARG_WITH(libpcap_libraries,
+ [ --with-libpcap-libraries=DIR libpcap library directory],
+ [with_libpcap_libraries="$withval"],[with_libpcap_libraries="no"])
+
+
+if test "x$with_libpcap_includes" != "xno"; then
+ CPPFLAGS="${CPPFLAGS} -I${with_libpcap_includes}"
+fi
+
+if test "x$with_libpcap_libraries" != "xno"; then
+ LDFLAGS="${LDFLAGS} -L${with_libpcap_libraries}"
+fi
+
+# --with-libpfring-* options
+AC_ARG_WITH(libpfring_includes,
+ [ --with-libpfring-includes=DIR libpfring include directory],
+ [with_libpfring_includes="$withval"],[with_libpfring_includes="no"])
+
+AC_ARG_WITH(libpfring_libraries,
+ [ --with-libpfring-libraries=DIR libpfring library directory],
+ [with_libpfring_libraries="$withval"],[with_libpfring_libraries="no"])
+
+if test "x$with_libpfring_includes" != "xno"; then
+ CPPFLAGS="${CPPFLAGS} -I${with_libpfring_includes}"
+fi
+
+if test "x$with_libpfring_libraries" != "xno"; then
+ LDFLAGS="${LDFLAGS} -L${with_libpfring_libraries}"
+fi
+
+LPCAP=""
+AC_CHECK_LIB(pcap, pcap_datalink,, LPCAP="no")
+
+# If the normal AC_CHECK_LIB for pcap fails then check to see if we are
+# using a pfring-enabled pcap.
+if test "x$LPCAP" = "xno"; then
+ PFRING_H=""
+ AC_CHECK_HEADERS(pfring.h,, PFRING_H="no")
+
+# It is important to have the AC_CHECK_LIB for the pfring library BEFORE
+# the one for pfring-enabled pcap. When the Makefile is created, all the
+# libraries used during linking are added to the LIBS variable in the
+# Makefile in the opposite orded that their AC_CHECK_LIB macros appear
+# in configure.in. Durring linking, the pfring library (-lpfring) MUST come
+# _after_ the libpcap library (-lpcap) or linking will fail.
+ PFRING_L=""
+ AC_CHECK_LIB(pfring, pfring_open,, PFRING_L="no")
+
+ LPFRING_PCAP=""
+ AC_CHECK_LIB(pcap, pfring_open,, LPFRING_PCAP="no",-lpfring)
+fi
+
+# If both the AC_CHECK_LIB for normal pcap and pfring-enabled pcap fail then exit.
+if test "x$LPCAP" = "xno"; then
+ if test "x$LPFRING_PCAP" = "xno"; then
+ echo
+ echo " ERROR! Libpcap library/headers (libpcap.a (or .so)/pcap.h)"
+ echo " not found, go get it from http://www.tcpdump.org"
+ echo " or use the --with-libpcap-* options, if you have it installed"
+ echo " in unusual place. Also check if your libpcap depends on another"
+ echo " shared library that may be installed in an unusual place"
+ exit 1
+ fi
+fi
+
+AC_DEFUN([FAIL_MESSAGE],[
+ echo
+ echo
+ echo "**********************************************"
+ echo " ERROR: unable to find" $1
+ echo " checked in the following places"
+ for i in `echo $2`; do
+ echo " $i"
+ done
+ echo "**********************************************"
+ echo
+ exit 1
+])
+
+# any sparc platform has to have this one defined.
+AC_MSG_CHECKING(for sparc)
+if eval "echo $host_cpu|grep -i sparc >/dev/null"; then
+ AC_DEFINE([WORDS_MUSTALIGN],[1],[Define if words must align])
+ AC_MSG_RESULT(yes)
+
+ # gcc, sparc and optimization not so good
+ if test -n "$GCC"; then
+ NO_OPTIMIZE="yes"
+ fi
+else
+ AC_MSG_RESULT(no)
+fi
+
+# check for sparc %time register
+if eval "echo $host_cpu|grep -i sparc >/dev/null"; then
+ OLD_CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS -mcpu=v9 "
+ AC_MSG_CHECKING([for sparc %time register])
+ AC_RUN_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[]],
+ [[
+ int val;
+ __asm__ __volatile__("rd %%tick, %0" : "=r"(val));
+ ]])],
+ [sparcv9="yes"],
+ [sparcv9="no"])
+ AC_MSG_RESULT($sparcv9)
+ if test "x$sparcv9" = "xyes"; then
+ AC_DEFINE([SPARCV9],[1],[For sparc v9 with %time register])
+ else
+ CFLAGS="$OLD_CFLAGS"
+ fi
+fi
+
+AC_ARG_ENABLE(ipv6,
+[ --enable-ipv6 Enable IPv6 support],
+ enable_ipv6="$enableval", enable_ipv6="no")
+if test "x$enable_ipv6" = "xyes"; then
+ CPPFLAGS="$CPPFLAGS -DSUP_IP6"
+fi
+AM_CONDITIONAL(HAVE_SUP_IP6, test "x$enable_ipv6" = "xyes")
+
+AC_ARG_ENABLE(gre,
+[ --enable-gre Enable GRE and IP in IP encapsulation support],
+ enable_gre="$enableval", enable_gre="no")
+if test "x$enable_gre" = "xyes"; then
+ CPPFLAGS="$CPPFLAGS -DGRE"
+fi
+
+AC_ARG_ENABLE(mpls,
+[ --enable-mpls Enable MPLS support],
+ enable_mpls="$enableval", enable_mpls="no")
+if test "x$enable_mpls" = "xyes"; then
+ CPPFLAGS="$CPPFLAGS -DMPLS"
+fi
+
+AC_ARG_ENABLE(prelude,
+[ --enable-prelude Enable Prelude Hybrid IDS support],
+ enable_prelude="$enableval", enable_prelude="no")
+if test "x$enable_prelude" = "xyes"; then
+ AM_PATH_LIBPRELUDE(0.9.6, use_prelude="yes", use_prelude="no")
+ if test "$use_prelude" = "yes"; then
+ LDFLAGS="${LDFLAGS} ${LIBPRELUDE_LDFLAGS}"
+ LIBS="$LIBS ${LIBPRELUDE_LIBS}"
+ CFLAGS="$CFLAGS ${LIBPRELUDE_PTHREAD_CFLAGS}"
+ AC_DEFINE([HAVE_LIBPRELUDE],[1],[Define whether Prelude support is enabled])
+ fi
+fi
+
+AC_ARG_ENABLE(debug,
+[ --enable-debug Enable debugging options (bugreports and developers only)],
+ enable_debug="$enableval", enable_debug="no")
+if test "x$enable_debug" = "xyes"; then
+ NO_OPTIMIZE="yes"
+ CPPFLAGS="$CPPFLAGS -DDEBUG"
+
+ # in case user override doesn't include -g
+ if echo $CFLAGS | grep -qve -g ; then
+ CFLAGS="$CFLAGS -g"
+ fi
+fi
+
+# Checking for Tcl support (required by spo_sguil)
+AC_ARG_WITH(tcl,
+ [ --with-tcl=DIR support for Tcl],
+ [ with_tcl="$withval"],
+ [ with_tcl=no ])
+
+if test "$with_tcl" != "no"; then
+ # prioritise manual definition of the Tcl library.
+ if test -d "$with_tcl"; then
+ tclpath="$with_tcl"
+ else
+ # let tclsh tell us where it was installed (prefer new Tcl versions).
+ AC_CHECK_PROGS(TCLSH, tclsh8.4 tclsh8.3 tclsh8.2 tclsh8.1 tclsh8.0 tclsh)
+ if test "$TCLSH" != ""; then
+ tclpath=`echo 'puts [[lindex $tcl_pkgPath 0]]' | $TCLSH`
+ fi
+ fi
+
+ # check, if tclConfig.sh can be found in tclsh's installation directory.
+ if test ! -r $tclpath/tclConfig.sh; then
+ AC_MSG_RESULT(
+ [
+ Can't find Tcl libraries. Use --with-tcl to specify
+ the directory containing tclConfig.sh on your system.
+ Continuing build without Tcl support.])
+ else
+ # source tclsh's configuration file and tell the user about the version.
+ . $tclpath/tclConfig.sh
+ AC_MSG_CHECKING([for the tcl version number])
+ AC_MSG_RESULT([$TCL_VERSION, patchlevel $TCL_PATCH_LEVEL])
+ LIBS="$LIBS $TCL_LIBS $TCL_LIB_SPEC"
+ TCL_INCLUDE="$TCL_PREFIX/include/tcl$TCL_VERSION"
+ CPPFLAGS="$CPPFLAGS -I$TCL_INCLUDE -DENABLE_TCL";
+ fi
+fi
+
+AC_ARG_WITH(mysql,
+ [ --with-mysql=DIR Support for MySQL],
+ [ with_mysql="$withval"],
+ [ with_mysql="no" ])
+
+AC_ARG_WITH(mysql_includes,
+ [ --with-mysql-includes=DIR MySQL include directory],
+ [with_mysql_includes="$withval"; with_mysql="yes"],[with_mysql_includes="no"])
+
+AC_ARG_WITH(mysql_libraries,
+ [ --with-mysql-libraries=DIR MySQL library directory],
+ [with_mysql_libraries="$withval"; with_mysql="yes"],[with_mysql_libraries="no"])
+
+default_directory="/usr /usr/local"
+if test "x$with_mysql" != "xno"; then
+ if test "x$with_mysql" = "xyes"; then
+ if test "x$with_mysql_includes" != "xno"; then
+ mysql_inc_directory="$with_mysql_includes";
+ else
+ mysql_inc_directory="$default_directory";
+ fi
+ if test "x$with_mysql_libraries" != "xno"; then
+ mysql_lib_directory="$with_mysql_libraries";
+ else
+ mysql_lib_directory="$default_directory";
+ fi
+ mysql_fail="yes"
+ elif test -d "$withval"; then
+ AC_MSG_WARN(Providing a directory for the --with-mysql option)
+ AC_MSG_WARN(will be deprecated in the future in favour of)
+ AC_MSG_WARN(--with-mysql-libraries and --with-mysql-includes)
+ AC_MSG_WARN(options to address issues with non-standard)
+ AC_MSG_WARN(installations and 64bit platforms.)
+ mysql_inc_directory="$withval"
+ mysql_lib_directory="$withval"
+ mysql_fail="yes"
+ elif test "x$with_mysql" = "x"; then
+ mysql_inc_directory="$default_directory"
+ mysql_lib_directory="$default_directory"
+ mysql_fail="yes"
+ fi
+
+ AC_MSG_CHECKING(for mysql)
+
+ for i in $mysql_inc_directory; do
+ if test -r "$i/mysql.h"; then
+ MYSQL_INC_DIR="$i"
+ elif test -r "$i/include/mysql.h"; then
+ MYSQL_INC_DIR="$i/include"
+ elif test -r "$i/include/mysql/mysql.h"; then
+ MYSQL_INC_DIR="$i/include/mysql"
+ elif test -r "$i/mysql/mysql.h"; then
+ MYSQL_INC_DIR="$i/mysql"
+ elif test -r "$i/mysql/include/mysql.h"; then
+ MYSQL_INC_DIR="$i/mysql/include"
+ fi
+ done
+
+ for i in $mysql_lib_directory; do
+ if test -z "$MYSQL_LIB_DIR"; then
+ str="$i/libmysqlclient.*"
+ for j in `echo $str`; do
+ if test -r $j; then
+ MYSQL_LIB_DIR=$i
+ break 2
+ fi
+ done
+ fi
+ if test -z "$MYSQL_LIB_DIR"; then
+ str="$i/lib/libmysqlclient.*"
+ for j in `echo $str`; do
+ if test -r "$j"; then
+ MYSQL_LIB_DIR="$i/lib"
+ break 2
+ fi
+ done
+ fi
+ if test -z "$MYSQL_LIB_DIR"; then
+ str="$i/mysql/libmysqlclient.*"
+ for j in `echo $str`; do
+ if test -r "$j"; then
+ MYSQL_LIB_DIR="$i/mysql"
+ break 2
+ fi
+ done
+ fi
+ if test -z "$MYSQL_LIB_DIR"; then
+ str="$i/mysql/lib/libmysqlclient.*"
+ for j in `echo $str`; do
+ if test -r "$j"; then
+ MYSQL_LIB_DIR="$i/mysql/lib"
+ break 2
+ fi
+ done
+ fi
+ if test -z "$MYSQL_LIB_DIR"; then
+ str="$i/lib/mysql/libmysqlclient.*"
+ for j in `echo $str`; do
+ if test -r "$j"; then
+ MYSQL_LIB_DIR="$i/lib/mysql"
+ break 2
+ fi
+ done
+ fi
+ done
+
+ if test -z "$MYSQL_INC_DIR"; then
+ if test "x$mysql_fail" != "xno"; then
+ tmp=""
+ for i in $mysql_inc_directory; do
+ tmp="$tmp $i $i/include $i/include/mysql $i/mysql $i/mysql/include"
+ done
+ FAIL_MESSAGE("mysql headers (mysql.h)", $tmp)
+ else
+ AC_MSG_RESULT(no)
+ fi
+ else
+
+ if test -z "$MYSQL_LIB_DIR"; then
+ if test "x$mysql_fail" != "xno"; then
+ tmp=""
+ for i in $mysql_lib_directory; do
+ tmp="$tmp $i $i/lib $i/mysql $i/mysql/lib $i/lib/mysql"
+ done
+ FAIL_MESSAGE("mysqlclient library (libmysqlclient.*)", $tmp)
+ else
+ AC_MSG_RESULT(no)
+ fi
+ else
+ AC_MSG_RESULT(yes)
+ LDFLAGS="${LDFLAGS} -L${MYSQL_LIB_DIR}"
+ CPPFLAGS="${CPPFLAGS} -I${MYSQL_INC_DIR} -DENABLE_MYSQL"
+ AC_CHECK_LIB(z, compress)
+ LIBS="-lmysqlclient ${LIBS}"
+ fi
+ fi
+
+ AC_MSG_CHECKING([for mysql default client reconnect])
+
+ AC_RUN_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[
+ #include <mysql.h>
+ ]],
+ [[
+ if (mysql_get_client_version() < 50003)
+ return 1;
+ ]])],
+ [mysql_default_reconnect="no"],
+ [mysql_default_reconnect="yes"])
+
+ AC_MSG_RESULT($mysql_default_reconnect)
+
+ if test "x$mysql_default_reconnect" = "xno"; then
+ AC_MSG_CHECKING([for mysql reconnect option])
+
+ AC_RUN_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[
+ #include <mysql.h>
+ ]],
+ [[
+ if (mysql_get_client_version() < 50013)
+ return 1;
+ ]])],
+ [mysql_has_reconnect="yes"],
+ [mysql_has_reconnect="no"])
+
+ AC_MSG_RESULT($mysql_has_reconnect)
+
+ if test "x$mysql_has_reconnect" = "xyes"; then
+ AC_DEFINE([MYSQL_HAS_OPT_RECONNECT],[1],[For MySQL versions 5.0.13 and greater])
+
+ AC_MSG_CHECKING([for mysql setting of reconnect option before connect bug])
+
+ AC_RUN_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[
+ #include <mysql.h>
+ ]],
+ [[
+ if (mysql_get_client_version() < 50019)
+ return 1;
+ ]])],
+ [mysql_has_reconnect_bug="no"],
+ [mysql_has_reconnect_bug="yes"])
+
+ AC_MSG_RESULT($mysql_has_reconnect_bug)
+
+ if test "x$mysql_has_reconnect_bug" = "xyes"; then
+ AC_DEFINE([MYSQL_HAS_OPT_RECONNECT_BUG],[1],[For MySQL versions 5.0.13 to 5.0.18])
+ fi
+ fi
+ fi
+fi
+
+AC_ARG_ENABLE(mysql-ssl-support,
+[ --enable-mysql-ssl-support Enable support for mysql SSL connections (experimental)],
+ enable_mysql_ssl_support="$enableval", enable_debug="no")
+if test "x$enable_mysql_ssl_support" = "xyes"; then
+ CPPFLAGS="$CPPFLAGS -DMYSQL_SSL_SUPPORT"
+
+ # in case user override doesn't include -g
+# if echo $CFLAGS | grep -qve -g ; then
+# CFLAGS="$CFLAGS -g"
+# fi
+fi
+
+AC_ARG_WITH(odbc,
+ [ --with-odbc=DIR Support for ODBC],
+ [ with_odbc="$withval" ],
+ [ with_odbc="no" ])
+
+if test "x$with_odbc" != "xno"; then
+ if test "x$with_odbc" = "xyes"; then
+ odbc_directory="$default_directory"
+ odbc_fail="yes"
+ elif test -d $withval; then
+ odbc_directory="$withval $default_directory";
+ odbc_fail="yes"
+ elif test "x$with_odbc" = "x"; then
+ odbc_directory="$default_directory"
+ odbc_fail="no"
+ fi
+
+ AC_MSG_CHECKING("for odbc")
+
+ for i in $odbc_directory; do
+ if test -r "$i/include/sql.h"; then
+ if test -r "$i/include/sqlext.h"; then
+ if test -r "$i/include/sqltypes.h"; then
+ ODBC_DIR="$i"
+ ODBC_INC_DIR="$i/include"
+ fi fi fi
+ done
+
+ if test -z "$ODBC_DIR"; then
+ if test "x$odbc_fail" != "xno"; then
+ tmp=""
+ for i in $odbc_directory; do
+ tmp="$tmp $i/include"
+ done
+ FAIL_MESSAGE("odbc headers (sql.h sqlext.h sqltypes.h)", $tmp)
+ else
+ AC_MSG_RESULT(no)
+ fi
+ else
+
+ str="$ODBC_DIR/lib/libodbc.*"
+ for j in `echo $str`; do
+ if test -r "$j"; then
+ ODBC_LIB_DIR="$ODBC_DIR/lib"
+ ODBC_LIB="odbc"
+ fi
+ done
+
+dnl if test -z "$ODBC_LIB_DIR"; then
+dnl str="$ODBC_DIR/lib/libiodbc.*"
+dnl for j in `echo $str`; do
+dnl if test -r $j; then
+dnl ODBC_LIB_DIR="$ODBC_DIR/lib"
+dnl ODBC_LIB="iodbc"
+dnl fi
+dnl done
+dnl fi
+
+ if test -z "$ODBC_LIB_DIR"; then
+ if test "x$odbc_fail" != "xno"; then
+ FAIL_MESSAGE("odbc library (libodbc)", "$ODBC_DIR/lib")
+ else
+ AC_MSG_RESULT(no)
+ fi
+ else
+ AC_MSG_RESULT(yes)
+ LDFLAGS="${LDFLAGS} -L${ODBC_LIB_DIR}"
+ CPPFLAGS="${CPPFLAGS} -I${ODBC_INC_DIR} -DENABLE_ODBC"
+ LIBS="${LIBS} -l$ODBC_LIB"
+ fi
+ fi
+fi
+
+AC_ARG_WITH(postgresql,
+ [ --with-postgresql=DIR Support for PostgreSQL],
+ [ with_postgresql="$withval" ],
+ [ with_postgresql="no" ])
+
+AC_ARG_WITH(pgsql_includes,
+ [ --with-pgsql-includes=DIR PostgreSQL include directory],
+ [with_pgsql_includes="$withval" ],
+ [with_pgsql_includes="no" ])
+
+if test "x$with_postgresql" != "xno"; then
+ if test "x$with_postgresql" = "xyes"; then
+ postgresql_directory="$default_directory /usr/local/pgsql /usr/pgsql /usr/local"
+ postgresql_fail="yes"
+ elif test -d $withval; then
+ postgresql_directory="$withval $default_directory /usr/local/pgsql /usr/pgsql"
+ postgresql_fail="yes"
+ elif test "$with_postgresql" = ""; then
+ postgresql_directory="$default_directory /usr/local/pgsql /usr/pgsql"
+ postgresql_fail="no"
+ fi
+
+ AC_MSG_CHECKING(for postgresql)
+
+ if test "x$with_pgsql_includes" != "xno"; then
+ for i in $with_pgsql_includes $postgresql_directory; do
+ if test -r "$i/libpq-fe.h"; then
+ POSTGRESQL_INC_DIR="$i"
+ elif test -r "$i/include/pgsql/libpq-fe.h"; then
+ POSTGRESQL_INC_DIR="$i/include/pgsql"
+ elif test -r "$i/include/libpq-fe.h"; then
+ POSTGRESQL_INC_DIR="$i/include"
+ elif test -r "$i/include/postgresql/libpq-fe.h"; then
+ POSTGRESQL_INC_DIR="$i/include/postgresql"
+ fi
+ done
+ fi
+
+ if test -z "$POSTGRESQL_INC_DIR"; then
+ for i in $postgresql_directory; do
+ if test -r "$i/include/pgsql/libpq-fe.h"; then
+ POSTGRESQL_DIR="$i"
+ POSTGRESQL_INC_DIR="$i/include/pgsql"
+ elif test -r "$i/include/libpq-fe.h"; then
+ POSTGRESQL_DIR="$i"
+ POSTGRESQL_INC_DIR="$i/include"
+ elif test -r "$i/include/postgresql/libpq-fe.h"; then
+ POSTGRESQL_DIR="$i"
+ POSTGRESQL_INC_DIR="$i/include/postgresql"
+ fi
+ done
+ fi
+
+ if test -z "$POSTGRESQL_INC_DIR"; then
+ if test "x$postgresql_fail" != "xno"; then
+ tmp=""
+ if test "x$with_pgsql_includes" != "xno"; then
+ tmp="$tmp $with_pgsql_includes"
+ fi
+ for i in $postgresql_directory; do
+ tmp="$tmp $i/include $i/include/pgsql"
+ done
+ FAIL_MESSAGE("postgresql header file (libpq-fe.h)", $tmp)
+ else
+ AC_MSG_RESULT(no)
+ fi
+ fi
+
+ if test -z "$POSTGRESQL_DIR"; then
+ for dir in $postgresql_directory; do
+ for i in "lib" "lib/pgsql"; do
+ str="$dir/$i/libpq.*"
+ for j in `echo $str`; do
+ if test -r $j; then
+ POSTGRESQL_LIB_DIR="$dir/$i"
+ break 2
+ fi
+ done
+ done
+ done
+ else
+ POSTGRESQL_LIB_DIR="$POSTGRESQL_DIR/lib"
+ fi
+
+ if test -z "$POSTGRESQL_LIB_DIR"; then
+ if test "$postgresql_fail" != "no"; then
+ FAIL_MESSAGE("postgresql library libpq",
+ "$POSTGRESQL_DIR/lib $POSTGRESQL_DIR/lib/pgsql")
+ else
+ AC_MSG_RESULT(no);
+ fi
+ else
+ AC_MSG_RESULT(yes)
+ LDFLAGS="${LDFLAGS} -L${POSTGRESQL_LIB_DIR}"
+ CPPFLAGS="${CPPFLAGS} -I${POSTGRESQL_INC_DIR} -DENABLE_POSTGRESQL"
+ AC_CHECK_LIB(pq, PQexec,, PQLIB="no")
+ if test "x$PQLIB" != "xno"; then
+ LIBS="${LIBS} -lpq"
+ else
+ echo
+ echo " ERROR! libpq (postgresql) not found!"
+ echo
+ exit 1
+ fi
+ fi
+fi
+
+AC_ARG_WITH(oracle,
+ [ --with-oracle=DIR Support for Oracle],
+ [ with_oracle="$withval" ],
+ [ with_oracle="no" ])
+
+if test "x$with_oracle" != "xno"; then
+ if test "x$with_oracle" = "xyes"; then
+ oracle_directory="$default_directory ${ORACLE_HOME}"
+ oracle_fail="yes"
+ elif test -d $withval; then
+ oracle_directory="$withval $default_directory ${ORACLE_HOME}"
+ oracle_fail="yes"
+ elif test "x$with_oracle" = "x"; then
+ oracle_directory="$default_directory ${ORACLE_HOME}"
+ oracle_fail="no"
+ fi
+
+ AC_MSG_CHECKING(for oracle)
+
+ for i in $oracle_directory; do
+ if test -r "$i/rdbms/demo/oci.h"; then
+ ORACLE_DIR="$i"
+ fi
+ done
+
+ if test -z "$ORACLE_DIR"; then
+ if test "x$oracle_fail" != "xno"; then
+ tmp=""
+ for i in $oracle_directory; do
+ tmp="$tmp $i/rdbms/demo"
+ done
+ FAIL_MESSAGE("OCI header file (oci.h)", $tmp)
+ else
+ AC_MSG_RESULT(no)
+ fi
+ else
+ for i in "rdbms/demo" "rdbms/public" "network/public"; do
+ ORACLE_CPP_FLAGS="$ORACLE_CPP_FLAGS -I$ORACLE_DIR/$i"
+ done
+ ORACLE_LIB_DIR="$ORACLE_DIR/lib"
+ AC_MSG_RESULT(yes)
+
+ LDFLAGS="${LDFLAGS} -L${ORACLE_LIB_DIR}"
+ CPPFLAGS="${CPPFLAGS} ${ORACLE_CPP_FLAGS} -DENABLE_ORACLE"
+
+ ORACLE_LIBS="-lclntsh"
+ if test -r "$ORACLE_LIB_DIR/libwtc9.so"; then
+ ORACLE_LIBS="${ORACLE_LIBS} -lwtc9"
+ elif test -r "$ORACLE_LIB_DIR/libwtc8.so"; then
+ ORACLE_LIBS="${ORACLE_LIBS} -lwtc8"
+ fi
+ LIBS="${LIBS} ${ORACLE_LIBS}"
+ fi
+fi
+
+AC_ARG_ENABLE(aruba,
+[ --enable-aruba Enable Aruba output plugin],
+ enable_aruba="$enableval", enable_aruba="no")
+if test "x$enable_aruba" = "xyes"; then
+ CPPFLAGS="$CPPFLAGS -DARUBA"
+fi
+
+# let's make some fixes..
+
+CFLAGS=`echo $CFLAGS | sed -e 's/-I\/usr\/include //g'`
+CPPFLAGS=`echo $CPPFLAGS | sed -e 's/-I\/usr\/include //g'`
+
+if test "x$GCC" = "xyes" ; then
+ echo `$CC -v 2>&1` | grep "version 4" > /dev/null
+ if test $? = 0 ; then
+ CFLAGS="$CFLAGS -fno-strict-aliasing"
+ fi
+fi
+
+if test "x$linux" = "xyes"; then
+ AC_MSG_CHECKING(for linuxthreads)
+ tstr=`getconf GNU_LIBPTHREAD_VERSION 2>&1`
+ if test $? = 0; then # GNU_LIBPTHREAD_VERSION is a valid system variable
+ echo $tstr | grep -i linuxthreads > /dev/null 2>&1
+ if test $? = 0; then
+ AC_DEFINE([HAVE_LINUXTHREADS],[1],[Define whether linuxthreads is being used])
+ AC_MSG_RESULT(yes)
+ else
+ AC_MSG_RESULT(no)
+ fi
+ else
+ # Use libc.so to see if linuxthreads is being used
+ $( ldd `which --skip-alias ls` | grep libc.so | awk '{print $3}' ) | grep -i linuxthreads > /dev/null 2>&1
+ if test $? = 0; then
+ AC_DEFINE([HAVE_LINUXTHREADS],[1],[Define whether linuxthreads is being used])
+ AC_MSG_RESULT(yes)
+ else
+ AC_MSG_RESULT(no)
+ fi
+ fi
+fi
+
+# Set to no optimization regardless of what user or autostuff set
+if test "x$NO_OPTIMIZE" = "xyes"; then
+ CFLAGS=`echo $CFLAGS | sed -e "s/-O./-O0/"`
+
+ # in case user override doesn't include -O
+ if echo $CFLAGS | grep -qve -O0 ; then
+ CFLAGS="$CFLAGS -O0"
+ fi
+fi
+
+if test "x$ADD_WERROR" = "xyes"; then
+ CFLAGS="$CFLAGS -Werror"
+fi
+
+if test -n "$GCC"; then
+ CFLAGS="$CFLAGS -Wall"
+fi
+
+echo $CFLAGS > cflags.out
+echo $CPPFLAGS > cppflags.out
+
+INCLUDES='-I$(top_srcdir) -I$(top_srcdir)/src -I$(top_srcdir)/src/sfutil $(extra_incl) -I$(top_srcdir)/src/output-plugins -I$(top_srcdir)/src/input-plugins'
+
+AC_SUBST(INCLUDES)
+
+AC_PROG_INSTALL
+AC_CONFIG_FILES([ \
+Makefile \
+src/Makefile \
+src/sfutil/Makefile \
+src/input-plugins/Makefile \
+src/output-plugins/Makefile \
+etc/Makefile \
+doc/Makefile \
+rpm/Makefile \
+schemas/Makefile \
+m4/Makefile])
+AC_OUTPUT
+
+if test "x$mysql_has_reconnect" = "xno"; then
+cat <<EOF
+
+********************************************************************************
+ MySQL version warning
+
+ The MySQL client version you are using does not by default reconnect to the
+ server if the connection is lost and does not have the option to configure
+ this for the client. Snort, for security reasons, erases the connection
+ password from memory, so it cannot explicity reconnect at runtime. Please
+ update your version of MySQL to 5.0.13 or greater or you risk connections
+ timing out because of inactivity resulting in the inablilty of Snort to write
+ alerts to the database. If you can't upgrade, try setting the 'wait-timeout'
+ configuration parameter to the maximum value possible in the @<:@mysqld@:>@
+ section of my.cnf, e.g. wait-timeout=31536000. This should give you a good
+ year of inactivity before the server terminates the connection ... if your
+ network is this clean, you probably don't need to use Snort.
+
+********************************************************************************
+
+EOF
+fi
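Review bot: the default branch of AC_ARG_ENABLE(mysql-ssl-support) assigns the wrong variable: `enable_mysql_ssl_support="$enableval", enable_debug="no")` should end in `enable_mysql_ssl_support="no"`. As written it clobbers enable_debug (harmless only because the debug block above it has already executed) and leaves enable_mysql_ssl_support unset, so the `-DMYSQL_SSL_SUPPORT` test below it passes by accident; the commented-out `-g` block copied from the debug option can go at the same time. Two related problems in the database blocks: the `--with-mysql`, `--with-postgresql` and `--with-oracle` branches test `$withval` (`elif test -d "$withval"; then`, `elif test -d $withval; then`) instead of the option's own variable, and because AC_ARG_WITH(mysql_includes), AC_ARG_WITH(mysql_libraries) and AC_ARG_WITH(pgsql_includes) run in between, `withval` can hold a different option's value; use `$with_mysql`, `$with_postgresql`, `$with_oracle` and quote them. The three MySQL reconnect probes are AC_RUN_IFELSE calls with no action-if-cross-compiling, so configure aborts when cross-compiling; comparing MYSQL_VERSION_ID from mysql.h in a compile-only test gives the same three thresholds (50003, 50013, 50019) without executing a program. The linuxthreads fallback `$( ldd ... | awk '{print $3}' ) | grep -i linuxthreads` executes the libc path that ldd prints and relies on glibc's libc.so being runnable, which deserves a comment, and `which --skip-alias` is GNU-only. Finally, the MySQL version warning at the end still says "Snort, for security reasons, erases the connection password from memory"; this is barnyard2's configure, so the text should name barnyard2, and the claim should be confirmed against the database output plugin's actual handling of the password before it ships.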
111 doc/INSTALL
@@ -0,0 +1,111 @@
+
+-------------------------------------------------------------------------------
+0. BARNYARD2 QUICK INSTALL
+-------------------------------------------------------------------------------
+
+The "generic" notes for putting this thing together are below. Here's the
+short version.
+
+The quick install notes for getting people up and running in with minimal fuss
+are below. Detailed instructions will follow later.
+
+1. *** Make sure you have libpcap HEADERS installed!!! ***
+2. ./configure
+3. make
+4. make install
+5. Create a sample rules file (eg. look at etc/barnyard2.conf)
+6. barnyard2 -?
+7. If you've used barnyard before, there may be a little variance in the
+ commandline parameters.
+8. Have fun!
+
+
+-------------------------------------------------------------------------------
+1. BARNYARD2 CONFIGURE-TIME SWITCHES
+-------------------------------------------------------------------------------
+
+`--enable-debug'
+ Enable debugging options (bugreports and developers only).
+
+`--with-tcl=DIR'
+ Support for Tcl, turn this on if you want to use the Sguil plugin. An
+ alternative location can be supplied for non-standard Tcl installs.
+
+`--with-libpcap-includes=DIR'
+ Specify location for pcap header files.
+
+`--with-mysql=DIR'
+ Support for mysql, turn this on if you want to use ACID/BASE with MySQL.
+ NOTE: Specifying a directory will be deprecated in the future.
+
+`--with-mysql-libraries=DIR'
+ Specify location for mysql client library.
+
+`--with-mysql-includes=DIR'
+ Specify location for mysql header files.
+
+`--with-odbc=DIR'
+ Support for ODBC databases, turn this on if you want to use ACID/BASE with
+ a non-listed DB.
+
+`--with-postgresql=DIR'
+ Support for Postgresql databases, turn this on if you want to use ACID/BASE
+ with PostgreSQL.
+
+`--with-oracle=DIR'
+ Support for Oracle databases, turn this on if you want to use ACID/BASE
+ with Oracle.
+
+
+-------------------------------------------------------------------------------
+2. BASIC INSTALLATION
+-------------------------------------------------------------------------------
+
+ These are generic installation instructions.
+
+ The `configure' shell script attempts to guess correct values for various
+system-dependent variables used during compilation. It uses those values to
+create a `Makefile' in each directory of the package. It may also create one or
+more `.h' files containing system-dependent definitions. Finally, it creates a
+shell script `config.status' that you can run in the future to recreate the
+current configuration, a file `config.cache' that saves the results of its
+tests to speed up reconfiguring, and a file `config.log' containing compiler
+output (useful mainly for debugging `configure').
+
+ If you need to do unusual things to compile the package, please try to
+figure out how `configure' could check whether to do them, and mail diffs or
+instructions to the address given in the `README' so they can be considered for
+the next release. If at some point `config.cache' contains results you don't
+want to keep, you may remove or edit it.
+
+ The file `configure.in' is used to create `configure' by a program called
+`autoconf'. You only need `configure.in' if you want to change it or
+regenerate `configure' using a newer version of `autoconf'.
+
+The simplest way to compile this package is:
+
+ 1. `cd' to the directory containing the package's source code and type
+ `./configure' to configure the package for your system. If you're using
+ `csh' on an old version of System V, you might need to type
+ `sh ./configure' instead to prevent `csh' from trying to execute
+ `configure' itself.
+
+ Running `configure' takes awhile. While running, it prints some messages
+ telling which features it is checking for.
+
+ 2. Type `make' to compile the package.
+
+ 3. Optionally, type `make check' to run any self-tests that come with the
+ package.
+
+ 4. Type `make install' to install the programs and any data files and
+ documentation.
+
+ 5. You can remove the program binaries and object files from the source code
+ directory by typing `make clean'. To also remove the files that
+ `configure' created (so you can compile the package for a different kind
+ of computer), type `make distclean'. There is also a
+ `make maintainer-clean' target, but that is intended mainly for the
+ package's developers. If you use it, you may have to get all sorts of
+ other programs in order to regenerate files that came with the
+ distribution.
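Review bot: the configure-time switch list in section 1 is already out of sync with configure.in in this same commit: it omits `--with-libpcap-libraries`, `--with-libpfring-includes`/`--with-libpfring-libraries`, `--with-pgsql-includes`, `--enable-ipv6`, `--enable-gre`, `--enable-mpls`, `--enable-prelude`, `--enable-aruba` and `--enable-mysql-ssl-support`, all of which configure.in defines. Step 5 of the quick install, "Create a sample rules file (eg. look at etc/barnyard2.conf)", should say configuration file; barnyard2 reads unified2 output and a config, not rules. Section 2 is the stock autoconf INSTALL text and refers to `config.cache` and `make check`; confirm the package actually has self-tests and drop the parts that do not apply, or point at the generic file instead of copying it.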
4 doc/Makefile.am
@@ -0,0 +1,4 @@
+## $Id$
+AUTOMAKE_OPTIONS=foreign no-dependencies
+
+EXTRA_DIST = INSTALL README README.aruba README.database README.sguil
162 doc/README
@@ -0,0 +1,162 @@
+
+------------------------------------------------------------------------------
+0. SUMMARY
+------------------------------------------------------------------------------
+
+Barnyard2 - version 2-1.8
+
+This README contains some quick information about how to set up and
+configure barnyard2 to ensure it works as it should.
+
+If you have any questions or comments about the barnyard2 then please direct
+them to the SecurixLive.com Team <dev@securixlive.com>.
+
+Distribution Site:
+http://www.securixlive.com/barnyard2
+
+
+------------------------------------------------------------------------------
+1. COPYRIGHT
+------------------------------------------------------------------------------
+
+Copyright (C)2008-2010 Ian Firns <firnsy@securixlive.com>
+Copyright (C)2008-2010 SecurixLive <dev@securixlive.com>
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License Version 2 as
+published by the Free Software Foundation. You may not use, modify or
+distribute this program under any other version of the GNU General
+Public License.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+Some of this code has been taken from Snort, which was developed by
+Martin Roesch and The Snort Team (http://www.snort.org/team.html).
+
+Some of this code has been taken from barnyard, which was developed by
+Martin Roesch and Andrew R. Baker.
+
+Some of this code has been taken from tcpdump, which was developed
+by the Network Research Group at Lawrence Berkeley National Lab,
+and is copyrighted by the University of California Regents.
+
+
+------------------------------------------------------------------------------
+2. DESCRIPTION
+------------------------------------------------------------------------------
+
+Barnyard2 is an open source interpreter for Snort unified2 binary output files.
+Its primary use is allowing Snort to write to disk in an efficient manner and
+leaving the task of parsing binary data into various formats to a separate
+process that will not cause Snort to miss network traffic.
+
+Barnyard2 has 3 modes of operation:
+ 1. batch (or one-shot),
+ 2. continual, and
+ 3. continual w/ bookmark.
+
+In batch (or one-shot) mode, barnyard2 will process the explicitly specified
+file(s) and exit.
+
+In continual mode, barnyard2 will start with a location to look and a specified
+file pattern and continue to process new data (and new spool files) as they
+appear.
+
+Continual mode w/ bookmarking will also use a checkpoint file (or waldo file in
+the snort world) to track where it is. In the event the barnyard2 process ends
+while a waldo file is in use, barnyard2 will resume processing at the last
+entry as listed in the waldo file.
+
+The "-f", "-w", and "-o" options are used to determine which mode barnyard2
+will run in. It is legal for both the "-f" and "-w" options to be used on the
+command line at the same time, however any data that exists in the waldo file
+will override the command line data from the "-f" and "-d" options. See the
+command directives section below for more detail.
+
+Barnyard2 processing is controlled by two main types of directives: input
+processors and output plugins. The input processors read information in from a
+specific format ( currently the spo_unified2 output module of Snort ) and
+output them in one of several ways.
+
+
+------------------------------------------------------------------------------
+3. USAGE
+------------------------------------------------------------------------------
+
+Command line:
+
+ barnyard2 [-options]
+
+
+ Gernal Options:
+
+ -c <file> Use configuration file <file>
+ -C <file> Read the classification map from <file>
+ -D Run barnyard2 in background (daemon) mode
+ -e Display the second layer header info
+ -E Log alert messages to NT Eventlog. (Win32 only)
+ -F Turn off fflush() calls after binary log writes
+ -g <gname> Run barnyard2 gid as <gname> group (or gid) after initialization
+ -G <file> Read the gen-msg map from <file>
+ -h <name> Define the hostname <name>. For logging purposes only
+ -i <if> Define the interface <if>. For logging purposes only
+ -I Add Interface name to alert output
+ -l <ld> Log to directory <ld>
+ -m <umask> Set umask = <umask>
+ -O Obfuscate the logged IP addresses
+ -q Quiet. Don't show banner and status report
+ -r <id> Include 'id' in barnyard2_intf<id>.pid file name
+ -R <file> Read the reference map from <file>
+ -S <file> Read the sid-msg map from <file>
+ -t <dir> Chroots process to <dir> after initialization
+ -T Test and report on the current barnyard2 configuration
+ -u <uname> Run barnyard2 uid as <uname> user (or uid) after initialization
+ -U Use UTC for timestamps
+ -v Be verbose
+ -V Show version number
+ -? Show this information
+
+ Continual Processing Options:
+ -a <dir> Archive processed files to <dir>
+ -f <base> Use <base> as the base filename pattern
+ -d <dir> Spool files from <dir>
+ -n Only process new events
+ -w <file> Enable bookmarking using <file>
+
+ Batch Processing Mode Options:
+ -o Enable batch processing mode
+
+
+ Longname options and their corresponding single char version
+ --reference <file> Same as -R
+ --classification <file> Same as -C
+ --gen-msg <file> Same as -G
+ --sid-msg <file> Same as -S
+ --alert-on-each-packet-in-stream Call output plugins on each packet in an alert stream
+ --process-new-records-only Same as -n
+ --pid-path <dir> Specify the directory for the barnyard2 PID file
+ --help Same as -?
+ --version Same as -V
+ --create-pidfile Create PID file, even when not in Daemon mode
+ --nolock-pidfile Do not try to lock barnyard2 PID file
+ --max-mpls-labelchain-len Specify the max MPLS label chain
+ --mpls-payload-type Specify the protocol (ipv4, ipv6, ethernet) that is encapsulated by MPLS
+
+
+Examples:
+
+ 1. Using barnyard2 in continuous mode with a waldo file
+
+ # ./barnyard2 -c /etc/barnyard2.conf -d /var/snort -f snort.u2 -w /var/snort/snort.waldo
+
+ 2. Using barnyard2 in batch mode
+
+ # ./barnyard2 -c /etc/barnyard2.conf -o file1.u2 file2.u2 file3.u2
+
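Review bot: the mode description in section 2 is inconsistent with itself and with the option table: it says `-f`, `-w` and `-o` select the mode, then that the waldo file overrides "-f" and "-d", while `-d <dir>` is what names the spool directory in the continual example (`-d /var/snort -f snort.u2 -w /var/snort/snort.waldo`). State explicitly which of -d/-f/-w each mode requires and exactly which values a waldo file overrides. "Gernal Options" should be "General Options". The privilege-dropping flags (`-u`, `-g`, `-t <dir>` chroot, `-m <umask>`) are all documented as taking effect "after initialization"; the table should say whether the waldo file (`-w`), archive directory (`-a`), log directory (`-l`) and `--pid-path` must therefore be writable by the unprivileged user and resolvable inside the chroot, since an operator cannot tell that from the current text. Lastly, `-E Log alert messages to NT Eventlog. (Win32 only)` should be removed if this tree does not build on Win32.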
196 doc/README.aruba
@@ -0,0 +1,196 @@
+Aruba Networks Integration
+==========================
+Joshua Wright <jwright@arubanetworks.com>
+05-SEP-2006
+
+-- Overview --
+As a centralized-processing wireless transport system, an Aruba Networks
+Mobility Controller (MC) has visibility into all wireless traffic including
+dynamic encryption keys. This architecture allows users to easily integrate
+with Snort for centralized monitoring of all wireless network traffic.
+
+In addition to traffic reporting capabilities, an Aruba Networks MC can enforce
+dynamic role-based access controls to restrict or limit accessibility into the
+network. When integrated with Snort's powerful rules language functionality,
+users can dynamically modify access permissions to the wireless network based
+on any matching rules. This allows an administrator to blacklist a user if
+their workstation appears to be infected with a worm, or limit access to
+network resources if spyware is detected, or any of several configuration
+possibilities.
+
+The ability to modify a user's role (and by association, access permissions) or
+to blacklist a user is provided in the alert_aruba_action output plugin. This
+document describes the features, implementation and configuration of this
+output plugin.
+
+
+-- Features --
+The alert_aruba_action output plugin allows a Snort administrator to create
+custom rule types that modify the access permissions for wireless users when
+triggered. By configuring an Aruba MC to mirror all wireless traffic to a
+designated Snort box, Snort can assess all wireless traffic and interact with
+the Aruba MC to quarantine problematic sources within the network.
+
+Using the alert_aruba_action output plugin, an administrator can specify the
+action to take when a specified alert is triggered:
+
+ blacklist: When a Snort alert is triggered, the source IP address
+ becomes blacklisted on the Aruba MC, stopping all wireless access for the
+ station.
+
+ setrole: When a Snort alert is triggered, the source IP address has their
+ role changed from the currently derived role to one of the administrator's
+ choosing. This is often deployed as a "quarantine role", where restricted
+ access is granted to the network for the station.
+
+
+-- Implementation --
+In order to use this plugin effectively, the Aruba MC must be able to mirror a
+copy of wireless traffic to a Snort sensor as a directly connected (SPAN port)
+station, or the termination endpoint of a GRE tunnel (see Configuration for
+details). Also, the Snort sensor must be able to reach the Aruba MC on TCP/80
+to blacklist or modify the role assignments for users.
+
+-- Configuration --
+
+Configuration requires modification to the snort.conf file for the
+alert_aruba_action plugin, as well as configuration statements on the Aruba MC
+to authenticate Snort when changing client access permissions. The Snort
+sensor and the Aruba MC share a secret passphrase for authentication, and the
+Aruba MC must specify the source IP address of the Snort sensor.
+
+
+--- alert_aruba_action ---
+
+The configuration options are described below:
+
+* <controller address> *
+Specifies the IP address or hostname of the Aruba MC that will be responsible
+for modifying user role assignments, or blacklisting users. Mandatory.
+
+* secrettype *
+Specifies the type of secret used for the Snort sensor to authenticate to the
+Aruba MC, one of:
+
+ sha1 - The shared secret, represented as a SHA1 hash. You can generate
+ this string with the openssl tool as
+ "echo password | openssl dgst -sha1", changing the string
+ "password" to the shared secret string.
+ md5 - The shared secret, represented as a MD5 hash. You can generate
+ this string with the openssl tool as
+ "echo password | openssl dgst -md5", changing the string
+ "password" to the shared secret string.
+ cleartext - The shared secret in plaintext.
+
+* secret *
+Specified the secret shared between the Snort sensor and the Aruba MC. Must
+be represented to match the secret type setting (SHA1, MD5 or cleartext).
+
+* action *
+Specifies the action that the Aruba MC will take against the source MAC
+address of the station reported by the Snort sensor, one of:
+
+ blacklist - Terminate all network access for the wireless user,
+ placing them on the blacklist. Station will be unable
+ to access the wireless network until the blacklist
+ duration expires.
+ setrole:<rolename> - Modify the user's role assignment to the specified role
+ name. The new role can be configured to restrict or
+ grant access to the network as needed by the
+ administrator.
+
+Example:
+
+In this example snort.conf file, we create a new rule type that has two output
+mechanisms; a local syslog entry and an Aruba action command:
+
+ruletype aruba_quarantine {
+ type alert
+ output alert_aruba_action: 172.16.0.252 cleartext foo setrole:snort_quarantine
+ output alert_syslog: LOG_AUTH LOG_ALERT
+}
+
+
+Once the new rule type is created, the Snort administrator can specify the
+Snort rules that will take this action. For example, if the organization wants
+to prohibit the use of the ICQ chat protocol, we can use the following
+snort.conf entry to complete the output actions in the aruba_quarantine rule
+specified above:
+
+aruba_quarantine tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT ICQ access"; flow:to_server,established; content:"User-Agent|3A|ICQ"; classtype:policy-violation; sid:541; rev:9;)
+
+
+--- Aruba MC ---
+
+In order to accept role change commands and blacklist events from the Snort
+sensor, the Aruba MC must be configured to recognize the Snort sensor by IP
+address and through the shared secret. The Aruba MC must also be configured
+with the appropriate roles if the alert_aruba_action plugin is configured with
+the "settype" action; the blacklist action is always available and does not
+require additional configuration.
+
+The following example configures the Aruba MC to accept role changes or
+blacklist events from the Snort sensor at 10.10.10.10 using the shared secret
+"pedantic":
+
+(Aruba200) >en
+Password:********
+(Aruba200) #configure terminal
+Enter Configuration commands, one per line. End with CNTL/Z
+
+(Aruba200) (config) #aaa xml-api client 10.10.10.10
+(Aruba200) (ecp-client) #key pedantic
+
+(Aruba200) (ecp-client) #end
+(Aruba200) #copy running-config startup-config
+
+
+You can verify the configuration using the "show aaa xml-api" commands:
+
+
+(Aruba200) #show aaa xml-api clients
+
+XML-API Client Configuration
+----------------------------
+ IP Key
+ ----------- ---
+ 10.10.10.10 *****
+ 172.16.0.106 *****
+
+(Aruba200) #show aaa xml-api statistics
+
+XML-API Statistics
+------------------
+Statistics 10.10.10.10
+---------- -----------
+user_authenticate 0 (0)
+user_add 0 (0)
+user_delete 0 (0)
+user_blacklist 0 (0)
+user_query 0 (0)
+unknown user 0 (0)
+unknown role 0 (0)
+unknown external agent 0 (0)
+authentication failed 0 (0)
+invalid command 0 (0)
+invalid message authentication method 0 (0)
+invalid message digest 0 (0)
+missing message authentication 0 (0)
+missing or invalid version number 0 (0)
+Cant use VLAN IP 0 (0)
+Invalid IP 0 (0)
+
+Packets received from unknown clients : 0 (0)
+Packets received with unknown request : 0 (0)
+Requests Received/Success/Failed : 0/0/0 (0/0/0)
+
+
+Also ensure that any roles specified with the "setrole:rolename" action exist
+on the Aruba MC:
+
+(Aruba200) #show configuration | include snort_quarantine
+user-role snort_quarantine
+
+
+For additional information on configuring the Aruba MC, please see the ArubaOS
+Reference Guide or contact Aruba Customer Support.
395 doc/README.database
@@ -0,0 +1,395 @@
+I. Summary
+
+The database output plug-in enables snort to log to
+
+ - Postgresql,
+ - MySQL,
+ - any unixODBC database,
+ - MS SQL Server and
+ - Oracle.
+
+This README contains some quick information about how to set up and
+configure database logging with in snort. More complete and
+update to date documentation about this plugin can be found at:
+
+ Documentation:
+
+ http://www.andrew.cmu.edu/~rdanyliw/snort/snortdb/snortdb.html
+
+ FAQ:
+
+ http://www.andrew.cmu.edu/~rdanyliw/snort/snortdb/snortdb_faq.html
+
+Questions or comments about the database plugin can be directed to
+Roman Danyliw <roman@danyliw.com> or to the snort-users mailing
+list.
+
+II. Database Setup
+
+To get this plug-in working you must have a database set up and
+configured properly. Take the the following steps to get things
+working.
+
+ 1) Install MySQL, Postgresql, Oracle, MS SQL Server or
+ (unixODBC + some other RDBMS)
+ MySQL => http://www.mysql.org
+ Postgresql => http://www.postgesql.org
+ unixODBC => http://www.unixodbc.org
+ Oracle => http://www.oracle.com
+ SQL Server => http://www.microsoft.com
+
+ 2) Follow directions from your database vendor to be sure your
+ RDBMS is properly configured and secured.
+
+ 3) Follow directions from your vendor to create a database for
+ snort.
+
+ MySQL example
+ % echo "CREATE DATABASE snort;" | mysql -u root -p
+
+ 4) Create a user that has privileges to INSERT and SELECT
+ on that database.
+
+ example
+ - First create a user - for this example we will use "snortusr"
+ - now grant the right privileges for that user
+ > grant INSERT,SELECT on snort.* to snortusr@localhost;
+ - In addition, grant that user the UPDATE privilege on the
+ 'sensor' table
+ > grant INSERT,SELECT,UPDATE on snort.sensor to snortusr@localhost;
+
+ 5) Build the structure of the database according to files supplied
+ with snort in the "schemas" directory as the user created in
+ step 4.
+
+ Do this while in the snort source directory.
+
+ For MySQL
+ % mysql -D snort -u root -p < ./schemas/create_mysql
+
+ For Postgresql
+ % psql snort < ./schemas/create_postgresql
+
+ For Oracle
+ The file "./schemas/create_oracle.sql" contains the database
+ structure.
+
+ For MS SQL Server
+ The file "./schemas/create_mssql" contains the database
+ structure.
+
+ If you are using unixODBC, be sure to properly configure and
+ test that you can connect to your data source (DSN) with isql
+ before trying to run snort.
+
+ For RDBMS other than MySQL and Postgresql that are accessed
+ through ODBC you will need to create the database
+ structure yourself because data types vary for different
+ databases. You will need to have the same column names and
+ functionality for each column as in the mysql and
+ postgresql examples. The mysql file is the best example to
+ follow since it is optimized (given that mysql supports tiny
+ ints and unsigned ints). I intend to document this process
+ better in the future to make this process easier.
+
+ As you create database structure files for new RDBMS mail
+ them in so they can be included as part of the distribution.
+
+III. Plugin Configuration
+
+You must add some information to the snort configuration file
+to enable database logging. The configuration file distributed
+with snort has some sample configuration lines.
+
+The configuration line will be of the following format:
+
+ output database: [log | alert], [type of database], [parameter list]
+
+Arguments:
+
+ [log | alert] - specify log or alert to connect the database
+ plugin to the log or alert facility. In most cases you will
+ likely want to use the log facility.
+
+ [type of database] - You must supply the type of database. The
+ possible values are mysql, postgresql, odbc, mssql, and oracle.
+
+ [parameter list] - The parameter list consists of key value
+ pairs. The proper format is a list of key=value pairs each
+ separated a space.
+
+ The only parameter that is absolutely necessary is "dbname".
+ All other parameters are optional but may be necessary
+ depending on how you have configured your RDBMS.
+
+ dbname - the name of the database you are connecting to
+
+ host - the host the RDBMS is on
+
+ port - the port number the RDBMS is listening on
+
+ user - connect to the database as this user
+
+ password - the password for given user
+
+ sensor_name - specify your own name for this snort
+ sensor. If you do not specify a name one will be
+ generated automatically.
+
+ encoding - Because the packet payload and option data is
+ binary, there is no one simple and portable way to
+ store it in a database. BLOBS are not used because they
+ are not portable across databases. So I leave the
+ encoding option to you. You can choose from the
+ following options. Each has its own advantages and
+ disadvantages:
+
+ hex: (default) Represent binary data as a hex string.
+
+ storage requirements - 2x the size of the binary
+
+ searchability....... - very good
+
+ human readability... - not readable unless you
+ are a true geek
+ requires post processing
+
+ base64: Represent binary data as a base64 string.
+
+ storage requirements - ~1.3x the size of the binary
+
+ searchability....... - impossible without post
+ processing
+
+ human readability... - not readable
+ requires post processing
+
+ ascii: Represent binary data as an ascii string. This is
+ the only option where you will actually loose data.
+ Non ascii data is represented as a ".". If you choose
+ this option then data for ip and tcp options will
+ still be represented as "hex" because it does not
+ make any sense for that data to be ascii.
+
+ storage requirements - Slightly larger than the
+ binary because some characters
+ are escaped (&,<,>)
+
+ searchability....... - very good for searching for
+ a text string
+ impossible if you want to
+ search for binary
+
+ human readability... - very good
+
+ detail - How much detailed data do you want to store? The options
+ are:
+
+ full: (default) log all details of a packet that
+ caused an alert (including ip/tcp options and
+ the payload)
+
+ fast: log only a minimum amount of data. You severely
+ limit the potential of some analysis
+ applications if you choose this option, but
+ this is still the best choice for some
+ applications. The following fields are logged
+ - (timestamp, signature, source ip,
+ destination ip, source port, destination
+ port, tcp flags, and protocol)
+
+ ignore_bpf - Do we want to create a new sensor definition every time
+ the BPF filter is changed? The options are:
+
+ [no|0]: (default) Create a new sensor definition if BPF
+ filter has been modified
+
+ [yes|1]: Ignore the BPF part when looking for the server
+ definition
+
+
+
+ MYSQL ONLY
+
+ ssl_key - the name of the SSL key file to use for establishing a secure
+ connection.
+
+ ssl_cert - the path of the SSL certificate file to user for establishing
+ a secure connection.
+
+ ssl_ca - the path to a file that contains a list of trusted SSL CAs.
+
+ ssl_ca_path - The path to a directory that contains trusted SSL CA
+ certificates in PEM format.
+
+ ssl_cipher - A list of allowable ciphers to user for SSL encryption. For
+ greatest portability, the cipher list should be of one or more
+ cipher namges, separated by colons. Examples:
+
+ ssl_cipher=AES128-SHA
+ ssl_cipher=DHE-RSA-AES256-SHA:AES128-SHA
+
+ If no cipher in the list is supported, SSL connections will not work.
+
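Review bot: step 1 has a broken URL ("http://www.postgesql.org" should be "http://www.postgresql.org"), and several wording slips should be fixed: "update to date" (Summary), "Take the the following steps" (II), "separated a space" (parameter list), "loose data" (ascii encoding), "looking for the server definition" (ignore_bpf, should be "sensor definition"), and "to user for" / "cipher namges" in the MYSQL ONLY section. The `password` parameter description should also say that the credential sits in plaintext in the configuration file, so that file needs restrictive permissions, and since the ssl_* options are documented as MySQL only, the README should make clear that connections to the other supported databases carry the credentials unencrypted unless the RDBMS itself is configured to require TLS.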