
Version 2-1.11

Bumped: revision to 315

Fix: enable alert-on-each-packet-in-stream by default, to disable use
     --disable-alert-on-each-packet-in-stream or use
     config disable_alert_on_each_packet_in_stream

Fix: spo_database.c:
      Was never resolved shared object (SO_RULE) signature message.

Fix: Call to GetSigByGidSid now use event revision and generate correct
     Snort Alert [gid:sid:rev] messages.

Fix: spo_syslog_full
     i)  operation_mode complete displays IPs in dotted notation instead
         of host-aligned integers for alert_ and log_
     ii) Signature will also by default be prefixed with
         [gid:sid:rev] block
     iii) missing break statement that was causing the output plugin to
          output ALERT AND LOG in complete mode.
1 parent 163caf6 commit 8de8124fd19f4a43cc55208da920638a61d95968 @binf binf committed Oct 24, 2012
@@ -189,6 +189,7 @@ static struct option long_options[] =
{"sid-msg", LONGOPT_ARG_REQUIRED, NULL, 'S'},
{"reference", LONGOPT_ARG_REQUIRED, NULL, 'R'},
{"classification", LONGOPT_ARG_REQUIRED, NULL, 'C'},
+ {"disable-alert-on-each-packet-in-stream", LONGOPT_ARG_NONE, NULL, DISABLE_ALERT_ON_EACH_PACKET_IN_STREAM},
{"alert-on-each-packet-in-stream", LONGOPT_ARG_NONE, NULL, ALERT_ON_EACH_PACKET_IN_STREAM},
{"process-new-records-only", LONGOPT_ARG_NONE, NULL, 'n'},
@@ -500,11 +501,11 @@ static int ShowUsage(char *program_name)
FPUTS_BOTH ("\n");
FPUTS_BOTH ("Longname options and their corresponding single char version\n");
+ FPUTS_BOTH (" --disable-alert-on-each-packet-in-stream Alert once per event\n");
FPUTS_BOTH (" --reference <file> Same as -R\n");
FPUTS_BOTH (" --classification <file> Same as -C\n");
FPUTS_BOTH (" --gen-msg <file> Same as -G\n");
FPUTS_BOTH (" --sid-msg <file> Same as -S\n");
- FPUTS_BOTH (" --alert-on-each-packet-in-stream Call output plugins on each packet in an alert stream\n");
FPUTS_BOTH (" --process-new-records-only Same as -n\n");
FPUTS_BOTH (" --pid-path <dir> Specify the directory for the barnyard2 PID file\n");
FPUTS_BOTH (" --help Same as -?\n");
@@ -563,7 +564,10 @@ static void ParseCmdLine(int argc, char **argv)
barnyard2_cmd_line_conf = Barnyard2ConfNew();
barnyard2_conf = barnyard2_cmd_line_conf; /* Set the global for log messages */
bc = barnyard2_cmd_line_conf;
-
+
+ /* alert_on_each_packet_in_stream_flag enabled by default */
+ bc->alert_on_each_packet_in_stream_flag = 1;
+
/* Look for a -D and/or -M switch so we can start logging to syslog
* with "barnyard2" tag right away */
for (i = 0; i < argc; i++)
@@ -638,9 +642,13 @@ static void ParseCmdLine(int argc, char **argv)
ConfigNoLoggingTimestamps(bc, NULL);
break;
+ case DISABLE_ALERT_ON_EACH_PACKET_IN_STREAM:
+ ConfigDisableAlertOnEachPacketInStream(bc, NULL);
+ break;
+
case ALERT_ON_EACH_PACKET_IN_STREAM:
ConfigAlertOnEachPacketInStream(bc, NULL);
- break;
+ break;
#ifdef MPLS
case MAX_MPLS_LABELCHAIN_LEN:
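Review bot: The new default `bc->alert_on_each_packet_in_stream_flag = 1;` at the top of ParseCmdLine is applied only to the command-line config object, so any other Barnyard2Config (the one built from the config file, if it is a separate object) still starts at 0 and the effective value depends on how the two are merged, which is outside this diff; setting the default in Barnyard2ConfNew() would give every config object the same starting point. The usage hunk also drops the help line for `--alert-on-each-packet-in-stream` while the option is still registered in long_options and handled in the switch, leaving an accepted but undocumented flag; keep a line such as `FPUTS_BOTH (" --alert-on-each-packet-in-stream Call output plugins on each packet in an alert stream (default)\n");`. ConfigDisableAlertOnEachPacketInStream() and the `disable_alert_on_each_packet_in_stream` config keyword named in the description do not appear in the visible diff, so confirm they are part of this commit. ShowUsage and ParseCmdLine both extend outside the hunks shown.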
@@ -60,10 +60,10 @@
/* D E F I N E S ************************************************************/
#define PROGRAM_NAME "Barnyard"
-#define VER_MAJOR "2"
-#define VER_MINOR "1"
-#define VER_REVISION "10"
-#define VER_BUILD "313"
+#define VER_MAJOR "2"
+#define VER_MINOR "1"
+#define VER_REVISION "11"
+#define VER_BUILD "315"
#define STD_BUF 1024
@@ -159,6 +159,7 @@ typedef enum _GetOptLongIds
DETECTION_SEARCH_METHOD,
CONF_ERROR_OUT,
+ DISABLE_ALERT_ON_EACH_PACKET_IN_STREAM,
ALERT_ON_EACH_PACKET_IN_STREAM,
#ifdef MPLS
@@ -302,16 +303,16 @@ typedef struct _Barnyard2Config
vartable_t *ip_vartable;
#endif
- /* staging - snort specific variables */
- int checksums_mode;
- char ignore_ports[0x10000];
-
+ /* staging - snort specific variables */
+ int checksums_mode;
+ char ignore_ports[0x10000];
+
/* general variables */
char *config_file; /* -c */
char *config_dir;
-
- char *hostname; /* -h or config hostname */
- char *interface; /* -i or config interface */
+
+ char *hostname; /* -h or config hostname */
+ char *interface; /* -i or config interface */
char *class_file; /* -C or config class_map */
char *sid_msg_file; /* -S or config sid_map */
@@ -328,36 +329,36 @@ typedef struct _Barnyard2Config
int quiet_flag;
int verbose_flag;
- int verbose_bytedump_flag;
- int show2hdr_flag;
- int char_data_flag;
- int data_flag;
- int obfuscation_flag;
+ int verbose_bytedump_flag;
+ int show2hdr_flag;
+ int char_data_flag;
+ int data_flag;
+ int obfuscation_flag;
int alert_on_each_packet_in_stream_flag;
-
- int logtosyslog_flag;
- int test_mode_flag;
-
- int use_utc;
- int include_year;
-
+
+ int logtosyslog_flag;
+ int test_mode_flag;
+
+ int use_utc;
+ int include_year;
+
int line_buffer_flag;
char nostamp;
-
+
int user_id;
int group_id;
mode_t file_mask;
-
+
/* -h and -B */
#ifdef SUP_IP6
- sfip_t homenet;
- sfip_t obfuscation_net;
+ sfip_t homenet;
+ sfip_t obfuscation_net;
#else
- u_long homenet;
- u_long netmask;
- uint32_t obfuscation_net;
- uint32_t obfuscation_mask;
+ u_long homenet;
+ u_long netmask;
+ uint32_t obfuscation_net;
+ uint32_t obfuscation_mask;
#endif
#ifdef MPLS
@@ -367,12 +368,12 @@ typedef struct _Barnyard2Config
/* batch mode options */
int batch_mode_flag;
- int batch_total_files;
- char **batch_filelist;
-
+ int batch_total_files;
+ char **batch_filelist;
+
/* continual mode options */
- int process_new_records_only_flag;
- Waldo waldo;
+ int process_new_records_only_flag;
+ Waldo waldo;
char *archive_dir;
int daemon_flag;
int daemon_restart_flag;
@@ -632,34 +632,34 @@ void ParseSidMapLine(Barnyard2Config *bc, char *data)
return;
}
-SigNode *GetSigByGidSid(u_int32_t gid, u_int32_t sid)
+SigNode *GetSigByGidSid(u_int32_t gid, u_int32_t sid,u_int32_t revision)
{
- /* set temp node pointer to the Sid map list head */
+ /* set temp node pointer to the Sid map list head */
SigNode *sn = sigTypes;
-
- /* a snort general rule (gid=1) and a snort dynamic rule (gid=3) use the */
- /* the same sids and thus can be considered one in the same. */
- if (gid == 3)
- gid = 1;
-
+
+ /* a snort general rule (gid=1) and a snort dynamic rule (gid=3) use the */
+ /* the same sids and thus can be considered one in the same. */
+ if (gid == 3)
+ gid = 1;
+
/* find any existing Snort ID's that match */
while (sn != NULL)
{
if (sn->generator == gid && sn->id == sid)
{
return sn;
}
-
+
sn = sn->next;
}
/* create a default message since we didn't find any match */
sn = CreateSigNode(&sigTypes);
sn->generator = gid;
sn->id = sid;
- sn->rev = 0;
+ sn->rev = revision;
sn->msg = (char *)SnortAlloc(42);
- snprintf(sn->msg, 42, "Snort Alert [%u:%u:%u]", gid, sid, 0);
+ snprintf(sn->msg, 42, "Snort Alert [%u:%u:%u]", gid, sid, revision);
return sn;
}
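Review bot: The placeholder message buffer in GetSigByGidSid is still 42 bytes, but the format now prints a real revision instead of the literal 0: `Snort Alert [` (13 bytes) plus three 32-bit decimals (up to 30), two colons, the closing bracket and the terminator can reach 47 bytes, so for large ids snprintf silently truncates the tail of the message (the bracket and part of the revision) where the old output always fit. Size it to the worst case, e.g. `sn->msg = (char *)SnortAlloc(48);` and `snprintf(sn->msg, 48, "Snort Alert [%u:%u:%u]", gid, sid, revision);`, or measure first with `snprintf(NULL, 0, ...)`. Note also that the synthesized node is appended to sigTypes and later lookups match on gid/sid only, so the revision of the first unmapped event is frozen into the message for every later event with the same gid/sid and a different revision; if that matters, refresh sn->rev and sn->msg when a placeholder is found with a mismatched revision (this needs a way to tell placeholders from sid-msg.map entries, which is not visible here).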
@@ -123,7 +123,7 @@ void ParseClassificationConfig(struct _Barnyard2Config *, char *args);
void DeleteClassTypes();
-SigNode *GetSigByGidSid(uint32_t, uint32_t);
+SigNode *GetSigByGidSid(uint32_t, uint32_t, uint32_t);
int ReadSidFile(struct _Barnyard2Config *, const char *);
void ParseSidMapLine(struct _Barnyard2Config *, char *);
@@ -168,7 +168,8 @@ void AlertBro(Packet *p, void *event, u_int32_t event_type, void *arg)
}
sn = GetSigByGidSid(ntohl(uevent->generator_id),
- ntohl(uevent->signature_id));
+ ntohl(uevent->signature_id),
+ ntohl(uevent->signature_revision));
if(p && IPH_IS_VALID(p))
{
@@ -506,7 +506,9 @@ void AlertCEF(Packet *p, void *event, u_int32_t event_type, void *arg)
data = (CEFData *)arg;
sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
- ntohl(((Unified2EventCommon *)event)->signature_id));
+ ntohl(((Unified2EventCommon *)event)->signature_id),
+ ntohl(((Unified2EventCommon *)event)->signature_revision));
+
cn = ClassTypeLookupById(barnyard2_conf, ntohl(((Unified2EventCommon *)event)->classification_id));
/* Remove this check when we support IPv6 below. */
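Review bot: The three-line `GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id), ntohl(...->signature_id), ntohl(...->signature_revision))` incantation is now repeated verbatim in every output plugin touched by this commit; a small helper in map.c that does the three ntohl() conversions and forwards to GetSigByGidSid would make each call site one line and ensure the next field added to the lookup (as revision was here) cannot be missed in one plugin. AlertCEF also dereferences event before the lookup without a visible NULL check, unlike RealAlertCSV, which guards with `if ( event != NULL )`; if there is no earlier guard in the function, add one. AlertCEF starts before this hunk.
```c
/* Look up the SigNode for a unified2 event, converting the wire-order ids. */
SigNode *GetSigByEvent(const Unified2EventCommon *ev)
{
    return GetSigByGidSid(ntohl(ev->generator_id),
                          ntohl(ev->signature_id),
                          ntohl(ev->signature_revision));
}
```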
@@ -347,7 +347,8 @@ static void RealAlertCSV(Packet * p, void *event, uint32_t event_type,
if ( event != NULL )
{
sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
- ntohl(((Unified2EventCommon *)event)->signature_id));
+ ntohl(((Unified2EventCommon *)event)->signature_id),
+ ntohl(((Unified2EventCommon *)event)->signature_revision));
if (sn != NULL)
{
@@ -158,7 +158,8 @@ static void AlertFast(Packet *p, void *event, uint32_t event_type, void *arg)
data = (SpoAlertFastData *)arg;
sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
- ntohl(((Unified2EventCommon *)event)->signature_id));
+ ntohl(((Unified2EventCommon *)event)->signature_id),
+ ntohl(((Unified2EventCommon *)event)->signature_revision));
LogTimeStamp(data->log, p);
@@ -149,7 +149,9 @@ static void AlertFull(Packet *p, void *event, uint32_t event_type, void *arg)
data = (SpoAlertFullData *)arg;
sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
- ntohl(((Unified2EventCommon *)event)->signature_id));
+ ntohl(((Unified2EventCommon *)event)->signature_id),
+ ntohl(((Unified2EventCommon *)event)->signature_revision));
+
if(sn != NULL)
@@ -1017,7 +1017,9 @@ void AlertFWsam(Packet *p, void *event, uint32_t event_type, void *arg)
optp=NULL;
sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
- ntohl(((Unified2EventCommon *)event)->signature_id));
+ ntohl(((Unified2EventCommon *)event)->signature_id),
+ ntohl(((Unified2EventCommon *)event)->signature_revision));
+
cn = ClassTypeLookupById(barnyard2_conf, ntohl(((Unified2EventCommon *)event)->classification_id));
if(FWsamOptionField) /* If using the file (field present), let's use that */
@@ -574,7 +574,9 @@ static int event_to_reference(void *event, idmef_classification_t *class)
* return if we have no information about the rule.
*/
sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
- ntohl(((Unified2EventCommon *)event)->signature_id));
+ ntohl(((Unified2EventCommon *)event)->signature_id),
+ ntohl(((Unified2EventCommon *)event)->signature_revision));
+
if (sn == NULL)
return 0;
@@ -623,7 +625,8 @@ void snort_alert_prelude(Packet *p, void *event, u_int32_t event_type, void *dat
return;
sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
- ntohl(((Unified2EventCommon *)event)->signature_id));
+ ntohl(((Unified2EventCommon *)event)->signature_id),
+ ntohl(((Unified2EventCommon *)event)->signature_revision));
if (sn == NULL)
return;
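Review bot: The `if (sn == NULL)` checks after both new GetSigByGidSid calls look unreachable: map.c's GetSigByGidSid never returns NULL, because it synthesizes a placeholder SigNode ("Snort Alert [gid:sid:rev]") whenever no sid-msg.map entry matches (assuming SnortAlloc and CreateSigNode abort rather than return NULL, which is not visible here). For event_to_reference that means the "return if we have no information about the rule" comment no longer describes the code: an unknown rule now yields a reference built from the placeholder message instead of being skipped. If skipping unknown rules is the intent, mark placeholders when GetSigByGidSid creates them (a flag on SigNode) and test that instead of NULL; otherwise replace the comment with `/* unknown rules get a synthesized "Snort Alert [gid:sid:rev]" node from GetSigByGidSid */`. Both functions extend outside the hunks shown.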
@@ -517,7 +517,10 @@ void AlertSyslog(Packet *p, void *event, uint32_t event_type, void *arg)
data = (SyslogData *)arg;
sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
- ntohl(((Unified2EventCommon *)event)->signature_id));
+ ntohl(((Unified2EventCommon *)event)->signature_id),
+ ntohl(((Unified2EventCommon *)event)->signature_revision));
+
+
cn = ClassTypeLookupById(barnyard2_conf, ntohl(((Unified2EventCommon *)event)->classification_id));
event_string[0] = '\0';
@@ -178,7 +178,8 @@ void AlertTest(Packet *p, void *event, u_int32_t event_type, void *arg)
if (data->flags & TEST_FLAG_MSG)
{
sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
- ntohl(((Unified2EventCommon *)event)->signature_id));
+ ntohl(((Unified2EventCommon *)event)->signature_id),
+ ntohl(((Unified2EventCommon *)event)->signature_revision));
if(sn != NULL)
{
@@ -193,7 +193,9 @@ void AlertUnixSock(Packet *p, void *event, uint32_t event_type, void *arg)
alertpkt.val|=NOPACKET_STRUCT;
sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
- ntohl(((Unified2EventCommon *)event)->signature_id));
+ ntohl(((Unified2EventCommon *)event)->signature_id),
+ ntohl(((Unified2EventCommon *)event)->signature_revision));
+
if (sn != NULL)
{
@@ -1442,6 +1442,15 @@ int dbProcessSignatureInformation(DatabaseData *data,void *event, u_int32_t even
priority = ntohl(((Unified2EventCommon *)event)->priority_id);
classification = ntohl(((Unified2EventCommon *)event)->classification_id);
+ /* Originaly forgot about this, since
+ those signature messages will be put in sid-msg.map by programs like pulledpork */
+ /* map.c
+ a snort general rule (gid=1) and a snort dynamic rule (gid=3) use the
+ the same sids and thus can be considered one in the same. */
+ if (gid == 3)
+ {
+ gid = 1;
+ }
/* NOTE: elz
For sanity purpose the sig_class table SHOULD have internal classification id to prevent possible
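Review bot: The added gid 3→1 normalization in dbProcessSignatureInformation duplicates the same rule in map.c's GetSigByGidSid; two copies will drift, so define it once, e.g. `static inline u_int32_t NormalizeGid(u_int32_t gid) { return gid == 3 ? 1 : gid; }` in map.h, and call it from both places. Since `gid` here presumably feeds the signature lookup and insert that follow outside the hunk, SO-rule events that previously created sig rows with gen_id 3 will now resolve to gen_id 1 rows, so existing databases holding gen_id 3 entries will grow duplicate signature rows unless that is called out in the upgrade notes. The comment's typo `Originaly` should read `Originally`. The function starts and ends outside this hunk.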
@@ -117,7 +117,8 @@ void LogAscii(Packet *p, void *event, uint32_t event_type, void *arg)
}
sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
- ntohl(((Unified2EventCommon *)event)->signature_id));
+ ntohl(((Unified2EventCommon *)event)->signature_id),
+ ntohl(((Unified2EventCommon *)event)->signature_revision));
if(p)
{
@@ -195,7 +195,9 @@ void Platypus(Packet *p, void *event, u_int32_t event_type, void *arg)
/* grab the appropriate signature and classification information */
sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
- ntohl(((Unified2EventCommon *)event)->signature_id));
+ ntohl(((Unified2EventCommon *)event)->signature_id),
+ ntohl(((Unified2EventCommon *)event)->signature_revision));
+
cn = ClassTypeLookupById(barnyard2_conf, ntohl(((Unified2EventCommon *)event)->classification_id));
/*
@@ -251,7 +251,9 @@ void Sguil(Packet *p, void *event, uint32_t event_type, void *arg)
/* grab the appropriate signature and classification information */
sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
- ntohl(((Unified2EventCommon *)event)->signature_id));
+ ntohl(((Unified2EventCommon *)event)->signature_id),
+ ntohl(((Unified2EventCommon *)event)->signature_revision));
+
cn = ClassTypeLookupById(barnyard2_conf, ntohl(((Unified2EventCommon *)event)->classification_id));
/* Here we build our RT event to send to sguild. The event is built with a
