
fixed: conflict when cherry picking #51

1 parent ff1d027 commit f6928e913b9b65ba3ad47327dab1e3e7b3f783bc @binf binf committed with Oct 24, 2012
Showing with 67 additions and 23 deletions.
  1. +5 −0 etc/barnyard2.conf
  2. +25 −2 src/barnyard2.c
  3. +4 −1 src/barnyard2.h
  4. +2 −7 src/output-plugins/spo_database.h
  5. +16 −3 src/parser.c
  6. +2 −0 src/parser.h
  7. +7 −5 src/spooler.c
  8. +0 −5 src/util.c
  9. +6 −0 src/util.h
@@ -29,6 +29,11 @@ config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
+# Set the event cache size to defined max value before recycling of event occur.
+#
+#
+#config event_cache_size: 4096
+
# define dedicated references similar to that of snort.
#
#config reference: mybugs http://www.mybugs.com/?s=
@@ -190,6 +190,7 @@ static struct option long_options[] =
{"reference", LONGOPT_ARG_REQUIRED, NULL, 'R'},
{"classification", LONGOPT_ARG_REQUIRED, NULL, 'C'},
{"disable-alert-on-each-packet-in-stream", LONGOPT_ARG_NONE, NULL, DISABLE_ALERT_ON_EACH_PACKET_IN_STREAM},
+ {"event-cache-size", LONGOPT_ARG_REQUIRED, NULL, EVENT_CACHE_SIZE},
{"alert-on-each-packet-in-stream", LONGOPT_ARG_NONE, NULL, ALERT_ON_EACH_PACKET_IN_STREAM},
{"process-new-records-only", LONGOPT_ARG_NONE, NULL, 'n'},
@@ -502,6 +503,7 @@ static int ShowUsage(char *program_name)
FPUTS_BOTH ("Longname options and their corresponding single char version\n");
FPUTS_BOTH (" --disable-alert-on-each-packet-in-stream Alert once per event\n");
+ FPUTS_BOTH (" --event-cache-size <integer> Set Spooler MAX event cache size \n");
FPUTS_BOTH (" --reference <file> Same as -R\n");
FPUTS_BOTH (" --classification <file> Same as -C\n");
FPUTS_BOTH (" --gen-msg <file> Same as -G\n");
@@ -646,9 +648,13 @@ static void ParseCmdLine(int argc, char **argv)
ConfigDisableAlertOnEachPacketInStream(bc, NULL);
break;
+ case EVENT_CACHE_SIZE:
+ ConfigSetEventCacheSize(bc,optarg);
+ break;
+
case ALERT_ON_EACH_PACKET_IN_STREAM:
ConfigAlertOnEachPacketInStream(bc, NULL);
- break;
+ break;
#ifdef MPLS
case MAX_MPLS_LABELCHAIN_LEN:
@@ -1546,10 +1552,18 @@ static Barnyard2Config * MergeBarnyard2Confs(Barnyard2Config *cmd_line, Barnyard
config_file->log_dir = SnortStrdup(cmd_line->log_dir);
}
-
+
if (config_file == NULL)
return cmd_line;
+
+ if( cmd_line->event_cache_size > config_file->event_cache_size)
+ {
+ config_file->event_cache_size = cmd_line->event_cache_size;
+ }
+
+
+
/* Used because of a potential chroot */
config_file->orig_log_dir = SnortStrdup(config_file->log_dir);
@@ -1753,6 +1767,15 @@ static void Barnyard2Init(int argc, char **argv)
* command line overriding config file.
* Set the global barnyard2_conf that will be used during run time */
barnyard2_conf = MergeBarnyard2Confs(barnyard2_cmd_line_conf, bc);
+
+ if(barnyard2_conf->event_cache_size == 0)
+ {
+ barnyard2_conf->event_cache_size = 2048;
+ }
+
+ LogMessage("Barnyard2 spooler: Event cache size set to [%u] \n",
+ barnyard2_conf->event_cache_size);
+
}
/* pcap_snaplen is already initialized to SNAPLEN */
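Review bot: In MergeBarnyard2Confs the command-line value only takes effect when it is larger than the config-file value (`if( cmd_line->event_cache_size > config_file->event_cache_size)`), so `--event-cache-size 512` is silently dropped when barnyard2.conf sets 4096, even though the comment just above the merge call in Barnyard2Init says the command line overrides the config file. Since 0 is the "unset" marker (Barnyard2Init substitutes 2048 for it), the override condition should be `if (cmd_line->event_cache_size != 0)`. The 2048 fallback is an unexplained magic number; a named constant such as `#define DEFAULT_EVENT_CACHE_SIZE 2048` next to the new field in barnyard2.h, referenced here, would document the default and keep the usage text and code in step. Both MergeBarnyard2Confs and Barnyard2Init continue outside the hunks shown.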
@@ -63,7 +63,7 @@
#define VER_MAJOR "2"
#define VER_MINOR "1"
#define VER_REVISION "11"
-#define VER_BUILD "315"
+#define VER_BUILD "317"
#define STD_BUF 1024
@@ -161,6 +161,7 @@ typedef enum _GetOptLongIds
CONF_ERROR_OUT,
DISABLE_ALERT_ON_EACH_PACKET_IN_STREAM,
ALERT_ON_EACH_PACKET_IN_STREAM,
+ EVENT_CACHE_SIZE,
#ifdef MPLS
MAX_MPLS_LABELCHAIN_LEN,
@@ -297,6 +298,8 @@ typedef struct _Barnyard2Config
int logging_flags;
// int log_tcpdump;
// int no_log;
+
+ unsigned int event_cache_size;
VarEntry *var_table;
#ifdef SUP_IP6
@@ -103,16 +103,11 @@ typedef SQLCHAR ODBC_SQLCHAR;
#include "plugbase.h"
#ifndef DATABASE_MAX_ESCAPE_STATIC_BUFFER_LEN
-#define DATABASE_MAX_ESCAPE_STATIC_BUFFER_LEN 32768 /* Should theorically be enough to escape ....alot of queries */
+#define DATABASE_MAX_ESCAPE_STATIC_BUFFER_LEN MAX_QUERY_LENGTH /* Should theorically be enough to escape ....alot of queries */
#endif /* DATABASE_MAX_ESCAPE_STATIC_BUFFER_LEN */
-#ifndef MAX_QUERY_LENGTH
-//#define MAX_QUERY_LENGTH 8192
-#define MAX_QUERY_LENGTH (65536 * 2) /* Lets add some space for payload decoding and query esaping..*/
-#endif /* MAX_QUERY_LENGTH */
-
#ifndef MAX_SQL_QUERY_OPS
-#define MAX_SQL_QUERY_OPS 20
+#define MAX_SQL_QUERY_OPS 50 /* In case we get a IP packet with 40 options */
#endif /* MAX_SQL_QUERY_OPS */
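Review bot: DATABASE_MAX_ESCAPE_STATIC_BUFFER_LEN now expands to MAX_QUERY_LENGTH, whose only remaining definition is in util.h, but the hunk removes the local fallback without adding an include, so the fallback here only resolves if util.h is already visible at this point (plugbase.h on the line above may pull it in; confirm, otherwise the identifier is undefined wherever the buffer is declared). If that escape buffer is meant to receive the escaped form of a query that can itself be MAX_QUERY_LENGTH long, making the two equal leaves no headroom, since SQL escaping can roughly double a string; either size the escape buffer from the length of the input actually escaped or make sure the escape routine bounds-checks against the buffer length rather than assuming it fits. The new MAX_SQL_QUERY_OPS comment would be clearer if it stated the relation it is sized for, e.g. `/* must exceed the maximum number of per-packet IP options (40) plus the fixed statements */`.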
@@ -190,6 +190,7 @@ static const KeywordFunc barnyard2_conf_keywords[] =
static const ConfigFunc config_opts[] =
{
{ CONFIG_OPT__DISABLE_ALERT_ON_EACH_PACKET_IN_STREAM, 0, 1, ConfigDisableAlertOnEachPacketInStream },
+ { CONFIG_OPT__EVENT_CACHE_SIZE, 0, 1, ConfigSetEventCacheSize },
{ CONFIG_OPT__ALERT_ON_EACH_PACKET_IN_STREAM, 0, 1, ConfigAlertOnEachPacketInStream },
{ CONFIG_OPT__ALERT_WITH_IFACE_NAME, 0, 1, ConfigAlertWithInterfaceName },
{ CONFIG_OPT__ARCHIVE_DIR, 1, 1, ConfigArchiveDir },
@@ -1591,15 +1592,27 @@ void ConfigAlertOnEachPacketInStream(Barnyard2Config *bc, char *args)
{
if (bc == NULL)
return;
-
+
LogMessage("INFO: Alerting on each packet associated with an event: is now enabled by default. \n"
" use: command line argument --disable-alert-on-each-packet-in-stream or \n"
- " configure file argument disable-alert-on-each-packet-in-stream to disable the feature \n");
-
+ " configure file argument disable-alert-on-each-packet-in-stream to disable the feature \n");
+
return;
}
+void ConfigSetEventCacheSize(Barnyard2Config *bc, char *args)
+{
+ if( (bc == NULL) ||
+ (args == NULL))
+ {
+ return;
+ }
+
+ bc->event_cache_size = strtoul(args,NULL,10);
+ return;
+}
+
void ConfigDisableAlertOnEachPacketInStream(Barnyard2Config *bc, char *args)
{
if (bc == NULL)
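Review bot: ConfigSetEventCacheSize stores `strtoul(args,NULL,10)` without any validation, so a typo such as `event_cache_size: 4o96` yields 0 (silently replaced by the 2048 default later), trailing junk is ignored, and an out-of-range value saturates to ULONG_MAX and is then truncated into the `unsigned int` field. Parse with an end pointer, check errno and the range, and reject bad input with a message instead of storing it; the rewritten body below keeps the previous value on error and assumes errno.h and limits.h are reachable through the file's existing includes (not visible here). A brief comment on the function, `/* config/cmd-line handler for event_cache_size: 0 leaves the spooler default in place */`, would also help, since the 0-means-default convention lives in barnyard2.c.
```c
void ConfigSetEventCacheSize(Barnyard2Config *bc, char *args)
{
    char *end = NULL;
    unsigned long val;

    if ((bc == NULL) || (args == NULL))
    {
        return;
    }

    errno = 0;
    val = strtoul(args, &end, 10);
    if (end == args || *end != '\0' || errno == ERANGE || val > UINT_MAX)
    {
        LogMessage("WARNING: invalid event_cache_size value [%s], keeping [%u]\n",
                   args, bc->event_cache_size);
        return;
    }

    bc->event_cache_size = (unsigned int)val;
    return;
}
```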
@@ -44,6 +44,7 @@
/* Config options */
#define CONFIG_OPT__DISABLE_ALERT_ON_EACH_PACKET_IN_STREAM "disable_alert_on_each_packet_in_stream"
+#define CONFIG_OPT__EVENT_CACHE_SIZE "event_cache_size"
#define CONFIG_OPT__ALERT_ON_EACH_PACKET_IN_STREAM "alert_on_each_packet_in_stream"
#define CONFIG_OPT__ALERT_WITH_IFACE_NAME "alert_with_interface_name"
#define CONFIG_OPT__ARCHIVE_DIR "archivedir"
@@ -145,6 +146,7 @@ void ConfigUmask(Barnyard2Config *, char *);
void ConfigUtc(Barnyard2Config *, char *);
void ConfigVerbose(Barnyard2Config *, char *);
void ConfigWaldoFile(Barnyard2Config *, char *);
+void ConfigSetEventCacheSize(Barnyard2Config *, char *);
#ifdef MPLS
void ConfigMaxMplsLabelChain(Barnyard2Config *, char *);
void ConfigMplsPayloadType(Barnyard2Config *, char *);
@@ -41,7 +41,7 @@
#include "unified2.h"
#include "util.h"
-#define CACHED_EVENTS_MAX 256
+
/*
** PRIVATE FUNCTIONS
@@ -455,9 +455,11 @@ int ProcessContinuous(const char *dirpath, const char *filebase,
else
{
/* Make sure we create a new waldo even if we did not have processed an event */
- spooler->record_idx = 0;
- spoolerWriteWaldo(&barnyard2_conf->waldo, spooler);
-
+ if(waldo_timestamp != extension)
+ {
+ spooler->record_idx = 0;
+ spoolerWriteWaldo(&barnyard2_conf->waldo, spooler);
+ }
waiting_logged = 0;
/* set timestamp to ensure we look for a newer file next time */
@@ -875,7 +877,7 @@ int spoolerEventCacheClean(Spooler *spooler)
ernPrev = spooler->event_cache;
ernCurrent = spooler->event_cache;
- while (ernCurrent != NULL && spooler->events_cached > CACHED_EVENTS_MAX )
+ while (ernCurrent != NULL && spooler->events_cached > barnyard2_conf->event_cache_size )
{
ernNext = ernCurrent->next;
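Review bot: The loop condition in spoolerEventCacheClean now reads the global `barnyard2_conf->event_cache_size` on every iteration; hoisting it once, `const unsigned int max_cached = barnyard2_conf->event_cache_size;` before the loop and `spooler->events_cached > max_cached` in the condition, makes the bound explicit and keeps the trim stable if the configuration is replaced while the loop runs. The type of `events_cached` is not visible in the hunk; if it is a signed int, the comparison is performed as unsigned and a negative count would disable trimming entirely, so confirm it is unsigned or cast explicitly. The earlier ProcessContinuous hunk compares `waldo_timestamp != extension`, neither of which is declared in the hunk; a one-line comment stating why a matching timestamp must not rewrite the waldo would make that guard self-explanatory. All three functions start outside the hunks shown.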
@@ -96,11 +96,6 @@ static char _PATH_VARRUN[STD_BUF];
#define FILE_MAX_UTIL (PATH_MAX_UTIL + NAME_MAX_UTIL)
-#ifndef MAX_QUERY_LENGTH
-//#define MAX_QUERY_LENGTH 8192
-#define MAX_QUERY_LENGTH 65536 /* Lets add some space for payload decoding and query esaping..*/
-#endif /* MAX_QUERY_LENGTH */
-
/****************************************************************************
*
@@ -78,6 +78,12 @@
#define DETAIL_FAST 0
#define DETAIL_FULL 1
+#ifndef MAX_QUERY_LENGTH
+#define MAX_QUERY_LENGTH ((65536 * 2) + 4096) /* Lets add some space for payload decoding and query esaping..*/
+#endif /* MAX_QUERY_LENGTH */
+
+
+
/* Externs ********************************************************************/
extern uint32_t *netmasks;
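Review bot: The new MAX_QUERY_LENGTH comment does not say what the `+ 4096` is for or that this value now also sizes DATABASE_MAX_ESCAPE_STATIC_BUFFER_LEN in spo_database.h, which is the reason the definition was centralized here. Replace the comment with something like `/* Upper bound for one SQL statement: 2x the old 64 KiB plus 4 KiB headroom for escaped payload; also sizes the escape buffer in spo_database.h */`. The `#ifndef` guard means a build-time `-DMAX_QUERY_LENGTH=...` override still works, which is worth stating since a larger override grows the static escape buffer as well.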
