
Add: After initialization, free unused cache memory (reference and sy…

…stem and sigref)

Fix: Signature will now inherit the message from the latest revision if it exists in the cache, instead of using Snort Alert [gid:sid:rev]
Fix: Balance references for signatures with the same gid:sid and a different revision (no logic, raw compare; they need to be present in the sid-msg.map file)
Bumped build to 306.
1 parent e8e110a commit f837263e7faaa486e188627c8f0820e3063df20f @binf binf committed Aug 27, 2012
@@ -63,7 +63,7 @@
#define VER_MAJOR "2"
#define VER_MINOR "1"
#define VER_REVISION "10"
-#define VER_BUILD "305"
+#define VER_BUILD "306"
#define STD_BUF 1024
@@ -30,8 +30,8 @@
* documentation or the snortdb web site for configuration
* information
*
- * Special thanks to: Rusell Fuleton <russell.fulton@gmail.com> for helping us stress test
- * this in production produce the required fix for bugs experienced.
+ * Special thanks to: Rusell Fuleton <russell.fulton@gmail.com> for helping us stress test
+ * this in production for us.
*
*/
@@ -1425,6 +1425,10 @@ int dbProcessSignatureInformation(DatabaseData *data,void *event, u_int32_t even
u_int32_t oldRevision = 0;
+ u_int32_t sigMsgLen = 0;
+
+ u_int8_t reuseSigMsg = 0;
+
if( (data == NULL) ||
(event == NULL) ||
(psig_id == NULL))
@@ -1531,9 +1535,19 @@ int dbProcessSignatureInformation(DatabaseData *data,void *event, u_int32_t even
for(x = 0 ; x < sigMatchCount ; x++)
{
/* If we have an "uninitialized signature save it */
- if(data->mc.plgSigCompare[x].cacheSigObj->obj.rev == 0)
+ if( data->mc.plgSigCompare[x].cacheSigObj->obj.rev == 0 ||
+ data->mc.plgSigCompare[x].cacheSigObj->obj.rev < revision)
{
memcpy(&unInitSig,data->mc.plgSigCompare[x].cacheSigObj,sizeof(cacheSignatureObj));
+
+ /* We assume that we have the same signature, but with a smaller revision
+ ** set the unInitSig db_id to 0 for post processing if we do not find a matching
+ ** signature.
+ */
+ if( data->mc.plgSigCompare[x].cacheSigObj->obj.rev < revision)
+ {
+ unInitSig.obj.db_id = 0;
+ }
}
if( (data->mc.plgSigCompare[x].cacheSigObj->obj.rev == revision) &&
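Review bot: The widened test `if( ...obj.rev == 0 || ...obj.rev < revision)` overwrites unInitSig on every matching entry, so the copy that survives the loop is the last lower-revision entry in plgSigCompare, not necessarily the highest one. The commit message promises the message of the latest revision; unless the match array is known to be ordered by rev (not visible here), only copy when the candidate's rev is not lower than the one already held in unInitSig. The inner `rev < revision` test is also true for rev == 0 whenever revision is non-zero, so the uninitialized entry now gets `unInitSig.obj.db_id = 0` as well; if that is intended, the comment above it should say so. The loop and the function continue outside the hunk.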
@@ -1542,7 +1556,7 @@ int dbProcessSignatureInformation(DatabaseData *data,void *event, u_int32_t even
{
/* Added for bugcheck */
assert( data->mc.plgSigCompare[x].cacheSigObj->obj.db_id != 0);
-
+
*psig_id = data->mc.plgSigCompare[x].cacheSigObj->obj.db_id;
return 0;
}
@@ -1573,7 +1587,7 @@ int dbProcessSignatureInformation(DatabaseData *data,void *event, u_int32_t even
"[gid :%u] [sid: %u] [rev: %u] __ [upd rev: %u] [upd class: %u] [upd pri %u]\n",
__FUNCTION__,
__LINE__,
- gid,
+ gid,\
sid,
oldRevision,
revision,
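Review bot: The `\` added after `gid,` in the LogMessage argument list is a stray line continuation. It compiles only because the preprocessor splices the next line, and it reads like an editing slip; the line should stay `gid,` as before.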
@@ -1591,10 +1605,12 @@ int dbProcessSignatureInformation(DatabaseData *data,void *event, u_int32_t even
}
}
-
- /* To avoid possible collision with an older barnyard process or avoid signature insertion race condition
- we will look in the database if the signature exist, if it does, we will insert it in
- cache else we will insert in db and cache */
+ /*
+ To avoid possible collision with an older barnyard process or
+ avoid signature insertion race condition we will look in the
+ database if the signature exist, if it does, we will insert it in
+ cache else we will insert in db and cache
+ */
sigInsertObj.sid = sid;
sigInsertObj.gid = gid;
@@ -1604,28 +1620,67 @@ int dbProcessSignatureInformation(DatabaseData *data,void *event, u_int32_t even
if( SignatureLookupDatabase(data,&sigInsertObj))
{
- /* The signature was not found we will have to insert it */
- LogMessage("WARNING [%s()]: [Event: %u] with [gid: %u] [sid: %u] [rev: %u] [classification: %u] [priority: %u]\n"
- "\t sas not found in barnyard2 signature cache, this could lead to display inconsistency.\n"
- "\t To prevent this warning, make sure that your sid-msg.map and gen-msg.map file are up to date with the snort process logging to the spool file.\n"
- "\t The new inserted signature will not have its information present in the sig_reference table. \n"
- "\t Note that the message inserted in the signature table will be snort default message \"Snort Alert [gid:sid:revision]\" \n"
- "\t You can allways update the message via a SQL query if you want it to be displayed correctly by your favorite interface\n\n",
- __FUNCTION__,
- ntohl(((Unified2EventCommon *)event)->event_id),
- gid,
- sid,
- revision,
- db_classification_id,
- priority);
-
- if( SnortSnprintf(sigInsertObj.message,SIG_MSG_LEN,"Snort Alert [%u:%u:%u]",
- gid,sid,revision))
+ if(unInitSig.obj.sid != 0 && unInitSig.obj.gid != 0)
{
- /* XXX */
- return 1;
+ sigMsgLen = strlen(unInitSig.obj.message);
+
+ if( (sigMsgLen > 1) &&
+ (sigMsgLen < SIG_MSG_LEN))
+ {
+ reuseSigMsg = 1;
+ }
}
+ if(reuseSigMsg)
+ {
+ /* The signature was not found we will have to insert it */
+ LogMessage("WARNING [%s()]: [Event: %u] with [gid: %u] [sid: %u] [rev: %u] [classification: %u] [priority: %u] Signature Message -> \"[%s]\"\n"
+ "\t was not found in barnyard2 signature cache, this could mean its is the first time the signature is processed, and will be inserted\n"
+ "\t in the database with the above information, this message should only be printed once for each signature that is not present in the database\n"
+ "\t The new inserted signature will not have its information present in the sig_reference table,it should be present on restart\n"
+ "\t if the information is present in the sid-msg.map file. \n"
+ "\t You can allways update the message via a SQL query if you want it to be displayed correctly by your favorite interface\n\n",
+ __FUNCTION__,
+ ntohl(((Unified2EventCommon *)event)->event_id),
+ gid,
+ sid,
+ revision,
+ db_classification_id,
+ priority,
+ unInitSig.obj.message);
+
+ if( SnortSnprintf(sigInsertObj.message,SIG_MSG_LEN,"%s",
+ unInitSig.obj.message))
+ {
+ /* XXX */
+ return 1;
+ }
+ }
+ else
+ {
+ /* The signature does not exist we will have to insert it */
+ LogMessage("WARNING [%s()]: [Event: %u] with [gid: %u] [sid: %u] [rev: %u] [classification: %u] [priority: %u]\n"
+ "\t was not found in barnyard2 signature cache, this could lead to display inconsistency.\n"
+ "\t To prevent this warning, make sure that your sid-msg.map and gen-msg.map file are up to date with the snort process logging to the spool file.\n"
+ "\t The new inserted signature will not have its information present in the sig_reference table. \n"
+ "\t Note that the message inserted in the signature table will be snort default message \"Snort Alert [gid:sid:revision]\" \n"
+ "\t You can allways update the message via a SQL query if you want it to be displayed correctly by your favorite interface\n\n",
+ __FUNCTION__,
+ ntohl(((Unified2EventCommon *)event)->event_id),
+ gid,
+ sid,
+ revision,
+ db_classification_id,
+ priority);
+
+
+ if( SnortSnprintf(sigInsertObj.message,SIG_MSG_LEN,"Snort Alert [%u:%u:%u]",
+ gid,sid,revision))
+ {
+ /* XXX */
+ return 1;
+ }
+ }
if( (SignatureCacheInsertObj(&sigInsertObj,&data->mc,0)))
{
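Review bot: `sigMsgLen = strlen(unInitSig.obj.message);` measures the cached message before anything bounds it, so the `sigMsgLen < SIG_MSG_LEN` test on the following lines comes too late if the buffer copied from the cache is not NUL-terminated. Assuming message is a SIG_MSG_LEN-byte array (its declaration is not in the hunk), `sigMsgLen = strnlen(unInitSig.obj.message, SIG_MSG_LEN);` keeps the read inside the buffer and makes the existing upper-bound check meaningful. The lower bound `sigMsgLen > 1` also discards one-character messages; `> 0` looks like what was meant. The reused text comes from sid-msg.map and goes to both the log and the signature table, so the insert path (outside this hunk) should be confirmed to escape it like any other message. dbProcessSignatureInformation starts and ends outside the hunk.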
@@ -4383,7 +4438,7 @@ void SpoDatabaseCleanExitFunction(int signal, void *arg)
resetTransactionState(&data->dbRH[data->dbtype_id]);
- MasterCacheFlush(data);
+ MasterCacheFlush(data,CACHE_FLUSH_ALL);
SQL_Finalize(data);
@@ -4422,8 +4477,8 @@ void SpoDatabaseRestartFunction(int signal, void *arg)
if(data != NULL)
{
- MasterCacheFlush(data);
-
+ MasterCacheFlush(data,CACHE_FLUSH_ALL);
+
resetTransactionState(&data->dbRH[data->dbtype_id]);
UpdateLastCid(data,
@@ -19,8 +19,10 @@
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-* Special thanks to: Rusell Fuleton <russell.fulton@gmail.com> for helping us stress test
-* this in production produce the required fix for bugs experienced.
+**
+** Special thanks to: Rusell Fuleton <russell.fulton@gmail.com> for helping us stress test
+** this in production for us.
+**
*/
@@ -608,7 +610,7 @@ u_int32_t cacheEventSignatureLookup(cacheSignatureObj *iHead,
u_int32_t SignatureCacheInsertObj(dbSignatureObj *iSigObj,MasterCache *iMasterCache,u_int32_t from);
u_int32_t SignaturePopulateDatabase(DatabaseData *data,cacheSignatureObj *cacheHead,int inTransac);
u_int32_t SignatureLookupDatabase(DatabaseData *data,dbSignatureObj *sObj);
-void MasterCacheFlush(DatabaseData *data);
+void MasterCacheFlush(DatabaseData *data,u_int32_t flushFlag);
u_int32_t dbConnectionStatusPOSTGRESQL(dbReliabilityHandle *pdbRH);
u_int32_t dbConnectionStatusODBC(dbReliabilityHandle *pdbRH);
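Review bot: The new `flushFlag` parameter of MasterCacheFlush is undocumented at the prototype, and only `CACHE_FLUSH_ALL` is visible in the callers on this page (the clean-exit and restart handlers). A comment above the declaration would help, for example `/* flushFlag selects which caches are released; CACHE_FLUSH_ALL frees every cache (exit and restart paths) */`. The partial flush described in the commit title is not shown here; when reviewing it, check that pointers into the freed reference/system/sigref lists are set to NULL so later lookups cannot touch freed memory.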