This repository has been archived by the owner on Jan 18, 2024. It is now read-only.

alert_fwsam output plugin is called late #26

Closed
stephane-chazelas opened this issue May 1, 2012 · 4 comments

Comments

@stephane-chazelas

Hello,

Trying to figure out why there was such a delay (varying from a few milliseconds to a few seconds) between a snort alert and the corresponding IP address being blocked by snortsam, I noticed that barnyard2 calls the output plugins in sequence and the alert_fwsam one last in my case (after "Database" and "Sguil", which are potentially slow ones).

Moving the "output" line in barnyard2.conf for alert_fwsam to the top didn't help.

Then, I looked at the code, and noticed that the "alert" type plugins were called first, and then the "log" ones.

If I modify the source code

--- output-plugins/spo_alert_fwsam.c~   2012-05-01 09:51:52.592711406 +0100
+++ output-plugins/spo_alert_fwsam.c    2012-05-01 09:52:05.348792507 +0100
@@ -593,7 +593,7 @@
 #endif

     /* Set the preprocessor function into the function list */
-    AddFuncToOutputList(AlertFWsam, OUTPUT_TYPE__LOG, fwsamlist);
+    AddFuncToOutputList(AlertFWsam, OUTPUT_TYPE__ALERT, fwsamlist);
     AddFuncToCleanExitList(AlertFWsamCleanExitFunc, fwsamlist);
     AddFuncToRestartList(AlertFWsamRestartFunc, fwsamlist);
 }
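Review bot: the comment kept as context above the changed line, "Set the preprocessor function into the function list", is misleading for an output plugin and says nothing about why OUTPUT_TYPE__ALERT is chosen; since the whole reason for the change is that alert-type output functions are dispatched before log-type ones, record that at the registration site, e.g. `/* Register as an alert-type output so it runs before the log-type plugins */`, so the next person does not "fix" it back to OUTPUT_TYPE__LOG. Minor: the diff is taken against a `~` backup copy rather than the repository, so it will not apply with the usual `-p0`/`-p1` conventions; a `git diff` or `diff -u` against the checked-in file would be easier to apply.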

Then, it still works, and I'm able to have alert_fwsam be called first, which reduces the delay.

The other source of delay seems to be the "tail -f" way that barnyard2 reads the snort unified2 file. I'll raise a feature request issue for that.
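A minimal model of the dispatch order described in this report, added here as an illustration; it is not barnyard2's own code. The names AddFuncToOutputList, OUTPUT_TYPE__ALERT and OUTPUT_TYPE__LOG are taken from the patch above; the list node struct, the call-order trace, the RecordingPlugin stub and the two scenario functions are assumptions made for the example. It shows why reordering the `output` lines in barnyard2.conf cannot move a log-type plugin ahead of the alert-type ones, while registering it as alert-type does.

```c
/* Illustrative model of a two-list output dispatcher (alert list drained
 * before log list). Not barnyard2's implementation; names other than the
 * three borrowed from the patch are assumptions for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OUTPUT_TYPE__ALERT 0
#define OUTPUT_TYPE__LOG   1

typedef void (*OutputFunc)(const char *event, void *arg);

typedef struct _OutputFuncNode {
    OutputFunc func;
    void *arg;
    struct _OutputFuncNode *next;
} OutputFuncNode;

/* Two separate lists: the dispatcher walks AlertList before LogList. */
static OutputFuncNode *AlertList = NULL;
static OutputFuncNode *LogList   = NULL;

/* Invocation trace so a caller can check who ran first (assumed helper). */
#define MAX_CALLS 16
static const char *CallOrder[MAX_CALLS];
static int CallCount = 0;

static void FreeList(OutputFuncNode **head)
{
    while (*head) {
        OutputFuncNode *next = (*head)->next;
        free(*head);
        *head = next;
    }
}

void ResetOutputLists(void)
{
    FreeList(&AlertList);
    FreeList(&LogList);
    CallCount = 0;
}

/* Append at the tail: registration (config) order is kept within one list. */
void AddFuncToOutputList(OutputFunc func, int type, void *arg)
{
    OutputFuncNode **head = (type == OUTPUT_TYPE__ALERT) ? &AlertList : &LogList;
    OutputFuncNode *node = calloc(1, sizeof *node);
    if (node == NULL) { perror("calloc"); exit(1); }
    node->func = func;
    node->arg  = arg;
    while (*head) head = &(*head)->next;
    *head = node;
}

/* Dispatch one event: every alert-type function, then every log-type one. */
void CallOutputPlugins(const char *event)
{
    OutputFuncNode *p;
    for (p = AlertList; p; p = p->next) p->func(event, p->arg);
    for (p = LogList;   p; p = p->next) p->func(event, p->arg);
}

/* Stand-in for a real output plugin: `arg` is its name, and it only records
 * that it was called (a slow database or sguil writer would sit here). */
static void RecordingPlugin(const char *event, void *arg)
{
    (void)event;
    if (CallCount < MAX_CALLS) CallOrder[CallCount++] = (const char *)arg;
}

/* 0-based position at which `name` was invoked for the last event, or -1. */
int CallPosition(const char *name)
{
    for (int i = 0; i < CallCount; i++)
        if (strcmp(CallOrder[i], name) == 0) return i;
    return -1;
}

int TotalCalls(void) { return CallCount; }

/* Scenario 1: alert_fwsam is first in barnyard2.conf but registers itself as
 * OUTPUT_TYPE__LOG (unpatched spo_alert_fwsam.c). */
int FwsamPositionWhenLog(void)
{
    ResetOutputLists();
    AddFuncToOutputList(RecordingPlugin, OUTPUT_TYPE__LOG,   (void *)"alert_fwsam");
    AddFuncToOutputList(RecordingPlugin, OUTPUT_TYPE__ALERT, (void *)"database");
    AddFuncToOutputList(RecordingPlugin, OUTPUT_TYPE__ALERT, (void *)"sguil");
    CallOutputPlugins("unified2 event");
    return CallPosition("alert_fwsam");  /* 2: still last, whatever the config order */
}

/* Scenario 2: same config, alert_fwsam registers as OUTPUT_TYPE__ALERT (the patch). */
int FwsamPositionWhenAlert(void)
{
    ResetOutputLists();
    AddFuncToOutputList(RecordingPlugin, OUTPUT_TYPE__ALERT, (void *)"alert_fwsam");
    AddFuncToOutputList(RecordingPlugin, OUTPUT_TYPE__ALERT, (void *)"database");
    AddFuncToOutputList(RecordingPlugin, OUTPUT_TYPE__ALERT, (void *)"sguil");
    CallOutputPlugins("unified2 event");
    return CallPosition("alert_fwsam");  /* 0: runs before the slow plugins */
}

int main(void)
{
    printf("fwsam as LOG   -> position %d of %d\n", FwsamPositionWhenLog(),   TotalCalls());
    printf("fwsam as ALERT -> position %d of %d\n", FwsamPositionWhenAlert(), TotalCalls());
    return 0;
}
```

Build with `cc -std=c99 -Wall dispatch.c` (file name assumed). The point the model makes concrete: within one list, order follows the config file, but the list a plugin lands in is decided by the plugin's own registration call, so the only lever that moves alert_fwsam ahead of the alert-type plugins is the one-line change in the patch.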

@binf
Collaborator

binf commented May 9, 2012

What other output plugin do you use?
What version of barnyard2?

@stephane-chazelas
Author

Hi Eric. As said above: mysql and sguil (both "OUTPUT_TYPE__ALERT" ones, while fwsam was OUTPUT_TYPE__LOG).

Version is git head I believe (securityonion).

@binf
Collaborator

binf commented May 10, 2012

I updated my pre-stable branch with a fix for the issue.

binf@40a6293

@binf
Collaborator

binf commented Apr 7, 2013

close issue.

@firnsy firnsy closed this as completed Apr 8, 2013