Trying to figure out why there was such a delay (varying from a few milliseconds to a few seconds) between a snort alert and the corresponding IP address being blocked by snortsam, I noticed that barnyard2 calls the output plugins in sequence and the alert_fwsam one last in my case (after "Database" and "Sguil" which are potentially slow ones).
Moving the "output" line in barnyard2.conf for alert_fwsam to the top didn't help.
Then, I looked at the code, and noticed that the "alert" type plugins were called first, and then the "log" ones.
If I modify the source code
--- output-plugins/spo_alert_fwsam.c~ 2012-05-01 09:51:52.592711406 +0100
+++ output-plugins/spo_alert_fwsam.c 2012-05-01 09:52:05.348792507 +0100
@@ -593,7 +593,7 @@
/* Set the preprocessor function into the function list */
- AddFuncToOutputList(AlertFWsam, OUTPUT_TYPE__LOG, fwsamlist);
+ AddFuncToOutputList(AlertFWsam, OUTPUT_TYPE__ALERT, fwsamlist);
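Review bot: the context line's comment ("Set the preprocessor function into the function list") no longer matches what this hunk does, since AddFuncToOutputList registers an output function and the changed line now deliberately places it on the alert list rather than the log list; update the comment to say it is added to the alert output list so that it runs ahead of the log-type plugins, otherwise the reason for the OUTPUT_TYPE__ALERT choice is lost on the next reader of spo_alert_fwsam.c.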
Then, it still works, and I'm able to have alert_fwsam be called first, which reduces the delay.
The other source of delay seems to be the "tail -f" way that barnyard2 reads the snort unified2 file. I'll raise a feature request issue for that.
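The two-list dispatch described above, as an added model that is not barnyard2's own code: every name other than the two OUTPUT_TYPE__ constants is an assumption, and the plugin names are the three from this thread.

```c
/* Added example, not barnyard2's own source: a model of how barnyard2
 * keeps separate OUTPUT_TYPE__ALERT and OUTPUT_TYPE__LOG function lists
 * and drains the alert list before the log list on every event.
 * Everything except the two OUTPUT_TYPE__ names is an assumption. */
#include <stddef.h>
#include <string.h>

enum { OUTPUT_TYPE__ALERT = 0, OUTPUT_TYPE__LOG = 1 };

typedef struct Node { const char *name; struct Node *next; } Node;

static Node pool[8];             /* fixed storage: no malloc needed */
static int used;
static Node *alert_list, *log_list;

static void reset_lists(void) { used = 0; alert_list = log_list = NULL; }

/* Same effect as AddFuncToOutputList(): append to the list selected by
 * type, so barnyard2.conf order is kept only within one list. */
static void add_func_to_output_list(const char *name, int type)
{
    Node **head = (type == OUTPUT_TYPE__ALERT) ? &alert_list : &log_list;
    Node *n = &pool[used++];
    n->name = name; n->next = NULL;
    while (*head) head = &(*head)->next;
    *head = n;
}

/* Call order for one event: alert list first, then log list.
 * Returns the 0-based call position of `name`, or -1 if not registered. */
static int call_position(const char *name)
{
    int pos = 0;
    Node *lists[2] = { alert_list, log_list };
    for (int i = 0; i < 2; i++)
        for (Node *n = lists[i]; n; n = n->next, pos++)
            if (strcmp(n->name, name) == 0) return pos;
    return -1;
}

/* Register the three plugins from the thread with alert_fwsam first in
 * barnyard2.conf (as the poster tried); fwsam_type chooses which list
 * it joins. Returns where alert_fwsam ends up in the call order. */
int fwsam_position(int fwsam_type)
{
    reset_lists();
    add_func_to_output_list("alert_fwsam", fwsam_type);
    add_func_to_output_list("database", OUTPUT_TYPE__ALERT);
    add_func_to_output_list("sguil", OUTPUT_TYPE__ALERT);
    return call_position("alert_fwsam");
}
```

With the plugin registered as OUTPUT_TYPE__LOG it is called last (position 2) even when its output line is first in the config; registered as OUTPUT_TYPE__ALERT it is called first (position 0), which is the effect of the one-line patch.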
What other output plugin do you use?
What version of barnyard2?
Hi Eric. As said above: mysql and sguil (both "OUTPUT_TYPE__ALERT" ones, while fwsam was OUTPUT_TYPE__LOG).
Version is git head I believe (securityonion).
I updated my pre-stable branch with a fix for the issue.