feature request: use inotify to read snort alerts more quickly #27

Closed
stephane-chazelas opened this Issue May 1, 2012 · 4 comments


@stephane-chazelas

At least on Linux,

looking at strace(1) output on the barnyard2 process, we see it sleep one second, then read the snort unified2 output, then sleep one second again, in a loop. barnyard2 works the way "tail -f" has traditionally worked.

That means there can be a delay of up to one second between an alert being generated by snort and it being processed by barnyard2.

It would be better for it to work like "inotail -f", that is to be told by the system as soon as there's new data to be read.

Most Unix-like operating systems at least have a mechanism for that.

On Linux, it's called "inotify" (formerly dnotify). An alternative is to use the more portable "fam" or "gamin" daemons (that typically use inotify underneath on Linux).

This way, barnyard2 would process alerts as soon as they are generated by snort.

@binf
Collaborator
binf commented May 9, 2012

The spooler will get re-written. I have worked with inotify, but since it's Linux only and the code would need to be adapted for *BSD and other nix and probably Windows, I do not think it's a good design decision. The new spooler code will read-ahead and process events faster tho :)

@stephane-chazelas

Thanks. What about using http://en.wikipedia.org/wiki/Gamin then? You could replace the call to "sleep()" with something that does inotify/gamin if available, or sleep otherwise.

Would you accept a patch for this? (not that I could provide any any time soon).

I think, especially for plugins like fwsam, that it's quite important that barnyard2's response to an alert be as quick as possible.
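As an added example (not barnyard2's code; the `spool_watch` names are mine), this is the shape of what the two posts above ask for: a small C helper that replaces the fixed one-second sleep with an inotify wait on Linux and degrades to the plain sleep on systems without inotify, so the reader loop wakes as soon as snort appends to the unified2 file.

```c
/* Added example, not barnyard2 code: wait for the unified2 spool file to grow
 * using inotify on Linux, falling back to the classic fixed sleep elsewhere. */
#include <errno.h>
#include <poll.h>
#include <stdlib.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/inotify.h>
#endif

typedef struct { int fd; int wd; int notify; } spool_watch;

/* Start watching `path`. Returns 0 on success, -1 if the file cannot be watched. */
int spool_watch_open(spool_watch *w, const char *path) {
    w->fd = w->wd = -1; w->notify = 0;
#ifdef __linux__
    w->fd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
    if (w->fd < 0) return -1;
    w->wd = inotify_add_watch(w->fd, path, IN_MODIFY | IN_CLOSE_WRITE | IN_MOVE_SELF);
    if (w->wd < 0) { close(w->fd); w->fd = -1; return -1; }
    w->notify = 1;
#else
    if (access(path, R_OK) != 0) return -1;
#endif
    return 0;
}

/* Block until the spool file changes or timeout_ms elapses.
 * Returns 1 = new data is likely readable, 0 = timed out, -1 = error.
 * Without inotify this is just the old sleep loop and always answers 1. */
int spool_watch_wait(spool_watch *w, int timeout_ms) {
    if (!w->notify) { poll(NULL, 0, timeout_ms); return 1; }
#ifdef __linux__
    struct pollfd p = { .fd = w->fd, .events = POLLIN };
    int r = poll(&p, 1, timeout_ms);
    if (r < 0) return errno == EINTR ? 0 : -1;
    if (r == 0) return 0;
    char buf[4096]; /* drain queued events; any of them means "go read" */
    while (read(w->fd, buf, sizeof buf) > 0) ;
    return 1;
#else
    return -1; /* unreachable: notify is only set on Linux */
#endif
}

void spool_watch_close(spool_watch *w) {
    if (w->fd >= 0) close(w->fd);
    w->fd = w->wd = -1;
}
```

The caller keeps its existing read loop and simply calls `spool_watch_wait()` where it used to `sleep(1)`; on rotation (IN_MOVE_SELF) it should reopen the file and the watch.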

@binf
Collaborator
binf commented May 10, 2012

Wait for the new spooler code; since it will read-ahead there is no need to use inotify or an external library, and it will be smoking fast.

Also note that you might notice lag if you use the default db output plugin. I would suggest you move to the pre-stable branch and see if you have improvements.

@binf
Collaborator
binf commented Dec 28, 2012

Can be closed

@binf binf added a commit to binf/barnyard2 that referenced this issue Apr 26, 2013
@binf binf Last minute commit for a long waited needed feature and some little fix.
Add: Support for SIGHUP

Fixed: Compile issue when debug was enabled (missing , in some
DEBUG_WRAP code.

Fixed: Changed a few places where the snort literal was used instead of
barnyard2 and this could confuse some first time barnyard2 users.

Fixed: RPM spec file to point to good version (when needed)

Bumped: Build to 326

--github specific
Fixes #81
Fixes #73
Fixes #75

Close #82
Close #83
Close #80
Close #79
Close #78
Close #27
--github specific
36e5485
@binf binf added a commit to binf/barnyard2 that referenced this issue Apr 26, 2013
@binf binf Last minute commit for a long waited needed feature and some little fix.
Add: Support for proper signal handling.

Fixed: Compile issue when debug was enabled (missing , in some
DEBUG_WRAP code.

Fixed: Changed a few places where the snort literal was used instead of
barnyard2 and this could confuse some first time barnyard2 users.

Fixed: RPM spec file to point to good version (when needed)

Bumped: Build to 326

--github specific
Fixes #81
Fixes #73
Fixes #75

Close #82
Close #83
Close #80
Close #79
Close #78
Close #27
--github specific
a7cbdca
@firnsy firnsy pushed a commit that closed this issue May 7, 2013
@binf binf Last minute commit for a long waited needed feature and some little fix.
Add: Support for proper signal handling.
Add: README info for google mailing lists.

Fixed: Compile issue when debug was enabled (missing , in some
DEBUG_WRAP code.

Fixed: Changed a few places where the snort literal was used instead of
barnyard2 and this could confuse some first time barnyard2 users.

Fixed: RPM spec file to point to good version (when needed)

Bumped: Build to 326

--github specific
Fixes #81
Fixes #73
Fixes #75

Close #82
Close #83
Close #80
Close #79
Close #78
Close #27
--github specific
f764921
@firnsy firnsy closed this in f764921 May 7, 2013
@binf binf added a commit to binf/barnyard2 that referenced this issue May 9, 2013
@binf binf Last minute commit for a long waited needed feature and some little fix.
a34029d
@binf binf added a commit to binf/barnyard2 that referenced this issue May 10, 2013
@binf binf Last minute commit for a long waited needed feature and some little fix.
e53a951
@binf binf added a commit to binf/barnyard2 that referenced this issue Jun 16, 2013
@binf binf Last minute commit for a long waited needed feature and some little fix.
40a692c
@eugpermar eugpermar added a commit to redBorder/barnyard2 that referenced this issue Jul 4, 2013
@binf binf Last minute commit for a long waited needed feature and some little fix.
5796f03
@netsiphon netsiphon pushed a commit to netsiphon/barnyard2 that referenced this issue Oct 18, 2016
@binf binf Last minute commit for a long waited needed feature and some little fix.
f8f24df