feature request: disablesid type functionality #35
Comments
does what I want it to, but possibly not what anybody else does. That goes into Database() in spo_database.c, about line 2415 or so, depending on versions etc. I'm putting the patch here since I nearly lost it from the last time beenph and I created it.
Well, a better place for this would be to exist at the spooler level, so that as soon as the event is read from unified2 it's not even cached and not sent to any output plugin. This is something that could be useful and will probably have extended configuration syntax, to accommodate multiple ranges or single sids or lists. But a quick and dirty if/elseif/else patch can do the job quickly without an issue also.
Well, the guy (by the guy I meant you :P obviously referring to you as a 3rd party makes it more interesting), I have prototyped something that I would like you to test ... if you ever have time. It's still "experimental", thus it could crash even if I have stress tested it a bit and all, but adjustments could be made. I will commit it to my branch pretty soon, so look for my sidv2 https://github.com/binf/barnyard2/tree/sid-msgv2

In the configuration file you can do the following.

config sig_suppress: (GID):(SID)

GID is optional.

config sig_suppress: 10-40

You can define overlapping intervals and, theoretically, from my tests, if you have two ranges, a large one and a small one, the small one will not be inserted.

config sig_suppress: 1:10,20,1:30,2:90-102

So with the example above the final list is the following:

+[ Signature Suppress list ]+
-- Element type:[RANGE ] gid:[2] sid min:[90] sid max:[122]
-- Element type:[SINGLE] gid:[1] sid min:[2101623] sid max:[2101623]
+[ Signature Suppress list ]+

You can try to poke around hard, and let me know how it goes. Right now the check happens in plugbase, the best place where I could quickly patch it without breaking the spooler, but in the future the hook would be somewhere in the spooler, since with a better event cache, if the event is tagged as suppressed, the lookup in the suppress signature list will not happen.

Cheers,
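The sig_suppress syntax described in this comment, as an added C example that is not barnyard2's own code and not taken from the sid-msgv2 branch: a parser for the config value that applies the "smaller range inside a larger one is not inserted" rule, plus the per-event check a spooler or output-plugin hook would call before the event is cached. Function and variable names are hypothetical, and a missing GID is assumed to default to 1 (Snort's text-rule generator).

```c
/* Added example, not barnyard2's own code: a parser and lookup for the
 * "config sig_suppress:" syntax described above. Names are hypothetical and a
 * missing GID is assumed to default to 1 (Snort's text-rule generator). */
#include <stdlib.h>
#include <string.h>
#define MAX_SUPPRESS 64
typedef struct { unsigned gid, sid_min, sid_max; } suppress_elem;
static suppress_elem sup_list[MAX_SUPPRESS];
static int sup_count;

/* Parse "1:10,20,1:30,2:90-102": items are [GID:]SID or [GID:]MIN-MAX.
 * An item already covered by a stored element is not inserted (the overlap
 * rule in the comment above). Returns the element count, -1 if malformed. */
int sig_suppress_parse(const char *value)
{
    char buf[256], *item, *colon, *dash;
    suppress_elem e, *p;
    sup_count = 0;
    strncpy(buf, value, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (item = strtok(buf, ", "); item; item = strtok(NULL, ", ")) {
        e.gid = 1;
        if ((colon = strchr(item, ':')) != NULL) {   /* optional GID prefix */
            *colon = '\0';
            e.gid = (unsigned)strtoul(item, NULL, 10);
            item = colon + 1;
        }
        if ((dash = strchr(item, '-')) != NULL)      /* MIN-MAX range */
            *dash = '\0';
        e.sid_min = (unsigned)strtoul(item, NULL, 10);
        e.sid_max = dash ? (unsigned)strtoul(dash + 1, NULL, 10) : e.sid_min;
        if (e.gid == 0 || e.sid_min == 0 || e.sid_max < e.sid_min) {
            sup_count = 0;                           /* junk or reversed range */
            return -1;
        }
        for (p = sup_list; p < sup_list + sup_count; p++)
            if (p->gid == e.gid && p->sid_min <= e.sid_min && e.sid_max <= p->sid_max)
                break;                               /* already covered: skip */
        if (p == sup_list + sup_count && sup_count < MAX_SUPPRESS)
            sup_list[sup_count++] = e;
    }
    return sup_count;
}

/* Hook point: call per unified2 event before caching or any output plugin; non-zero = drop. */
int sig_suppressed(unsigned gid, unsigned sid)
{
    const suppress_elem *p;
    for (p = sup_list; p < sup_list + sup_count; p++)
        if (p->gid == gid && sid >= p->sid_min && sid <= p->sid_max)
            return 1;
    return 0;
}
```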
Available in 2-1.13-beta, can close issue.
I sometimes have occasion to rebuild my database from historical unified2 logs. It would be nice if I could tell barnyard2 to ignore particular SIDs which are present in the u2 logs but which I no longer wish to see as historical alerts from the database.
I think it would be possible to rewrite the u2 logs such that they simply do not contain alerts for these SIDs, but it would be more convenient if by2 could just ignore them for me.
I may try to submit a patch for this, although my C is terrible so I wouldn't expect it would be very good quality. :-)