2-1.11 build 216 #51

@@ -29,6 +29,11 @@ config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
+# Set the event cache size to defined max value before recycling of event occur.
+#
+#
+#config event_cache_size: 4096
+
# define dedicated references similar to that of snort.
#
#config reference: mybugs http://www.mybugs.com/?s=
@@ -189,6 +189,8 @@ static struct option long_options[] =
{"sid-msg", LONGOPT_ARG_REQUIRED, NULL, 'S'},
{"reference", LONGOPT_ARG_REQUIRED, NULL, 'R'},
{"classification", LONGOPT_ARG_REQUIRED, NULL, 'C'},
+ {"disable-alert-on-each-packet-in-stream", LONGOPT_ARG_NONE, NULL, DISABLE_ALERT_ON_EACH_PACKET_IN_STREAM},
+ {"event-cache-size", LONGOPT_ARG_REQUIRED, NULL, EVENT_CACHE_SIZE},
{"alert-on-each-packet-in-stream", LONGOPT_ARG_NONE, NULL, ALERT_ON_EACH_PACKET_IN_STREAM},
{"process-new-records-only", LONGOPT_ARG_NONE, NULL, 'n'},
@@ -500,11 +502,12 @@ static int ShowUsage(char *program_name)
FPUTS_BOTH ("\n");
FPUTS_BOTH ("Longname options and their corresponding single char version\n");
+ FPUTS_BOTH (" --disable-alert-on-each-packet-in-stream Alert once per event\n");
+ FPUTS_BOTH (" --event-cache-size <integer> Set Spooler MAX event cache size \n");
FPUTS_BOTH (" --reference <file> Same as -R\n");
FPUTS_BOTH (" --classification <file> Same as -C\n");
FPUTS_BOTH (" --gen-msg <file> Same as -G\n");
FPUTS_BOTH (" --sid-msg <file> Same as -S\n");
- FPUTS_BOTH (" --alert-on-each-packet-in-stream Call output plugins on each packet in an alert stream\n");
FPUTS_BOTH (" --process-new-records-only Same as -n\n");
FPUTS_BOTH (" --pid-path <dir> Specify the directory for the barnyard2 PID file\n");
FPUTS_BOTH (" --help Same as -?\n");
@@ -563,7 +566,10 @@ static void ParseCmdLine(int argc, char **argv)
barnyard2_cmd_line_conf = Barnyard2ConfNew();
barnyard2_conf = barnyard2_cmd_line_conf; /* Set the global for log messages */
bc = barnyard2_cmd_line_conf;
-
+
+ /* alert_on_each_packet_in_stream_flag enabled by default */
+ bc->alert_on_each_packet_in_stream_flag = 1;
+
/* Look for a -D and/or -M switch so we can start logging to syslog
* with "barnyard2" tag right away */
for (i = 0; i < argc; i++)
@@ -638,9 +644,17 @@ static void ParseCmdLine(int argc, char **argv)
ConfigNoLoggingTimestamps(bc, NULL);
break;
+ case DISABLE_ALERT_ON_EACH_PACKET_IN_STREAM:
+ ConfigDisableAlertOnEachPacketInStream(bc, NULL);
+ break;
+
+ case EVENT_CACHE_SIZE:
+ ConfigSetEventCacheSize(bc,optarg);
+ break;
+
case ALERT_ON_EACH_PACKET_IN_STREAM:
ConfigAlertOnEachPacketInStream(bc, NULL);
- break;
+ break;
#ifdef MPLS
case MAX_MPLS_LABELCHAIN_LEN:
@@ -1538,10 +1552,18 @@ static Barnyard2Config * MergeBarnyard2Confs(Barnyard2Config *cmd_line, Barnyard
config_file->log_dir = SnortStrdup(cmd_line->log_dir);
}
-
+
if (config_file == NULL)
return cmd_line;
+
+
+ if( cmd_line->event_cache_size > config_file->event_cache_size)
+ {
+ config_file->event_cache_size = cmd_line->event_cache_size;
+ }
+
+
/* Used because of a potential chroot */
config_file->orig_log_dir = SnortStrdup(config_file->log_dir);
@@ -1745,6 +1767,15 @@ static void Barnyard2Init(int argc, char **argv)
* command line overriding config file.
* Set the global barnyard2_conf that will be used during run time */
barnyard2_conf = MergeBarnyard2Confs(barnyard2_cmd_line_conf, bc);
+
+ if(barnyard2_conf->event_cache_size == 0)
+ {
+ barnyard2_conf->event_cache_size = 2048;
+ }
+
+ LogMessage("Barnyard2 spooler: Event cache size set to [%u] \n",
+ barnyard2_conf->event_cache_size);
+
}
/* pcap_snaplen is already initialized to SNAPLEN */
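Review bot: The merge in the MergeBarnyard2Confs hunk keeps whichever event_cache_size is larger (`if( cmd_line->event_cache_size > config_file->event_cache_size)`), so an explicit smaller value given on the command line is silently discarded whenever the config file sets a bigger one, which contradicts the "command line overriding config file" comment visible in the Barnyard2Init hunk. Treating 0 as unset and otherwise letting the command line win — `if (cmd_line->event_cache_size != 0) config_file->event_cache_size = cmd_line->event_cache_size;` — gives the documented precedence and still falls back to the 2048 default set later. Separately, the ShowUsage hunk drops the `--alert-on-each-packet-in-stream` help line although the option is still registered in long_options and still handled in ParseCmdLine; since the flag now defaults to 1 the option should either keep a usage line or be retired together with its case label. MergeBarnyard2Confs, ParseCmdLine and Barnyard2Init all start and end outside their hunks.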
@@ -60,10 +60,10 @@
/* D E F I N E S ************************************************************/
#define PROGRAM_NAME "Barnyard"
-#define VER_MAJOR "2"
-#define VER_MINOR "1"
-#define VER_REVISION "10"
-#define VER_BUILD "313"
+#define VER_MAJOR "2"
+#define VER_MINOR "1"
+#define VER_REVISION "11"
+#define VER_BUILD "316"
#define STD_BUF 1024
@@ -159,7 +159,9 @@ typedef enum _GetOptLongIds
DETECTION_SEARCH_METHOD,
CONF_ERROR_OUT,
+ DISABLE_ALERT_ON_EACH_PACKET_IN_STREAM,
ALERT_ON_EACH_PACKET_IN_STREAM,
+ EVENT_CACHE_SIZE,
#ifdef MPLS
MAX_MPLS_LABELCHAIN_LEN,
@@ -296,22 +298,24 @@ typedef struct _Barnyard2Config
int logging_flags;
// int log_tcpdump;
// int no_log;
+
+ unsigned int event_cache_size;
VarEntry *var_table;
#ifdef SUP_IP6
vartable_t *ip_vartable;
#endif
- /* staging - snort specific variables */
- int checksums_mode;
- char ignore_ports[0x10000];
-
+ /* staging - snort specific variables */
+ int checksums_mode;
+ char ignore_ports[0x10000];
+
/* general variables */
char *config_file; /* -c */
char *config_dir;
-
- char *hostname; /* -h or config hostname */
- char *interface; /* -i or config interface */
+
+ char *hostname; /* -h or config hostname */
+ char *interface; /* -i or config interface */
char *class_file; /* -C or config class_map */
char *sid_msg_file; /* -S or config sid_map */
@@ -328,36 +332,36 @@ typedef struct _Barnyard2Config
int quiet_flag;
int verbose_flag;
- int verbose_bytedump_flag;
- int show2hdr_flag;
- int char_data_flag;
- int data_flag;
- int obfuscation_flag;
+ int verbose_bytedump_flag;
+ int show2hdr_flag;
+ int char_data_flag;
+ int data_flag;
+ int obfuscation_flag;
int alert_on_each_packet_in_stream_flag;
-
- int logtosyslog_flag;
- int test_mode_flag;
-
- int use_utc;
- int include_year;
-
+
+ int logtosyslog_flag;
+ int test_mode_flag;
+
+ int use_utc;
+ int include_year;
+
int line_buffer_flag;
char nostamp;
-
+
int user_id;
int group_id;
mode_t file_mask;
-
+
/* -h and -B */
#ifdef SUP_IP6
- sfip_t homenet;
- sfip_t obfuscation_net;
+ sfip_t homenet;
+ sfip_t obfuscation_net;
#else
- u_long homenet;
- u_long netmask;
- uint32_t obfuscation_net;
- uint32_t obfuscation_mask;
+ u_long homenet;
+ u_long netmask;
+ uint32_t obfuscation_net;
+ uint32_t obfuscation_mask;
#endif
#ifdef MPLS
@@ -367,12 +371,12 @@ typedef struct _Barnyard2Config
/* batch mode options */
int batch_mode_flag;
- int batch_total_files;
- char **batch_filelist;
-
+ int batch_total_files;
+ char **batch_filelist;
+
/* continual mode options */
- int process_new_records_only_flag;
- Waldo waldo;
+ int process_new_records_only_flag;
+ Waldo waldo;
char *archive_dir;
int daemon_flag;
int daemon_restart_flag;
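Review bot: The new `event_cache_size` member in the _Barnyard2Config hunk is the only field in its neighbourhood without the `/* -x or config ... */` annotation the struct uses elsewhere, and nothing records what 0 means even though the barnyard2.c change treats 0 as "use the built-in default"; suggest `unsigned int event_cache_size; /* --event-cache-size or config event_cache_size; 0 = built-in default */`. The remaining hunks of this file, from the `ignore_ports` block downwards, are whitespace-only re-indentation and would be easier to review as a separate commit. The struct definition starts and ends outside the hunks.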
@@ -632,34 +632,34 @@ void ParseSidMapLine(Barnyard2Config *bc, char *data)
return;
}
-SigNode *GetSigByGidSid(u_int32_t gid, u_int32_t sid)
+SigNode *GetSigByGidSid(u_int32_t gid, u_int32_t sid,u_int32_t revision)
{
- /* set temp node pointer to the Sid map list head */
+ /* set temp node pointer to the Sid map list head */
SigNode *sn = sigTypes;
-
- /* a snort general rule (gid=1) and a snort dynamic rule (gid=3) use the */
- /* the same sids and thus can be considered one in the same. */
- if (gid == 3)
- gid = 1;
-
+
+ /* a snort general rule (gid=1) and a snort dynamic rule (gid=3) use the */
+ /* the same sids and thus can be considered one in the same. */
+ if (gid == 3)
+ gid = 1;
+
/* find any existing Snort ID's that match */
while (sn != NULL)
{
if (sn->generator == gid && sn->id == sid)
{
return sn;
}
-
+
sn = sn->next;
}
/* create a default message since we didn't find any match */
sn = CreateSigNode(&sigTypes);
sn->generator = gid;
sn->id = sid;
- sn->rev = 0;
+ sn->rev = revision;
sn->msg = (char *)SnortAlloc(42);
- snprintf(sn->msg, 42, "Snort Alert [%u:%u:%u]", gid, sid, 0);
+ snprintf(sn->msg, 42, "Snort Alert [%u:%u:%u]", gid, sid, revision);
return sn;
}
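Review bot: Passing `revision` into the fallback message can now truncate it: `SnortAlloc(42)` was sized for a fixed `0` in the third field, but three full-width u32 values need 47 bytes for `"Snort Alert [%u:%u:%u]"` including the terminator, so snprintf will cut the closing bracket and possibly revision digits for large revisions (bounded, so no overflow, but a mangled alert message). Size the buffer from the formatted length instead: `int len = snprintf(NULL, 0, "Snort Alert [%u:%u:%u]", gid, sid, revision) + 1;` then `sn->msg = (char *)SnortAlloc(len);` and `snprintf(sn->msg, len, "Snort Alert [%u:%u:%u]", gid, sid, revision);`. It would also help to note above the loop that `revision` only affects the synthesized node — the lookup still matches on gid and sid alone, so an existing map entry is returned whatever revision the event carries.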
@@ -123,7 +123,7 @@ void ParseClassificationConfig(struct _Barnyard2Config *, char *args);
void DeleteClassTypes();
-SigNode *GetSigByGidSid(uint32_t, uint32_t);
+SigNode *GetSigByGidSid(uint32_t, uint32_t, uint32_t);
int ReadSidFile(struct _Barnyard2Config *, const char *);
void ParseSidMapLine(struct _Barnyard2Config *, char *);
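Review bot: The updated prototype `SigNode *GetSigByGidSid(uint32_t, uint32_t, uint32_t);` leaves all three parameters unnamed, so a caller reading the header cannot tell which of the identically-typed arguments is the revision; name them as `SigNode *GetSigByGidSid(uint32_t gid, uint32_t sid, uint32_t revision);`. The header also keeps declaring with `uint32_t` while the definition in signature.c uses `u_int32_t`; the new parameter continues that split, and picking one spelling for both would make the signature change easier to check against its many callers.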
@@ -168,7 +168,8 @@ void AlertBro(Packet *p, void *event, u_int32_t event_type, void *arg)
}
sn = GetSigByGidSid(ntohl(uevent->generator_id),
- ntohl(uevent->signature_id));
+ ntohl(uevent->signature_id),
+ ntohl(uevent->signature_revision));
if(p && IPH_IS_VALID(p))
{
@@ -506,7 +506,9 @@ void AlertCEF(Packet *p, void *event, u_int32_t event_type, void *arg)
data = (CEFData *)arg;
sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
- ntohl(((Unified2EventCommon *)event)->signature_id));
+ ntohl(((Unified2EventCommon *)event)->signature_id),
+ ntohl(((Unified2EventCommon *)event)->signature_revision));
+
cn = ClassTypeLookupById(barnyard2_conf, ntohl(((Unified2EventCommon *)event)->classification_id));
/* Remove this check when we support IPv6 below. */
@@ -347,7 +347,8 @@ static void RealAlertCSV(Packet * p, void *event, uint32_t event_type,
if ( event != NULL )
{
sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
- ntohl(((Unified2EventCommon *)event)->signature_id));
+ ntohl(((Unified2EventCommon *)event)->signature_id),
+ ntohl(((Unified2EventCommon *)event)->signature_revision));
if (sn != NULL)
{
@@ -158,7 +158,8 @@ static void AlertFast(Packet *p, void *event, uint32_t event_type, void *arg)
data = (SpoAlertFastData *)arg;
sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
- ntohl(((Unified2EventCommon *)event)->signature_id));
+ ntohl(((Unified2EventCommon *)event)->signature_id),
+ ntohl(((Unified2EventCommon *)event)->signature_revision));
LogTimeStamp(data->log, p);
@@ -149,7 +149,9 @@ static void AlertFull(Packet *p, void *event, uint32_t event_type, void *arg)
data = (SpoAlertFullData *)arg;
sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
- ntohl(((Unified2EventCommon *)event)->signature_id));
+ ntohl(((Unified2EventCommon *)event)->signature_id),
+ ntohl(((Unified2EventCommon *)event)->signature_revision));
+
if(sn != NULL)
@@ -1017,7 +1017,9 @@ void AlertFWsam(Packet *p, void *event, uint32_t event_type, void *arg)
optp=NULL;
sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
- ntohl(((Unified2EventCommon *)event)->signature_id));
+ ntohl(((Unified2EventCommon *)event)->signature_id),
+ ntohl(((Unified2EventCommon *)event)->signature_revision));
+
cn = ClassTypeLookupById(barnyard2_conf, ntohl(((Unified2EventCommon *)event)->classification_id));
if(FWsamOptionField) /* If using the file (field present), let's use that */
@@ -574,7 +574,9 @@ static int event_to_reference(void *event, idmef_classification_t *class)
* return if we have no information about the rule.
*/
sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
- ntohl(((Unified2EventCommon *)event)->signature_id));
+ ntohl(((Unified2EventCommon *)event)->signature_id),
+ ntohl(((Unified2EventCommon *)event)->signature_revision));
+
if (sn == NULL)
return 0;
@@ -623,7 +625,8 @@ void snort_alert_prelude(Packet *p, void *event, u_int32_t event_type, void *dat
return;
sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
- ntohl(((Unified2EventCommon *)event)->signature_id));
+ ntohl(((Unified2EventCommon *)event)->signature_id),
+ ntohl(((Unified2EventCommon *)event)->signature_revision));
if (sn == NULL)
return;
@@ -517,7 +517,10 @@ void AlertSyslog(Packet *p, void *event, uint32_t event_type, void *arg)
data = (SyslogData *)arg;
sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
- ntohl(((Unified2EventCommon *)event)->signature_id));
+ ntohl(((Unified2EventCommon *)event)->signature_id),
+ ntohl(((Unified2EventCommon *)event)->signature_revision));
+
+
cn = ClassTypeLookupById(barnyard2_conf, ntohl(((Unified2EventCommon *)event)->classification_id));
event_string[0] = '\0';
@@ -178,7 +178,8 @@ void AlertTest(Packet *p, void *event, u_int32_t event_type, void *arg)
if (data->flags & TEST_FLAG_MSG)
{
sn = GetSigByGidSid(ntohl(((Unified2EventCommon *)event)->generator_id),
- ntohl(((Unified2EventCommon *)event)->signature_id));
+ ntohl(((Unified2EventCommon *)event)->signature_id),
+ ntohl(((Unified2EventCommon *)event)->signature_revision));
if(sn != NULL)
{