Changing spo_alert_fwsam to be an alert output plugin

[acmarques]

The Snortsam output plugin is supposed to be an alert output plugin (spo_alert_fwsam), but in the output list configuration it's been set as a log output plugin. This fix follows the idea proposed on issue #26.

[binf]

Are you still experiencing alot of delay with the re-written database output pluggin?

I doubt the delay is more than just a few milisec...

[acmarques]

Initially I had 2 alert plugins enabled (syslog and database) besides fwsam. The delay to block on the local firewall was not that big (normally less than a sec), but with the fix and changing the plugins to log ones (syslog_full and database) the blocks happen much faster.

Besides, this fix keeps the same pattern we have on the rest of the output plugins: spo_alert_* use OUTPUT_TYPE__ALERT and spo_log_* use OUTPUT_TYPE__LOG.

[binf]

Obviously _ALERT will trigger before _LOG but you could also just move the
output plugin in the list its initialized to get the same result see
plugbase.c (void RegisterOutputPlugins(void)) line 321.

You could also modify void CallOutputPlugins(OutputType out_type, Packet *
packet, void *event, uint32_t event_type) so it call log output plugin
before alert output plugin.

At this point i do not consider the change being critical and i will let
firnsy choose if he want to integrate it or not.

Thanks Antonio.

On Wed, Mar 6, 2013 at 9:58 PM, Antonio Marques notifications@github.comwrote:

Initially I had 2 alert plugins enabled (syslog and database) besides
fwsam. The delay to block on the local firewall was not that big (normally
less than a sec), but with the fix and changing the plugins to log ones
(syslog_full and database) the blocks happen much faster.

Besides, this fix keeps the same pattern we have on the rest of the output
plugins: spo_alert_* use OUTPUT_TYPE__ALERT and spo_log_* use
OUTPUT_TYPE__LOG.

—
Reply to this email directly or view it on GitHubhttps://github.com//pull/74#issuecomment-14540348
.

[acmarques]

Agree with both possibilities Eric. I just decided not go this way because it would be a custom patch I would have to keep on my side. And since other people have reported the same behaviour I experimented, I thought it would make sense to send a pull request.

Btw, the precedence of plugin execution (partly defined on plugbase.c (void RegisterOutputPlugins(void))) is something that might be better being configurable, perhaps on barnyard2.conf. That would be useful on my setup, at least. What do you think?

Thanks for your help Eric.

[binf]

On Wed, Mar 6, 2013 at 10:20 PM, Antonio Marques
notifications@github.com wrote:

Agree with both possibilities Eric. I just decided not go this way because it would be a custom patch I would have
to keep on my side. And since other people have reported the same behaviour I experimented, I thought it would make sense to send a pull request.

Yup, what happens is that some changes was made to the
callOutputPlugins function, and some fix
in the spooler nullified some of the change that was made for the issue 26.

The fix was to process output LOG before output ALERT.

Btw, the precedence of plugin execution (partly defined on plugbase.c (void RegisterOutputPlugins(void))) is something that
might be better being configurable, perhaps on barnyard2.conf. That would be useful on my setup, at least. What do you think?

You can manualy change the order of output plugin by declaring it in
the configuration before the other.

So to uniformly apply the fix the code should look like this

in RegisterOutputPlugins(void)

if (out_type == OUTPUT_TYPE__SPECIAL)

{
idx = LogList;
while (idx != NULL)
{
idx->func(packet, event, event_type, idx->arg);
idx = idx->next;
}

idx = AlertList;
while (idx != NULL)
{
idx->func(packet, event, event_type, idx->arg);
idx = idx->next;
}

}

Instead of this
/*
if (out_type == OUTPUT_TYPE__SPECIAL)
{
idx = AlertList;
while (idx != NULL)
{
idx->func(packet, event, event_type, idx->arg);
idx = idx->next;
}

idx = LogList;
while (idx != NULL)
{
idx->func(packet, event, event_type, idx->arg);
idx = idx->next;
}
}
*/

So this would also make priority work for fwsam.

But without the code change if you just set it before the other output
plugin within its "log" category it
would fire correctly before the other.