[Snort-users] barnyard2 and bpf filters

Russell Fulton r.fulton at ...3809...
Wed Nov 3 00:01:17 EDT 2010


Hi Folk

Coming to the end of my effort to move from oinkmaster and the old barnyard to PulledPork and barnyard2.

I have a couple of questions about barnyard2:

1/  Am I right in thinking that barnyard2 database plugin insists on getting the Sensor_id from the database?
 (I'm pretty sure about this -- I have been reading the source ;)

2/ I have also been trying to figure out how to get a bpf filter string into barnyard2 -- anyone know how?

the bpf_filter is one of the things used to decide which sid to use but the docs are not consistent:  README makes no mention of the filter but barnyard2 --help suggests that there is something called <filter options> on the command line but these are not described anywhere.

looking at the source suggests that it has been partially implemented but nothing actually sets the filter string:

bluebottle:~ rful011$ grep  filter  tmp/barnyard2-1.8/src/*
tmp/barnyard2-1.8/src/barnyard2.c:    fprintf(stdout, "USAGE: %s [-options] <filter options>\n", program_name);
tmp/barnyard2-1.8/src/barnyard2.c:    fprintf(stdout, "       %s %s %s [-options] <filter options>\n", program_name
tmp/barnyard2-1.8/src/barnyard2.c:    char *pcap_filter = NULL;
tmp/barnyard2-1.8/src/barnyard2.c:    if (pcap_filter != NULL)
tmp/barnyard2-1.8/src/barnyard2.c:        free(pcap_filter);
tmp/barnyard2-1.8/src/barnyard2.c:    if (cmd_line->bpf_filter != NULL)
tmp/barnyard2-1.8/src/barnyard2.c:        config_file->bpf_filter = SnortStrdup(cmd_line->bpf_filter);
tmp/barnyard2-1.8/src/barnyard2.h:    char                *bpf_filter;            /* config bpf_filter */

Being able to set the filters would be useful for me.  I have worked around this issue but I could simplify my scripts a bit if I could get the bpf_filter set.

            ret = SnortSnprintf(select_sensor_id, MAX_QUERY_LENGTH, 
                                "SELECT sid "
                                "  FROM sensor "
                                " WHERE hostname = '%s' "
                                "   AND interface = '%s' "
                                "   AND filter ='%s' "
                                "   AND detail = %u "
                                "   AND encoding = %u ",
                                escapedSensorName, escapedInterfaceName,
                                escapedBPFFilter, data->detail, data->encoding);

At the moment having anything other than NULL in the filter column of the sensor table causes barnyard to allocate another sid.

Russell
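An added illustration, not barnyard2's own code, of why a populated filter column ends up allocating a second sid: the sensor lookup from the query quoted in the post is modelled against an in-memory sqlite3 "sensor" table. The table layout and the `filter IS NULL` branch used when no bpf filter is configured are assumptions based on that query, not lines from the barnyard2 source.

```python
import sqlite3

# Constructed stand-in for the sensor table (column names taken from the quoted SELECT).
SCHEMA = """
CREATE TABLE sensor (
    sid       INTEGER PRIMARY KEY AUTOINCREMENT,
    hostname  TEXT NOT NULL,
    interface TEXT,
    filter    TEXT,
    detail    INTEGER,
    encoding  INTEGER
)
"""


def lookup_or_create_sid(conn, hostname, interface, bpf_filter, detail, encoding):
    """Return the sid whose row matches every column, inserting a new row when none does.
    In SQL 'filter = NULL' is never true, so a missing bpf filter has to be matched with
    'filter IS NULL' (assumed behaviour); a row carrying any filter string cannot match it."""
    base = "SELECT sid FROM sensor WHERE hostname = ? AND interface = ? AND detail = ? AND encoding = ?"
    if bpf_filter is None:
        row = conn.execute(base + " AND filter IS NULL",
                           (hostname, interface, detail, encoding)).fetchone()
    else:
        row = conn.execute(base + " AND filter = ?",
                           (hostname, interface, detail, encoding, bpf_filter)).fetchone()
    if row:
        return row[0]
    # No match: allocate a new sensor id, exactly the duplication the post describes.
    cur = conn.execute(
        "INSERT INTO sensor (hostname, interface, filter, detail, encoding) VALUES (?, ?, ?, ?, ?)",
        (hostname, interface, bpf_filter, detail, encoding))
    return cur.lastrowid


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    # Constructed: an existing sensor row whose filter column was filled in by the old barnyard.
    conn.execute("INSERT INTO sensor (hostname, interface, filter, detail, encoding) "
                 "VALUES ('sensor-host', 'eth1', 'not port 22', 1, 0)")
    # With no way to pass a bpf filter the lookup runs the IS NULL branch: no match, new sid.
    sid_without_filter = lookup_or_create_sid(conn, 'sensor-host', 'eth1', None, 1, 0)
    # Supplying the filter string the row carries makes the lookup reuse the original sid.
    sid_with_filter = lookup_or_create_sid(conn, 'sensor-host', 'eth1', 'not port 22', 1, 0)
    return sid_without_filter, sid_with_filter  # returns (2, 1)


if __name__ == "__main__":
    print(demo())
```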
