[Snort-users] Barnyard2 2-1.13-BETA

beenph beenph at ...11827...
Wed Apr 10 08:52:53 EDT 2013

Greetings everyone,

 We are happy to announce the Availability of Barnyard2 2-1.13-BETA
 which can be downloaded from HERE: https://github.com/firnsy/barnyard2.git

This release is a bug fix release that also introduce a few new
 features and enhancements

 If you are upgrading to barnyard2 2-1.13 Build 325 or above from a
 previous version  that is not 2-1.13 and using the output database.

***** We highly recommend ******
 To delete every row in your sig_reference table. (DELETE FROM sig_reference;)
 The table will be re-populated at  process startup, and has no impact
on historical data.

 Feature request:
 Phil Daws:        Add interface and hostname field to spo_alert_csv if
 Jorge Pinto:      spo_syslog_full support for ASCII,BASE64 payload

 Jason Brvenik:  variables .....(a long time ago, sorry :P)

 Martin Olsson:  Remove some useless verbosity unless
                         ./configure --enable-debug is specified and proper
                          flag are used (spo_database and sid-msg.mapv2)

 *And all other barnyard2 users who help and contribute.

 Bug report:
 Martin Olsson:              - bug in sig_reference generation and good

 John Eure and others   - autogen.sh could cause some issue on some system so
                                        [autoreconf -fv --install] is
not set to autoreconf -fvi

 John Naggets               - spo_database: could stop barnyard2 from
                                         processing new event if some
packets with ip
                                         option where processed and
option_len  was null.

 Fäbu Hufi                     - spo_syslog_full: in complete mode was
                                        printing wrong ip version
information and ip header length.

*And all other barnyard2 users who help and contribute.

 New feature:

 Support for sid-msg.map Version 2 format.
 A new sig-msg.map format can be generated by pulledpok (upcoming release,
 already in svn). Detection of sid-msg.map version is done by a simple
 header in the  file that shouldn't be altered if you want it to be
processed correctly.

 sig-msg.map version 2 format extend the information already present in
 the sid-msg.map file created from rules.

This new format version allow signature  pre-population if users are
using output database method with  barnyard2 2-1.13 and above.
 sid-msg.map v1 format:
 SID || MSG || REF 1 || REF N
 sid := integer
 msg := string
 ref := string
 sid-msg.map v2 format:
 gid := integer
 sid := integer
 rev := integer
 classification := string (if NULL set to NOCLASS)
 priority := integer (if prio == 0, classification priority is used)
 msg := string
 ref := string
 generator (GID, gen-msg.map) are defaulted to the following value
 if their information is not overruled in sid-msg.map v2 file via
 processing of preprocessor.rules:
 revision 1
 classification 0
 priority 3
 If generator message is present in the sid-msg.map v2 file, and
 gen-msg.map message are longer
 (more comprehensive by string length),
 gen-msg.map messages are used instead of sid-msg.map v2 file
generator messages.

Signature/event logging suppression at spooler level
 Read doc/README.sig_suppression
 configuration file Variables:

Barnyard2 configuration Variables
 You can now use [var VARNAME value] in the barnyard2 configuration
 file and every
  instance of $VARNAME will get replaced by value.
  Note that variable declaration order is important only you include a
 variable in a variable.
  EX (is VALID):
  var INTERFACE ethX
  var PATH /var/log/IDS
  EX (is INVALID):
  var INTERFACE ethX
  var PATH /var/log/IDS

new output database configuration keyword

 Keywords connection_limit and reconnect_sleep_time where added in
 2-1.10 but where "undocumented" and shouldn't be modified unless
 you encounter connectivity issue.

 connection_limit <integer>: default 10  - The maximum number of time
                                           that barnyard2 will
tolerate a transaction
                                           failure and or database
connection failure.

 reconnect_sleep_time <integer> : default 5 - The number of seconds to sleep
                                              between connection retry.

 disable_signature_reference_table - Tell the output plugin not to synchronize
                                     the sig_reference table in the schema.
                                     This option will speedup the process,
                                     especially if you use sid-msg.mapv2
                                     file or  have a lot of signature already
                                     in databases. (Make sure that you
do not need that
                                     information before enabling this)

Enjoy and do not hesitate to send feedback/suggestion/feature request.

The barnyard2 team.

More information about the Snort-users mailing list