[Snort-users] Barnyard2 2-1.13-BETA

beenph beenph at ...11827...
Wed Apr 10 15:09:08 EDT 2013


Sorry for the noise.

But I forgot to say that if there is no issue found,
we will remove the beta tags and make it a release for
April 24, 2013.
*****************

-elz



On Wed, Apr 10, 2013 at 8:52 AM, beenph <beenph at ...11827...> wrote:

> Greetings everyone,
>
>  We are happy to announce the availability of Barnyard2 2-1.13-BETA,
>  which can be downloaded from here:
> https://github.com/firnsy/barnyard2.git
>
>
> This release is a bug fix release that also introduces a few new
>  features and enhancements.
>
>
>  =====================
>  UPGRADING REQUIREMENT
>  =====================
>  ----------------------
>  If you are upgrading to barnyard2 2-1.13 Build 325 or above from a
>  previous version that is not 2-1.13 and are using the output database,
>
> ***** we highly recommend ******
>  that you delete every row in your sig_reference table (DELETE FROM
> sig_reference;).
>  The table will be re-populated at process startup, and this has no impact
> on historical data.
>  ----------------------
>  =====================
>  UPGRADING REQUIREMENT
>  =====================
>
>  Feature request:
>  ----------------
>  Phil Daws:      Add interface and hostname fields to spo_alert_csv if
>                  specified.
>  Jorge Pinto:    spo_syslog_full support for ASCII, BASE64 payload
>
>  Jason Brvenik:  variables .....(a long time ago, sorry :P)
>
>  Martin Olsson:  Remove some useless verbosity unless
>                  ./configure --enable-debug is specified and the proper
>                  flags are used (spo_database and sid-msg.mapv2)
>
>  *And all other barnyard2 users who help and contribute.
>
>  Bug report:
>  -----------
>  Martin Olsson:          - bug in sig_reference generation and good
>                            discussions.
>
>  John Eure and others    - autogen.sh could cause some issues on some
>                            systems, so [autoreconf -fv --install] is
>                            not set to autoreconf -fvi
>
>  John Naggets            - spo_database: could stop barnyard2 from
>                            processing new events if some packets with ip
>                            options were processed and option_len was null.
>
>  Fäbu Hufi               - spo_syslog_full: in complete mode was
>                            printing wrong ip version information and ip
>                            header length.
>
> *And all other barnyard2 users who help and contribute.
>
>
>  New feature:
>  ------------
>
>
>  Support for sid-msg.map Version 2 format.
>  -------
>  A new sid-msg.map format can be generated by pulledpork (upcoming release,
>  already in svn). Detection of the sid-msg.map version is done by a simple
>  header in the file that shouldn't be altered if you want it to be
>  processed correctly.
>
>  The sid-msg.map version 2 format extends the information already present in
>  the sid-msg.map file created from rules.
>
>  This new format version allows signature pre-population if users are
>  using the output database method with barnyard2 2-1.13 and above.
>  ______________________
>  sid-msg.map v1 format:
>  ______________________
>  SID || MSG || REF 1 || REF N
>  sid := integer
>  msg := string
>  ref := string
>  ______________________
>  sid-msg.map v2 format:
>  ______________________
>  GID || SID || REV || CLASSIFICATION || PRIORITY || MSG || REF 1 || REF N
>  gid := integer
>  sid := integer
>  rev := integer
>  classification := string (if NULL set to NOCLASS)
>  priority := integer (if prio == 0, classification priority is used)
>  msg := string
>  ref := string
>  =====================
>  Generators (GID, gen-msg.map) are defaulted to the following values
>  if their information is not overruled in the sid-msg.map v2 file via
>  processing of preprocessor.rules:
>  revision 1
>  classification 0
>  priority 3
>  If a generator message is present in the sid-msg.map v2 file, and the
>  gen-msg.map message is longer (more comprehensive by string length),
>  the gen-msg.map message is used instead of the sid-msg.map v2 file
>  generator message.
>  =====================
>   -------
>
>
> Signature/event logging suppression at spooler level
>  -------
>  Read doc/README.sig_suppression
>  -------
>
> Barnyard2 configuration variables
>   -------
>  You can now use [var VARNAME value] in the barnyard2 configuration
>  file and every instance of $VARNAME will get replaced by value.
>   Note that variable declaration order is important only if you include a
>  variable in a variable.
>   EX (is VALID):
>   var INTERFACE ethX
>   var PATH /var/log/IDS
>   var LOG $PATH/$INTERFACE/log
>   var ARCHIVE $PATH/$INTERFACE/archive
>   EX (is INVALID):
>   var LOG $PATH/$INTERFACE/log
>   var ARCHIVE $PATH/$INTERFACE/archive
>   var INTERFACE ethX
>   var PATH /var/log/IDS
>   -------
>
> New output database configuration keywords
>  -------
>
>  Keywords connection_limit and reconnect_sleep_time were added in
>  2-1.10 but were "undocumented" and shouldn't be modified unless
>  you encounter connectivity issues.
>
>  connection_limit <integer>: default 10 - The maximum number of times
>                                           that barnyard2 will tolerate a
>                                           transaction failure and/or
>                                           database connection failure.
>
>  reconnect_sleep_time <integer>: default 5 - The number of seconds to
>                                              sleep between connection
>                                              retries.
>
>  disable_signature_reference_table - Tells the output plugin not to
>                                      synchronize the sig_reference table
>                                      in the schema. This option will
>                                      speed up the process, especially if
>                                      you use a sid-msg.mapv2 file or have
>                                      a lot of signatures already in the
>                                      database. (Make sure that you do not
>                                      need that information before
>                                      enabling this.)
>   -------
>
>
> Enjoy and do not hesitate to send feedback/suggestion/feature request.
>
> The barnyard2 team.
>
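As an added example (not part of the original announcement, nor barnyard2's own code): a small parser for the sid-msg.map v1 and v2 formats quoted above, applying the NULL-to-NOCLASS rule and the prio == 0 fallback to the classification priority. The announcement does not quote the version header line, so the `#v2` first line, the classification priority table and the sample map lines are assumptions constructed for this example.

```python
from dataclasses import dataclass

V2_HEADER = "#v2"  # assumed header line; the announcement does not quote it
# Constructed classification -> priority table (stands in for classification.config)
CLASS_PRIORITY = {"attempted-admin": 1, "misc-activity": 3}
SAMPLE_V1 = "1000001 || EXAMPLE v1 rule || url,example.test/v1\n"  # constructed
SAMPLE_V2 = (  # constructed sample v2 map
    "#v2\n"
    "1 || 2000001 || 3 || attempted-admin || 0 || EXAMPLE admin attempt || url,example.test/a\n"
    "1 || 2000002 || 1 || NULL || 2 || EXAMPLE no class || \n"
)

@dataclass
class SigEntry:
    gid: int
    sid: int
    rev: int
    classification: str
    priority: int
    msg: str
    refs: list

def detect_version(lines):
    """v2 if the first line is the header, otherwise v1."""
    return 2 if lines and lines[0].strip() == V2_HEADER else 1

def parse_sid_msg_map(text):
    """Return {(gid, sid): SigEntry} for a v1 or v2 sid-msg.map."""
    lines = text.splitlines()
    version = detect_version(lines)
    entries = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if version == 1:
            # v1 has no gid/rev/class/priority; gid 1 (text rules) is assumed here
            sid, msg, *refs = fields
            entry = SigEntry(1, int(sid), 1, "NOCLASS", 3, msg, [])
        else:
            gid, sid, rev, cls, prio, msg, *refs = fields
            cls = "NOCLASS" if cls.upper() in ("", "NULL") else cls
            prio = int(prio)
            if prio == 0:  # fall back to the classification's own priority
                prio = CLASS_PRIORITY.get(cls, 3)
            entry = SigEntry(int(gid), int(sid), int(rev), cls, prio, msg, [])
        entry.refs = [r for r in refs if r]  # drop empty trailing refs
        entries[(entry.gid, entry.sid)] = entry
    return entries
```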