[Snort-users] Barnyard2 2-1.13-BETA

sumit kamboj sumitkamboj88 at ...11827...
Sat Apr 27 11:06:31 EDT 2013


Does the DB schema currently in use with Barnyard2 2-1.13-BETA support IPv6?
Is it capable of handling the alerts generated by Snort in an IPv6 network?

On Wednesday, 10 April 2013 18:22:53 UTC+5:30, Eric Lauzon wrote:
>
> Greetings everyone, 
>
>  We are happy to announce the availability of Barnyard2 2-1.13-BETA,
>  which can be downloaded from HERE:
> https://github.com/firnsy/barnyard2.git
>
>
> This release is a bug fix release that also introduces a few new
>  features and enhancements.
>
>
>  ===================== 
>  UPGRADING REQUIREMENT 
>  ===================== 
>  ---------------------- 
>  If you are upgrading to barnyard2 2-1.13 Build 325 or above from a
>  previous version that is not 2-1.13 and are using the output database:
>
> ***** We highly recommend ******
>  deleting every row in your sig_reference table (DELETE FROM sig_reference;).
>  The table will be re-populated at process startup, and this has no impact
>  on historical data.
>  ---------------------- 
>  ===================== 
>  UPGRADING REQUIREMENT 
>  ===================== 
>
>  Feature request: 
>  ---------------- 
>  Phil Daws:       Add interface and hostname fields to spo_alert_csv if
>                   specified.
>  Jorge Pinto:     spo_syslog_full support for ASCII and BASE64 payload
>
>  Jason Brvenik:   variables ..... (a long time ago, sorry :P)
>
>  Martin Olsson:   Remove some useless verbosity unless
>                   ./configure --enable-debug is specified and the proper
>                   flags are used (spo_database and sid-msg.mapv2)
>
>  *And all other barnyard2 users who help and contribute. 
>
>  Bug report: 
>  ----------- 
>  Martin Olsson:         - bug in sig_reference generation, and good
>                           discussions.
>
>  John Eure and others   - autogen.sh could cause some issues on some
>                           systems, so [autoreconf -fv --install] is not
>                           set to autoreconf -fvi
>
>  John Naggets           - spo_database: could stop barnyard2 from
>                           processing new events if some packets with IP
>                           options were processed and option_len was null.
>
>  Fäbu Hufi              - spo_syslog_full: in complete mode was printing
>                           wrong IP version information and IP header length.
>
> *And all other barnyard2 users who help and contribute. 
>
>
>  New feature: 
>  ------------ 
>
>
>  Support for sid-msg.map Version 2 format.
>  -------
>  A new sid-msg.map format can be generated by pulledpork (upcoming release,
>  already in svn). Detection of the sid-msg.map version is done by a simple
>  header in the file that shouldn't be altered if you want it to be
>  processed correctly.
>
>  The sid-msg.map version 2 format extends the information already present in
>  the sid-msg.map file created from rules.
>
> This new format version allows signature pre-population if users are
> using the output database method with barnyard2 2-1.13 and above.
>  ______________________ 
>  sid-msg.map v1 format: 
>  ______________________ 
>  SID || MSG || REF 1 || REF N 
>  sid := integer 
>  msg := string 
>  ref := string 
>  ______________________ 
>  sid-msg.map v2 format: 
>  ______________________ 
>  GID || SID || REV || CLASSIFICATION || PRIORITY || MSG || REF 1 || REF N 
>  gid := integer 
>  sid := integer 
>  rev := integer 
>  classification := string (if NULL set to NOCLASS) 
>  priority := integer (if prio == 0, classification priority is used) 
>  msg := string 
>  ref := string 
>  ===================== 
>  generators (GID, gen-msg.map) are defaulted to the following values
>  if their information is not overruled in the sid-msg.map v2 file via
>  processing of preprocessor.rules:
>  revision 1
>  classification 0
>  priority 3
>  If a generator message is present in the sid-msg.map v2 file and the
>  gen-msg.map message is longer
>  (more comprehensive by string length),
>  the gen-msg.map message is used instead of the sid-msg.map v2 file
>  generator message.
>  ===================== 
>   ------- 
>
>
> Signature/event logging suppression at spooler level
>  -------
>  Read doc/README.sig_suppression
>  -------
>
> Barnyard2 configuration Variables
>   -------
>  You can now use [var VARNAME value] in the barnyard2 configuration
>  file, and every instance of $VARNAME will get replaced by value.
>   Note that variable declaration order is important only if you include a
>  variable in a variable.
>   EX (is VALID): 
>   var INTERFACE ethX 
>   var PATH /var/log/IDS 
>   var LOG $PATH/$INTERFACE/log 
>   var ARCHIVE $PATH/$INTERFACE/archive 
>   EX (is INVALID): 
>   var LOG $PATH/$INTERFACE/log 
>   var ARCHIVE $PATH/$INTERFACE/archive 
>   var INTERFACE ethX 
>   var PATH /var/log/IDS 
>   ------- 
>
> new output database configuration keyword 
>  ------- 
>
>  Keywords connection_limit and reconnect_sleep_time were added in
>  2-1.10 but were "undocumented" and shouldn't be modified unless
>  you encounter connectivity issues.
>
>  connection_limit <integer>: default 10 - The maximum number of times
>                                            that barnyard2 will tolerate a
>                                            transaction failure and/or
>                                            database connection failure.
>
>  reconnect_sleep_time <integer>: default 5 - The number of seconds to
>                                               sleep between connection retries.
>
>  disable_signature_reference_table - Tell the output plugin not to
>                                      synchronize the sig_reference table
>                                      in the schema. This option will speed
>                                      up the process, especially if you use
>                                      a sid-msg.mapv2 file or have a lot of
>                                      signatures already in the database.
>                                      (Make sure that you do not need that
>                                      information before enabling this.)
>   ------- 
>
>
> Enjoy and do not hesitate to send feedback/suggestions/feature requests.
>
> The barnyard2 team. 
>
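The sid-msg.map v1/v2 format and the v2 normalization rules quoted above (NULL classification becomes NOCLASS, priority 0 falls back to the classification's priority), as an added parser that is not barnyard2's or pulledpork's own code. It assumes the v2 header line is `#v2` and uses a constructed classification table in place of classification.config.

```python
"""sid-msg.map v1/v2 parser following the format in the announcement.
Added example, not barnyard2's or pulledpork's code. Assumed: the v2 header
line is '#v2' (what pulledpork writes); CLASS_PRIORITY is a constructed
stand-in for classification.config."""

V2_HEADER = "#v2"  # assumed marker; the post only says "a simple header"
CLASS_PRIORITY = {"trojan-activity": 1, "attempted-recon": 2, "misc-activity": 3}

def detect_version(lines):
    """2 if the first non-blank line is the v2 header, else 1."""
    first = next((l.strip() for l in lines if l.strip()), "")
    return 2 if first == V2_HEADER else 1

def _split(line):
    return [field.strip() for field in line.split("||")]

def parse_v1_line(line):
    """SID || MSG || REF 1 || REF N"""
    sid, msg, *refs = _split(line)
    return {"sid": int(sid), "msg": msg, "refs": refs}

def parse_v2_line(line, class_priority=CLASS_PRIORITY):
    """GID || SID || REV || CLASSIFICATION || PRIORITY || MSG || REF 1 || REF N"""
    gid, sid, rev, cls, prio, msg, *refs = _split(line)
    if cls in ("", "NULL"):  # NULL classification is set to NOCLASS
        cls = "NOCLASS"
    prio = int(prio)
    if prio == 0:  # prio 0: the classification's priority is used
        prio = class_priority.get(cls, 0)  # unknown class: left at 0
    return {"gid": int(gid), "sid": int(sid), "rev": int(rev),
            "classification": cls, "priority": prio, "msg": msg, "refs": refs}

def parse_sid_msg_map(text):
    """Parse a whole file, skipping blank and '#' lines -> (version, entries)."""
    lines = text.splitlines()
    version = detect_version(lines)
    parse_line = parse_v2_line if version == 2 else parse_v1_line
    entries = [parse_line(l.strip()) for l in lines
               if l.strip() and not l.strip().startswith("#")]
    return version, entries

# Constructed sample files (not real Snort rule data).
SAMPLE_V2 = """#v2
1 || 1000001 || 3 || trojan-activity || 0 || EXAMPLE trojan beacon || url,example.invalid/a
1 || 1000002 || 1 || NULL || 2 || EXAMPLE no class || bugtraq,1234 || cve,0000-0000
"""
SAMPLE_V1 = "1000001 || EXAMPLE v1 message || url,example.invalid/a\n"
```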
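The order-sensitive `var VARNAME value` expansion described in the announcement, as an added example that is not barnyard2's own config parser. It assumes a `$NAME` is replaced only with a value declared on an earlier line and that an unresolved reference is left in place and reported; the VALID and INVALID fragments mirror the post's examples, and the `output alert_fast` line is constructed.

```python
"""Order-sensitive 'var NAME value' expansion as described for barnyard2 2-1.13.
Added example, not barnyard2's own config parser. Assumed: a $NAME is replaced
only with a value declared on an earlier line, and an unresolved $NAME is left
in place and reported instead of being dropped silently."""
import re

VAR_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

def expand_config(text):
    """Return (expanded_lines, unresolved) where unresolved is [(lineno, name)]."""
    variables, expanded, unresolved = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            expanded.append(raw)
            continue

        def substitute(match):
            name = match.group(1)
            if name in variables:
                return variables[name]
            unresolved.append((lineno, name))  # declared later or never
            return match.group(0)

        line = VAR_REF.sub(substitute, line)
        parts = line.split(None, 2)
        if parts[0] == "var" and len(parts) == 3:  # record the (expanded) declaration
            variables[parts[1]] = parts[2]
        expanded.append(line)
    return expanded, unresolved

# Constructed config fragments mirroring the VALID and INVALID examples in the post.
VALID = """var INTERFACE ethX
var PATH /var/log/IDS
var LOG $PATH/$INTERFACE/log
var ARCHIVE $PATH/$INTERFACE/archive
output alert_fast: $LOG/alert.fast
"""
INVALID = """var LOG $PATH/$INTERFACE/log
var ARCHIVE $PATH/$INTERFACE/archive
var INTERFACE ethX
var PATH /var/log/IDS
"""
```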