[Snort-users] Barnyard2 alternatives?

Jim Hranicky jfh at ...5250...
Tue Aug 4 10:16:02 EDT 2015


On 08/04/2015 08:25 AM, Richard Monk wrote:
> Hi folks!
> 
> TL;DR: Barnyard2 takes forever to start and I have a hundred instances that need
> to start on a system.  Pigsty doesn't work, are there alternates?
[...]
> If you know of something that works but doesn't write to the snort DB schema,
> I'm OK with that as we have some internal tools that we are using that are
> slowly replacing Snorby.  Is there a patchset to barnyard2 maybe that does
> multiple sensors at once, or improves startup time?

I created a patch that disables the reference table. There's already a 
directive to disable the sig_reference table (we don't really use
either). You should be able to specify both like so after you install 
the patch. 

 output database: log, mysql, user=user dbname=snortdb host=localhost \
 disable_signature_reference_table=1 disable_reference_table=1

Barnyard starts up much quicker this way, within a couple of minutes. 

--
Jim Hranicky
Data Security Specialist
UF Information Technology
Information Security Office
-------------- next part --------------
diff --git a/src/output-plugins/spo_database.c b/src/output-plugins/spo_database.c
index 157ff70..756b7f6 100644
--- a/src/output-plugins/spo_database.c
+++ b/src/output-plugins/spo_database.c
@@ -1153,6 +1153,10 @@ void ParseDatabaseArgs(DatabaseData *data)
 	{
 	    data->dbRH[data->dbtype_id].disablesigref = 1;
 	}
+        if(!strncasecmp(dbarg,KEYWORD_DISABLE_REFTABLE,strlen(KEYWORD_DISABLE_REFTABLE)))
+        {
+            data->dbRH[data->dbtype_id].disableref = 1;
+        }
 
 #ifdef ENABLE_MYSQL
 	/* Option declared here should be forced to dbRH[DB_MYSQL] */
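Review bot: the new `strncasecmp` check on the `+` lines ignores whatever follows the keyword, since it compares only `strlen(KEYWORD_DISABLE_REFTABLE)` characters; `disable_reference_table=0` therefore sets `disableref = 1` exactly as `=1` does. That mirrors the existing `disablesigref` branch just above it, but if the directive is meant to take a value, parse the text past the `=` like the other `key=value` arguments, or state in the option's documentation that presence alone enables it. The added lines are also indented with spaces while the surrounding block uses tabs.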
diff --git a/src/output-plugins/spo_database.h b/src/output-plugins/spo_database.h
index d5e21eb..2b91e00 100644
--- a/src/output-plugins/spo_database.h
+++ b/src/output-plugins/spo_database.h
@@ -343,6 +343,7 @@ typedef struct _dbReliabilityHandle
     u_int8_t transactionErrorCount; /* Number of transaction fail for a single transaction (Reset by sucessfull commit)*/
     u_int8_t transactionErrorThreshold; /* Consider the transaction threshold to be the same as reconnection maxiumum */
      
+    u_int8_t disableref; /* Allow user to prevent generation and creation of signature reference table */
     u_int8_t disablesigref; /* Allow user to prevent generation and creation of signature reference table */
     
     struct _DatabaseData *dbdata; /* Pointer to parent structure used for call clarity */
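Review bot: the comment on the new `disableref` field is a verbatim copy of the `disablesigref` comment on the next line and still says "signature reference table"; reword it to say it controls the `reference` table so the two fields can be told apart when reading the header.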
@@ -499,6 +500,7 @@ typedef struct _DatabaseData
 #define KEYWORD_CONNECTION_LIMIT "connection_limit"
 #define KEYWORD_RECONNECT_SLEEP_TIME "reconnect_sleep_time"
 #define KEYWORD_DISABLE_SIGREFTABLE "disable_signature_reference_table"
+#define KEYWORD_DISABLE_REFTABLE "disable_reference_table"
 
 #define KEYWORD_MYSQL_RECONNECT "mysql_reconnect"
 
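Review bot: the new `KEYWORD_DISABLE_REFTABLE` define follows the naming of `KEYWORD_DISABLE_SIGREFTABLE`, but it only appears here; `disable_reference_table` should also be added wherever `disable_signature_reference_table` is documented for the `output database:` line, including a note on whether it may be used without the signature reference option.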
diff --git a/src/output-plugins/spo_database_cache.c b/src/output-plugins/spo_database_cache.c
index 3206871..5ef6016 100644
--- a/src/output-plugins/spo_database_cache.c
+++ b/src/output-plugins/spo_database_cache.c
@@ -4508,21 +4508,23 @@ u_int32_t SystemCacheSynchronize(DatabaseData *data,cacheSystemObj **cacheHead)
 	goto func_fail;
     }
     
-    /* Update Reference cache */
-    SystemCacheElemPtr = *cacheHead;
-    
-    while(SystemCacheElemPtr != NULL)
-    {
-	if(SystemCacheElemPtr->obj.refList != NULL)
-	{
-	    if(ReferencePopulateDatabase(data,SystemCacheElemPtr->obj.refList))
-	    {
-		LogMessage("[%s()], Call to ReferencePopulateDatabase() failed \n",
-			   __FUNCTION__);
-		goto func_fail;
-	    }
-	}
-	SystemCacheElemPtr = SystemCacheElemPtr->next;
+    /* Update Reference cache unless config specifies otherwise*/
+    if (!data->dbRH[data->dbtype_id].disableref) {
+        SystemCacheElemPtr = *cacheHead;
+        
+        while(SystemCacheElemPtr != NULL)
+        {
+            if(SystemCacheElemPtr->obj.refList != NULL)
+            {
+                if(ReferencePopulateDatabase(data,SystemCacheElemPtr->obj.refList))
+                {
+                    LogMessage("[%s()], Call to ReferencePopulateDatabase() failed \n",
+                               __FUNCTION__);
+                    goto func_fail;
+                }
+            }
+            SystemCacheElemPtr = SystemCacheElemPtr->next;
+        }
     }
     
     if(dbRefArray != NULL)
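Review bot: gating the `ReferencePopulateDatabase()` loop on `disableref` leaves the reference table unpopulated, but nothing in this hunk stops signature reference rows from being written later when `disablesigref` is unset, so they would point at reference entries that never exist. Either have `disable_reference_table` imply `disable_signature_reference_table` at parse time, or reject the combination of `disableref = 1` with `disablesigref = 0` with an explicit error. Separately, the loop body was re-indented from tabs to spaces when it moved inside the `if`, which turns a one-line change into a 30-line diff; keeping the original indentation would make the actual change visible at a glance (and the comment `otherwise*/` is missing a space before `*/`).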
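The `output database:` line earlier in this message passes its options as whitespace- or comma-separated `key=value` tokens, and the patch matches keywords by prefix. As an added example that is not barnyard2's own code, here is a small standalone parser for that directive syntax which matches keyword names in full and honours the value after `=`, so `disable_reference_table=0` is not mistaken for `=1`; the `db_flags` struct and function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical flag set mirroring the two keywords discussed in the thread. */
struct db_flags {
    int disable_sigref;   /* disable_signature_reference_table */
    int disable_ref;      /* disable_reference_table */
};

/* Case-insensitive compare of the first n bytes (avoids relying on strncasecmp). */
static int ci_prefix_eq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]) || a[i] == '\0')
            return 0;
    return 1;
}

/* Return 1 if tok is exactly keyword or keyword=1. A bare keyword counts as enabled;
 * any other value, or a longer name sharing the keyword as a prefix, does not. */
static int flag_value(const char *tok, const char *keyword)
{
    size_t klen = strlen(keyword);
    if (!ci_prefix_eq(tok, keyword, klen))
        return 0;
    if (tok[klen] == '\0')
        return 1;
    if (tok[klen] != '=')
        return 0;
    return strcmp(tok + klen + 1, "1") == 0;
}

/* Parse the argument string of an "output database:" line into out.
 * Tokens are split on spaces, tabs and commas. Returns the token count. */
int parse_db_args(const char *args, struct db_flags *out)
{
    char buf[1024];
    int n = 0;
    memset(out, 0, sizeof *out);
    strncpy(buf, args, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " \t,"); tok; tok = strtok(NULL, " \t,")) {
        n++;
        if (flag_value(tok, "disable_signature_reference_table")) out->disable_sigref = 1;
        if (flag_value(tok, "disable_reference_table"))           out->disable_ref = 1;
    }
    return n;
}

/* Convenience wrappers for checking a single directive line. */
int ref_disabled(const char *args)    { struct db_flags f; parse_db_args(args, &f); return f.disable_ref; }
int sigref_disabled(const char *args) { struct db_flags f; parse_db_args(args, &f); return f.disable_sigref; }
```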