Help me

.gitignore

@@ -0,0 +1,24 @@
+*~
+*.o
+aclocal.m4
+autom4te.cache/
+cflags.out
+/config.*
+configure
+cppflags.out
+install-sh
+libtool
+ltmain.sh
+m4/libtool.m4
+m4/lt~obsolete.m4
+m4/ltoptions.m4
+m4/ltsugar.m4
+m4/ltversion.m4
+Makefile
+Makefile.in
+missing
+src/barnyard2
+src/input-plugins/libspi.a
+src/output-plugins/libspo.a
+src/sfutil/libsfutil.a
+stamp-h1

Makefile.am

@@ -5,6 +5,6 @@ ACLOCAL_AMFLAGS = -I m4
 
 SUBDIRS = src etc doc rpm schemas m4
 
-INCLUDES = @INCLUDES@
+AM_CPPFLAGS = @INCLUDES@
 
 EXTRA_DIST = COPYING LICENSE README RELEASE.NOTES ltmain.sh autogen.sh

README

@@ -1,22 +1,23 @@
+It's been a minute, sadly I this project has not seen any love in nearly a
+decade and it's probably time to put it out to pasture. Thanks for the 
+memories <3
+
 
 ------------------------------------------------------------------------------
 0. SUMMARY
 ------------------------------------------------------------------------------
 
-Barnyard2 - version 2-1.10
+Barnyard2 - version 2-1.14
 
 This README contains some quick information about how to set up and
 configure barnyard2 to ensure it works as it should.
 
-Distribution Site:
-http://www.securixlive.com/barnyard2
-
 
 ------------------------------------------------------------------------------
 1. COPYRIGHT
 ------------------------------------------------------------------------------
 
-Copyright (C)2008-2012 Ian Firns     <firnsy@securixlive.com>
+Copyright (C)2008-2013 Ian Firns     <firnsy@securixlive.com>
 Copyright (C)2008-2010 SecurixLive   <dev@securixlive.com>
 
 This program is free software; you can redistribute it and/or modify
@@ -156,4 +157,3 @@ Examples:
   2. Using barnyard2 in batch mode
 
     # ./barnyard2 -c /etc/barnyard2.conf -o file1.u2 file2.u2 file3.u2
-

RELEASE.NOTES

@@ -1,3 +1,25 @@
+2013-02-15 - Barnyard 2.1.12
+  [*] Improvements
+     * spo_syslog_full. Added both ascii and base64 support.
+
+     * spo_database. Many tweaks and fixes.
+
+     * Fixed PQping detection on build.
+
+2012-11-29 - Barnyard 2.1.11
+  [*] Improvements
+     * spo_database. Keep-alive (via ping) for postgresql databases.
+
+     * Updated RPM spec file to support alternative pcap libraries and cleaned
+       some existing cruft. Thanks to Brent Woodruff.
+
+     * spo_alert_unixsock. Supports synchronisation, multiple connections and
+       improved error reporting. Thanks to Martijn van Oosterhaut.
+
+     * Many other general bug fixes and clean ups. Thanks to Jason Ish,
+       Thorsten Fischer, Brad Voth and Bill Parker.
+
+
 2012-10-24 - Barnyard 2.1.10
   [*] Additions
      * spo_database. Support of encrypted connections to postgresql is now

autogen.sh

@@ -10,5 +10,6 @@ else
   echo "Failed to find libtoolize or glibtoolize, please ensure it is installed and accessible via your PATH env variable"
   exit 1
 fi;
-autoreconf -fv --install
+#autoreconf -fv --install
+autoreconf -fvi
 echo "You can now run \"./configure\" and then \"make\"."

configure.in → configure.ac

@@ -2,9 +2,10 @@
 # Process this file with autoconf to produce a configure script.
 
 AC_PREREQ(2.50)
-AC_INIT(src/barnyard2.c)
+AC_INIT([barnyard2], [1.14])
+AC_CONFIG_SRCDIR([src/barnyard2.c])
 AM_CONFIG_HEADER(config.h)
-AM_INIT_AUTOMAKE(barnyard2,1.10)
+AM_INIT_AUTOMAKE
 AC_CONFIG_MACRO_DIR([m4])
 
 LT_INIT
@@ -15,10 +16,10 @@ ADD_WERROR="no"
 # Test for -Werror and sed it out for now since some of the auto tests,
 # for example AC_CHECK_LIB, will fail because of
 # warning: conflicting types for built-in function <func>
-if eval "echo $CFLAGS | grep -e -Werror"; then
-    CFLAGS=`echo $CFLAGS | sed -e "s/-Werror//g"`
-    ADD_WERROR="yes"
-fi
+#if eval "echo $CFLAGS | grep -e -Werror"; then
+#    CFLAGS=`echo $CFLAGS | sed -e "s/-Werror//g"`
+#    ADD_WERROR="yes"
+#fi
 
 # Disable annoying practice of recursively re-running the autotools
 AM_MAINTAINER_MODE
@@ -815,7 +816,8 @@ if test "x$with_postgresql" != "xno"; then
     postgresql_fail="no"
   fi
 
-  AC_MSG_CHECKING(for postgresql)
+
+    AC_MSG_CHECKING([for postgresql])
 
   if test "x$with_pgsql_includes" != "xno"; then
     for i in $with_pgsql_includes $postgresql_directory; do
@@ -861,6 +863,7 @@ if test "x$with_postgresql" != "xno"; then
     fi
   fi
 
+
   if test -z "$POSTGRESQL_DIR"; then
     for dir in $postgresql_directory; do
        for i in "lib" "lib/pgsql"; do
@@ -898,6 +901,10 @@ if test "x$with_postgresql" != "xno"; then
         exit 1
      fi
   fi
+
+AC_CHECK_FUNC([PQping], [AC_DEFINE([HAVE_PQPING], [1],
+			[Define if PQping exists.])])
+
 fi
 
 AC_ARG_WITH(oracle, 
@@ -1035,6 +1042,21 @@ if test "$with_tcl" != "no"; then
     fi
 fi
 
+#
+# OUTPUT PLUGIN - ECHIDNA
+
+AC_ARG_ENABLE(plugin-echidna,
+[  --enable-plugin-echidna           Enable echidna plugin (experimental)],
+       enable_plugin_echidna="$enableval", enable_plugin_echidna="no")
+if test "x$enable_plugin_echidna" = "xyes"; then
+    AC_CHECK_LIB([crypto], [SHA256_Init], [], [AC_MSG_ERROR([SHA256_Init was not found in libcrypto])])
+    AC_CHECK_LIB([curl], [curl_easy_setopt], [], [AC_MSG_ERROR([curl_easy_setopt was not found in libcurl])])
+    AC_CHECK_LIB([websockets], [libwebsocket_create_context], [], [AC_MSG_ERROR([libwebsocket_create_context was not found in libwebsockets])])
+    AC_CHECK_LIB([json], [json_tokener_parse], [], [AC_MSG_ERROR([json_tokener_parse was not found in libjson])])
+
+    CPPFLAGS="$CPPFLAGS -DENABLE_PLUGIN_ECHIDNA"
+    LIBS="$LIBS -lwebsockets -ljson -lcurl -lcrypto"
+fi
 
 
 # let's make some fixes..
@@ -1093,9 +1115,9 @@ fi
 echo $CFLAGS > cflags.out
 echo $CPPFLAGS > cppflags.out
 
-INCLUDES='-I$(top_srcdir) -I$(top_srcdir)/src -I$(top_srcdir)/src/sfutil $(extra_incl) -I$(top_srcdir)/src/output-plugins -I$(top_srcdir)/src/input-plugins'
+AM_CPPFLAGS='-I$(top_srcdir) -I$(top_srcdir)/src -I$(top_srcdir)/src/sfutil $(extra_incl) -I$(top_srcdir)/src/output-plugins -I$(top_srcdir)/src/input-plugins'
 
-AC_SUBST(INCLUDES)
+AC_SUBST(AM_CPPFLAGS)
 
 AC_PROG_INSTALL
 AC_CONFIG_FILES([ \
@@ -1119,15 +1141,15 @@ cat <<EOF
 
  The MySQL client version you are using does not by default reconnect to the
  server if the connection is lost and does not have the option to configure
- this for the client.  Snort, for security reasons, erases the connection
+ this for the client.  Barnyard2, for security reasons, erases the connection
  password from memory, so it cannot explicity reconnect at runtime.  Please
  update your version of MySQL to 5.0.13 or greater or you risk connections
- timing out because of inactivity resulting in the inablilty of Snort to write
+ timing out because of inactivity resulting in the inablilty of Barnyard2 to write
  alerts to the database.  If you can't upgrade, try setting the 'wait-timeout'
  configuration parameter to the maximum value possible in the @<:@mysqld@:>@
  section of my.cnf, e.g. wait-timeout=31536000.  This should give you a good
  year of inactivity before the server terminates the connection ... if your
- network is this clean, you probably don't need to use Snort.
+ network is this clean, you probably don't need to use Barnyard2.
 
 ********************************************************************************
 

doc/README.database

@@ -4,9 +4,11 @@ The database output plug-in enables snort to log to
 
   - Postgresql,
   - MySQL,
-  - any unixODBC database,
-  - MS SQL Server and
-  - Oracle.
+
+# Currently unsupported.
+#  - any unixODBC database,
+#  - MS SQL Server and
+#  - Oracle.
 
 This README contains some quick information about how to set up and
 configure database logging with in snort.  More complete and
@@ -34,9 +36,11 @@ working.
       (unixODBC + some other RDBMS)
         MySQL      => http://www.mysql.org
         Postgresql => http://www.postgesql.org
-        unixODBC   => http://www.unixodbc.org
-        Oracle     => http://www.oracle.com
-        SQL Server => http://www.microsoft.com
+
+# Currently Unsupported
+# unixODBC   => http://www.unixodbc.org
+# Oracle     => http://www.oracle.com
+# SQL Server => http://www.microsoft.com
 
    2) Follow directions from your database vendor to be sure your
       RDBMS is properly configured and secured.
@@ -207,7 +211,16 @@ Arguments:
                 [yes|1]: Ignore the BPF part when looking for the server
                          definition
 
+       connection_limit <integer>: default 10  - The maximum number of time that barnyard2 will tolerate a transaction faillure and or 
+                                                 database connection failure.
+
+       reconnect_sleep_time <integer> : default 5 - The number of seconds to sleep betwen connection retry.
 
+       disable_signature_reference_table - Tell the output plugin not to synchronize the sig_reference table in the schema. 
+				           This option will speedup the process, especialy if you use sid-msg.mapv2 file or
+					   have alot of signature already in databases. 
+					   (Make sure that you do not need that information before enablign this)
+
 
         MYSQL ONLY
 

doc/README.sig_suppress

@@ -0,0 +1,64 @@
+-=Barnyard2 Team=-
+<barnyard2-users@barnyard2-users@googlegroups.com>
+==================================================
+
+Barnyard2 support event suppression at the 
+spooler level using the configuration directive sig_suppress.
+
+Syntax:
+=======
+config sig_suppress: (GID):(SID)  
+
+Note:
+GID is optional and SID can be a single SID or a range (START)-(END) (see below).
+
+EX:
+=======
+config sig_suppress: 1:10 
+AND
+config sig_suppress: 10
+
+The above expressions ARE equivalent.
+
+config sig_suppress: 1:10
+AND
+config sig_suppress: 112:10
+
+The above expressions ARE NOT equivalent because one speficy gid 1 (alert) while the other speficy gid 112 (spp_arpspoof)
+
+config sig_suppress: 10-40 <= RANGE
+IS equivalent to
+    config sig_suppress: 1:10-40 <= RANGE
+AND ALSO equivalent to
+    config sig_suppress: 10,11,12,13,14,15,16....,38,39,40
+
+NOTE: single entries are less effective,especially if you have large lists.
+
+As the time of this writing, if you change the list you will need to restart the process (STOP/START) and not SIGHUP
+if you want the changes to be applied to event processing.
+
+If we define the following list (overlaping entries are ignored or replaced when a range covering them is encountered):
+config sig_suppress: 1:10,20,1:30,2:90-102
+config sig_suppress: 1:10,1:30-40,15,10-40,25
+config sig_suppress: 1:10,50-55,15,10-20,80,51-52,31-35
+config sig_suppress: 2:93,2:95,2:100-101,2:91-122,22-27,2008175,2657,2011766,9900009,2001972,2101623
+
+So with the example above the final list is the following:
+
+    +[ Signature Suppress list ]+
+    ----------------------------
+    -- Element type:[RANGE ] gid:[2] sid min:[90] sid max:[122]
+    -- Element type:[RANGE ] gid:[1] sid min:[30] sid max:[40]
+    -- Element type:[RANGE ] gid:[1] sid min:[50] sid max:[55]
+    -- Element type:[RANGE ] gid:[1] sid min:[10] sid max:[20]
+    -- Element type:[SINGLE] gid:[1] sid min:[80] sid max:[80]
+    -- Element type:[RANGE ] gid:[1] sid min:[22] sid max:[27]
+    -- Element type:[SINGLE] gid:[1] sid min:[2008175] sid max:[2008175]
+    -- Element type:[SINGLE] gid:[1] sid min:[2657] sid max:[2657]
+    -- Element type:[SINGLE] gid:[1] sid min:[2011766] sid max:[2011766]
+    -- Element type:[SINGLE] gid:[1] sid min:[9900009] sid max:[9900009]
+    -- Element type:[SINGLE] gid:[1] sid min:[2001972] sid max:[2001972]
+    -- Element type:[SINGLE] gid:[1] sid min:[2101623] sid max:[2101623]
+    ----------------------------
+    +[ Signature Suppress list ]+
+

etc/Makefile.am

@@ -4,4 +4,8 @@ AUTOMAKE_OPTIONS=foreign no-dependencies
 EXTRA_DIST = barnyard2.conf 
 
 install-data-am:
-	test -e $(sysconfdir)/barnyard2.conf || install -m 600 $(top_srcdir)/etc/barnyard2.conf $(sysconfdir)
+	test -e $(DESTDIR)$(sysconfdir) || \
+		$(mkinstalldirs) $(DESTDIR)$(sysconfdir)
+	test -e $(DESTDIR)$(sysconfdir)/barnyard2.conf || \
+		$(INSTALL_DATA) -m 600 $(top_srcdir)/etc/barnyard2.conf \
+		$(DESTDIR)$(sysconfdir)/barnyard2.conf

etc/barnyard2.conf

@@ -29,6 +29,18 @@ config classification_file: /etc/snort/classification.config
 config gen_file:            /etc/snort/gen-msg.map
 config sid_file:            /etc/snort/sid-msg.map
 
+
+# Configure signature suppression at the spooler level see doc/README.sig_suppress
+#
+#
+#config sig_suppress: 1:10
+
+
+# Set the event cache size to defined max value before recycling of event occur.
+#
+#
+#config event_cache_size: 4096
+
 # define dedicated references similar to that of snort.
 #
 #config reference: mybugs http://www.mybugs.com/?s=
@@ -221,8 +233,11 @@ output alert_fast: stdout
 # Purpose:
 #  This output module provides logging to the Prelude Hybrid IDS system
 #
-# Arguments: profile=snort-profile
-#   snort-profile   - name of the Prelude profile to use (default is snort).
+# Arguments:
+#   analyzer_name           - name of the Prelude analyzer (default is snort).
+#   analyzer_model          - model of the Prelude analyzer (default is Snort).
+#   analyzer_class          - class of the Prelude analyzer (default is NIDS).
+#   analyzer_manufacturer   - manufacturer of the Prelude anaylzer (default is http://www.snort.org).
 #
 # Snort priority to IDMEF severity mappings:
 # high < medium < low < info
@@ -235,8 +250,8 @@ output alert_fast: stdout
 #
 # Examples:
 #   output alert_prelude
-#   output alert_prelude: profile=snort-profile-name
-#
+#   output alert_prelude: analyzer_name=snort
+#   output alert_prelude: analyzer_name=sagan analyzer_model=sagan analyzer_class=Log\ Analyzer analyzer_manufacturer=http://sagan.quadrantsec.com
 
 
 # alert_syslog
@@ -267,6 +282,7 @@ output alert_fast: stdout
 #      operation_mode $operaion_mode    - default | complete : default mode is compatible with default snort syslog message, complete prints more information such as the raw packet (hexed)
 #      log_priority   $log_priority     - used by local option for syslog priority call. (man syslog(3) for supported options) (default: LOG_INFO)
 #      log_facility  $log_facility      - used by local option for syslog facility call. (man syslog(3) for supported options) (default: LOG_USER)
+#      payload_encoding                 - (default: hex)  support hex/ascii/base64 for log_syslog_full using operation_mode complete only.
 
 # Usage Examples:
 # output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default

rpm/barnyard2

@@ -36,7 +36,7 @@ start() {
 		PIDFILE="/var/lock/subsys/barnyard2-$INT.pid"
 		ARCHIVEDIR="$SNORTDIR/$INT/archive"
 		WALDO_FILE="$SNORTDIR/$INT/barnyard2.waldo"
-		BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR/${INT} -w $WALDO_FILE -L $SNORTDIR/${INT} -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
+		BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR/${INT} -w $WALDO_FILE -l $SNORTDIR/${INT} -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
 		daemon $prog $BARNYARD_OPTS
 	done
 	RETVAL=$?