This repository has been archived by the owner on Jan 18, 2024. It is now read-only.

new alert_json plugin with kafka capabilities #88

Open: wants to merge 212 commits into base: master

Conversation

jjptapia

Hi, we have created a new alert_json plugin that gives barnyard2 the possibility of sending alerts in JSON format to a file or to the Kafka messaging system. The idea is to provide big data support to barnyard.

Please review the README and, if you need more detail, contact us.

root and others added 30 commits March 28, 2013 18:52
     modified:   src/output-plugins/Makefile.am
     modified:   src/plugbase.c
     new file:   src/output-plugins/spo_alert_json.c
     new file:   src/output-plugins/spo_alert_json.h
…fault output names

      modified:   output-plugins/spo_alert_json.c
… printed

      modified:   output-plugins/spo_alert_json.c
librdkafka)
	modified:   Makefile.am
	new file:   output-plugins/kafka/librdkafka.a
	new file:   output-plugins/kafka/rdkafka.h
	new file:   output-plugins/librdkafka.a
time, next commit will fix that.
Created sfutil/sf_kafka, to send kafka messages. Modify some makefile.am
and added -lz, -lrt and -lpthread c flags, needed by kafka. Added
rdkafka library too.

	modified:   Makefile.am
	modified:   output-plugins/spo_alert_json.c
	modified:   sfutil/Makefile.am
	new file:   sfutil/kafka/librdkafka.a
	new file:   sfutil/kafka/rd.h
	new file:   sfutil/kafka/rdaddr.h
	new file:   sfutil/kafka/rdcrc32.h
	new file:   sfutil/kafka/rdfile.h
	new file:   sfutil/kafka/rdgz.h
	new file:   sfutil/kafka/rdkafka.h
	new file:   sfutil/kafka/rdrand.h
	new file:   sfutil/kafka/rdtime.h
	new file:   sfutil/kafka/rdtypes.h
	new file:   sfutil/sf_kafka.c
	new file:   sfutil/sf_kafka.h
	modified:   output-plugins/spo_alert_json.c
time now
	modified:   output-plugins/spo_alert_json.c
fork() in that mode).
	modified:   src/output-plugins/spo_alert_json.c
	modified:   src/sfutil/sf_kafka.c
	modified:   src/sfutil/sf_kafka.h
	modified:   src/output-plugins/spo_alert_json.c
…d let

librdkafka free it.
	deleted:    src/output-plugins/kafka/librdkafka.a
	deleted:    src/output-plugins/kafka/rdkafka.h
	modified:   src/sfutil/sf_kafka.c
	modified:   src/sfutil/sf_kafka.h
contained a blank space in arguments, surrounded by commas (", ,"). Now,
if the alert's proto is not valid, we don't send the comma.
	modified:   src/output-plugins/spo_alert_json.c
Bumped: build to 325

Add: Full support for sid-msg v2 format which
     enhanced by the following fields: gid, revision, classification, priority
     for each entry which allow pre-population of signature metadata by
     barnyard2 if database output is used.

Add: Signature Suppression support at the spooler level using
     configuration directive. See doc/README.sig_suppress

Add: Variable resolving/support in configuration file
     (generic variable.

Add: hostname and interface to possible CSV field
     Feature requested by: Phil Daws

Add: spo_database configuration keyword "disable_signature_reference_table"
     was added and reconnect_sleep_time, connection_limit defined in
     doc/README.database.

Fixed: Added extra check when generating sig_reference cache.
       (Martin Olsson)

Fixed: sid-msg.map and gen-msg.map double declaration issue (using
       command line and directive is now prohibited) [ will bail
       if both are used (-S and config sid_file OR -G and config
       gen_file.]

Fixed: syslog_full in complete mode IP information (Fäbu Hufi)

Fixed: database, could stop processing event when some ip options were
       null (John Naggets)

Fixed: Removed some database messages and move them to debug message if
       the proper debug flag is used.
Add: Support for proper signal handling.
Add: README info for google mailing lists.

Fixed: Compile issue when debug was enabled (missing , in some
DEBUG_WRAP code).

Fixed: Changed a few places where the snort literal was used instead of
barnyard2 and this could confuse some first time barnyard2 users.

Fixed: RPM spec file to point to good version (when needed)

Bumped: Build to 326

--github specific
Fixes firnsy#81
Fixes firnsy#73
Fixes firnsy#75

Close firnsy#82
Close firnsy#83
Close firnsy#80
Close firnsy#79
Close firnsy#78
Close firnsy#27
--github specific
/opt/rb/etc/{hosts,networks} files
	modified:   output-plugins/spo_alert_json.c
	modified:   output-plugins/spo_alert_json.c
	modified:   Makefile.am
	modified:   output-plugins/spo_alert_json.c
	modified:   src/sfutil/sf_kafka.c
configure script
	modified:   configure.in
	modified:   src/output-plugins/spo_alert_json.c
eugpermar and others added 30 commits February 15, 2016 10:11
Freeing memory at the end of barnyard2 execution
Example:
  "email_sender": "ejimenez@redborder.net",

Old format:
  "email_sender": "<ejimenez@redborder.net>",
Example:
"email_destinations":"[\"rcpt1@redborder.net\",\"rcpt2@redborder.net\",\"rcpt3@redborder.net\"]"
"email_destinations":"[\"malware@redborder.net>\"]"
…der/barnyard2 into Feature/Managing_ExtraData_fields
Before this, names containing the characters '\', '"' or control characters (<U+0020)
would be printed as invalid JSON. With this escape function, the output will be
valid JSON.
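The escaping rule that last commit message describes, as an added C illustration (not barnyard2's own spo_alert_json code): a check that flags a raw name that would break the JSON output, and a hypothetical json_escape() that applies the commit's rule for '\', '"' and control characters below U+0020.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if writing s raw inside a JSON string literal would yield invalid
 * JSON: a bare '"', a bare '\', or a control character below U+0020. */
int json_needs_escape(const char *s)
{
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (*p == '"' || *p == '\\' || *p < 0x20)
            return 1;
    }
    return 0;
}

/* Escape s for use inside a JSON string literal (quotes not added). Returns a
 * malloc'd string the caller frees, or NULL. Hypothetical, not barnyard2's. */
char *json_escape(const char *s)
{
    char *out = malloc(strlen(s) * 6 + 1); /* worst case: every byte -> \u00XX */
    if (out == NULL)
        return NULL;
    char *o = out;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        switch (*p) {
        case '"':  *o++ = '\\'; *o++ = '"';  break;
        case '\\': *o++ = '\\'; *o++ = '\\'; break;
        case '\n': *o++ = '\\'; *o++ = 'n';  break;
        case '\r': *o++ = '\\'; *o++ = 'r';  break;
        case '\t': *o++ = '\\'; *o++ = 't';  break;
        default:
            if (*p < 0x20)
                o += sprintf(o, "\\u%04x", (unsigned)*p); /* other controls */
            else
                *o++ = (char)*p;
        }
    }
    *o = '\0';
    return out;
}
int main(void)
{
    /* Constructed sample: a signature name carrying a quote and a newline. */
    char *esc = json_escape("ET \"test\" rule\n");
    if (esc == NULL) return 1;
    printf("{\"sig_name\":\"%s\"}\n", esc); /* now valid JSON */
    free(esc);
    return 0;
}
```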