Wednesday, April 10, 2013

Barnyard2 2-1.13-BETA is now available!

We are happy to announce the Availability of Barnyard2 2-1.13-BETA which can be downloaded from HERE: https://github.com/firnsy/barnyard2.git

This release is a bug fix release that also introduce a few new features and enhancements


=====================
UPGRADING REQUIREMENT
=====================
----------------------
If you are upgrading to barnyard2 2-1.13 Build 325 or above from a previous version  that is not 2-1.13 and using the output database.

***** We highly recommend ******
To delete every row in your sig_reference table. (DELETE FROM sig_reference;) The table will be re-populated at  process startup, and has no impact on historical data.
----------------------
=====================
UPGRADING REQUIREMENT
=====================





Feature request:
----------------
Phil Daws:        Add interface and hostname field to spo_alert_csv if specified.

Jorge Pinto:      spo_syslog_full support for ASCII,BASE64 payload

Jason Brvenik:  variables .....(a long time ago, sorry :P)

Martin Olsson:  Remove some useless verbosity unless ./configure --enable-debug is specified and proper flag are used (spo_database and sid-msg.mapv2)

*And all other barnyard2 users who help and contribute.

Bug report:
-----------
Martin Olsson:              - bug in sig_reference generation and good discussions.

John Eure and others   - autogen.sh could cause some issue on some system so [autoreconf -fv --install] is not set to autoreconf -fvi

John Naggets               - spo_database: could stop barnyard2 from processing new event if some packets with ip option where processed and option_len  was null.

Fäbu Hufi                     - spo_syslog_full: in complete mode was printing wrong ip version information and ip header length.

*And all other barnyard2 users who help and contribute.


New feature:
------------


Support for sid-msg.map Version 2 format.
-------
A new sig-msg.map format can be generated by pulledpok (upcoming release, already in svn). Detection of sid-msg.map version is done by a simple header in the  file that shouldn't be altered if you want it to be processed correctly.

sig-msg.map version 2 format extend the information already present in the sid-msg.map file created from rules.

This new format version allow signature  pre-population if users are using output database method with  barnyard2 2-1.13 and above.
______________________
sid-msg.map v1 format:
______________________
SID || MSG || REF 1 || REF N
sid := integer
msg := string
ref := string
______________________
sid-msg.map v2 format:
______________________
GID || SID || REV || CLASSIFICATION || PRIORITY || MSG || REF 1 || REF N
gid := integer
sid := integer
rev := integer
classification := string (if NULL set to NOCLASS)
priority := integer (if prio == 0, classification priority is used)
msg := string
ref := string
=====================
generator (GID, gen-msg.map) are defaulted to the following value if their information is not overruled in sid-msg.map v2 file via processing of preprocessor.rules:
revision 1
classification 0
priority 3
If generator message is present in the sid-msg.map v2 file, and gen-msg.map message are longer (more comprehensive by string length), gen-msg.map messages are used instead of sid-msg.map v2 file generator messages.
=====================
 -------


Signature/event logging suppression at spooler level
-------
Read doc/README.sig_suppression
configuration file Variables:
-------

Barnyard2 configuration Variables
 -------
You can now use [var VARNAME value] in the barnyard2 configuration file and every instance of $VARNAME will get replaced by value.
Note that variable declaration order is important only you include a variable in a variable.
EX (is VALID):
 var INTERFACE ethX
 var PATH /var/log/IDS
 var LOG $PATH/$INTERFACE/log
 var ARCHIVE $PATH/$INTERFACE/archive
 EX (is INVALID):
 var LOG $PATH/$INTERFACE/log
 var ARCHIVE $PATH/$INTERFACE/archive
 var INTERFACE ethX
 var PATH /var/log/IDS
 -------

new output database configuration keyword
-------

Keywords connection_limit and reconnect_sleep_time where added in 2-1.10 but where "undocumented" and shouldn't be modified unless you encounter connectivity issue.

connection_limit <integer>: default 10  - The maximum number of time that barnyard2 will
tolerate a transaction failure and or database connection failure.

reconnect_sleep_time <integer> : default 5 - The number of seconds to sleep between connection retry.

disable_signature_reference_table - Tell the output plugin not to synchronize the sig_reference table in the schema. This option will speedup the process, especially if you use sid-msg.mapv2 file or  have a lot of signature already in databases. (Make sure that you
do not need that information before enabling this)
 -------


Enjoy and do not hesitate to send feedback/suggestion/feature request.

The barnyard2 team.

No comments:

Post a Comment