We are happy to announce the availability of Barnyard2 2-1.13-BETA, which can be downloaded from here: https://github.com/firnsy/barnyard2.git
This release is a bug fix release that also introduces a few new features and enhancements.
=====================
UPGRADING REQUIREMENT
=====================
----------------------
If you are upgrading to barnyard2 2-1.13 Build 325 or above from a previous version that is not 2-1.13 and you are using the database output plugin:
***** We highly recommend ******
that you delete every row in your sig_reference table (DELETE FROM sig_reference;). The table will be re-populated at process startup, and this has no impact on historical data.
----------------------
=====================
UPGRADING REQUIREMENT
=====================
Feature request:
----------------
Phil Daws: add interface and hostname fields to spo_alert_csv if specified.
Jorge Pinto: spo_syslog_full support for ASCII and BASE64 payload output.
Jason Brvenik: configuration variables (requested a long time ago, sorry :P)
Martin Olsson: remove some useless verbosity unless ./configure --enable-debug is specified and the proper flags are used (spo_database and sid-msg.map v2).
*And all other barnyard2 users who help and contribute.
Bug report:
-----------
Martin Olsson: bug in sig_reference generation, and good discussions.
John Eure and others: autogen.sh could cause issues on some systems, so [autoreconf -fv --install] is now used instead of autoreconf -fvi.
John Naggets: spo_database could stop barnyard2 from processing new events if packets carrying an IP option were processed and option_len was null.
Fäbu Hufi: spo_syslog_full in complete mode was printing the wrong IP version information and IP header length.
*And all other barnyard2 users who help and contribute.
New feature:
------------
Support for the sid-msg.map version 2 format.
-------
A new sid-msg.map format can be generated by pulledpork (upcoming release, already in svn). The sid-msg.map version is detected by a simple header in the file that should not be altered if you want the file to be processed correctly.
The sid-msg.map version 2 format extends the information already present in the sid-msg.map file generated from the rules.
This new format version allows signature pre-population for users of the database output method with barnyard2 2-1.13 and above.
______________________
sid-msg.map v1 format:
______________________
SID || MSG || REF 1 || REF N
sid := integer
msg := string
ref := string
______________________
sid-msg.map v2 format:
______________________
GID || SID || REV || CLASSIFICATION || PRIORITY || MSG || REF 1 || REF N
gid := integer
sid := integer
rev := integer
classification := string (if NULL set to NOCLASS)
priority := integer (if prio == 0, classification priority is used)
msg := string
ref := string
=====================
Generators (GID, gen-msg.map) default to the following values if their information is not overridden in the sid-msg.map v2 file via processing of preprocessor.rules:
revision 1
classification 0
priority 3
If a generator message is present in the sid-msg.map v2 file and the gen-msg.map message is longer (more comprehensive by string length), the gen-msg.map message is used instead of the sid-msg.map v2 generator message.
=====================
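The two map layouts and the v2 defaults described above, as an added reference parser (this is example code written for this note, not barnyard2's own sid-msg.map loader). It assumes the version header is the literal line "#v2", that v1 entries belong to GID 1, and that priority 0 falls back to a constructed classification-to-priority table standing in for classification.config.

```python
from collections import namedtuple
from typing import Dict, Optional, Tuple
# Constructed classification -> priority table (barnyard2 reads this from classification.config).
CLASS_PRIORITY: Dict[str, int] = {"trojan-activity": 1, "attempted-recon": 2, "misc-activity": 3}
NOCLASS, DEFAULT_REV, DEFAULT_PRIORITY = "NOCLASS", 1, 3  # defaults listed in the release note

SigEntry = namedtuple("SigEntry", "gid sid rev classification priority msg refs")

def detect_version(first_line: str) -> int:
    # ASSUMPTION: the version header is the literal line "#v2"; any other file is treated as v1.
    return 2 if first_line.strip() == "#v2" else 1

def parse_line(line: str, version: int) -> Optional[SigEntry]:
    line = line.strip()
    if not line or line.startswith("#"):
        return None  # blank line or comment (the header is also a comment line)
    f = [x.strip() for x in line.split("||")]
    if version == 1:  # SID || MSG || REF 1 || REF N
        if len(f) < 2:
            raise ValueError(f"malformed v1 line: {line!r}")
        # v1 has no gid/rev/classification/priority: assume gid 1 and the listed defaults.
        return SigEntry(1, int(f[0]), DEFAULT_REV, NOCLASS, DEFAULT_PRIORITY, f[1], f[2:])
    if len(f) < 6:  # GID || SID || REV || CLASSIFICATION || PRIORITY || MSG || REF 1 || REF N
        raise ValueError(f"malformed v2 line: {line!r}")
    classification = NOCLASS if f[3] in ("", "NULL") else f[3]  # "if NULL set to NOCLASS"
    priority = int(f[4])
    if priority == 0:  # "if prio == 0, classification priority is used"
        priority = CLASS_PRIORITY.get(classification, DEFAULT_PRIORITY)
    return SigEntry(int(f[0]), int(f[1]), int(f[2]), classification, priority, f[5], f[6:])

def parse_sid_msg_map(text: str) -> Dict[Tuple[int, int], SigEntry]:
    lines = text.splitlines()
    version = detect_version(lines[0]) if lines else 1
    entries: Dict[Tuple[int, int], SigEntry] = {}
    for line in lines:
        entry = parse_line(line, version)
        if entry is not None:
            entries[(entry.gid, entry.sid)] = entry  # a later duplicate (gid, sid) overrides
    return entries

# Constructed sample files, not real rule data.
V2_SAMPLE = """#v2
1 || 2000001 || 3 || trojan-activity || 0 || Constructed trojan beacon || url,example.com/a
1 || 2000002 || 1 || NULL || 2 || Constructed misc alert
"""
V1_SAMPLE = "2000003 || Constructed v1 alert || url,example.com/b\n"

if __name__ == "__main__":
    for key, e in parse_sid_msg_map(V2_SAMPLE).items():
        print(key, e.classification, e.priority, e.msg, e.refs)
```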
-------
Signature/event logging suppression at spooler level
-------
Read doc/README.sig_suppression
-------
Barnyard2 configuration file variables
-------
You can now use [var VARNAME value] in the barnyard2 configuration file, and every instance of $VARNAME will be replaced by value.
Note that variable declaration order matters only if you reference a variable inside another variable's value.
EX (is VALID):
var INTERFACE ethX
var PATH /var/log/IDS
var LOG $PATH/$INTERFACE/log
var ARCHIVE $PATH/$INTERFACE/archive
EX (is INVALID):
var LOG $PATH/$INTERFACE/log
var ARCHIVE $PATH/$INTERFACE/archive
var INTERFACE ethX
var PATH /var/log/IDS
-------
new output database configuration keyword
-------
Keywords connection_limit and reconnect_sleep_time were added in 2-1.10 but were "undocumented"; they should not be modified unless you encounter connectivity issues.
connection_limit <integer>: default 10 - The maximum number of times that barnyard2 will tolerate a transaction failure and/or database connection failure.
reconnect_sleep_time <integer>: default 5 - The number of seconds to sleep between connection retries.
disable_signature_reference_table - Tells the output plugin not to synchronize the sig_reference table in the schema. This option speeds up processing, especially if you use a sid-msg.map v2 file or already have a lot of signatures in the database. (Make sure that you do not need that information before enabling this.)
-------
Enjoy, and do not hesitate to send feedback, suggestions, or feature requests.
The barnyard2 team.