From 00a9df19faed0d4d45c4be97b1048e95d2f6c091 Mon Sep 17 00:00:00 2001 From: Eric Lauzon Date: Fri, 23 Aug 2013 22:31:29 -0400 Subject: [PATCH 1/2] 2-1.13 Release fixes, Fix: fixed the presence of snort in a literal warning the users about the plugin being built without proper database support. Fix: fixed endianness return value of some error cases in int CheckDBVersion(DatabaseData * data) Esthetic: Rewrote a condition check in dbProcessSignatureInformation(), has no impact on evaluation of the if statement. Fix: compile of spo_alert_fwsam with --enable-debug and --enable-ipv6 Fix: Issue where stream was not completely logged due to a mergeconf boolean error Fix: Add handling for presence of #v1 tag in sid-msg.map file (pulledpork swine flu) Fix: cache lookup (all metadata) could be wrongly interpreted due to substring being looked up (either already cached data or lookup data). Added a function to return always the largest string length, supersedes previous incomplete fix applied only for reference. Bump: build version to 333. --- src/barnyard2.c | 15 +++++--- src/barnyard2.h | 5 ++- src/map.c | 6 ++- src/output-plugins/spo_alert_fwsam.c | 2 + src/output-plugins/spo_database.c | 18 ++++----- src/output-plugins/spo_database_cache.c | 49 ++++++++++++++++++++----- src/parser.c | 4 ++ 7 files changed, 73 insertions(+), 26 deletions(-) diff --git a/src/barnyard2.c b/src/barnyard2.c index d6f41e9..61f689e 100644 --- a/src/barnyard2.c +++ b/src/barnyard2.c
@@ -1796,14 +1796,19 @@ static Barnyard2Config * MergeBarnyard2Confs(Barnyard2Config *cmd_line, Barnyard if (cmd_line->pid_path[0] != '\0') ConfigPidPath(config_file, cmd_line->pid_path); - if( (config_file->alert_on_each_packet_in_stream_flag == 0) && - (cmd_line->alert_on_each_packet_in_stream_flag == 1)) + if( config_file->alert_on_each_packet_in_stream_flag == 0) { - config_file->alert_on_each_packet_in_stream_flag = 0; + LogMessage("[INFO]: Alerting on each packet in stream has been disabled by configuration file,\n" + "\tevents will only be outputed for the first matching event/packet,\n" + "\tfurther packets matching previous processed events will be ignored"); } - else + else if( cmd_line->alert_on_each_packet_in_stream_flag == 0 ) { - config_file->alert_on_each_packet_in_stream_flag = cmd_line->alert_on_each_packet_in_stream_flag; + LogMessage("[INFO]: Alerting on each packet in stream has been disabled by command line option,\n" + "\tevents will only be outputed for the first matching event/packet,\n" + "\tfurther packets matching previous processed events will be ignored"); + + config_file->alert_on_each_packet_in_stream_flag = cmd_line->alert_on_each_packet_in_stream_flag; } config_file->process_new_records_only_flag = cmd_line->process_new_records_only_flag; diff --git a/src/barnyard2.h b/src/barnyard2.h index 0039d42..5a939f2 100644 --- a/src/barnyard2.h +++ b/src/barnyard2.h @@ -63,7 +63,7 @@ #define VER_MAJOR "2" #define VER_MINOR "1" #define VER_REVISION "13" -#define VER_BUILD "327" +#define VER_BUILD "333" #define STD_BUF 1024 @@ -132,7 +132,8 @@ /* SIDMAP V2 */ -#define SIDMAPV2STRING "v2\n" +#define SIDMAPV1STRING "v1" +#define SIDMAPV2STRING "v2" #define SIDMAPV1 0x01 #define SIDMAPV2 0x02 /* SIDMAP V2 */ diff --git a/src/map.c b/src/map.c index 7869001..95672c8 100644 --- a/src/map.c +++ b/src/map.c 
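Review bot: The rewritten merge silently depends on what `cmd_line->alert_on_each_packet_in_stream_flag` holds when the option is not given on the command line, and that default is not visible here. The parser.c hunk in this same patch initialises `bc->alert_on_each_packet_in_stream_flag=1` for the config-file object only; if the command-line object is zero-initialised rather than built through ParseBarnyard2Conf, the `else if` branch fires on every run without the option and turns per-packet alerting off again — confirm where cmd_line gets its default, or test an explicit "option seen" flag instead of the value. The first branch also never looks at cmd_line, so the command line cannot re-enable what the config file disabled; if that is intended, the log text should say so. Both new LogMessage literals lack a trailing `\n`, unlike the other LogMessage calls in this series, and misspell "outputted"; suggest `"\tfurther packets matching previous processed events will be ignored\n"` for the last fragment of each. MergeBarnyard2Confs continues outside the hunk.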
@@ -722,7 +722,11 @@ int ReadSidFile(Barnyard2Config *bc) if(*index == '#') { index++; - if( strncasecmp(index,SIDMAPV2STRING,strlen(SIDMAPV2STRING)) == 0) + if(strncasecmp(index,SIDMAPV1STRING,strlen(SIDMAPV1STRING)) == 0) + { + bc->sidmap_version=SIDMAPV1; + } + else if( strncasecmp(index,SIDMAPV2STRING,strlen(SIDMAPV2STRING)) == 0) { bc->sidmap_version=SIDMAPV2; continue; diff --git a/src/output-plugins/spo_alert_fwsam.c b/src/output-plugins/spo_alert_fwsam.c index 3223274..a900722 100644 --- a/src/output-plugins/spo_alert_fwsam.c +++ b/src/output-plugins/spo_alert_fwsam.c @@ -895,6 +895,7 @@ void FWsamNewStationKey(FWsamStation *station,FWsamPacket *packet) * unlike inet_ntoa which keeps only one. This is used for (s)printf's were two IP * addresses are printed. */ +/* char *inettoa(unsigned long ip) { struct in_addr ips; @@ -906,6 +907,7 @@ char *inettoa(unsigned long ip) strncpy(addr[toggle],inet_ntoa(ips),18); return addr[toggle]; } +*/ #endif diff --git a/src/output-plugins/spo_database.c b/src/output-plugins/spo_database.c index 5784a93..19d66fe 100644 --- a/src/output-plugins/spo_database.c +++ b/src/output-plugins/spo_database.c @@ -1043,7 +1043,7 @@ void ParseDatabaseArgs(DatabaseData *data) !strncasecmp(type, KEYWORD_MSSQL, strlen(KEYWORD_MSSQL)) || !strncasecmp(type, KEYWORD_ORACLE, strlen(KEYWORD_ORACLE)) ) { - ErrorMessage("ERROR database: '%s' support is not compiled into this build of snort\n\n", type); + ErrorMessage("ERROR database: '%s' support is not compiled into this build of barnyard2\n\n", type); FatalError(FATAL_NO_SUPPORT_1, type, type, type, FATAL_NO_SUPPORT_2); } else 
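Review bot: The new `#v1` branch sets `bc->sidmap_version` but, unlike the `#v2` branch directly below it, does not `continue`, so control runs on into whatever follows the if/else for this comment line; if the rest of the loop body treats it as an ordinary comment that may be harmless, but the asymmetry looks accidental — confirm, and add the `continue;` if the two tags are meant to behave alike. Because barnyard2.h now defines `SIDMAPV1STRING`/`SIDMAPV2STRING` as bare `"v1"`/`"v2"` (the old value carried a trailing newline), the `strncasecmp` prefix test accepts any comment whose first two characters are those, e.g. a constructed line `#v10 ...` or `#V2-notes`; checking that `index[strlen(SIDMAPV1STRING)]` is `'\0'`, `'\n'` or whitespace would make the tag match exact. ReadSidFile continues outside the hunk.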
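Review bot: Disabling `inettoa` by wrapping it in `/* ... */` is fragile: C block comments do not nest, so if any of the body lines between the two spo_alert_fwsam.c hunks (old lines 901–905, not shown) contains a `/* ... */` comment, the outer comment closes early and the `--enable-ipv6` build this patch is meant to repair breaks again in a different place. If the function is genuinely dead in that configuration, either delete it or bracket it with `#if 0` / `#endif`, which nests correctly and is consistent with the `#endif` that already follows the closing brace. The `+*/` line in the second fwsam hunk (`-906`) is the other half of the same change.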
@@ -1501,14 +1501,14 @@ int dbProcessSignatureInformation(DatabaseData *data,void *event, u_int32_t even } /* If we have an "uninitialized signature save it */ - if( (data->mc.plgSigCompare[x].cacheSigObj->obj.rev == 0) || - (data->mc.plgSigCompare[x].cacheSigObj->obj.rev < revision) || + if( ( (data->mc.plgSigCompare[x].cacheSigObj->obj.rev == 0) || + (data->mc.plgSigCompare[x].cacheSigObj->obj.rev < revision)) || /* So we have a signature that was inserted, probably a preprocessor signature, but it has probably never been logged before lets set it as a temporary unassigned signature */ ((data->mc.plgSigCompare[x].cacheSigObj->obj.rev == revision) && - (data->mc.plgSigCompare[x].cacheSigObj->obj.class_id == 0 || - (data->mc.plgSigCompare[x].cacheSigObj->obj.priority_id == 0)))) + ( data->mc.plgSigCompare[x].cacheSigObj->obj.class_id == 0 || + data->mc.plgSigCompare[x].cacheSigObj->obj.priority_id == 0))) { memcpy(&unInitSig,data->mc.plgSigCompare[x].cacheSigObj,sizeof(cacheSignatureObj)); @@ -3130,7 +3130,7 @@ int CheckDBVersion(DatabaseData * data) if( (SnortSnprintf(data->SQL_SELECT, MAX_QUERY_LENGTH, "SELECT vseq FROM [schema]")) != SNORT_SNPRINTF_SUCCESS) { - return -1; + return 1; } } else @@ -3146,7 +3146,7 @@ int CheckDBVersion(DatabaseData * data) if( (SnortSnprintf(data->SQL_SELECT, MAX_QUERY_LENGTH, "SELECT vseq FROM `schema`")) != SNORT_SNPRINTF_SUCCESS) { - return -1; + return 1; } } else @@ -3155,7 +3155,7 @@ int CheckDBVersion(DatabaseData * data) if( (SnortSnprintf(data->SQL_SELECT, MAX_QUERY_LENGTH, "SELECT vseq FROM schema")) != SNORT_SNPRINTF_SUCCESS) { - return -1; + return 1; } } } 
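Review bot: Changing the three SnortSnprintf failure paths in CheckDBVersion from `return -1` to `return 1` alters the value callers see, and nothing in the hunks records what the function's return contract now is; the commit message calls this an endianness fix, but a negative `int` return is not endianness-dependent, so the more plausible story is that a caller stores or compares the result as an unsigned type (where `-1` became 0xFFFFFFFF) — that caller is outside these hunks, so confirm. Whatever the reason, a one-line comment at the function head would stop the next person from reverting it, e.g. `/* Returns 0 on success, 1 on failure -- never negative */`, after checking that wording against the remaining return statements of the function, which are not in view. The same `-1` to `1` change is made in the `-3146` and `-3155` hunks.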
@@ -4464,7 +4464,7 @@ void DatabasePrintUsage(void) puts(" The configuration I am currently using is MySQL with the database"); puts(" name of \"snort\". The user \"snortusr@localhost\" has INSERT and SELECT"); puts(" privileges on the \"snort\" database and does not require a password."); - puts(" The following line enables snort to log to this database.\n"); + puts(" The following line enables barnyard2 to log to this database.\n"); puts(" output database: log, mysql, dbname=snort user=snortusr host=localhost\n"); } diff --git a/src/output-plugins/spo_database_cache.c b/src/output-plugins/spo_database_cache.c index 4e7e838..3206871 100644 --- a/src/output-plugins/spo_database_cache.c +++ b/src/output-plugins/spo_database_cache.c @@ -106,8 +106,31 @@ u_int32_t CacheSynchronize(DatabaseData *data); void MasterCacheFlush(DatabaseData *data,u_int32_t flushFlag); /* Destructor */ +/* Return largest string lenght */ +inline u_int32_t glsl(char *a,char *b) +{ + u_int32_t alen = 0; + u_int32_t blen = 0; + + alen = strlen(a); + blen = strlen(b); + + if(alen > blen) + { + return alen; + } + else if(alen < blen) + { + return blen; + } + if(alen == blen) + { + return alen; + } - + abort(); + return 0; +} #if DEBUG u_int32_t file_reference_object_count = 0; @@ -235,7 +258,9 @@ u_int32_t cacheSignatureLookup(dbSignatureObj *iLookup,cacheSignatureObj *iHead) while(iHead != NULL) { - if( (strncasecmp(iLookup->message,iHead->obj.message,strlen(iHead->obj.message)) == 0) && + + if( (strncasecmp(iLookup->message,iHead->obj.message, + glsl(iLookup->message,iHead->obj.message)) == 0) && (iLookup->sid == iHead->obj.sid) && (iLookup->gid == iHead->obj.gid) && (iLookup->rev == iHead->obj.rev)) 
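Review bot: `glsl` is declared plain `inline` at file scope in a `.c` file; under C99 semantics that is an inline definition with no external definition, so any call the compiler chooses not to inline fails at link time (gnu89 treats it differently, which may be why it builds locally) — make it `static inline`. The body is also more than it needs to be: the three comparisons, the `abort()` and the unreachable `return 0` reduce to one conditional expression, the parameters can be `const char *`, and the `size_t` results of `strlen` are narrowed to `u_int32_t` without a cast. A slimmer version that keeps the name and return type is below. Note also that every caller in this file uses the result only as the length bound of `strncasecmp`, which makes the helper redundant altogether (see the cacheSignatureLookup hunk).
```c
/* Return the length of the longer of two NUL-terminated strings. */
static inline u_int32_t glsl(const char *a, const char *b)
{
    size_t alen = strlen(a);
    size_t blen = strlen(b);

    return (u_int32_t)(alen > blen ? alen : blen);
}
```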
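Review bot: `strncasecmp(x, y, glsl(x, y)) == 0` is exactly `strcasecmp(x, y) == 0`: strncasecmp stops at the first NUL in either string, so once the bound is at least the longer length it can never cut the comparison short, and the only thing the helper adds is two extra `strlen` passes over every cache node visited. The substring defect the commit describes is real (bounding by one side's length let `"abc"` match `"abcd"`), but the direct fix is `if( (strcasecmp(iLookup->message,iHead->obj.message) == 0) &&`, which is also harder to misread than the split call. The same replacement applies to the cacheSignatureGetObject, cacheReferenceLookup, dbReferenceLookup, dbSystemLookup, dbSignatureLookup and dbClassificationLookup hunks. Neither form guards against a NULL `message`/`ref_tag`; the previous code did not either, but if those fields can be NULL for preprocessor events the lookup dereferences it before comparing — confirm against how dbSignatureObj is populated.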
@@ -277,7 +302,8 @@ cacheSignatureObj * cacheSignatureGetObject(dbSignatureObj *iLookup,cacheSignatu while(iHead != NULL) { - if( (strncasecmp(iLookup->message,iHead->obj.message,strlen(iHead->obj.message)) == 0) && + if( (strncasecmp(iLookup->message,iHead->obj.message, + glsl(iLookup->message,iHead->obj.message)) == 0) && (iLookup->sid == iHead->obj.sid) && (iLookup->gid == iHead->obj.gid) && (iLookup->rev == iHead->obj.rev)) @@ -420,7 +446,8 @@ u_int32_t cacheReferenceLookup(dbReferenceObj *iLookup,cacheReferenceObj *iHead, while(iHead != NULL) { - if( (strncasecmp(iLookup->ref_tag,iHead->obj.ref_tag,strlen(iLookup->ref_tag)) == 0)) + if( (strncasecmp(iLookup->ref_tag,iHead->obj.ref_tag, + glsl(iLookup->ref_tag,iHead->obj.ref_tag)) == 0)) { /* Match */ *retRefLookupNode = iHead; @@ -526,7 +553,8 @@ u_int32_t dbReferenceLookup(dbReferenceObj *iLookup,cacheReferenceObj *iHead) while(iHead != NULL) { - if( (strncasecmp(iLookup->ref_tag,iHead->obj.ref_tag,strlen(iHead->obj.ref_tag)) == 0)) + if( (strncasecmp(iLookup->ref_tag,iHead->obj.ref_tag, + glsl(iLookup->ref_tag,iHead->obj.ref_tag))) == 0) { /* Found */ if(iHead->flag & CACHE_INTERNAL_ONLY) @@ -577,7 +605,8 @@ u_int32_t dbSystemLookup(dbSystemObj *iLookup,cacheSystemObj *iHead) while(iHead != NULL) { - if((strncasecmp(iLookup->ref_system_name,iHead->obj.ref_system_name,strlen(iHead->obj.ref_system_name)) == 0)) + if((strncasecmp(iLookup->ref_system_name,iHead->obj.ref_system_name, + glsl(iLookup->ref_system_name,iHead->obj.ref_system_name))) == 0) { /* Found */ if( iHead->flag & CACHE_INTERNAL_ONLY) @@ -631,7 +660,8 @@ u_int32_t dbSignatureLookup(dbSignatureObj *iLookup,cacheSignatureObj *iHead) while(iHead != NULL) { - if( (strncasecmp(iLookup->message,iHead->obj.message,strlen(iHead->obj.message)) == 0) && + if( (strncasecmp(iLookup->message,iHead->obj.message, + glsl(iLookup->message,iHead->obj.message)) == 0) && (iLookup->sid == iHead->obj.sid) && (iLookup->gid == iHead->obj.gid)) { 
@@ -718,7 +748,8 @@ u_int32_t dbClassificationLookup(dbClassificationObj *iLookup,cacheClassificatio while(iHead != NULL) { - if( (strncasecmp(iLookup->sig_class_name,iHead->obj.sig_class_name,strlen(iHead->obj.sig_class_name)) == 0)) + if( (strncasecmp(iLookup->sig_class_name,iHead->obj.sig_class_name, + glsl(iLookup->sig_class_name,iHead->obj.sig_class_name)) == 0)) { /* Found */ if( iHead->flag & CACHE_INTERNAL_ONLY) @@ -1810,7 +1841,7 @@ u_int32_t ClassificationPopulateDatabase(DatabaseData *data,cacheClassification { if(cacheHead->flag & CACHE_INTERNAL_ONLY) { - + #if DEBUG inserted_classification_object_count++; #endif diff --git a/src/parser.c b/src/parser.c index f0e85a1..13096f1 100644 --- a/src/parser.c +++ b/src/parser.c @@ -284,9 +284,13 @@ Barnyard2Config * ParseBarnyard2Conf(void) /* Need to set this for plugin configurations since they're using * lists of callbacks */ barnyard2_conf_for_parsing = bc; + InitParser(); + /* By default */ + bc->alert_on_each_packet_in_stream_flag=1; + /* We're not going to parse rules on the first pass */ parse_rules = 0; From ec11f84996d7c0648a447a2f40b42ef8fc2d7e9e Mon Sep 17 00:00:00 2001 From: Ovidiu Stanila Date: Tue, 10 Jun 2014 15:43:32 +0300 Subject: [PATCH 2/2] Implemented possibility to set MySQL wait_timeout using mysql_wait configuration variable. --- src/output-plugins/spo_database.c | 35 +++++++++++++++++++++++++++++++ src/output-plugins/spo_database.h | 5 +++-- 2 files changed, 38 insertions(+), 2 deletions(-) diff --git a/src/output-plugins/spo_database.c b/src/output-plugins/spo_database.c index 19d66fe..c1c8786 100644 --- a/src/output-plugins/spo_database.c +++ b/src/output-plugins/spo_database.c 
@@ -1188,6 +1188,11 @@ void ParseDatabaseArgs(DatabaseData *data) { data->dbRH[DB_MYSQL].mysql_reconnect =1; } + else if(!strncasecmp(dbarg, KEYWORD_MYSQL_WAIT, strlen(KEYWORD_MYSQL_WAIT))) + { + data->dbRH[DB_MYSQL].mysql_wait = strtoul(a1,NULL,10); + LogMessage("INFO database: Setting MySQL wait_timeout to %u. \n", data->dbRH[DB_MYSQL].mysql_wait); + } #endif #ifdef ENABLE_POSTGRESQL @@ -1278,6 +1283,14 @@ void ParseDatabaseArgs(DatabaseData *data) data->dbRH[data->dbtype_id].dbReconnectSleepTime.tv_sec = 5; } +#ifdef ENABLE_MYSQL + if(data->dbRH[data->dbtype_id].mysql_wait == 0) + { + LogMessage("INFO database: Defaulting MySQL wait_timeout to 28800 \n"); + data->dbRH[data->dbtype_id].mysql_wait = 28800; + } +#endif + return; } @@ -4049,6 +4062,17 @@ void Connect(DatabaseData * data) FatalError("database Connection to database '%s' failed\n", data->dbname); } + /* Setting connection timeout to defined value */ + char SessionSQL[50]; + sprintf(SessionSQL, "/*!40101 set @@session.wait_timeout=%u */", data->dbRH[data->dbtype_id].mysql_wait); + if (mysql_options(data->m_sock, MYSQL_INIT_COMMAND, SessionSQL) != 0) + { + LogMessage("database: Failed to set SESSION wait_timeout option: %s\n", mysql_error(data->m_sock)); + mysql_close(data->m_sock); + data->m_sock = NULL; + return; + } + /* check if we want to connect with ssl options */ if (data->use_ssl == 1) { @@ -4776,6 +4800,17 @@ u_int32_t MYSQL_ManualConnect(DatabaseData *dbdata) dbdata->dbname); } + /* Setting connection timeout to defined value */ + char SessionSQL[50]; + sprintf(SessionSQL, "/*!40101 set @@session.wait_timeout=%u */", dbdata->dbRH[dbdata->dbtype_id].mysql_wait); + if (mysql_options(dbdata->m_sock, MYSQL_INIT_COMMAND, SessionSQL) != 0) + { + LogMessage("database: Failed to set SESSION wait_timeout option: %s\n", mysql_error(dbdata->m_sock)); + mysql_close(dbdata->m_sock); + dbdata->m_sock = NULL; + return 1; + } + /* check if we want to connect with ssl options */ if (dbdata->use_ssl == 1) { 
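Review bot: `strtoul(a1,NULL,10)` accepts the setting without any validation: a non-numeric or empty value yields 0 (which the later default silently turns into 28800, hiding the typo), `"-1"` becomes a huge unsigned value, and anything above 32 bits is truncated on assignment to the `u_int32_t` field with no message to the operator. Since the value is later formatted straight into a `SET @@session.wait_timeout` statement, parse it with an end pointer and `errno` and reject anything that is not a plain decimal integer, e.g. `errno = 0; char *end; unsigned long v = strtoul(a1, &end, 10); if (end == a1 || *end != '\0' || errno == ERANGE || v > UINT32_MAX) FatalError("database: invalid mysql_wait value '%s'\n", a1);` (adjust the `*end` test if a1 can carry trailing whitespace). The defaulting hunk a few lines later (`-1278`) sits inside `#ifdef ENABLE_MYSQL` but is not conditioned on the backend, so a configuration using another database in a build with MySQL compiled in will still set and log a MySQL default; guard it with `data->dbtype_id == DB_MYSQL`. ParseDatabaseArgs extends well beyond both hunks.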
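Review bot: `mysql_options(..., MYSQL_INIT_COMMAND, ...)` is a pre-connect option — the client library runs the stored statement during a subsequent `mysql_real_connect()` or an automatic reconnect — and this hunk sets it after the connection is already up (the `FatalError("database Connection to database '%s' failed\n", ...)` just above only makes sense once connect has returned), so on the initial session `wait_timeout` is never changed; to apply it now, issue the statement with `mysql_query()` on the open handle, keeping `mysql_options` only if the reconnect case is wanted too. The `sprintf` into `char SessionSQL[50]` fits with zero slack (39 literal characters, up to ten digits for `%u`, and the terminator make exactly 50), so any future edit to the literal overflows a stack buffer; use `snprintf` with `sizeof` and check the result. On the failure path `Connect` is `void`, so the caller cannot tell that `m_sock` was closed and NULLed here, whereas every other failure in this function reaches `FatalError` — either keep that convention or document that callers must check `data->m_sock`. The same three points apply to the MYSQL_ManualConnect hunk (`-4776`), which does at least return 1; both functions continue outside their hunks.
```c
    /* Apply the configured wait_timeout to the session that was just opened;
       MYSQL_INIT_COMMAND alone only takes effect on a later (re)connect. */
    char SessionSQL[64];
    int slen = snprintf(SessionSQL, sizeof SessionSQL,
                        "/*!40101 set @@session.wait_timeout=%u */",
                        (unsigned)data->dbRH[data->dbtype_id].mysql_wait);
    if (slen < 0 || (size_t)slen >= sizeof SessionSQL ||
        mysql_options(data->m_sock, MYSQL_INIT_COMMAND, SessionSQL) != 0 ||
        mysql_query(data->m_sock, SessionSQL) != 0)
    {
        LogMessage("database: Failed to set SESSION wait_timeout option: %s\n", mysql_error(data->m_sock));
        mysql_close(data->m_sock);
        data->m_sock = NULL;
        return;
    }
    /* … unchanged: ssl option handling … */
```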
diff --git a/src/output-plugins/spo_database.h b/src/output-plugins/spo_database.h index d5e21eb..6a8606f 100644 --- a/src/output-plugins/spo_database.h +++ b/src/output-plugins/spo_database.h @@ -358,6 +358,7 @@ typedef struct _dbReliabilityHandle unsigned long pThreadID; /* Used to store thread information and know if we "reconnected automaticaly" */ my_bool mysql_reconnect; /* We will handle it via the api. */ + u_int32_t mysql_wait; /* MySQL wait_timeout */ #endif /* ENABLE_MYSQL */ #ifdef ENABLE_POSTGRESQL @@ -500,14 +501,14 @@ typedef struct _DatabaseData #define KEYWORD_RECONNECT_SLEEP_TIME "reconnect_sleep_time" #define KEYWORD_DISABLE_SIGREFTABLE "disable_signature_reference_table" -#define KEYWORD_MYSQL_RECONNECT "mysql_reconnect" - #ifdef ENABLE_MYSQL # define KEYWORD_SSL_KEY "ssl_key" # define KEYWORD_SSL_CERT "ssl_cert" # define KEYWORD_SSL_CA "ssl_ca" # define KEYWORD_SSL_CA_PATH "ssl_ca_path" # define KEYWORD_SSL_CIPHER "ssl_cipher" +# define KEYWORD_MYSQL_RECONNECT "mysql_reconnect" +# define KEYWORD_MYSQL_WAIT "mysql_wait" #endif #ifdef ENABLE_POSTGRESQL