diff --git a/README b/README index c48656f..e1115a1 100644 --- a/README +++ b/README @@ -3,7 +3,7 @@ 0. SUMMARY ------------------------------------------------------------------------------ -Barnyard2 - version 2-1.13 +Barnyard2 - version 2-1.14 This README contains some quick information about how to set up and configure barnyard2 to ensure it works as it should. diff --git a/src/barnyard2.h b/src/barnyard2.h index add29ed..b063225 100644 --- a/src/barnyard2.h +++ b/src/barnyard2.h @@ -63,7 +63,7 @@ #define VER_MAJOR "2" #define VER_MINOR "1" #define VER_REVISION "14" -#define VER_BUILD "335" +#define VER_BUILD "336" #define STD_BUF 1024 diff --git a/src/spooler.c b/src/spooler.c index d1b1052..c92a1cb 100644 --- a/src/spooler.c +++ b/src/spooler.c @@ -61,8 +61,8 @@ int spoolerCloseWaldo(Waldo *); int spoolerPacketCacheAdd(Spooler *, Packet *); int spoolerPacketCacheClear(Spooler *); -int spoolerEventCachePush(Spooler *, uint32_t, void *); -EventRecordNode * spoolerEventCacheGetByEventID(Spooler *, uint32_t); +int spoolerEventCachePush(Spooler *, uint32_t, void *,uint32_t,uint32_t); +EventRecordNode * spoolerEventCacheGetByEventID(Spooler *, uint32_t,uint32_t); EventRecordNode * spoolerEventCacheGetHead(Spooler *); uint8_t spoolerEventCacheHeadUsed(Spooler *); int spoolerEventCacheClean(Spooler *); @@ -713,14 +713,17 @@ void spoolerProcessRecord(Spooler *spooler, int fire_output) pc.total_unknown++; } + /* convert event id once */ + uint32_t event_id = 0x0000ffff & ntohl(((Unified2CacheCommon *)spooler->record.data)->event_id); + uint32_t event_second = ntohl( ((Unified2CacheCommon *)spooler->record.data)->event_second); + + /* check if it's packet */ if (type == UNIFIED2_PACKET) { - /* convert event id once */ - uint32_t event_id = ntohl(((Unified2Packet *)spooler->record.data)->event_id); /* check if there is a previously cached event that matches this event id */ - ernCache = spoolerEventCacheGetByEventID(spooler, event_id); + ernCache = spoolerEventCacheGetByEventID(spooler, event_id,event_second); /* allocate space for the packet and construct the packet header */ spooler->record.pkt = SnortAlloc(sizeof(Packet)); @@ -826,7 +829,7 @@ void spoolerProcessRecord(Spooler *spooler, int fire_output) } /* cache new data */ - spoolerEventCachePush(spooler, type, spooler->record.data); + spoolerEventCachePush(spooler, type, spooler->record.data,event_id,event_second); spooler->record.data = NULL; /* waldo operations occur after the output plugins are called */ @@ -865,11 +868,13 @@ void spoolerProcessRecord(Spooler *spooler, int fire_output) spoolerEventCacheClean(spooler); } -int spoolerEventCachePush(Spooler *spooler, uint32_t type, void *data) +int spoolerEventCachePush(Spooler *spooler, uint32_t type, void *data,u_int32_t event_id,u_int32_t event_second) { EventRecordNode *ernNode; - - DEBUG_WRAP(DebugMessage(DEBUG_SPOOLER,"Caching event...\n");); + DEBUG_WRAP(DebugMessage(DEBUG_SPOOLER,"[%s], Caching event id[%u] second[%u] \n", + __FUNCTION__, + event_id, + event_second);); /* allocate memory */ ernNode = (EventRecordNode *)SnortAlloc(sizeof(EventRecordNode)); @@ -878,6 +883,9 @@ int spoolerEventCachePush(Spooler *spooler, uint32_t type, void *data) ernNode->used = 0; ernNode->type = type; ernNode->data = data; + + ernNode->event_id = event_id; + ernNode->event_second = event_second; /* add new events to the front of the cache */ ernNode->next = spooler->event_cache; @@ -890,14 +898,18 @@ int spoolerEventCachePush(Spooler *spooler, uint32_t type, void *data) return 0; } -EventRecordNode *spoolerEventCacheGetByEventID(Spooler *spooler, uint32_t event_id) +EventRecordNode *spoolerEventCacheGetByEventID(Spooler *spooler,uint32_t event_id,uint32_t event_second) { EventRecordNode *ernCurrent = spooler->event_cache; - + while (ernCurrent != NULL) { - if ( ntohl(((Unified2EventCommon *)ernCurrent->data)->event_id) == event_id ) + if ( (ernCurrent->event_id == event_id) && + (ernCurrent->event_second == event_second)) { + ernCurrent->time_used++; + DEBUG_WRAP(DebugMessage(DEBUG_SPOOLER,"[%s], Using cached event[%d] event second [%d] \n", + __FUNCTION__,event_id,event_second);); return ernCurrent; } @@ -928,6 +940,9 @@ int spoolerEventCacheClean(Spooler *spooler) EventRecordNode *ernCurrent = NULL; EventRecordNode *ernPrev = NULL; EventRecordNode *ernNext = NULL; + EventRecordNode *ernCandidate = NULL; + EventRecordNode *ernCandidateNext = NULL; + EventRecordNode *ernCandidatePrev = NULL; if (spooler == NULL || spooler->event_cache == NULL ) return 1; @@ -935,44 +950,64 @@ int spoolerEventCacheClean(Spooler *spooler) ernPrev = spooler->event_cache; ernCurrent = spooler->event_cache; - while (ernCurrent != NULL && spooler->events_cached > barnyard2_conf->event_cache_size ) + if(spooler->events_cached > barnyard2_conf->event_cache_size) { - ernNext = ernCurrent->next; + while (ernCurrent != NULL) + { + ernNext = ernCurrent->next; + if(ernCurrent->used == 1 && ernCurrent->time_used >=1) + { + ernCandidateNext = ernNext; + ernCandidatePrev = ernPrev; + ernCandidate=ernCurrent; + } + + if(ernCurrent != NULL) + { + ernPrev = ernCurrent; + } + + ernCurrent = ernNext; + } - if ( ernCurrent->used == 1 ) - { + if ( ernCandidate != NULL) + { /* Delete from list */ - if (ernCurrent == spooler->event_cache) + if (ernCandidate == spooler->event_cache) { - spooler->event_cache = ernNext; + spooler->event_cache = NULL; } - else + else { - ernPrev->next = ernNext; + ernCandidatePrev->next = ernCandidateNext; } - spooler->events_cached--; - - if(ernCurrent->data != NULL) + DEBUG_WRAP(DebugMessage(DEBUG_SPOOLER,"[%s],Event currently cached [%d] Purging cached event[%d] event second [%d]\n", + __FUNCTION__, + spooler->events_cached, + ernCandidate->event_id, + ernCandidate->event_second);); + + spooler->events_cached--; + + if(ernCandidate->data != NULL) { - free(ernCurrent->data); + free(ernCandidate->data); } - if(ernCurrent != NULL) + if(ernCandidate != NULL) { - free(ernCurrent); + free(ernCandidate); } - } - - if(ernCurrent != NULL) + } + else { - ernPrev = ernCurrent; + DEBUG_WRAP(DebugMessage(DEBUG_SPOOLER,"[%s],Can't find a purge candidate in event cache, oddness cached event [%d]!! \n", + __FUNCTION__, + spooler->events_cached);); } - ernCurrent = ernNext; - - } - + } return 0; } @@ -1002,7 +1037,7 @@ void spoolerEventCacheFlush(Spooler *spooler) } spooler->event_cache = NULL; - + spooler->events_cached = 0; return; } diff --git a/src/spooler.h b/src/spooler.h index c629c00..271508a 100644 --- a/src/spooler.h +++ b/src/spooler.h @@ -72,7 +72,10 @@ typedef struct _EventRecordNode uint32_t type; /* type of event stored */ void *data; /* unified2 event (eg IPv4, IPV6, MPLS, etc) */ uint8_t used; /* has the event be retrieved */ - + uint32_t time_used; /* time it has fired */ + uint32_t event_id; /* extracted from event original */ + uint32_t event_second; /* extracted from event originale */ + struct _EventRecordNode *next; /* reference to next event record */ } EventRecordNode; diff --git a/src/unified2.h b/src/unified2.h index a939178..e479232 100644 --- a/src/unified2.h +++ b/src/unified2.h @@ -214,6 +214,17 @@ typedef struct Unified2IDSEventIPv6_legacy ////////////////////-->LEGACY +/* +** Smaller subset of feature common across event,packet and extradata +** +** +*/ +typedef struct _Unified2CacheCommon +{ + uint32_t sensor_id; + uint32_t event_id; + uint32_t event_second; +} Unified2CacheCommon; /* ** The Unified2EventCommon structure is the common structure that occurs