Thread: [Secureideas-base-devel] Barnyard Patch or script to update events cache
From: Brian W. <wil...@bu...> - 2008-04-22 20:23:34
Hi,

I was looking through the archives and it appears that the barnyard patch is no longer available:

http://infosec.ufl.edu/tools/barnyard/

I was looking for either this patch or the script that one can cron up and update the base events cache (Kevin talked about it on PaulDotCom podcast).

Thanks,
Brian
From: Brian W. <wil...@bu...> - 2008-04-22 20:28:39
On Tue, 22 Apr 2008, Brian Wilson wrote:
>
> Hi, I was looking through the archives and it appears that the barnyard
> patch is no longer available:
>
> http://infosec.ufl.edu/tools/barnyard/
>
> I was looking for either this patch or the script that one can cron up and
> update the base events cache (Kevin talked about it on PaulDotCom
> podcast).
>
> Thanks,
> Brian
>

My co-worker found it here:
http://www.nabble.com/-Secureideas-base-user--Barnyard-Patch-td13877993.html

So, is this still the best way to deal with the initial deal when loading up base (when it hasn't been loaded in quite awhile)?

Thanks,
Brian
From: John H. S. <js...@uf...> - 2008-04-22 20:47:48
On Apr 22, 2008, at 4:28 PM, Brian Wilson wrote:
> On Tue, 22 Apr 2008, Brian Wilson wrote:
>
>>
>> Hi, I was looking through the archives and it appears that the
>> barnyard
>> patch is no longer available:
>>
>> http://infosec.ufl.edu/tools/barnyard/
>>
>> I was looking for either this patch or the script that one can cron
>> up and
>> update the base events cache (Kevin talked about it on PaulDotCom
>> podcast).
>>
>> Thanks,
>> Brian
>>
>
> My co-worker found it here:
> http://www.nabble.com/-Secureideas-base-user--Barnyard-Patch-td13877993.html
>
> So, is this still the best way to deal with the initial deal when
> loading
> up base (when it hasn't been loaded in quite awhile)?
>
> Thanks,
> Brian

Just checked and it turns out that the file was named incorrectly. It is renamed and accessible again.

-jhs
From: Terry B. <te...@te...> - 2008-05-01 11:26:45
On Tue, Apr 22, 2008 at 9:45 PM, John H. Sawyer <js...@uf...> wrote: > On Apr 22, 2008, at 4:28 PM, Brian Wilson wrote: > > On Tue, 22 Apr 2008, Brian Wilson wrote: > >> Hi, I was looking through the archives and it appears that the > >> barnyard > >> patch is no longer available: <...snip...> > Just checked and it turns out that the file was named incorrectly. It > is renamed and accessible again. Hi John, Please could you apply the following to the ACID event patch to barnyard: ------8<------ --- op_acid_db.c.orig 2008-05-01 12:06:36.000000000 +0100 +++ op_acid_db.c 2008-05-01 12:14:41.000000000 +0100 @@ -451,10 +451,16 @@ int sig_class_id, int sig_priority, char *timestamp, int ip_src, int ip_dst, int ip_proto, int layer4_sport, int layer4_dport) { + char *e_name; + /* LogMessage("DEBUG: In AcidEventInsert\n"); */ + if(!(e_name = EscapeString(op_data, sig_name ? sig_name : ""))) + FatalError("Failed to escape string"); + if (snprintf(sql_buffer, MAX_QUERY_SIZE, acid_event_sql_format, - sid, cid, signature, sig_name, sig_class_id, sig_priority, + sid, cid, signature, e_name, sig_class_id, sig_priority, timestamp, ip_src, ip_dst, ip_proto, layer4_sport, layer4_dport) < MAX_QUERY_SIZE) { /* LogMessage("DEBUG: current query: %s\n", sql_buffer); */ Insert(op_data, sql_buffer, NULL); ------>8------ It escapes the sid_name variable which can contain a variety of unsafe characters. In my case, barnyard was exiting having encountered a sig_name containing a single quote. Thanks, Terry |
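Review bot: e_name is never freed in this hunk. The NULL check on EscapeString()'s return implies it hands back a freshly allocated buffer, so AcidEventInsert() leaks one escaped copy of sig_name per event on the Insert() path and on the branch taken when the snprintf result is not < MAX_QUERY_SIZE; add free(e_name) after Insert(op_data, sql_buffer, NULL) and on that other branch (or free it right after the snprintf, since the buffer is not needed once the query is formatted). A second thing worth noting in the same hunk: the escaped string is longer than sig_name whenever it contains quotes or backslashes, so the existing < MAX_QUERY_SIZE comparison is now doing more work than before; the branch not shown here must log and skip rather than insert a truncated query. Finally, timestamp is the other char * argument in this signature and is interpolated unescaped; a one-line comment stating that it is generated internally and never derived from packet data would make the reasoning explicit.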
From: Jim H. <jf...@uf...> - 2008-05-01 15:18:50
Terry Burton wrote: > Hi John, > > Please could you apply the following to the ACID event patch to barnyard: > > ------8<------ > --- op_acid_db.c.orig 2008-05-01 12:06:36.000000000 +0100 > +++ op_acid_db.c 2008-05-01 12:14:41.000000000 +0100 > @@ -451,10 +451,16 @@ > int sig_class_id, int sig_priority, char *timestamp, int ip_src, > int ip_dst, int ip_proto, int layer4_sport, int layer4_dport) { > > + char *e_name; > + > /* LogMessage("DEBUG: In AcidEventInsert\n"); */ > > + if(!(e_name = EscapeString(op_data, sig_name ? sig_name : ""))) > + FatalError("Failed to escape string"); > + > if (snprintf(sql_buffer, MAX_QUERY_SIZE, acid_event_sql_format, > - sid, cid, signature, sig_name, sig_class_id, sig_priority, > + sid, cid, signature, e_name, sig_class_id, sig_priority, > timestamp, ip_src, ip_dst, ip_proto, layer4_sport, > layer4_dport) < MAX_QUERY_SIZE) { > /* LogMessage("DEBUG: current query: %s\n", sql_buffer); */ > Insert(op_data, sql_buffer, NULL); > ------>8------ > > It escapes the sid_name variable which can contain a variety of unsafe > characters. In my case, barnyard was exiting having encountered a > sig_name containing a single quote. Ok, this has been added ( I did add a free(e_name) to avoid memory leaks :-> ) and the new patch can be found at: http://infosec.ufl.edu/tools/barnyard/barnyard-base-0.2.patch The new patch also contains code to (hopefully) better handle snort log rotation. This newly patched version has been running on one of our busiest sensors for about 20 minutes now with no noticeable problems. ---------------------------------------------------------------------- | Jim Hranicky, Security Engineer UF InfoSec Team | | E202 SSRB Phone (352) 392-2061 | | jf...@uf... | ---------------------------------------------------------------------- |
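Terry's patch and Jim's follow-up (escape sig_name before it is formatted into the query, then free the escaped copy) describe a small but easy-to-get-wrong pattern: a rule name containing a single quote breaks a query that is assembled with snprintf, and the escaped copy has to be released on every return path. The code below is an added example written for this thread, not barnyard's own op_acid_db.c; escape_sql_string() is a hypothetical stand-in for barnyard's EscapeString() that backslash-escapes quotes, backslashes and line breaks in the MySQL style, and the INSERT format and column names are constructed for illustration rather than taken from the real acid_event_sql_format.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_QUERY_SIZE 256

/* Hypothetical stand-in for barnyard's EscapeString(): returns a newly
 * allocated copy of s in which the characters that would end or alter a
 * single-quoted SQL string literal are backslash-escaped (MySQL style).
 * Returns NULL on allocation failure, matching the NULL check in the patch. */
char *escape_sql_string(const char *s)
{
    size_t len = strlen(s);
    char *out = malloc(len * 2 + 1);  /* worst case: every byte escaped */
    char *p;

    if (!out)
        return NULL;
    for (p = out; *s; s++) {
        switch (*s) {
        case '\'': case '"': case '\\':
            *p++ = '\\';
            *p++ = *s;
            break;
        case '\n':
            *p++ = '\\';
            *p++ = 'n';
            break;
        case '\r':
            *p++ = '\\';
            *p++ = 'r';
            break;
        default:
            *p++ = *s;
        }
    }
    *p = '\0';
    return out;
}

/* Builds the INSERT for one event into buf (constructed column list, not
 * barnyard's real acid_event_sql_format). Returns 1 on success, 0 if the
 * name could not be escaped or the query would not fit: a truncated query
 * must never be sent. The escaped copy is freed on every path, which is the
 * leak Jim mentions fixing. */
int build_event_insert(char *buf, size_t bufsize, int sid, int cid,
                       int signature, const char *sig_name)
{
    static const char fmt[] =
        "INSERT INTO acid_event (sid, cid, signature, sig_name) "
        "VALUES (%d, %d, %d, '%s')";
    char *e_name = escape_sql_string(sig_name ? sig_name : "");
    int n;

    if (!e_name)
        return 0;
    n = snprintf(buf, bufsize, fmt, sid, cid, signature, e_name);
    free(e_name);  /* no longer needed once formatted */
    return n >= 0 && (size_t)n < bufsize;
}

/* Helper: does the query built for `name` contain `needle`? 0 if the build
 * itself is rejected. Used by the stand-alone main() below. */
int query_contains(const char *name, const char *needle)
{
    char buf[MAX_QUERY_SIZE];

    if (!build_event_insert(buf, sizeof buf, 1, 1, 2003, name))
        return 0;
    return strstr(buf, needle) != NULL;
}

/* Helper: is a name of `len` bytes rejected because the query would not fit? */
int long_name_rejected(size_t len)
{
    char buf[MAX_QUERY_SIZE];
    char *name = malloc(len + 1);
    int ok;

    if (!name)
        return 0;
    memset(name, 'a', len);
    name[len] = '\0';
    ok = build_event_insert(buf, sizeof buf, 1, 1, 1, name);
    free(name);
    return !ok;
}

int main(void)
{
    char buf[MAX_QUERY_SIZE];

    /* Constructed sample event: a rule name with an embedded single quote,
     * the case that made barnyard exit in Terry's report. */
    if (build_event_insert(buf, sizeof buf, 1, 1, 2003, "WEB-MISC user's cgi"))
        puts(buf);
    return 0;
}
```

The escaped string can be up to twice as long as the input, so the size check after snprintf is what stands between an oversized rule name and a silently truncated INSERT; the function refuses to hand such a query on. Building queries by string formatting is what barnyard's Insert() interface requires here; a database API that supports bound parameters removes the need for escaping altogether.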