Comments (4)
/* patched by mpatters and eagerl :D */
/* skip this hard-coded SID range instead of writing the event to the database */
if( (sid >= 2500000) && (sid <= 2600000) )
{
    LogMessage("INFO: I'm not going to insert this event SID [%u]\n",
               sid);
    return;
}
/* end patch */
does what I want it to, but possibly not what anybody else does. That goes into Database() in spo_database.c, about line 2415 or so, depending on versions etc. I'm putting the patch here since I nearly lost it from the last time beenph and I created it.
from barnyard2.
Well, a better place for this would be at the spooler level, so that as soon as the event is read from unified2 it's not even cached and not sent to any output plugin.
This is something that could be useful and will probably have extended configuration syntax
to accommodate multiple ranges or single SIDs or lists.
But a quick and dirty if/elseif/else patch can do the job quickly without an issue also.
from barnyard2.
Well the guy (by the guy I meant you :P, obviously referring to you as a 3rd party makes it more interesting)
is gonna be happy.
I have prototyped something that I would like you to test ...if you ever have time.
It's still "experimental", thus it could crash even if I have stress tested it a bit and all, but adjustments could be made.
I will commit it to my branch pretty soon, so look out for my sidv2 https://github.com/binf/barnyard2/tree/sid-msgv2
In the configuration file you can do the following.
(The below are examples)
config sig_suppress: (GID):(SID)
GID is optional and SID can be a single sid or a range like below.
config sig_suppress: 10-40
is equivalent to
config sig_suppress: 1:10-40
but not equivalent to
config sig_suppress: 122:10-40
You can define overlapping intervals, and theoretically from my tests
the interval will spread if possible.
If you have two ranges, a large one and a small one, the small one will not be inserted.
If you have a single entry and there is a range present that contains the single entry, the single entry will not be inserted since the range validates the single entry.
config sig_suppress: 1:10,20,1:30,2:90-102
config sig_suppress: 1:10,1:30-40,15,10-40,25
config sig_suppress: 1:10,50-55,15,10-20,80,51-52,31-35
config sig_suppress: 2:93,2:95,2:100-101,2:91-122,22-27,2008175,2657,2011766,9900009,2001972,2101623
So with the example above the final list is the following:
+[ Signature Suppress list ]+
-- Element type:[RANGE ] gid:[2] sid min:[90] sid max:[122]
-- Element type:[RANGE ] gid:[1] sid min:[30] sid max:[40]
-- Element type:[RANGE ] gid:[1] sid min:[50] sid max:[55]
-- Element type:[RANGE ] gid:[1] sid min:[10] sid max:[20]
-- Element type:[SINGLE] gid:[1] sid min:[80] sid max:[80]
-- Element type:[RANGE ] gid:[1] sid min:[22] sid max:[27]
-- Element type:[SINGLE] gid:[1] sid min:[2008175] sid max:[2008175]
-- Element type:[SINGLE] gid:[1] sid min:[2657] sid max:[2657]
-- Element type:[SINGLE] gid:[1] sid min:[2011766] sid max:[2011766]
-- Element type:[SINGLE] gid:[1] sid min:[9900009] sid max:[9900009]
-- Element type:[SINGLE] gid:[1] sid min:[2001972] sid max:[2001972]
-- Element type:[SINGLE] gid:[1] sid min:[2101623] sid max:[2101623]
+[ Signature Suppress list ]+
You can try to poke around hard, and let me know how it goes.
Right now the check happens in plugbase, the best place where I could quickly patch it without breaking the spooler, but in the future the hook would be somewhere in the spooler, since with a better event cache, if the event is tagged as suppressed the lookup in the suppress signature list will not happen.
Cheers,
-elz
from barnyard2.
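The sig_suppress rules described in the comment above (GID defaults to 1, a single SID or a LO-HI range per entry, overlapping ranges of the same GID spread into one, entries already covered by a wider one are not inserted), as an added example that re-implements them in Python; this is not the code on the sid-msgv2 branch, and the token regex, the decision not to merge merely adjacent ranges, and the sample config are assumptions of this example.

```python
import re

DEFAULT_GID = 1  # "10-40" means "1:10-40"; only "122:10-40" targets gid 122

def parse_entry(token):
    """Parse 'GID:SID', 'GID:LO-HI', 'SID' or 'LO-HI' into (gid, lo, hi)."""
    m = re.fullmatch(r"(?:(\d+):)?(\d+)(?:-(\d+))?", token.strip())
    if not m:
        raise ValueError(f"bad sig_suppress entry: {token!r}")
    gid = int(m.group(1)) if m.group(1) else DEFAULT_GID
    lo = int(m.group(2))
    hi = int(m.group(3)) if m.group(3) else lo
    return gid, lo, hi

def add_suppress(entries, gid, lo, hi):
    """Insert [lo, hi] for gid: drop it when an existing entry already covers it,
    otherwise absorb every overlapping entry of that gid into one spread range."""
    keep = []
    for g, a, b in entries:
        if g == gid and a <= lo and hi <= b:
            return entries                    # already validated by a wider entry
        if g == gid and a <= hi and lo <= b:
            lo, hi = min(lo, a), max(hi, b)   # overlapping: spread the interval
        else:
            keep.append((g, a, b))
    keep.append((gid, lo, hi))
    return keep

def parse_config(lines):
    """Apply every 'config sig_suppress:' line in order; other lines are ignored."""
    entries = []
    for line in lines:
        key, _, value = line.partition(":")
        if key.strip() == "config sig_suppress":
            for token in value.split(","):
                entries = add_suppress(entries, *parse_entry(token))
    return entries

def is_suppressed(entries, gid, sid):
    """Spooler-side check: True means the unified2 event is dropped before any
    output plugin (database, syslog, ...) ever sees it."""
    return any(g == gid and a <= sid <= b for g, a, b in entries)

# Constructed sample config (assumption), reusing entries quoted in the thread.
SAMPLE_CONFIG = [
    "config sig_suppress: 2:93,2:95,2:100-101,2:91-122",
    "config sig_suppress: 2:90-102,10-40,51-52,50-55",
]
```

Calling `parse_config(SAMPLE_CONFIG)` collapses the gid 2 entries into a single 90-122 range, keeps 1:10-40, and absorbs 51-52 into 50-55.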
available in 2-1.13-beta
can close issue.
from barnyard2.