forked from firnsy/barnyard2
-
Notifications
You must be signed in to change notification settings - Fork 0
/
RELEASE.NOTES
331 lines (238 loc) · 12.8 KB
/
RELEASE.NOTES
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
2013-02-15 - Barnyard 2.1.12
[*] Improvements
* spo_syslog_full. Added both ascii and base64 support.
* spo_database. Many tweaks and fixes.
* Fixed PQping detection on build.
2012-11-29 - Barnyard 2.1.11
[*] Improvements
* spo_database. Keep-alive (via ping) for postgresql databases.
* Updated RPM spec file to support alternative pcap libraries and cleaned
some existing cruft. Thanks to Brent Woodruff.
* spo_alert_unixsock. Supports synchronisation, multiple connections and
improved error reporting. Thanks to Martijn van Oosterhaut.
* Many other general bug fixes and clean ups. Thanks to Jason Ish,
Thorsten Fischer, Brad Voth and Bill Parker.
2012-10-24 - Barnyard 2.1.10
[*] Additions
* spo_database. Support of encrypted connections to postgresql is now
available. See README.database for the appropriate options.
* spo_sguil. Fixed issue with duplication of alerts.
* Completely re-written database plugin for performance optimisation
against the original DB schema.
NOTE: If you have intentions of running this new version we highly
recommende you to clean two database tables for better performance:
reference and sig_reference, not doing so will not break anything but
could slow the startup caching process).
* New Bro output plugin (thanks to Seth Hall)
* A new syslog plugin (syslog_full) that support local and remote TCP and
UDP syslog.
[*] Improvements
* Improved support against the latest Unified 2 format. Extended
headers are read, however no plugins use the information currently.
* Improved core IPv6 support.
* Compile under cygwin
* And many, many bugfixes.
2010-12-27 - Barnyard 2.1.9
[*] Additions
* spo_database. Support of encrypted connections to postgresql is now
available. See README.database for the appropriate options.
* spo_sguil. Fixed issue with duplication of alerts.
[*] Improvements
* spooler. Fixed issue with borking when reading unrecognised records.
There is now sufficient information to skip and move on.
* spooler. Fixed early termination of non-readable files, causing the
dreaded SEGFAULT.
* classifications. Tweaked output for classification identification if the
appropriate node can't be found.
2010-03-05 - Barnyard 2.1.8
[*] Additions
* spo_database. Support of encrypted connections to mysql is now available.
See the example configuration file for the appropriate options.
* spo_sguil. Fixed issue with duplication of alerts.
[*] Improvements
* OpenBSD. Thanks to Markus Lude, we now stomped a few bugs that prevented
a clean build on OpenBSD platforms. Thanks mate!
* Log Files. Fixed missing command line parameter "-l" testing to enable
log file setting form the command line.
* Status Returns. The status return codes should now be a little saner when
scripting the barnyard2 process. We welcome any suggestions for
improvements to these return codes.
* spooler. The spooler now incorporates an improved event cache that willg
in time facilitate improved correlation for TCP portscans and similar
events.
2009-11-06 - Barnyard 2.1.7
[*] Additions
* Statistics. Similar to that of Snort, barnyard2 will now print a number
of statistics upon application termination.
[*] Improvements
* core. Barnyard2 has had the appropriate changes from snort 2.8.5.1 pushed
into the core.
g
* database. Fixed a duplication issue introduced with the alignment of the
snort 2.8.4.1 code base. Thanks to Jonathan Tullet.
* spooler. Fixed issue with duplicate processing due to waldo file not
being updated.
* alert_cef. Fixed crumping of the alert_cef plugin that was caused by a
recent alignment to Snort's output plugins.
* alert_fast. Small clean up in alert_fast to remove unused portions.
* RPM spec. The RPM spec has been updated thanks to Tom McLaughlin.
* log_tcpdump. The output of tcpdump will now match the linktype being
used by the packet. The output format can be explicitly defined or auto
adapting.
g
2009-07-15 - Barnyard 2.1.6g
[*] Improvements
* Waldo Files. Waldo files not being honoured has been fixed. The issue of
no new waldo files being created or updated was caused by a number of key
logical checks not being performed.
* Reference Files. The reference file can NOW be specified on the command
line via the "-R" option.
* Map Files. The core logic parsing of map files has been improved to avoid
splitting inappropriately. The WARNING about "command attempt" should no
longer raise its ugly head.
* spo_database. The sleeping logic in MySQL has been modified to make use
of nanosleep() and not sleep(). This should allow trapping of signals a
little easier.
2009-05-30 - Barnyard 2.1.5
[*] Additions
* Output Plugins. We are now attempting to support all Snort output plugins
except for alert_sf_socket.
* Reference System. A new config directive "reference-map" has been added
in order to better align with Snort's Reference System. The list of
references is typically stored in reference.config. This directive is
required to be defined in the configuration file or at the command line.
[*] Improvements
* core. Barnyard2 has had the appropriate changes from snort 2.8.4.1 pushed
into the core.
g
In addition an issue with non-unique pid files being generated when
multiple instances were running has been fixed. Thanks to Jon. B. Bayer
* maps. The maps have now been restructured to provide more consistency to
the Snort structures.
* spooler. The spooler function has been reworked and now provides the
appropriate event caching and correlation that was being performed in
individual output plugins. The end result is less code in the output
plugins and easier maintenance.
In addition an issue with referencing a free'd pointer has been found
and fixed. Thanks to Jon. B. Bayer.
* spo_database. MySQL reconnection support is more robust with continuing
reconnection attempts.
NOTE: The reconnection is blocking if other output plugins are enabled.
2009-04-18 - Barnyard 2.1.4
[*] Improvements
* core. Barnyard2 has had the appropriate changes from snort 2.8.4 pushed
into the core.
* map. The retrieval of sid messages from the map structures has been
updated and does not restrict to specific generator id's. This will be
re-addressed if sid to gid maps ever happen. Thanks to Jason Wallace.
* spooler. Fixed an issue with blank permissions when creating waldog
files from scratch. Thanks to Jason Wallace.
2009-03-07 - Barnyard 2.1.3
[*] Improvements
* spooler. Fixed regression with waldo file operations, where unreliable
creation, reading and writing would cause unexpected SEGFAULTs. I hate
SEGFAULTS!
2009-02-20 - Barnyard 2.1.2
[*] Improvements
* spo_alert_syslog. Fixed whitespace issues in output to allow for easier
parsing using command line or external scripts.
* spo_database. Ensure alert events are not flagged when packet info is
available. There is no indication of what mode Snort is in (alert, or
log) when information is written to the file.
* spooler. Fixed overly verbose spooler messages when using waldo files.
2009-01-29 - Barnyard 2.1.1
[*] Improvements
* spo_alert_syslog. Ability to add hostname to displayed log events has
been included. This is useful for multiple snort instances on different
sensors logging to the same syslog server.
* spo_sguil. Fixed inconsistencies between the documentated and the actual
configuration requirements for the sguil output plugin. The parameters
can be either comma (",") or space (" ") separated. The documentationg
refers to space separated only.
2008-12-04 - Barnyard 2.1.0
[*] Improvements
* core. Barnyard2 has been completely rewritten from the snort-2.8.3.1
code base to enable a complete GPL version. If there are any remaining
issues or concerns regarding licensing then please let us know. All
Snort wrapper functions are inhereted throughout. Yay Snort!!!
* spooler. The spooler has been re-organised, cleaned up and has had some
optimisation tweaks provided.
* Waldo. Waldo support has been completely revamped. I/O is now performed
as the file descriptor level and uses the fixed WaldoData structure
format defined in spooler.h
* spo_sguil. Significant overhaul and also released, with permission from
Bamm Vischer under GPL.
2008-11-11 - Barnyard 2.0.5
[*] Improvements
* spo_sguil. Modifed the parameter parsing of the configuration to nowg
expect "key=value" pairs and not "key value" pairs. This aligns with
traditional spo_database plugin.
* FreeBSD. A number of bugs have been discovered and subsequently squished
on FreeBSD systems. Slowly getting a hang of the autotools framework ;)
* Spooling. Fixed a bug preventing batch processing of files defined by
relative addressing.
* Xrefs. When Xref data is explicitly requested by the "xref" flag but an
alert does not have any it will now explicityly indicate similarly as
shown: "Xref => none".
2008-07-06 - Barnyard 2.0.4
[*] Additions
* Syslog support. Two new syslog output plugins have been added to the
collection. The plugins allow logging to either the local machines
syslog daemon or alternatively to a remote syslog daemon over UDP.
* CEF support. One of the aforementioned syslog plugins use the open
standard Common Event Format (CEF) from ArcSight. I obtained the CEF
message structure from Colin Grady, because I'm still waiting for
ArcSight to send me their "open" standard after numerous emails :(
[*] Improvements
* spo_sguil. Removed two instances of while(1) loops that would cause a
lockup when the sguil daemon was not up or not responding. It now
listens for global signals and should exit cleanly when told to do so.
* Spooling. Some minor cleanup was performed in the spooling section to
improve code layout and readability.
2008-06-02 - Barnyard 2.0.3
[*] Additions
* spo_sguil. Added post init configuration ability to allow testing of the
sguil plugin. Work in progress.
[*] Improvements
* spo_sguil. Fixed major incompatibilities with the sguil communications
channel including:
- network/host byte order mismatch of event ID's, and
- timestamp rendering
* GetUniqueName. Modified the prioritisation of obtaining/configuring the
ability to generate a unique machine name. Order of priority is now:
1. hostname directive
2. actual machine name
2008-06-01 - Barnyard 2.0.2
[*] Additions
* More databases (experimental). The spo_databsae plugin was able to beg
ported across with little effort. This means there is now database
support for MSSQL, MYSQL, Postgresql, any unixOBDC and Oracle. Awesome!
* Sguil support (experimental). We have started converting the originalg
Sguil plugin to the new API. This is a big milestone as it will now
allow us to start working on a more contemporary frontend for Sguil.
* Waldo files. The waldo file is now supported providing bookmarking for
file processing in the event of a barnyard crash or similar.
[*] Improvements
* Fixed segfault bugs in the event spooling routines of in spo_log_ascii
and spo_sguil.
* Cleaned up output format of spo_alert_fast.
2008-05-10 - Barnyard 2.0.1
[*] Additions
* Unified2 support. Since the release of Snort 2.8.0 a new output pluging
named 'unified2' will address all the shortfalls of the originalg
unified output plugin. The new format supports multiple records in the
one format as well as expansion for additional records such as packet
statistics, etc in the future.
g
* 64-bit support. Support for 64-bit systems has been considered from the
outset. However, given that we don't have any 64-bit machines to test
the current builds on we will wait for community feedback on this.
g
[*] Improvements
* Plugin structure. Given that we initially fused majority of the current
Snort core with the original barnyard code and improved from there weg
have attained/retained a similar output plugin API to that of Snort.
This requires only slight modification to existing Snort output plugins
to work with Barnyard. This may change to full compatibility in the
future depending on feedback.
g