Getting ready to modify


hojo

Sep 10, 2013, 5:51:34 PM9/10/13
to barnyar...@googlegroups.com
I'm looking at the barnyard2.c code as I get ready to add a new command line option.  I noticed this in the options for unix:

static char *valid_options = "?a:Ac:C:d:Def:Fg:G:h:i:Il:m:noOqr:R:S:t:Tu:UvVw:xXy";
and below that:
{"snaplen", LONGOPT_ARG_REQUIRED, NULL, 'P'},

Why is the P not reflected in the valid_options?  It doesn't appear to be in the options processing loop below.  My only guess would be that it has to do with future features around snort as snort has the P/snaplen option.  Is this correct?  I was wanting to use the -P for an IDS/IPS feature but not sure if that would be discouraged.

thanks,
-hojo


hojo

Sep 10, 2013, 5:53:38 PM9/10/13
to barnyar...@googlegroups.com
I apologize for my horrible subject. I meant to type "getting ready to modify cmd line options" and apparently brain farted.

beenph

Sep 10, 2013, 10:27:39 PM9/10/13
to barnyar...@googlegroups.com
On Tue, Sep 10, 2013 at 5:53 PM, hojo <dhaj...@gmail.com> wrote:
> I apologize for my horrible subject. I meant to type "getting ready to
> modify cmd line options" and apparently brain farted.

It's actually part of borrowed code but it's not needed. What would you
expect by specifying a payload length to barnyard2? Truncate logged payload?

-elz

Dave Hajoglou

Sep 10, 2013, 10:35:56 PM9/10/13
to barnyar...@googlegroups.com
So, the option bit is separate from the payload issue.  I figured I could use it but wasn't sure if it was a future option waiting to ambush my patch ;)


re: payload
I was hoping to send a header that then reported its data was 0 so that barnyard2 just thought it was a header with an empty payload.  So, snort reads the packet and writes a full unified2 log but in the process we tell snort to set the payload length to 0 then not write.  In truth, it's too hacky to really be useful but we did get by2 to consider it but the mod was far from ideal.  I based it on my interpretation of unified2 from the snort manual.

5.3.2 Unified2 Packet

    sensor id               4 bytes
    event id                4 bytes
    event seconds           4 bytes
    event microseconds      4 bytes
    linktype                4 bytes
    packet length           4 bytes  (set this to 0 thinking that by2 would just skip reading the packet data thus "emulating" alert)
    packet data             <variable length> (skip writing this bit all together)



You received this message because you are subscribed to the Google Groups "barnyard2-devel" group.
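The record body laid out above, parsed with bounds checking, as an added C example (not barnyard2's or Snort's own code): it assumes the six 32-bit fields are in network byte order, as Snort writes them, it leaves out the unified2 record header that precedes each body, and the sample bytes are constructed. A packet length of 0 is accepted as an empty payload, while a declared length longer than the bytes actually held is rejected rather than read past the buffer.

```c
#include <stdint.h>
#include <stddef.h>

/* Unified2 packet record body as listed in the post (Snort manual 5.3.2):
 * six 32-bit fields in network byte order, then packet_length bytes of data.
 * The unified2 record header that precedes each body is not modelled here. */
typedef struct {
    uint32_t sensor_id, event_id, event_second, event_microsecond;
    uint32_t linktype, packet_length;
    const uint8_t *packet_data;   /* points into the caller's buffer, NULL if empty */
} Unified2Packet;
#define U2_PACKET_HDR_LEN 24

static uint32_t rd32be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 0 on success, -1 if the buffer is shorter than the fixed header or
 * shorter than the payload the header claims. packet_length == 0 is accepted
 * and yields an empty payload, which is the case the thread discusses. */
int parse_unified2_packet(const uint8_t *buf, size_t len, Unified2Packet *out)
{
    if (buf == NULL || out == NULL || len < U2_PACKET_HDR_LEN)
        return -1;
    out->sensor_id         = rd32be(buf);
    out->event_id          = rd32be(buf + 4);
    out->event_second      = rd32be(buf + 8);
    out->event_microsecond = rd32be(buf + 12);
    out->linktype          = rd32be(buf + 16);
    out->packet_length     = rd32be(buf + 20);
    /* Never trust the declared length before checking it against what we hold. */
    if (out->packet_length > len - U2_PACKET_HDR_LEN)
        return -1;
    out->packet_data = out->packet_length ? buf + U2_PACKET_HDR_LEN : NULL;
    return 0;
}

/* Constructed sample: sensor 1, event 7, 1378849894.123456, linktype 1,
 * packet_length 0 and no payload, i.e. the "emulated alert" record. */
const uint8_t u2_sample_empty[24] = {
    0,0,0,1, 0,0,0,7, 0x52,0x2F,0x94,0x66, 0x00,0x01,0xE2,0x40, 0,0,0,1, 0,0,0,0
};
/* Same header but claiming 8 payload bytes while only 4 follow: must be rejected. */
const uint8_t u2_sample_short[28] = {
    0,0,0,1, 0,0,0,7, 0x52,0x2F,0x94,0x66, 0x00,0x01,0xE2,0x40, 0,0,0,1, 0,0,0,8,
    0xDE,0xAD,0xBE,0xEF
};
```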

beenph

Sep 10, 2013, 11:26:20 PM9/10/13
to barnyar...@googlegroups.com
Just use alert_unified2 output and force spo_database to ignore payload.

It's a ~10-line patch in by2 or so.