Snort mailing list archives

barnyard2 and bpf filters
From: Russell Fulton <r.fulton () auckland ac nz>
Date: Wed, 3 Nov 2010 17:01:17 +1300

Hi Folks

Coming to the end of my effort to move from oinkmaster and the old barnyard to PulledPork and barnyard2.

I have a couple of questions about barnyard2:

1/  Am I right in thinking that the barnyard2 database plugin insists on getting the Sensor_id from the database?
 (I'm pretty sure about this -- I have been reading the source ;)

2/ I have also been trying to figure out how to get a bpf filter string into barnyard2 -- anyone know how?

The bpf_filter is one of the things used to decide which sid to use, but the docs are not consistent: README makes no 
mention of the filter, but barnyard2 --help suggests that there is something called <filter options> on the command line, 
but these are not described anywhere.

Looking at the source suggests that it has been partially implemented, but nothing actually sets the filter:

bluebottle:~ rful011$ grep  filter  tmp/barnyard2-1.8/src/*
tmp/barnyard2-1.8/src/barnyard2.c:    fprintf(stdout, "USAGE: %s [-options] <filter options>\n", program_name);
tmp/barnyard2-1.8/src/barnyard2.c:    fprintf(stdout, "       %s %s %s [-options] <filter options>\n", program_name
tmp/barnyard2-1.8/src/barnyard2.c:    char *pcap_filter = NULL;
tmp/barnyard2-1.8/src/barnyard2.c:    if (pcap_filter != NULL)
tmp/barnyard2-1.8/src/barnyard2.c:        free(pcap_filter);
tmp/barnyard2-1.8/src/barnyard2.c:    if (cmd_line->bpf_filter != NULL)
tmp/barnyard2-1.8/src/barnyard2.c:        config_file->bpf_filter = SnortStrdup(cmd_line->bpf_filter);
tmp/barnyard2-1.8/src/barnyard2.h:    char                *bpf_filter;            /* config bpf_filter */

Being able to set the filters would be useful for me.  I have worked around this issue, but I could simplify my scripts 
a bit if I could get the bpf_filter set.

            ret = SnortSnprintf(select_sensor_id, MAX_QUERY_LENGTH, 
                                "SELECT sid "
                                "  FROM sensor "
                                " WHERE hostname = '%s' "
                                "   AND interface = '%s' "
                                "   AND filter ='%s' "
                                "   AND detail = %u "
                                "   AND encoding = %u ",
                                escapedSensorName, escapedInterfaceName,
                                escapedBPFFilter, data->detail, data->encoding);

At the moment having anything other than NULL in the filter column of the sensor table causes barnyard to allocate 
another sid.
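The sid-allocation behaviour described in the post can be reproduced in a small model of the sensor lookup. This is an added example, not barnyard2's own code: the table columns and the SELECT follow the query quoted above, the "allocate another sid" step is modelled as an insert when the lookup misses, and the `filter IS NULL` branch for a sensor with no filter configured is an assumption (the page only shows the `filter = '%s'` form). It uses sqlite3 so it runs offline, and binds parameters instead of escaping them into the query string, which is the safe counterpart of the `escapedSensorName`/`escapedBPFFilter` handling in the C.

```python
import sqlite3
from typing import Optional, Tuple

# Constructed schema modelled on the columns named in the quoted SELECT.
SCHEMA = """
CREATE TABLE sensor (
    sid       INTEGER PRIMARY KEY AUTOINCREMENT,
    hostname  TEXT NOT NULL,
    interface TEXT NOT NULL,
    filter    TEXT,
    detail    INTEGER NOT NULL,
    encoding  INTEGER NOT NULL
)
"""


def open_db() -> sqlite3.Connection:
    """Fresh in-memory sensor table (stands in for the real snort database)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.commit()
    return conn


def find_sid(conn: sqlite3.Connection, hostname: str, interface: str,
             bpf_filter: Optional[str], detail: int, encoding: int) -> Optional[int]:
    """Return the sid whose (hostname, interface, filter, detail, encoding)
    tuple matches, or None.

    Assumption: a sensor with no filter configured is looked up with
    'filter IS NULL'; a plain 'filter = <value>' can never match a NULL column.
    """
    if bpf_filter is None:
        sql = ("SELECT sid FROM sensor WHERE hostname = ? AND interface = ? "
               "AND filter IS NULL AND detail = ? AND encoding = ?")
        params = (hostname, interface, detail, encoding)
    else:
        sql = ("SELECT sid FROM sensor WHERE hostname = ? AND interface = ? "
               "AND filter = ? AND detail = ? AND encoding = ?")
        params = (hostname, interface, bpf_filter, detail, encoding)
    row = conn.execute(sql, params).fetchone()
    return row[0] if row else None


def get_or_allocate_sid(conn: sqlite3.Connection, hostname: str, interface: str,
                        bpf_filter: Optional[str], detail: int,
                        encoding: int) -> Tuple[int, bool]:
    """Look the sensor up; if no row matches, insert one and return the new sid.

    Returns (sid, allocated) so callers can see when a fresh sid was created.
    """
    sid = find_sid(conn, hostname, interface, bpf_filter, detail, encoding)
    if sid is not None:
        return sid, False
    cur = conn.execute(
        "INSERT INTO sensor (hostname, interface, filter, detail, encoding) "
        "VALUES (?, ?, ?, ?, ?)",
        (hostname, interface, bpf_filter, detail, encoding))
    conn.commit()
    return cur.lastrowid, True


def demo() -> dict:
    """Walk through the scenario from the post with constructed sensor values."""
    conn = open_db()
    # First run with no filter configured: a sensor row is created (filter NULL).
    first = get_or_allocate_sid(conn, "bluebottle", "eth0", None, 1, 0)
    # Same tuple on the next run: the existing sid is reused.
    repeat = get_or_allocate_sid(conn, "bluebottle", "eth0", None, 1, 0)
    # An operator fills in the filter column by hand ...
    conn.execute("UPDATE sensor SET filter = 'not port 22' WHERE sid = ?", (first[0],))
    conn.commit()
    # ... but the reader still passes no filter, so the lookup misses and a
    # second sid is allocated for what is really the same sensor.
    after_edit = get_or_allocate_sid(conn, "bluebottle", "eth0", None, 1, 0)
    # Passing the matching filter string finds the original row again.
    with_filter = get_or_allocate_sid(conn, "bluebottle", "eth0", "not port 22", 1, 0)
    return {"first": first, "repeat": repeat,
            "after_edit": after_edit, "with_filter": with_filter}


if __name__ == "__main__":
    for step, (sid, allocated) in demo().items():
        print(f"{step:12s} sid={sid} allocated={allocated}")
```

The `after_edit` step is the case the post describes: once the `filter` column holds anything the reader cannot reproduce in its lookup tuple, every restart lands in a new sid, and events split across sensor ids in the database.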

