Snort mailing list archives

barnyard2 and bpf filters


From: Russell Fulton <r.fulton () auckland ac nz>
Date: Wed, 3 Nov 2010 17:01:17 +1300

Hi folks,

Coming to the end of my effort to move from oinkmaster and the old barnyard to PulledPork and barnyard2.

I have a couple of questions about barnyard2:

1/ Am I right in thinking that the barnyard2 database plugin insists on getting the Sensor_id from the database?
   (I'm pretty sure about this -- I have been reading the source ;)

2/ I have also been trying to figure out how to get a bpf filter string into barnyard2 -- does anyone know how?

The bpf_filter is one of the things used to decide which sid to use, but the docs are not consistent: the README makes no
mention of the filter, but barnyard2 --help suggests that there is something called <filter options> on the command line,
and these are not described anywhere.

Looking at the source suggests that it has been partially implemented, but nothing actually sets the filter
string:

bluebottle:~ rful011$ grep  filter  tmp/barnyard2-1.8/src/*
tmp/barnyard2-1.8/src/barnyard2.c:    fprintf(stdout, "USAGE: %s [-options] <filter options>\n", program_name);
tmp/barnyard2-1.8/src/barnyard2.c:    fprintf(stdout, "       %s %s %s [-options] <filter options>\n", program_name
tmp/barnyard2-1.8/src/barnyard2.c:    char *pcap_filter = NULL;
tmp/barnyard2-1.8/src/barnyard2.c:    if (pcap_filter != NULL)
tmp/barnyard2-1.8/src/barnyard2.c:        free(pcap_filter);
tmp/barnyard2-1.8/src/barnyard2.c:    if (cmd_line->bpf_filter != NULL)
tmp/barnyard2-1.8/src/barnyard2.c:        config_file->bpf_filter = SnortStrdup(cmd_line->bpf_filter);
tmp/barnyard2-1.8/src/barnyard2.h:    char                *bpf_filter;            /* config bpf_filter */

Being able to set the filter would be useful for me. I have worked around this issue, but I could simplify my scripts
a bit if I could get the bpf_filter set.

            ret = SnortSnprintf(select_sensor_id, MAX_QUERY_LENGTH, 
                                "SELECT sid "
                                "  FROM sensor "
                                " WHERE hostname = '%s' "
                                "   AND interface = '%s' "
                                "   AND filter ='%s' "
                                "   AND detail = %u "
                                "   AND encoding = %u ",
                                escapedSensorName, escapedInterfaceName,
                                escapedBPFFilter, data->detail, data->encoding);

At the moment having anything other than NULL in the filter column of the sensor table causes barnyard to allocate 
another sid.

Russell
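The lookup quoted above keys the sensor row on hostname, interface, bpf filter, detail and encoding. The following is an added example, not barnyard2's own code, that models that lookup in sqlite3 to show why a `filter` column holding '' (or any non-NULL value) is never found by a lookup that runs with no filter at all, so a fresh sid gets allocated each time the strings disagree. The table layout, the `IS NULL` branch for the no-filter case, and the `get_or_create_sid` helper are assumptions made for the example; the column names follow the quoted query. Parameter binding is used in place of the hand-escaped string formatting in the C.

```python
"""Sensor-id lookup with NULL-vs-empty bpf filter (added example, not barnyard2 code)."""
import sqlite3


def open_db():
    # Constructed, in-memory stand-in for the sensor table; layout is an assumption.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sensor ("
        "  sid INTEGER PRIMARY KEY AUTOINCREMENT,"
        "  hostname TEXT NOT NULL,"
        "  interface TEXT,"
        "  filter TEXT,"  # NULL when the sensor runs without a bpf filter
        "  detail INTEGER NOT NULL,"
        "  encoding INTEGER NOT NULL)"
    )
    return conn


def lookup_sid(conn, hostname, interface, bpf_filter, detail, encoding):
    """Return the existing sid for this sensor tuple, or None if absent.

    Bound parameters replace the escapedSensorName / escapedBPFFilter
    hand-escaping in the quoted C. The filter clause has to differ for
    the no-filter case: in SQL, `filter = NULL` is never true, so a NULL
    column can only be matched with IS NULL. A row stored with '' is
    therefore a different sensor from one stored with NULL.
    """
    sql = ("SELECT sid FROM sensor WHERE hostname = ? AND interface = ? "
           "AND detail = ? AND encoding = ?")
    params = [hostname, interface, detail, encoding]
    if bpf_filter is None:
        sql += " AND filter IS NULL"
    else:
        sql += " AND filter = ?"
        params.append(bpf_filter)
    row = conn.execute(sql, params).fetchone()
    return row[0] if row else None


def get_or_create_sid(conn, hostname, interface, bpf_filter, detail, encoding):
    """Allocate a new sid when no row matches (the behaviour the post describes)."""
    sid = lookup_sid(conn, hostname, interface, bpf_filter, detail, encoding)
    if sid is not None:
        return sid
    cur = conn.execute(
        "INSERT INTO sensor (hostname, interface, filter, detail, encoding) "
        "VALUES (?, ?, ?, ?, ?)",
        (hostname, interface, bpf_filter, detail, encoding))
    conn.commit()
    return cur.lastrowid


def demo():
    """Constructed scenario: one sensor registered four ways."""
    conn = open_db()
    # A row entered by hand with an empty-string filter.
    first = get_or_create_sid(conn, "ids01", "eth0", "", 1, 0)
    # Process started with no bpf filter: lookup uses IS NULL, '' does not match.
    second = get_or_create_sid(conn, "ids01", "eth0", None, 1, 0)
    # Same sensor, no filter again: now the NULL row is found and reused.
    third = get_or_create_sid(conn, "ids01", "eth0", None, 1, 0)
    # A real filter string is part of the key, so it gets its own sid.
    fourth = get_or_create_sid(conn, "ids01", "eth0", "not port 22", 1, 0)
    return first, second, third, fourth


if __name__ == "__main__":
    print(demo())  # (1, 2, 2, 3)
```

The practical check this suggests: before blaming barnyard2 for duplicate sensor rows, compare what the running process passes as its filter (NULL, '' or a real string) with what the existing `sensor` rows actually store; the two must agree byte for byte, NULL included, for the lookup to hit.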


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users