2013-02-15 - Barnyard 2.1.12
  [*] Improvements
     * spo_syslog_full. Added both ascii and base64 support.

     * spo_database. Many tweaks and fixes.

     * Fixed PQping detection on build.

2012-11-29 - Barnyard 2.1.11
  [*] Improvements
     * spo_database. Keep-alive (via ping) for postgresql databases.

     * Updated RPM spec file to support alternative pcap libraries and cleaned
       some existing cruft. Thanks to Brent Woodruff.

     * spo_alert_unixsock. Supports synchronisation, multiple connections and
       improved error reporting. Thanks to Martijn van Oosterhaut.

     * Many other general bug fixes and clean ups. Thanks to Jason Ish,
       Thorsten Fischer, Brad Voth and Bill Parker.


2012-10-24 - Barnyard 2.1.10
  [*] Additions
     * spo_database. Support of encrypted connections to postgresql is now
       available. See README.database for the appropriate options.

     * spo_sguil. Fixed issue with duplication of alerts.

     * Completely re-written database plugin for performance optimisation
       against the original DB schema.

       NOTE: If you have intentions of running this new version we highly
       recommend that you clean two database tables for better performance:
       reference and sig_reference (not doing so will not break anything, but
       it could slow the startup caching process).

     * New Bro output plugin (thanks to Seth Hall).

     * A new syslog plugin (syslog_full) that supports local and remote TCP and
       UDP syslog.

  [*] Improvements

     * Improved support against the latest Unified 2 format. Extended
       headers are read, however no plugins use the information currently.

     * Improved core IPv6 support.

     * Compiles under cygwin.

     * And many, many bugfixes.


2010-12-27 - Barnyard 2.1.9
  [*] Additions
     * spo_database. Support of encrypted connections to postgresql is now
       available. See README.database for the appropriate options.

     * spo_sguil. Fixed issue with duplication of alerts.

  [*] Improvements

     * spooler. Fixed issue with borking when reading unrecognised records.
       There is now sufficient information to skip and move on.

     * spooler. Fixed early termination of non-readable files, causing the
       dreaded SEGFAULT.

     * classifications. Tweaked output for classification identification if the
       appropriate node can't be found.


2010-03-05 - Barnyard 2.1.8
  [*] Additions
     * spo_database. Support of encrypted connections to mysql is now available.
       See the example configuration file for the appropriate options.

     * spo_sguil. Fixed issue with duplication of alerts.

  [*] Improvements
     * OpenBSD. Thanks to Markus Lude, we have now stomped a few bugs that
       prevented a clean build on OpenBSD platforms. Thanks mate!

     * Log Files. Fixed missing command line parameter "-l" testing to enable
       log file setting from the command line.

     * Status Returns. The status return codes should now be a little saner when
       scripting the barnyard2 process. We welcome any suggestions for
       improvements to these return codes.

     * spooler. The spooler now incorporates an improved event cache that will
       in time facilitate improved correlation for TCP portscans and similar
       events.


2009-11-06 - Barnyard 2.1.7
  [*] Additions
     * Statistics. Similar to that of Snort, barnyard2 will now print a number
       of statistics upon application termination.

  [*] Improvements
     * core. Barnyard2 has had the appropriate changes from snort 2.8.5.1 pushed
       into the core.

     * database. Fixed a duplication issue introduced with the alignment of the
       snort 2.8.4.1 code base. Thanks to Jonathan Tullet.

     * spooler. Fixed issue with duplicate processing due to waldo file not
       being updated.

     * alert_cef. Fixed crumping of the alert_cef plugin that was caused by a
       recent alignment to Snort's output plugins.

     * alert_fast. Small clean up in alert_fast to remove unused portions.

     * RPM spec. The RPM spec has been updated thanks to Tom McLaughlin.

     * log_tcpdump. The output of tcpdump will now match the linktype being
       used by the packet. The output format can be explicitly defined or auto
       adapting.


2009-07-15 - Barnyard 2.1.6
  [*] Improvements
     * Waldo Files. Waldo files not being honoured has been fixed. The issue of
       no new waldo files being created or updated was caused by a number of key
       logical checks not being performed.

     * Reference Files. The reference file can NOW be specified on the command
       line via the "-R" option.

     * Map Files. The core logic parsing of map files has been improved to avoid
       splitting inappropriately. The WARNING about "command attempt" should no
       longer raise its ugly head.

     * spo_database. The sleeping logic in MySQL has been modified to make use
       of nanosleep() and not sleep(). This should allow trapping of signals a
       little easier.
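
       The nanosleep() change above is worth seeing in code. What follows is an
       added example, not barnyard2's own code: a delay loop built on nanosleep()
       with a signal handler installed without SA_RESTART, so a signal arriving
       mid-sleep makes nanosleep() return EINTR, the loop re-checks a stop flag,
       and the unslept remainder is carried over when no stop was requested. The
       function names, the one-shot SIGALRM timer used to simulate the interrupt
       and the delay values are all constructed for this example.

```c
/* Added example, not barnyard2's own code: an interruptible delay built on
 * nanosleep() so that a signal (for example a shutdown request arriving
 * during a MySQL reconnect back-off) is acted on promptly instead of being
 * ignored until a whole-second sleep() expires. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <time.h>

/* Set from the signal handler; sig_atomic_t is the only object type that
 * may safely be written there. */
static volatile sig_atomic_t stop_requested = 0;

static void on_stop_signal(int signo)
{
    (void)signo;
    stop_requested = 1;   /* no I/O, no locks: async-signal-safe work only */
}

/* Install the handler without SA_RESTART so a blocking call is not
 * transparently restarted; nanosleep() then returns -1 with errno == EINTR
 * and the caller gets a chance to re-check the flag. Returns 0 on success. */
int install_stop_handler(int signo)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_stop_signal;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    return sigaction(signo, &sa, NULL);
}

/* Wait up to `ms` milliseconds. Returns 0 if the full delay elapsed,
 * 1 if a stop was requested (before or during the wait), -1 on error. */
int sleep_unless_stopped(long ms)
{
    struct timespec req, rem;
    req.tv_sec  = ms / 1000;
    req.tv_nsec = (ms % 1000) * 1000000L;
    while (!stop_requested) {
        if (nanosleep(&req, &rem) == 0)
            return 0;                 /* whole delay slept, nothing pending */
        if (errno != EINTR)
            return -1;                /* genuine failure, not a signal */
        req = rem;                    /* a signal arrived: keep the remainder */
    }
    return 1;
}

/* Demo 1: a stop already requested returns immediately with 1. */
int demo_preset_stop(void)
{
    int rc;
    stop_requested = 1;
    rc = sleep_unless_stopped(5000);
    stop_requested = 0;
    return rc;
}

/* Demo 2: arm a one-shot 50 ms SIGALRM, then ask for a 5 s delay. The wait
 * must end early (rc == 1) and well under a second. Returns the elapsed
 * milliseconds, or -1 if the signal did not cut the sleep short. */
int demo_interrupted_sleep(void)
{
    struct itimerval it;
    struct timespec t0, t1;
    long elapsed_ms;
    int rc;

    stop_requested = 0;
    if (install_stop_handler(SIGALRM) < 0)
        return -1;
    memset(&it, 0, sizeof it);
    it.it_value.tv_usec = 50000;      /* fire once, 50 ms from now */
    if (setitimer(ITIMER_REAL, &it, NULL) < 0)
        return -1;

    clock_gettime(CLOCK_MONOTONIC, &t0);
    rc = sleep_unless_stopped(5000);
    clock_gettime(CLOCK_MONOTONIC, &t1);
    elapsed_ms = (t1.tv_sec - t0.tv_sec) * 1000L
               + (t1.tv_nsec - t0.tv_nsec) / 1000000L;
    return (rc == 1 && elapsed_ms < 1000) ? (int)elapsed_ms : -1;
}

int main(void)
{
    printf("preset stop -> %d\n", demo_preset_stop());
    printf("interrupted after %d ms\n", demo_interrupted_sleep());
    return 0;
}
```

       The handler only sets a flag; everything else (logging, closing the
       database connection, exiting) happens back in the main loop once
       sleep_unless_stopped() returns 1, which keeps the signal path
       async-signal-safe.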


2009-05-30 - Barnyard 2.1.5
  [*] Additions
     * Output Plugins. We are now attempting to support all Snort output plugins
       except for alert_sf_socket.

     * Reference System. A new config directive "reference-map" has been added
       in order to better align with Snort's Reference System. The list of
       references is typically stored in reference.config. This directive is
       required to be defined in the configuration file or at the command line.

  [*] Improvements
     * core. Barnyard2 has had the appropriate changes from snort 2.8.4.1 pushed
       into the core.

       In addition an issue with non-unique pid files being generated when
       multiple instances were running has been fixed. Thanks to Jon. B. Bayer.

     * maps. The maps have now been restructured to provide more consistency to
       the Snort structures.

     * spooler. The spooler function has been reworked and now provides the
       appropriate event caching and correlation that was being performed in
       individual output plugins. The end result is less code in the output
       plugins and easier maintenance.

       In addition an issue with referencing a free'd pointer has been found
       and fixed. Thanks to Jon. B. Bayer.

     * spo_database. MySQL reconnection support is more robust with continuing
       reconnection attempts.
       NOTE: The reconnection is blocking if other output plugins are enabled.


2009-04-18 - Barnyard 2.1.4
  [*] Improvements
     * core. Barnyard2 has had the appropriate changes from snort 2.8.4 pushed
       into the core.

     * map. The retrieval of sid messages from the map structures has been
       updated and does not restrict to specific generator IDs. This will be
       re-addressed if sid to gid maps ever happen. Thanks to Jason Wallace.

     * spooler. Fixed an issue with blank permissions when creating waldo
       files from scratch. Thanks to Jason Wallace.


2009-03-07 - Barnyard 2.1.3
  [*] Improvements
     * spooler. Fixed regression with waldo file operations, where unreliable
       creation, reading and writing would cause unexpected SEGFAULTs. I hate
       SEGFAULTS!


2009-02-20 - Barnyard 2.1.2
  [*] Improvements
     * spo_alert_syslog. Fixed whitespace issues in output to allow for easier
       parsing using command line or external scripts.

     * spo_database. Ensure alert events are not flagged when packet info is
       available. There is no indication of what mode Snort is in (alert, or
       log) when information is written to the file.

     * spooler. Fixed overly verbose spooler messages when using waldo files.


2009-01-29 - Barnyard 2.1.1
  [*] Improvements
     * spo_alert_syslog. Ability to add hostname to displayed log events has
       been included. This is useful for multiple snort instances on different
       sensors logging to the same syslog server.

     * spo_sguil. Fixed inconsistencies between the documented and the actual
       configuration requirements for the sguil output plugin. The parameters
       can be either comma (",") or space (" ") separated. The documentation
       refers to space separated only.


2008-12-04 - Barnyard 2.1.0
  [*] Improvements
     * core. Barnyard2 has been completely rewritten from the snort-2.8.3.1
       code base to enable a complete GPL version. If there are any remaining
       issues or concerns regarding licensing then please let us know. All
       Snort wrapper functions are inherited throughout. Yay Snort!!!

     * spooler. The spooler has been re-organised, cleaned up and has had some
       optimisation tweaks provided.

     * Waldo. Waldo support has been completely revamped. I/O is now performed
       at the file descriptor level and uses the fixed WaldoData structure
       format defined in spooler.h.

     * spo_sguil. Significant overhaul and also released, with permission from
       Bamm Vischer, under GPL.


2008-11-11 - Barnyard 2.0.5
  [*] Improvements
     * spo_sguil. Modified the parameter parsing of the configuration to now
       expect "key=value" pairs and not "key value" pairs. This aligns with the
       traditional spo_database plugin.

     * FreeBSD. A number of bugs have been discovered and subsequently squished
       on FreeBSD systems. Slowly getting a hang of the autotools framework ;)

     * Spooling. Fixed a bug preventing batch processing of files defined by
       relative addressing.

     * Xrefs. When Xref data is explicitly requested by the "xref" flag but an
       alert does not have any, it will now explicitly indicate this, as
       shown: "Xref => none".


2008-07-06 - Barnyard 2.0.4
  [*] Additions
     * Syslog support. Two new syslog output plugins have been added to the
       collection. The plugins allow logging to either the local machine's
       syslog daemon or alternatively to a remote syslog daemon over UDP.

     * CEF support. One of the aforementioned syslog plugins uses the open
       standard Common Event Format (CEF) from ArcSight. I obtained the CEF
       message structure from Colin Grady, because I'm still waiting for
       ArcSight to send me their "open" standard after numerous emails :(

  [*] Improvements
     * spo_sguil. Removed two instances of while(1) loops that would cause a
       lockup when the sguil daemon was not up or not responding. It now
       listens for global signals and should exit cleanly when told to do so.

     * Spooling. Some minor cleanup was performed in the spooling section to
       improve code layout and readability.


2008-06-02 - Barnyard 2.0.3
  [*] Additions
     * spo_sguil. Added post init configuration ability to allow testing of the
       sguil plugin. Work in progress.

  [*] Improvements
     * spo_sguil. Fixed major incompatibilities with the sguil communications
       channel including:
         - network/host byte order mismatch of event IDs, and
         - timestamp rendering

     * GetUniqueName. Modified the prioritisation of obtaining/configuring the
       ability to generate a unique machine name. Order of priority is now:
         1. hostname directive
         2. actual machine name


2008-06-01 - Barnyard 2.0.2
  [*] Additions
      * More databases (experimental). The spo_database plugin was able to be
        ported across with little effort. This means there is now database
        support for MSSQL, MySQL, Postgresql, unixODBC and Oracle. Awesome!

      * Sguil support (experimental). We have started converting the original
        Sguil plugin to the new API. This is a big milestone as it will now
        allow us to start working on a more contemporary frontend for Sguil.

      * Waldo files. The waldo file is now supported, providing bookmarking for
        file processing in the event of a barnyard crash or similar.
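
        As an added example, not barnyard2's own code, here is the bookmarking
        idea behind the waldo file in a small C program: a fixed-size record
        written and read at the file-descriptor level (the approach the 2.1.0
        entry above describes), created with an explicit mode (cf. the 2.1.4
        permissions fix) and swapped into place with an atomic rename so that a
        crash mid-write cannot leave a truncated bookmark for the next start-up
        to read. The bookmark_t layout, the function names and the /tmp path
        are assumptions made for this example; the real WaldoData structure
        lives in spooler.h and is not reproduced here.

```c
/* Added example, not barnyard2's own code: a fixed-size spool bookmark saved
 * and restored at the file-descriptor level, the job a waldo file does so
 * that processing can resume after a crash. The record layout below is
 * hypothetical and is NOT the WaldoData struct from spooler.h. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

typedef struct {
    char     spool_dir[256];  /* directory being tailed (hypothetical field) */
    char     spool_base[64];  /* spool file base name (hypothetical field) */
    uint32_t timestamp;       /* which spool file: its timestamp suffix */
    uint32_t record_idx;      /* next record to process in that file */
} bookmark_t;

/* write() until every byte is out, retrying on EINTR and partial writes */
static int write_all(int fd, const void *buf, size_t len)
{
    const unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) return -1;
        p += n; len -= (size_t)n;
    }
    return 0;
}

/* read() exactly len bytes; hitting EOF first means a truncated record */
static int read_all(int fd, void *buf, size_t len)
{
    unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = read(fd, p, len);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) return -1;
        p += n; len -= (size_t)n;
    }
    return 0;
}

/* Persist the bookmark: explicit 0644 mode (the 2.1.4 entry fixed a waldo
 * created with blank permissions), fsync(), then an atomic rename() so a
 * crash mid-write never leaves a half-written bookmark for the next start. */
int bookmark_save(const char *path, const bookmark_t *bm)
{
    char tmp[1024];
    int fd;
    if (snprintf(tmp, sizeof tmp, "%s.tmp", path) >= (int)sizeof tmp) return -1;
    if ((fd = open(tmp, O_WRONLY | O_CREAT | O_TRUNC, 0644)) < 0) return -1;
    if (write_all(fd, bm, sizeof *bm) < 0 || fsync(fd) < 0) {
        close(fd); unlink(tmp); return -1;
    }
    if (close(fd) < 0 || rename(tmp, path) < 0) { unlink(tmp); return -1; }
    return 0;
}

/* Restore the bookmark: 0 on success, -1 if the file is absent, unreadable
 * or not exactly one record long (then the caller starts from scratch). */
int bookmark_load(const char *path, bookmark_t *bm)
{
    int fd = open(path, O_RDONLY), rc;
    if (fd < 0) return -1;
    rc = read_all(fd, bm, sizeof *bm);
    close(fd);
    if (rc < 0) return -1;
    bm->spool_dir[sizeof bm->spool_dir - 1] = '\0';   /* never trust on-disk */
    bm->spool_base[sizeof bm->spool_base - 1] = '\0'; /* strings to be terminated */
    return 0;
}

/* Round trip on a constructed bookmark: 0 when a missing file is reported,
 * the save succeeds and the reload matches byte for byte; otherwise the
 * number of the failing step. */
int bookmark_roundtrip_demo(void)
{
    const char *path = "/tmp/bookmark_example.waldo";  /* constructed path */
    bookmark_t out, in;
    int same;
    memset(&out, 0, sizeof out);
    strncpy(out.spool_dir, "/var/log/snort", sizeof out.spool_dir - 1);
    strncpy(out.spool_base, "snort.u2", sizeof out.spool_base - 1);
    out.timestamp  = 1360886400u;  /* constructed spool-file timestamp */
    out.record_idx = 4242;
    unlink(path);
    if (bookmark_load(path, &in) == 0) return 1;  /* must fail: nothing saved */
    if (bookmark_save(path, &out) < 0) return 2;
    if (bookmark_load(path, &in) < 0) return 3;
    same = memcmp(&in, &out, sizeof out) == 0;
    unlink(path);
    return same ? 0 : 4;
}

int main(void)
{
    printf("bookmark round trip: %d\n", bookmark_roundtrip_demo());
    return 0;
}
```

        Reading a fixed-size record with a short-read check is what makes a
        stale or truncated bookmark detectable: the loader refuses anything
        that is not exactly one record, and the process falls back to starting
        from scratch rather than resuming at a garbage offset.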

  [*] Improvements
      * Fixed segfault bugs in the event spooling routines in spo_log_ascii
        and spo_sguil.

      * Cleaned up output format of spo_alert_fast.


2008-05-10 - Barnyard 2.0.1
  [*] Additions
      * Unified2 support. Since the release of Snort 2.8.0, a new output plugin
        named 'unified2' will address all the shortfalls of the original
        unified output plugin. The new format supports multiple records in the
        one format as well as expansion for additional records such as packet
        statistics, etc. in the future.

      * 64-bit support. Support for 64-bit systems has been considered from the
        outset. However, given that we don't have any 64-bit machines to test
        the current builds on we will wait for community feedback on this.

  [*] Improvements
      * Plugin structure. Given that we initially fused the majority of the
        current Snort core with the original barnyard code and improved from
        there, we have attained/retained a similar output plugin API to that of
        Snort. This requires only slight modification to existing Snort output
        plugins to work with Barnyard. This may change to full compatibility in
        the future depending on feedback.
