2013-02-15 - Barnyard 2.1.12
[*] Improvements
* spo_syslog_full. Added both ascii and base64 support.

* spo_database. Many tweaks and fixes.

* Fixed PQping detection on build.

2012-11-29 - Barnyard 2.1.11
[*] Improvements
* spo_database. Keep-alive (via ping) for postgresql databases.

* Updated RPM spec file to support alternative pcap libraries and cleaned
  some existing cruft. Thanks to Brent Woodruff.

* spo_alert_unixsock. Supports synchronisation, multiple connections and
  improved error reporting. Thanks to Martijn van Oosterhaut.

* Many other general bug fixes and clean ups. Thanks to Jason Ish,
  Thorsten Fischer, Brad Voth and Bill Parker.


2012-10-24 - Barnyard 2.1.10
[*] Additions
* spo_database. Support of encrypted connections to postgresql is now
  available. See README.database for the appropriate options.

* spo_sguil. Fixed issue with duplication of alerts.

* Completely re-written database plugin for performance optimisation
  against the original DB schema.

  NOTE: If you intend to run this new version we highly recommend that
  you clean two database tables (reference and sig_reference) for better
  performance. Not doing so will not break anything, but it could slow
  the startup caching process.

* New Bro output plugin (thanks to Seth Hall)

* A new syslog plugin (syslog_full) that supports local and remote TCP and
  UDP syslog.

[*] Improvements

* Improved support against the latest Unified 2 format. Extended
  headers are read, however no plugins use the information currently.

* Improved core IPv6 support.

* Compile under cygwin

* And many, many bugfixes.


2010-12-27 - Barnyard 2.1.9
[*] Additions
* spo_database. Support of encrypted connections to postgresql is now
  available. See README.database for the appropriate options.

* spo_sguil. Fixed issue with duplication of alerts.

[*] Improvements

* spooler. Fixed issue with borking when reading unrecognised records.
  There is now sufficient information to skip and move on.

* spooler. Fixed early termination of non-readable files, causing the
  dreaded SEGFAULT.

* classifications. Tweaked output for classification identification if the
  appropriate node can't be found.


2010-03-05 - Barnyard 2.1.8
[*] Additions
* spo_database. Support of encrypted connections to mysql is now available.
  See the example configuration file for the appropriate options.

* spo_sguil. Fixed issue with duplication of alerts.

[*] Improvements
* OpenBSD. Thanks to Markus Lude, we have now stomped a few bugs that
  prevented a clean build on OpenBSD platforms. Thanks mate!

* Log Files. Fixed missing command line parameter "-l" testing to enable
  log file setting from the command line.

* Status Returns. The status return codes should now be a little saner when
  scripting the barnyard2 process. We welcome any suggestions for
  improvements to these return codes.

* spooler. The spooler now incorporates an improved event cache that will
  in time facilitate improved correlation for TCP portscans and similar
  events.


2009-11-06 - Barnyard 2.1.7
[*] Additions
* Statistics. Similar to that of Snort, barnyard2 will now print a number
  of statistics upon application termination.

[*] Improvements
* core. Barnyard2 has had the appropriate changes from snort 2.8.5.1 pushed
  into the core.

* database. Fixed a duplication issue introduced with the alignment of the
  snort 2.8.4.1 code base. Thanks to Jonathan Tullet.

* spooler. Fixed issue with duplicate processing due to waldo file not
  being updated.

* alert_cef. Fixed crumping of the alert_cef plugin that was caused by a
  recent alignment to Snort's output plugins.

* alert_fast. Small clean up in alert_fast to remove unused portions.

* RPM spec. The RPM spec has been updated thanks to Tom McLaughlin.

* log_tcpdump. The output of tcpdump will now match the linktype being
  used by the packet. The output format can be explicitly defined or auto
  adapting.


2009-07-15 - Barnyard 2.1.6
[*] Improvements
* Waldo Files. Waldo files not being honoured has been fixed. The issue of
  no new waldo files being created or updated was caused by a number of key
  logical checks not being performed.

* Reference Files. The reference file can NOW be specified on the command
  line via the "-R" option.

* Map Files. The core logic parsing of map files has been improved to avoid
  splitting inappropriately. The WARNING about "command attempt" should no
  longer raise its ugly head.

* spo_database. The sleeping logic in MySQL has been modified to make use
  of nanosleep() and not sleep(). This should make trapping of signals a
  little easier.


2009-05-30 - Barnyard 2.1.5
[*] Additions
* Output Plugins. We are now attempting to support all Snort output plugins
  except for alert_sf_socket.

* Reference System. A new config directive "reference-map" has been added
  in order to better align with Snort's Reference System. The list of
  references is typically stored in reference.config. This directive is
  required to be defined in the configuration file or at the command line.

[*] Improvements
* core. Barnyard2 has had the appropriate changes from snort 2.8.4.1 pushed
  into the core.

  In addition an issue with non-unique pid files being generated when
  multiple instances were running has been fixed. Thanks to Jon. B. Bayer.

* maps. The maps have now been restructured to provide more consistency
  with the Snort structures.

* spooler. The spooler function has been reworked and now provides the
  appropriate event caching and correlation that was being performed in
  individual output plugins. The end result is less code in the output
  plugins and easier maintenance.

  In addition an issue with referencing a freed pointer has been found
  and fixed. Thanks to Jon. B. Bayer.

* spo_database. MySQL reconnection support is more robust with continuing
  reconnection attempts.
  NOTE: The reconnection is blocking if other output plugins are enabled.


2009-04-18 - Barnyard 2.1.4
[*] Improvements
* core. Barnyard2 has had the appropriate changes from snort 2.8.4 pushed
  into the core.

* map. The retrieval of sid messages from the map structures has been
  updated and does not restrict to specific generator id's. This will be
  re-addressed if sid to gid maps ever happen. Thanks to Jason Wallace.

* spooler. Fixed an issue with blank permissions when creating waldo
  files from scratch. Thanks to Jason Wallace.


2009-03-07 - Barnyard 2.1.3
[*] Improvements
* spooler. Fixed regression with waldo file operations, where unreliable
  creation, reading and writing would cause unexpected SEGFAULTs. I hate
  SEGFAULTS!


2009-02-20 - Barnyard 2.1.2
[*] Improvements
* spo_alert_syslog. Fixed whitespace issues in output to allow for easier
  parsing using command line or external scripts.

* spo_database. Ensure alert events are not flagged when packet info is
  available. There is no indication of what mode Snort is in (alert, or
  log) when information is written to the file.

* spooler. Fixed overly verbose spooler messages when using waldo files.


2009-01-29 - Barnyard 2.1.1
[*] Improvements
* spo_alert_syslog. Ability to add hostname to displayed log events has
  been included. This is useful for multiple snort instances on different
  sensors logging to the same syslog server.

* spo_sguil. Fixed inconsistencies between the documented and the actual
  configuration requirements for the sguil output plugin. The parameters
  can be either comma (",") or space (" ") separated. The documentation
  refers to space separated only.


2008-12-04 - Barnyard 2.1.0
[*] Improvements
* core. Barnyard2 has been completely rewritten from the snort-2.8.3.1
  code base to enable a complete GPL version. If there are any remaining
  issues or concerns regarding licensing then please let us know. All
  Snort wrapper functions are inherited throughout. Yay Snort!!!

* spooler. The spooler has been re-organised, cleaned up and has had some
  optimisation tweaks provided.

* Waldo. Waldo support has been completely revamped. I/O is now performed
  at the file descriptor level and uses the fixed WaldoData structure
  format defined in spooler.h

* spo_sguil. Significant overhaul and also released, with permission from
  Bamm Vischer, under GPL.


2008-11-11 - Barnyard 2.0.5
[*] Improvements
* spo_sguil. Modified the parameter parsing of the configuration to now
  expect "key=value" pairs and not "key value" pairs. This aligns with the
  traditional spo_database plugin.

* FreeBSD. A number of bugs have been discovered and subsequently squished
  on FreeBSD systems. Slowly getting the hang of the autotools framework ;)

* Spooling. Fixed a bug preventing batch processing of files defined by
  relative addressing.

* Xrefs. When Xref data is explicitly requested by the "xref" flag but an
  alert does not have any, it will now explicitly indicate this as
  shown: "Xref => none".


2008-07-06 - Barnyard 2.0.4
[*] Additions
* Syslog support. Two new syslog output plugins have been added to the
  collection. The plugins allow logging to either the local machine's
  syslog daemon or alternatively to a remote syslog daemon over UDP.

* CEF support. One of the aforementioned syslog plugins uses the open
  standard Common Event Format (CEF) from ArcSight. I obtained the CEF
  message structure from Colin Grady, because I'm still waiting for
  ArcSight to send me their "open" standard after numerous emails :(

[*] Improvements
* spo_sguil. Removed two instances of while(1) loops that would cause a
  lockup when the sguil daemon was not up or not responding. It now
  listens for global signals and should exit cleanly when told to do so.

* Spooling. Some minor cleanup was performed in the spooling section to
  improve code layout and readability.


2008-06-02 - Barnyard 2.0.3
[*] Additions
* spo_sguil. Added post init configuration ability to allow testing of the
  sguil plugin. Work in progress.

[*] Improvements
* spo_sguil. Fixed major incompatibilities with the sguil communications
  channel including:
  - network/host byte order mismatch of event ID's, and
  - timestamp rendering

* GetUniqueName. Modified the prioritisation of obtaining/configuring the
  ability to generate a unique machine name. Order of priority is now:
  1. hostname directive
  2. actual machine name


2008-06-01 - Barnyard 2.0.2
[*] Additions
* More databases (experimental). The spo_database plugin was able to be
  ported across with little effort. This means there is now database
  support for MSSQL, MySQL, PostgreSQL, any unixODBC and Oracle. Awesome!

* Sguil support (experimental). We have started converting the original
  Sguil plugin to the new API. This is a big milestone as it will now
  allow us to start working on a more contemporary frontend for Sguil.

* Waldo files. The waldo file is now supported, providing bookmarking for
  file processing in the event of a barnyard crash or similar.

[*] Improvements
* Fixed segfault bugs in the event spooling routines in spo_log_ascii
  and spo_sguil.

* Cleaned up output format of spo_alert_fast.


2008-05-10 - Barnyard 2.0.1
[*] Additions
* Unified2 support. Since the release of Snort 2.8.0 a new output plugin
  named 'unified2' will address all the shortfalls of the original
  unified output plugin. The new format supports multiple records in the
  one format as well as expansion for additional records such as packet
  statistics, etc in the future.

* 64-bit support. Support for 64-bit systems has been considered from the
  outset. However, given that we don't have any 64-bit machines to test
  the current builds on we will wait for community feedback on this.

[*] Improvements
* Plugin structure. Given that we initially fused the majority of the
  current Snort core with the original barnyard code and improved from
  there, we have attained/retained a similar output plugin API to that of
  Snort. This requires only slight modification to existing Snort output
  plugins to work with Barnyard. This may change to full compatibility in
  the future depending on feedback.