Below is some random code I've written for some of the tools I use. Please feel free to use, and link to, this code. I'd also love to hear feedback and suggestions for other patches or tools.
To apply the patches below, you'll need the clean source code for the application (barnyard, dsniff, etc) and the appropriate version of the code. I've tried to name the patches appropriately to help identify the requirements. Once you have that, extract the source and patch the code. Below is an example of the process:
$ tar xzf barnyard-0.2.0.tar.gz $ cd barnyard-0.2.0 $ patch -p1 < /path/to/barnyard-0.2.0-something.patchThat should be it. Enjoy!
The source for dsniff can be found on monkey.org.
- dsniff-2.3-dnsspoof-cmg.patch - 2009-08-11
- - Supports optional logging to syslog.
- Allows for listening and spoofing on separate interfaces, which can be great for use with Snort.
- Adds additional host entry types (ignore, alert, spoof) for more flexible actions and logging.
- Adds daemon and silent modes of operation.
# ./dnsspoof -h Version: 2.3-cmg Usage: dnsspoof [-Dqlh] [-i interface] [-o interface] [-f hostsfile] [expression] -D Run as a daemon -q Don't print to the screen -l Log matches/actions to syslog -h Show this syntax help -i Interface to listen on (in) -o Interface to send spoofs on (out) -f Hosts file
The source for Barnyard can be found on snort.org.
- barnyard-0.2.0-schema107.patch - 2006-04-06
- - Patch for Barnyard 0.2.0 to add support for the Snort DB schema 107. Barnyard will continue to support schema 106 by identifying the schema version when connecting and making schema-dependant queries. Schema 107 was introduced with Snort 2.6 and adds generator ID logging to the signature table. This patch also addresses the signature revision issue where it is always zero.
- barnyard-0.2.0-caching.patch - 2006-04-07
- - Enables the caching of signature IDs associated with the signatures in the database. Signature IDs in the database are not the same as a signature SID in the scope of the database. Normally Barnyard must query the database with every alert to determine the signature ID -- way more overhead than necessary. This patch will reduce the total number of database transactions by almost 20% over the life of the Barnyard process.
- barnyard-0.2.0-combined.patch - 2008-02-26
- - Combined -schema107 and -caching patches above.
- barnyard-0.2.0-cleanup.patch - 2006-05-27
- - Add fclose() functions as appropriate to three functions that were
neglecting to close files getting opened.
- Removes an extra fopen() call in another function that was opening the same file twice.
- Compiler warnings have been addressed and fixed.
- barnyard-0.2.0-syslog2.patch - 2008-01-08
- - Reformats the syslog messages coming out of op_alert_syslog2 to match the format used by Snort's syslog output with interface name. This can be useful with some log parsing tools that are expecting a specific Snort log format.
- barnyard-0.2.0-cef.patch - 2008-01-30
- - Adds an op_alert_cef output plugin that supports the Common
Event Format (CEF) as defined by ArcSight.
Please note this does not provide payloads, so using ArcSight's native
solution is probably the better option. Below is an example
configuration (patch also adds this to example barnyard.conf):
# alert_cef #------------------------------- # Generates an ArcSight CEF syslog alert. # # output alert_cef: facility LOCAL4, severity ALERT, \ # syslog_host localhost, syslog_port 514
Maintained (off and on) since 2005 by Colin Grady. Patches and code follow the same licensing as that of the original application.