Difference between pages "Barnyard2" and "Chrome Disk Cache Format"

From ForensicsWiki

= Barnyard2 =

== About ==

Barnyard2 is an open source interpreter for Snort unified2 binary output files. Its primary use is allowing Snort to write to disk in an efficient manner and leaving the task of parsing binary data into various formats to a separate process that will not cause Snort to miss network traffic.

Barnyard2 has 3 modes of operation:

# batch (or one-shot),
# continual, and
# continual w/ bookmark.

In batch (or one-shot) mode, barnyard2 will process the explicitly specified file(s) and exit.

In continual mode, barnyard2 will start with a location to look and a specified file pattern and continue to process new data (and new spool files) as they appear.

Continual mode w/ bookmarking will also use a checkpoint file (or waldo file in the snort world) to track where it is. In the event the barnyard2 process ends while a waldo file is in use, barnyard2 will resume processing at the last entry as listed in the waldo file.

The "-f", "-w", and "-o" options are used to determine which mode barnyard2 will run in. It is legal for both the "-f" and "-w" options to be used on the command line at the same time; however, any data that exists in the waldo file will override the command line data from the "-f" and "-d" options. See the command directives section below for more detail.

Barnyard2 processing is controlled by two main types of directives: input processors and output plugins. The input processors read information in from a specific format (currently the spo_unified2 output module of Snort) and output them in one of several ways.

== History ==

Barnyard is a critical tool for the parsing of Snort's unified binary files, processing and on-forwarding to a variety of output plugins. Unfortunately it has not seen an update in over 4 years and is not going to be maintained by the original developers. With the new version of the unified format (i.e. unified2) arriving we need something to bridge this gap.

To quote directly from the Snort FAQ:

* "Barnyard is an output system for Snort. Snort creates a special binary output format called unified. Barnyard reads this file, and then resends the data to a database backend. Unlike the database output plug-in, Barnyard is aware of a failure to send the alert to the database, and it stops sending alerts. It is also aware when the database can accept connections again and will start sending the alerts again."

The SXL team love barnyard. So much so that we want it to stay and have been tinkering around with the code to give it a breath of new life. Here is what we have achieved so far for this reinvigorated code base:

* Parsing of the new unified2 log files.
* Maintaining majority of the command syntax of barnyard.
* Addressed all associated bug reports and feature requests arising since barnyard-0.2.0.
* Completely rewritten code based on the GPLv2 Snort making it entirely GPLv2.

== References ==

All information on this page is referenced to [http://www.securixlive.com/barnyard2/about.php securixlive.com] where further information about Barnyard can be found.

= Chrome Disk Cache Format =

Revision as of 03:43, 22 June 2014

{{expand}}

== Cache files ==

The cache is stored in multiple files:

{| class="wikitable"
|-
! Filename
! Description
|-
| index
| The index file
|-
| data_#
| Data block files
|-
| f_######
| (Separate) data stream file
|}

== Cache address ==

The cache address is 4 bytes in size and consists of:

{| class="wikitable"
|-
! offset (byte.bit)
! size
! value
! description
|-
| <i>If file type is 0 (Separate file)</i>
|
|
|
|-
| 0.0
| 28 bits
|
| File number <br> The value represents the value of # in f_######
|-
| <i>Else</i>
|
|
|
|-
| 0.0
| 16 bits
|
| Block number
|-
| 2.0
| 8 bits
|
| File number (or file selector) <br> The value represents the value of # in data_#
|-
| 3.0
| 2 bits
|
| Block size <br> The number of contiguous blocks, where 0 represents 1 block and 3 represents 4 blocks.
|-
| 3.2
| 2 bits
|
| Reserved
|-
| <i>Common</i>
|
|
|
|-
| 3.4
| 3 bits
|
| File type
|-
| 3.7
| 1 bit
|
| Initialized flag
|}

=== File types ===

{| class="wikitable"
|-
! Value
! Description
|-
| 0
| (Separate) data stream file
|-
| 1
| (Rankings) block data file (36 byte block data file)
|-
| 2
| 256 byte block data file
|-
| 3
| 1024 byte block data file
|-
| 4
| 4096 byte block data file
|-
| 6
| Unknown; seen on Mac OS X 0x6f430074
|}

==== Examples ====

{| class="wikitable"
|-
! Value
! Description
|-
| 0x00000000
| Not initialized
|-
| 0x8000002a
| Data stream file: f_00002a
|-
| 0xa0010003
| Block data file: data_1, block number 3, 1 block
|}

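As an added example (not code from this wiki page or from the Chromium project), the following Python decodes a 32-bit cache address according to the bit layout in the tables above and reproduces the three example values. It assumes the 4 bytes are stored little-endian, so byte offset 0 holds the low-order bits; that is consistent with the example 0xa0010003 decoding to block number 3. The function names and the returned dictionary layout are mine.

```python
"""Decode Chrome disk cache addresses (constructed example, not Chromium's own code)."""
import struct

# Block sizes in bytes for the block-data file types listed in the File types table.
BLOCK_SIZES = {1: 36, 2: 256, 3: 1024, 4: 4096}

FILE_TYPE_NAMES = {
    0: "(Separate) data stream file",
    1: "(Rankings) block data file (36 byte blocks)",
    2: "256 byte block data file",
    3: "1024 byte block data file",
    4: "4096 byte block data file",
}


def parse_cache_address(value):
    """Split a 32-bit cache address into its fields.

    Returns a dict. Fields that do not apply to the file type are omitted;
    an uninitialized address yields only the raw value and the two common fields.
    """
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("cache address must fit in 32 bits")
    # Common fields live in the top byte (byte offset 3).
    initialized = bool(value >> 31)        # byte 3, bit 7
    file_type = (value >> 28) & 0x7        # byte 3, bits 4..6
    result = {
        "raw": value,
        "initialized": initialized,
        "file_type": file_type,
        "file_type_name": FILE_TYPE_NAMES.get(file_type, "Unknown"),
    }
    if not initialized:
        return result
    if file_type == 0:
        # Separate data stream file: 28-bit file number, the # in f_######.
        result["file_number"] = value & 0x0FFFFFFF
        result["filename"] = "f_%06x" % result["file_number"]
    else:
        result["block_number"] = value & 0xFFFF            # bytes 0..1
        result["file_number"] = (value >> 16) & 0xFF       # byte 2, the # in data_#
        # Block size field: 0 means 1 contiguous block, 3 means 4 blocks.
        result["block_count"] = ((value >> 24) & 0x3) + 1  # byte 3, bits 0..1
        result["reserved"] = (value >> 26) & 0x3           # byte 3, bits 2..3
        result["filename"] = "data_%d" % result["file_number"]
        if file_type in BLOCK_SIZES:
            # Total bytes covered by the run of contiguous blocks.
            result["byte_length"] = result["block_count"] * BLOCK_SIZES[file_type]
    return result


def parse_cache_address_bytes(raw):
    """Decode the 4 on-disk bytes (assumed little-endian) into the same fields."""
    if len(raw) != 4:
        raise ValueError("cache address is exactly 4 bytes")
    return parse_cache_address(struct.unpack("<I", raw)[0])


def describe(value):
    """Render an address the way the Examples table on the page describes it."""
    a = parse_cache_address(value)
    if not a["initialized"]:
        return "Not initialized"
    if a["file_type"] == 0:
        return "Data stream file: %s" % a["filename"]
    n = a["block_count"]
    return "Block data file: %s, block number %d, %d block%s" % (
        a["filename"], a["block_number"], n, "" if n == 1 else "s")


if __name__ == "__main__":
    # The three example values from the page.
    for example in (0x00000000, 0x8000002A, 0xA0010003):
        print("0x%08x -> %s" % (example, describe(example)))
```

When walking an index or rankings block during an examination, decode every address with parse_cache_address_bytes and check the initialized flag before following it; an uninitialized address points nowhere, and a file type outside the table (such as the value 6 noted above) should be reported rather than dereferenced.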
== Index file format (index) ==

Overview:

* File header
* least recently used (LRU) data (or eviction control data)
* index table

=== File header ===

*TODO*

== Data block file format (data_#) ==

Overview:

* File header
* array of blocks

=== File header ===

*TODO*

== Data stream ==

See: [[gzip]]

== See Also ==

* [[Google Chrome]]
* [[gzip]]

== External Links ==

* [http://www.chromium.org/developers/design-documents/network-stack/disk-cache Disk Cache], The Chromium Projects

[[Category:File Formats]]