[Oisf-devel] decode event definition and report problem

jiaoyf jiaoyf mail2walker at gmail.com
Tue Aug 2 07:41:40 UTC 2011


Thanks for telling me about the decode event report, now I found the keyword
"decode-event" code.
But there is still a problem: when a decode-event is generated, the match code is like

DetectDecodeEventMatch->DECODER_ISSET_EVENT

#define DECODER_ISSET_EVENT(p, e) ({ \
    int r = 0; \
    uint8_t u; \
    for (u = 0; u < (p)->events.cnt; u++) { \
        if ((p)->events.events[u] == (e)) { \
            r = 1; \
            break; \
        } \
    } \
    r; \
})

so we have to compare multiple times for a decode-event defined in a signature.
If we have N decode-events defined in rule files, we have to compare up to
N*p->events.cnt times. Why don't we use a hash to store decode-events as I
mentioned?

/** number of decoder events we support per packet. Power of 2 minus 1
 *  for memory layout */
#define PACKET_DECODER_EVENT_MAX 15

/** data structure to store decoder, defrag and stream events */
typedef struct PacketDecoderEvents_ {
    uint8_t cnt;                                /**< number of events */
    uint8_t events[PACKET_DECODER_EVENT_MAX];   /**< array of events */
} PacketDecoderEvents;

The max number of decode-events is defined as the MAX in the decode-event enum
type, as

typedef struct PacketDecoderEvents_ {
    uint8_t cnt;                        /**< number of events */ /* I think cnt may not be needed anymore */
    uint8_t events[DECODE_EVENT_MAX];   /**< array of events, indexed by event id */
} PacketDecoderEvents;

When a decode event is generated, we can use code like:

/* OLD codes*/
#define DECODER_SET_EVENT(p, e) do { \
    if ((p)->events.cnt < PACKET_DECODER_EVENT_MAX) { \
        (p)->events.events[(p)->events.cnt] = e; \
        (p)->events.cnt++; \
    } \
} while(0)

/*NEW codes*/
#define DECODER_SET_EVENT(p, e) do { \
    if ((e) < DECODE_EVENT_MAX) { /* bounds check on the event id; usually passes */ \
        (p)->events.events[(e)] = 1; \
    } else { \
        BUG(); /* oops, you did not use a decode-event defined in the enum type */ \
    } \
} while(0)

New match code like
#define DECODER_ISSET_EVENT(p, e) ({ \
    int r; \
    if ((p)->events.events[(e)] == 1) { \
        r = 1; \
    } else { \
        r = 0; \
    } \
    r; \
})

So the index of the events array is the definition of the decode-event. We can check
whether the decode-event was generated directly, without comparing in a for loop anymore.
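As an added illustration (not code from the original mail or from Suricata), the two layouts side by side in plain C: the old linear-scan list and the proposed table indexed by event id, with a bounds check on the id standing in for the BUG() case. The event ids are constructed for the example:

```c
#include <stdint.h>
#include <string.h>

/* Constructed event ids; Suricata's real enum is much longer. */
enum {
    IPV4_PKT_TOO_SMALL,
    IPV4_HLEN_TOO_SMALL,
    TCP_PKT_TOO_SMALL,
    DECODE_EVENT_MAX          /* one past the last defined event */
};

/* Old layout: a list of event ids, searched linearly on every match. */
#define PACKET_DECODER_EVENT_MAX 15
typedef struct { uint8_t cnt; uint8_t events[PACKET_DECODER_EVENT_MAX]; } OldEvents;

/* Proposed layout: one flag per event id, indexed by the enum value. */
typedef struct { uint8_t events[DECODE_EVENT_MAX]; } NewEvents;

static void old_set(OldEvents *ev, uint8_t e) {
    if (ev->cnt < PACKET_DECODER_EVENT_MAX)
        ev->events[ev->cnt++] = e;
}
static int old_isset(const OldEvents *ev, uint8_t e) {
    for (uint8_t u = 0; u < ev->cnt; u++)      /* O(cnt) per rule */
        if (ev->events[u] == e) return 1;
    return 0;
}

/* Returns 0 on success, -1 if e is outside the enum (the BUG() case). */
static int new_set(NewEvents *ev, unsigned e) {
    if (e >= DECODE_EVENT_MAX) return -1;        /* bounds check on the index */
    ev->events[e] = 1;
    return 0;
}
static int new_isset(const NewEvents *ev, unsigned e) {
    return e < DECODE_EVENT_MAX && ev->events[e]; /* O(1) per rule */
}

/* Sets the same events both ways and returns 1 if every lookup agrees
 * and an out-of-range id is rejected by the new layout. */
int tables_agree(void) {
    OldEvents o; NewEvents n;
    memset(&o, 0, sizeof o); memset(&n, 0, sizeof n);
    old_set(&o, IPV4_HLEN_TOO_SMALL); new_set(&n, IPV4_HLEN_TOO_SMALL);
    old_set(&o, TCP_PKT_TOO_SMALL);   new_set(&n, TCP_PKT_TOO_SMALL);
    for (unsigned e = 0; e < DECODE_EVENT_MAX; e++)
        if (old_isset(&o, e) != new_isset(&n, e)) return 0;
    return new_set(&n, DECODE_EVENT_MAX) == -1;
}
```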