Whoops, forgot to cc this on the list...<br><br><div class="gmail_quote">On Fri, Jul 9, 2010 at 1:18 PM, Xavier Lange <span dir="ltr"><<a href="mailto:xrlange@gmail.com">xrlange@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Reason for suppression: I'm writing to a fifo for easy ipc. I've got my own barnyard-esque app and given my constraints it's easier to use a fifo (it has some properties I prefer). Snort had this feature in its log config so I thought it would handy here as well.<div>
<br></div><div>Out of curiosity, any reason to avoid adding the field to a threadvar?</div><div><br></div><div><font color="#888888">Xavier</font><div><div></div><div class="h5"><br><br><div class="gmail_quote">On Fri, Jul 9, 2010 at 12:48 PM, Victor Julien <span dir="ltr"><<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I guess my first question would be "what do you need to suppress it for?"<br>
<div><br>
Xavier Lange wrote:<br>
> What behavior would people like if you're suppressing the unified2<br>
> timestamp field? I'm hacking up some changes to suppress the timestamp<br>
> and I've got two options:<br>
><br>
> a) Reset the file when the limit is hit<br>
> b) Ignore the file limit and just keep writing<br>
><br>
> I think a is the better choice is a because the user has specified the<br>
> file size limit in their config. Either behavior is fine by me.<br>
><br>
> Here's the config I'm envisioning:<br>
> - unified2-alert:<br>
> enabled: yes<br>
> filename: unified2.alert<br>
> timestamp: false<br>
><br>
> And just have it keep writing to a file (in my case I'm writing to a<br>
> fifo for ez IPC).<br>
><br>
> The code I'm looking at changing:<br>
> * tm-modules.h<br>
> * Add (int) suppress_timestamp to LogFileCtx_.<br>
<br>
</div>I don't think this chance is necessary. You can get a new option for<br>
just unified2 in Unified2AlertInitCtx.<br>
<div><br>
> * Or come up with a convention where non-null filename and null prefix<br>
> imply suppression of timestamp.<br>
> * Unified2AlertInitCtx<br>
> * Inspect ConfNode to detect presence and value of "timestamp", alter<br>
> file_ctx accordingly<br>
<br>
</div>In Unified2AlertOpenFileCtx you could check for the option as it was<br>
retrieved by Unified2AlertInitCtx. The option can just be saved to a<br>
local static variable.<br>
<br>
Cheers,<br>
Victor<br>
<div><br>
> * Unified2<br>
> * Check suppress_timestamp or the convention, and then implement<br>
> strategy a) or b).<br>
><br>
> Ideas? Feedback?<br>
><br>
><br>
</div>> ------------------------------------------------------------------------<br>
><br>
> _______________________________________________<br>
> Oisf-devel mailing list<br>
> <a href="mailto:Oisf-devel@openinfosecfoundation.org" target="_blank">Oisf-devel@openinfosecfoundation.org</a><br>
> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
<font color="#888888"><br>
<br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<br>
</font></blockquote></div><br></div></div></div>
</blockquote></div><br>