Hi, when I read the Suricata 1.1b2 source code, I find some problems related to "Decode Event".

First, the definition of decode event may not be flexible:

    typedef struct PacketDecoderEvents_ {
        uint8_t cnt;                              /**< number of events */
        uint8_t events[PACKET_DECODER_EVENT_MAX]; /**< array of events */
    } PacketDecoderEvents;

The max events may be defined as DECODE_EVENT_MAX, which is the MAX of the decode events in the enum. As a benefit, we don't check whether the decode event number exceeds 15, like:

    if ((p)->events.cnt < PACKET_DECODER_EVENT_MAX) {

Second, I don't find the code for reporting decode events; only events generated from signature matches are reported.

Third, I think there should be a filter to control the reporting of decode events, with a configuration file like the following:

file name: decode-event.conf
file content:

    [decode_event1]
    Name:ethernet_pkt_too_small
    Match:yes

    [decode_event2]
    Name:ipv4_pkt_too_small
    Match:yes

Then, when a decode event is generated and output to files or the prelude plugin, we can decide whether to report this decode event or not.

Code like:

    typedef struct _decode_event_conf_t {
        char name[128];
        uint8_t match;
    } decode_event_conf_t;

    typedef struct _decode_event_t {
        uint8_t enable;
        char *event_name;
    } decode_event_t;

    /* sized DECODE_EVENT_MAX + 1 so the sentinel entry at index DECODE_EVENT_MAX is in bounds */
    decode_event_t decode_event[DECODE_EVENT_MAX + 1] = {
        [ETHERNET_PKT_TOO_SMALL] = {0, "ethernet_pkt_too_small"},
        [IPV4_HLEN_TOO_SMALL]    = {0, "ipv4_hlen_too_small"},
        .
        .
        .
        .
        /* not used */
        [DECODE_EVENT_MAX] = {0, "decode_max"}
    };

At init, we can set the item to 1 if the decode event's Match is yes, otherwise 0:

    int decode_event_conf_init(char *path) {
        /* code to parse the decode-event.conf file */
        ..........
        ..........
        for (int i = 0; i < DECODE_EVENT_MAX; i++) {
            /* decode_event_conf holds one parsed [decode_eventN] entry */
            if (!strcasecmp(decode_event_conf.name, decode_event[i].event_name)) {
                decode_event[i].enable = 1;
            }
        }

        /* other code */
    }

    /* check whether this decode event should be reported or not
       1: report
       0: NOT report
    */
    static inline int report_decode_event(int event_id)
    {
        /* if we only use ids defined in the enum, this check may not be needed */
        if (event_id < IPV4_PKT_TOO_SMALL || event_id >= DECODE_EVENT_MAX) {
            fprintf(stderr, "Invalid decode event ID (%d)!\n", event_id);
            goto err;
        }

        if (decode_event[event_id].enable == 1) {
            return 1;
        }

        return 0;
    err:
        return 0;
    }
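As an added example (not code from the original post or from Suricata), here is a working version of the proposed filter in C: a constructed three-event stand-in for the decode-event enum, a parser for the proposed decode-event.conf format that reads an embedded sample string instead of a file, and report_decode_event() with the range check done before the table is indexed. The enum contents, the DECODE_EVENT_CONF sample and the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed three-entry stand-in for Suricata's decode-event enum. */
enum { IPV4_PKT_TOO_SMALL = 0, IPV4_HLEN_TOO_SMALL, ETHERNET_PKT_TOO_SMALL, DECODE_EVENT_MAX };
typedef struct { uint8_t enable; const char *event_name; } decode_event_t;

/* Every event starts disabled; only names the conf marks Match:yes are reported. */
static decode_event_t decode_event[DECODE_EVENT_MAX] = {
    [IPV4_PKT_TOO_SMALL]     = {0, "ipv4_pkt_too_small"},
    [IPV4_HLEN_TOO_SMALL]    = {0, "ipv4_hlen_too_small"},
    [ETHERNET_PKT_TOO_SMALL] = {0, "ethernet_pkt_too_small"},
};
/* Constructed sample decode-event.conf contents, in the post's format. */
static const char DECODE_EVENT_CONF[] =
    "[decode_event1]\nName:ethernet_pkt_too_small\nMatch:yes\n"
    "[decode_event2]\nName:ipv4_pkt_too_small\nMatch:no\n[decode_event3]\nName:no_such_event\nMatch:yes\n";

/* Parse conf text line by line: "Name:" remembers an event name, the following "Match:"
 * line applies it (yes enables, anything else disables). Unknown names are logged and
 * ignored. Returns the number of events enabled. */
int decode_event_conf_load(const char *conf) {
    char name[128] = "";
    int enabled = 0;
    for (const char *line = conf; line && *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len > 5 && strncasecmp(line, "Name:", 5) == 0) {
            size_t n = len - 5 < sizeof(name) - 1 ? len - 5 : sizeof(name) - 1;  /* bounded copy */
            memcpy(name, line + 5, n);
            name[n] = '\0';
        } else if (len >= 6 && strncasecmp(line, "Match:", 6) == 0 && name[0]) {
            int yes = (len == 9 && strncasecmp(line + 6, "yes", 3) == 0), found = 0;
            for (int i = 0; i < DECODE_EVENT_MAX; i++) {
                if (strcasecmp(name, decode_event[i].event_name) != 0) continue;
                decode_event[i].enable = (uint8_t)yes;
                enabled += yes; found = 1;
            }
            if (!found) fprintf(stderr, "decode-event.conf: unknown event '%s'\n", name);
            name[0] = '\0';   /* each Match: needs its own preceding Name: */
        }
        line = nl ? nl + 1 : NULL;
    }
    return enabled;
}

/* 1 = report this decode event, 0 = suppress; out-of-range ids are rejected before indexing. */
int report_decode_event(int event_id) {
    if (event_id < 0 || event_id >= DECODE_EVENT_MAX) return 0;
    return decode_event[event_id].enable == 1;
}
```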