hi, when I read the suricata 1.1b2 source code, I found some problems related to "Decode Event".

First, the definition of the decode event may not be flexible:

typedef struct PacketDecoderEvents_ {
    uint8_t cnt;                                /**< number of events */
    uint8_t events[PACKET_DECODER_EVENT_MAX];   /**< array of events */
} PacketDecoderEvents;

The max events could be defined using DECODE_EVENT_MAX, which is the MAX of the decode events in the enum. As a benefit, we don't need to check whether the decode event number exceeds 15, like:

if ((p)->events.cnt < PACKET_DECODER_EVENT_MAX) {

Second, I don't find the code for reporting decode events; only events generated from a signature match are reported.

Third, I think there should be a filter to control the reporting of decode events, with a configuration file like the following:

file name: decode-event.conf
file content:

[decode_event1]
Name:ethernet_pkt_too_small
Match:yes

[decode_event2]
Name:ipv4_pkt_too_small
Match:yes

Then, when a decode event is generated and output to files or to the prelude plugin, we can decide whether to report this decode event or not.

Code like:

#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

typedef struct _decode_event_conf_t {
        char name[128];
        uint8_t match;
} decode_event_conf_t;

typedef struct _decode_event_t {
        uint8_t enable;             /* 1 = report this event, 0 = do not report */
        char *event_name;           /* name used in decode-event.conf */
} decode_event_t;

/* one entry per decode event id; +1 so the unused DECODE_EVENT_MAX entry stays in bounds */
decode_event_t decode_event[DECODE_EVENT_MAX + 1] = {
        [ETHERNET_PKT_TOO_SMALL] = {0, "ethernet_pkt_too_small"},
        [IPV4_HLEN_TOO_SMALL]    = {0, "ipv4_hlen_too_small"},
        .
        .
        .
        /* not used */
        [DECODE_EVENT_MAX]       = {0, "decode_max"}
};

When initializing, we can set the item to 1 if the decode event match is yes, otherwise to 0:

int decode_event_conf_init(char *path) {
        decode_event_conf_t decode_event_conf;   /* one parsed [decode_eventN] section */
        /* code to parse the decode-event.conf file */
        ..........
        ..........
        for (int i = 0; i < DECODE_EVENT_MAX; i++) {
                if (!strcasecmp(decode_event_conf.name, decode_event[i].event_name)) {
                        decode_event[i].enable = 1;
                }
        }

        /* other code */
        return 0;
}

/* check whether this decode event should be reported or not
1, report
0, NOT report
*/
static inline int report_decode_event(int event_id)
{
        /* if we only use ids defined in the enum, this check may not be needed */
        if (event_id < IPV4_PKT_TOO_SMALL || event_id >= DECODE_EVENT_MAX) {
                fprintf(stderr, "Invalid decode event ID(%d)!\n", event_id);
                goto err;
        }

        if (decode_event[event_id].enable == 1) {
                return 1;
        }

        return 0;
err:
        return 0;
}
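As an added example (not code from the post or from Suricata itself), here is a compilable version of the filter proposed above: an enable table indexed by a decode-event enum, a loader for the proposed decode-event.conf format fed from a constructed in-memory sample, and the report check with its bounds test. The enum members and their values, the function names and the SAMPLE_CONF contents are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L   /* strcasecmp/strncasecmp live in <strings.h> */
#include <stdint.h>
#include <string.h>
#include <strings.h>
/* Event ids modelled on Suricata's decode-event enum; the subset and values are assumptions for this example */
enum { ETHERNET_PKT_TOO_SMALL = 0, IPV4_PKT_TOO_SMALL, IPV4_HLEN_TOO_SMALL, DECODE_EVENT_MAX };
/* enable: 1 = report this event, 0 = suppress; event_name: key used in decode-event.conf */
typedef struct { uint8_t enable; const char *event_name; } decode_event_t;
static decode_event_t decode_event[DECODE_EVENT_MAX] = {   /* indexed by event id */
    [ETHERNET_PKT_TOO_SMALL] = {0, "ethernet_pkt_too_small"},
    [IPV4_PKT_TOO_SMALL]     = {0, "ipv4_pkt_too_small"},
    [IPV4_HLEN_TOO_SMALL]    = {0, "ipv4_hlen_too_small"},
};
/* Constructed sample of the proposed decode-event.conf (not a real Suricata file). */
static const char SAMPLE_CONF[] =
    "[decode_event1]\nName:ethernet_pkt_too_small\nMatch:yes\n"
    "[decode_event2]\nName:ipv4_pkt_too_small\nMatch:no\n"
    "[decode_event3]\nName:ipv4_hlen_too_small\nMatch:yes\n";
/* Parse the "[decode_eventN]" / "Name:x" / "Match:yes" format from a buffer; returns how
   many events were enabled. Unknown names and a Match: line with no prior Name: are ignored. */
int decode_event_conf_load(const char *conf)
{
    char name[128] = "";
    int enabled = 0;
    const char *line = conf;
    while (line != NULL && *line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len > 5 && strncasecmp(line, "Name:", 5) == 0) {
            size_t n = len - 5 < sizeof(name) ? len - 5 : sizeof(name) - 1; /* clamp */
            memcpy(name, line + 5, n); name[n] = '\0';
        } else if (len == 9 && strncasecmp(line, "Match:yes", 9) == 0 && name[0]) {
            for (int i = 0; i < DECODE_EVENT_MAX; i++)
                if (strcasecmp(name, decode_event[i].event_name) == 0) {
                    decode_event[i].enable = 1;
                    enabled++;
                }
            name[0] = '\0';  /* a Match line applies only to the Name before it */
        }
        line = nl ? nl + 1 : NULL;
    }
    return enabled;
}
/* 1 = report, 0 = drop; ids outside the enum are rejected (the post's bounds check) */
int report_decode_event(int event_id)
{
    if (event_id < 0 || event_id >= DECODE_EVENT_MAX) return 0;
    return decode_event[event_id].enable == 1;
}
```

The loader deliberately keeps the bounds check separate from the table lookup, so an output plugin can call report_decode_event() with any integer it receives without reading past the table.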