[Oisf-devel] Suppressing unified2 file timestamp

Xavier Lange xrlange at gmail.com
Fri Jul 9 21:11:48 UTC 2010


Whoops, forgot to cc this on the list...

On Fri, Jul 9, 2010 at 1:18 PM, Xavier Lange <xrlange at gmail.com> wrote:

> Reason for suppression: I'm writing to a fifo for easy ipc. I've got my own
> barnyard-esque app and given my constraints it's easier to use a fifo (it
> has some properties I prefer). Snort had this feature in its log config so I
> thought it would be handy here as well.
>
> Out of curiosity, any reason to avoid adding the field to a threadvar?
>
> Xavier
>
>
> On Fri, Jul 9, 2010 at 12:48 PM, Victor Julien <victor at inliniac.net> wrote:
>
>> I guess my first question would be "what do you need to suppress it for?"
>>
>> Xavier Lange wrote:
>> > What behavior would people like if you're suppressing the unified2
>> > timestamp field? I'm hacking up some changes to suppress the timestamp
>> > and I've got two options:
>> >
>> > a) Reset the file when the limit is hit
>> > b) Ignore the file limit and just keep writing
>> >
>> > I think a is the better choice because the user has specified the
>> > file size limit in their config. Either behavior is fine by me.
>> >
>> > Here's the config I'm envisioning:
>> >   - unified2-alert:
>> >       enabled: yes
>> >       filename: unified2.alert
>> >       timestamp: false
>> >
>> > And just have it keep writing to a file (in my case I'm writing to a
>> > fifo for ez IPC).
>> >
>> > The code I'm looking at changing:
>> > * tm-modules.h
>> >   * Add (int) suppress_timestamp to LogFileCtx_.
>>
>> I don't think this change is necessary. You can get a new option for
>> just unified2 in Unified2AlertInitCtx.
>>
>> >   * Or come up with a convention where non-null filename and null prefix
>> > imply suppression of timestamp.
>> > * Unified2AlertInitCtx
>> >   * Inspect ConfNode to detect presence and value of "timestamp", alter
>> > file_ctx accordingly
>>
>> In Unified2AlertOpenFileCtx you could check for the option as it was
>> retrieved by Unified2AlertInitCtx. The option can just be saved to a
>> local static variable.
>>
>> Cheers,
>> Victor
>>
>> > * Unified2
>> >   * Check suppress_timestamp or the convention, and then implement
>> > strategy a) or b).
>> >
>> > Ideas? Feedback?
>> >
>> >
>> > ------------------------------------------------------------------------
>> >
>> > _______________________________________________
>> > Oisf-devel mailing list
>> > Oisf-devel at openinfosecfoundation.org
>> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>>
>