[Oisf-devel] Suppressing unified2 file timestamp
Victor Julien
victor at inliniac.net
Mon Jul 12 14:34:52 UTC 2010
Basically you do the changes in a local branch, commit them and run the
command "git format-patch -N" where N is the number of commits you have
done. So if you did all changes in one commit "git format-patch -1".
This gets you a patch file that you can send to me :)
Xavier Lange wrote:
> Great! Now I've used the instructions from doc/GITGUIDE and I created my
> branch and merged back in to master. How do I get these changes out to you?
>
> Xavier
>
> On Fri, Jul 9, 2010 at 2:18 PM, Victor Julien <victor at inliniac.net> wrote:
>
> Xavier Lange wrote:
> > Whoops, forgot to cc this on the list...
> >
> > On Fri, Jul 9, 2010 at 1:18 PM, Xavier Lange <xrlange at gmail.com> wrote:
> >
> > Reason for suppression: I'm writing to a fifo for easy ipc. I've got
> > my own barnyard-esque app and given my constraints it's easier to
> > use a fifo (it has some properties I prefer). Snort had this feature
> > in its log config so I thought it would be handy here as well.
> >
> > Out of curiosity, any reason to avoid adding the field to a
> > threadvar?
>
> Basically the different logging modules are each separate modules. I'd
> like each module to be as separated from the others as possible. We have
> a bunch of logging/output modules that don't use the timestamp: fast,
> alert-debuglog, prelude.
>
> Cheers,
> Victor
>
> >
> > Xavier
> >
> >
> > On Fri, Jul 9, 2010 at 12:48 PM, Victor Julien <victor at inliniac.net> wrote:
> >
> > I guess my first question would be "what do you need to suppress
> > it for?"
> >
> > Xavier Lange wrote:
> > > What behavior would people like if you're suppressing the unified2
> > > timestamp field? I'm hacking up some changes to suppress the timestamp
> > > and I've got two options:
> > >
> > > a) Reset the file when the limit is hit
> > > b) Ignore the file limit and just keep writing
> > >
> > > I think a is the better choice because the user has specified the
> > > file size limit in their config. Either behavior is fine by me.
> > >
> > > Here's the config I'm envisioning:
> > > - unified2-alert:
> > >     enabled: yes
> > >     filename: unified2.alert
> > >     timestamp: false
> > >
> > > And just have it keep writing to a file (in my case I'm writing to a
> > > fifo for ez IPC).
> > >
> > > The code I'm looking at changing:
> > > * tm-modules.h
> > >   * Add (int) suppress_timestamp to LogFileCtx_.
> >
> > I don't think this change is necessary. You can get a new option for
> > just unified2 in Unified2AlertInitCtx.
> >
> > >   * Or come up with a convention where non-null filename and null
> > >     prefix imply suppression of timestamp.
> > > * Unified2AlertInitCtx
> > >   * Inspect ConfNode to detect presence and value of "timestamp",
> > >     alter file_ctx accordingly
> >
> > In Unified2AlertOpenFileCtx you could check for the option as it was
> > retrieved by Unified2AlertInitCtx. The option can just be saved to a
> > local static variable.
> >
> > Cheers,
> > Victor
> >
> > > * Unified2
> > >   * Check suppress_timestamp or the convention, and then implement
> > >     strategy a) or b).
> > >
> > > Ideas? Feedback?
> > >
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
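As an added illustration of the approach Victor sketches (the option read once at init and kept in a file-local static, consulted when the file is opened and when the size limit is hit), here is example C that is not Suricata's code; the U2FileCtx struct and the U2* function names are hypothetical stand-ins for LogFileCtx_, Unified2AlertInitCtx and Unified2AlertOpenFileCtx.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical minimal output-file context for this example; it is not
 * Suricata's LogFileCtx_, which the thread mentions. */
typedef struct {
    char path[512];
    size_t size;        /* bytes written so far */
    size_t size_limit;  /* 0 means no limit */
} U2FileCtx;

/* The "timestamp: false" option, read once at init time and kept in a
 * file-local static, as suggested instead of a new LogFileCtx_ field. */
static int u2_suppress_timestamp = 0;

void U2SetSuppressTimestamp(int suppress)
{
    u2_suppress_timestamp = suppress ? 1 : 0;
}

/* Build the output path: "<dir>/<prefix>.<unixtime>" normally, or just
 * "<dir>/<prefix>" when the timestamp is suppressed, so the name is stable
 * and can point at a FIFO. Returns the number of characters written, or -1
 * when the buffer is too small. */
int U2BuildPath(char *out, size_t outlen, const char *dir,
                const char *prefix, time_t now)
{
    int n;
    if (u2_suppress_timestamp)
        n = snprintf(out, outlen, "%s/%s", dir, prefix);
    else
        n = snprintf(out, outlen, "%s/%s.%lu", dir, prefix, (unsigned long)now);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Decide what to do before appending len bytes.
 *   0: the record fits, just write it
 *   1: limit hit, rotate to a new timestamped file (normal behaviour)
 *   2: limit hit, truncate and reuse the same path (option a from the
 *      thread; without a timestamp in the name there is no new name) */
int U2RotatePolicy(const U2FileCtx *ctx, size_t len)
{
    if (ctx->size_limit == 0 || ctx->size + len <= ctx->size_limit)
        return 0;
    return u2_suppress_timestamp ? 2 : 1;
}
```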