[Oisf-devel] decode event definition and report problem
Eric Leblond
eric at regit.org
Tue Aug 2 15:51:00 UTC 2011
Hello,
On Tuesday 02 August 2011 at 15:41 +0800, jiaoyf jiaoyf wrote:
> thanks for telling me about the decode-event report; now I found the
> "decode-event" code.
> but there is still a problem: when a decode-event is generated, the match code looks like
>
> DetectDecodeEventMatch->DECODER_ISSET_EVENT
>
> #define DECODER_ISSET_EVENT(p, e) ({ \
>     int r = 0; \
>     uint8_t u; \
>     for (u = 0; u < (p)->events.cnt; u++) { \
>         if ((p)->events.events[u] == (e)) { \
>             r = 1; \
>             break; \
>         } \
>     } \
>     r; \
> })
>
> so we have to compare multiple times for a decode-event defined in a
> signature. if we have N decode-events defined in the rule files, we have to
> compare up to N*p->events.cnt times, so why don't we use a hash to store
> decode-events as I mentioned?
From what I read, it seems you don't get how it is organized. The events
field is an array used to store a list of events linked to the
associated packet. For example, we could have a packet with
IP_CHECKSUM_INVALID and TCP_CHECKSUM_INVALID. This would give an events
field like:
p->events.cnt = 2
p->events.events = [IP_CHECKSUM_INVALID, TCP_CHECKSUM_INVALID, 0, ..., 0]
Thus the check will only do an equality test for events defined on the
packet (and not all the possible events).
Is this explanation clear?
BR,
>
> /** number of decoder events we support per packet. Power of 2 minus 1
>  *  for memory layout */
> #define PACKET_DECODER_EVENT_MAX 15
>
> /** data structure to store decoder, defrag and stream events */
> typedef struct PacketDecoderEvents_ {
>     uint8_t cnt;                              /**< number of events */
>     uint8_t events[PACKET_DECODER_EVENT_MAX]; /**< array of events */
> } PacketDecoderEvents;
>
> the max number of decode-events is defined as the MAX in the decode-event
> enum type, as:
>
> typedef struct PacketDecoderEvents_ {
>     uint8_t cnt;                      /**< number of events */ /* I think the cnt may not be needed anymore */
>     uint8_t events[DECODE_EVENT_MAX]; /**< array of events */
> } PacketDecoderEvents;
>
> when a decode event is generated, we can use code like:
>
> /* OLD code */
> #define DECODER_SET_EVENT(p, e) do { \
>     if ((p)->events.cnt < PACKET_DECODER_EVENT_MAX) { \
>         (p)->events.events[(p)->events.cnt] = e; \
>         (p)->events.cnt++; \
>     } \
> } while(0)
>
> /* NEW code: the event id itself is the array index, so it is the id that
>  * must be range-checked against the enum, not cnt */
> #define DECODER_SET_EVENT(p, e) do { \
>     if ((e) < DECODE_EVENT_MAX) { /* usually the case */ \
>         (p)->events.events[(e)] = 1; \
>     } else { \
>         BUG(); /* oops, you did not use a decode-event defined in the enum type */ \
>     } \
> } while(0)
>
> new match code like
> #define DECODER_ISSET_EVENT(p, e) ({ \
>     int r; \
>     if ((p)->events.events[(e)] == 1) { \
>         r = 1; \
>     } else { \
>         r = 0; \
>     } \
>     r; \
> })
>
> so the index into the events array is the definition of the decode-event. we can
> match directly whether the decode-event was generated, with no more comparisons in a
> for loop.
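The two layouts discussed in this thread side by side, as an added example that is not code from the thread or from Suricata: the current list-plus-count form, which silently drops events once PACKET_DECODER_EVENT_MAX is reached, and the proposed index-by-event-id form, which needs a bounds check on the id before every write. DECODE_EVENT_MAX = 32 and the two event id values are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>
/* Constants mirror those quoted in the thread; the two event ids are
 * constructed for this example, not Suricata's real enum values. */
#define PACKET_DECODER_EVENT_MAX 15  /* list form: events stored per packet */
#define DECODE_EVENT_MAX 32          /* assumed size of the decode-event enum */
enum { IP_CHECKSUM_INVALID = 3, TCP_CHECKSUM_INVALID = 7 };
/* Current layout: a short list of event ids plus a count. */
typedef struct { uint8_t cnt; uint8_t events[PACKET_DECODER_EVENT_MAX]; } EventList;
void list_set(EventList *l, uint8_t e) {
    if (l->cnt < PACKET_DECODER_EVENT_MAX)   /* full list: event silently dropped */
        l->events[l->cnt++] = e;
}
int list_isset(const EventList *l, uint8_t e) {
    for (uint8_t u = 0; u < l->cnt; u++)    /* only cnt entries are compared */
        if (l->events[u] == e) return 1;
    return 0;
}
/* Proposed layout: index the array by event id. Constant-time lookup, but
 * every write must bounds-check e, or an out-of-range id is an OOB write. */
typedef struct { uint8_t flags[DECODE_EVENT_MAX]; } EventIndex;
int index_set(EventIndex *ix, unsigned e) {
    if (e >= DECODE_EVENT_MAX) return -1;     /* reject rather than trust e */
    ix->flags[e] = 1;
    return 0;
}
int index_isset(const EventIndex *ix, unsigned e) {
    return e < DECODE_EVENT_MAX && ix->flags[e] == 1;
}
/* The case from the reply: a packet carrying IP and TCP checksum events. */
int demo_two_events_list(void) {
    EventList l; memset(&l, 0, sizeof l);
    list_set(&l, IP_CHECKSUM_INVALID); list_set(&l, TCP_CHECKSUM_INVALID);
    return l.cnt == 2 && list_isset(&l, TCP_CHECKSUM_INVALID) && !list_isset(&l, 5);
}
/* How many of n distinct events the list form keeps (capped at 15). */
int list_survivors(int n) {
    EventList l; memset(&l, 0, sizeof l);
    for (int e = 1; e <= n; e++) list_set(&l, (uint8_t)e);
    int kept = 0;
    for (int e = 1; e <= n; e++) kept += list_isset(&l, (uint8_t)e);
    return kept;
}
/* The index form: in-range ids are recorded, out-of-range ids are refused. */
int demo_index(void) {
    EventIndex ix; memset(&ix, 0, sizeof ix);
    return index_set(&ix, IP_CHECKSUM_INVALID) == 0 && index_isset(&ix, IP_CHECKSUM_INVALID)
        && !index_isset(&ix, TCP_CHECKSUM_INVALID) && index_set(&ix, 200) == -1;
}
```

Note that list_survivors(20) returns 15: any event past the fifteenth on one packet is never recorded, so a rule on it cannot match, while the index form keeps every in-range id but depends on the range check to stay memory-safe.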