[Oisf-devel] decode event definition and report problem

jiaoyf jiaoyf mail2walker at gmail.com
Sat Jul 23 06:16:36 UTC 2011

Hi, when I read the Suricata 1.1b2 source code, I find some problems related to
"Decode Event".

First, the definition of the decode event may be not flexible:

typedef struct PacketDecoderEvents_ {
    uint8_t cnt;                                /**< number of events */
    uint8_t events[PACKET_DECODER_EVENT_MAX];   /**< array of events */
} PacketDecoderEvents;

The max events may be defined as DECODE_EVENT_MAX, which is the MAX in the
decode event enum.
As a benefit, we don't check if the decode event number exceeds 15, like
if ((p)->events.cnt < PACKET_DECODER_EVENT_MAX) {

Second, I don't find the code for reporting decode events, only events
generated from signature matches are reported.
Third, I think there should be a filter to control the reporting of decode events,
a configuration file like the following,

file name : decode-event.conf
file content:



Then, when a decode event is generated and output to files or the prelude plugin, we
can decide whether to report this decode event or not.

Code like:

typedef struct _decode_event_conf_t {
        char name[128];      /* event name as written in decode-event.conf */
        uint8_t match;       /* 1 = yes, 0 = no */
} decode_event_conf_t;

typedef struct _decode_event_t {
         uint8_t enable;     /* 1 = report, 0 = do not report */
         char *event_name;
} decode_event_t;

decode_event_t decode_event[DECODE_EVENT_MAX] = {
        /* ... one entry per decode event ... */
                                       /* not used */
};

At init, we can set the item to 1 if the decode event match is yes,
otherwise to 0.

int decode_event_conf_init (char *path) {
        /* code to parse the decode-event.conf file */
        for (int i = 0; i < DECODE_EVENT_MAX; i++) {
                decode_event[i].enable = 1;
        }
        /* other code */
        return 0;
}

/* check whether this decode event should be reported or not
 * 1, report
 * 0, NOT report */
static inline int report_decode_event(int event_id) {
        /* if we only use ids defined in the enum, this check may not be needed */
        if (event_id < IPV4_PKT_TOO_SMALL || event_id >= DECODE_EVENT_MAX) {
                fprintf(stderr, "Invalid decode event ID (%d)!\n", event_id);
                goto err;
        }
        if (decode_event[event_id].enable == 1) {
                return 1;
        }
        return 0;
err:
        return 0;
}
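A compilable sketch of the filter proposed above, added here as an example and not code from the post or from Suricata. The "name: yes|no" config format, the sample config, and the event names other than IPV4_PKT_TOO_SMALL and DECODE_EVENT_MAX are assumptions, since the original decode-event.conf content was lost in the archive.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed enum subset in Suricata's naming style; only
 * IPV4_PKT_TOO_SMALL and DECODE_EVENT_MAX come from the post. */
enum { IPV4_PKT_TOO_SMALL = 0, IPV4_HLEN_TOO_SMALL,
       IPV4_IPLEN_SMALLER_THAN_HLEN, DECODE_EVENT_MAX };
typedef struct decode_event_ {
    uint8_t enable;          /* 1 = report, 0 = suppress */
    const char *event_name;  /* name used in the config file */
} decode_event_t;
static decode_event_t decode_event[DECODE_EVENT_MAX] = {
    [IPV4_PKT_TOO_SMALL]           = { 1, "ipv4_pkt_too_small" },
    [IPV4_HLEN_TOO_SMALL]          = { 1, "ipv4_hlen_too_small" },
    [IPV4_IPLEN_SMALLER_THAN_HLEN] = { 1, "ipv4_iplen_smaller_than_hlen" },
};
/* Constructed sample config: assumed "name: yes|no" lines, '#' comments. */
static const char SAMPLE_CONF[] =
    "ipv4_pkt_too_small: no\n# keep the rest\n"
    "ipv4_hlen_too_small: yes\nbogus_event: no\n";
/* Apply config lines from an in-memory buffer; unknown names are ignored.
 * Returns the number of known events whose setting was applied. */
int decode_event_conf_load(const char *conf)
{
    int applied = 0;
    char line[160], name[128], val[8];
    while (*conf) {
        size_t n = strcspn(conf, "\n"), c = n < sizeof line ? n : sizeof line - 1;
        memcpy(line, conf, c); line[c] = '\0';   /* copy one (truncated) line */
        conf += n; if (*conf == '\n') conf++;
        if (sscanf(line, " %127[^: ] : %7s", name, val) != 2) continue;
        for (int i = 0; i < DECODE_EVENT_MAX; i++)
            if (strcmp(decode_event[i].event_name, name) == 0) {
                decode_event[i].enable = (strcmp(val, "yes") == 0);
                applied++;
            }
    }
    return applied;
}
/* 1 = report, 0 = do not report; out-of-range ids are rejected up front. */
int report_decode_event(int event_id)
{
    if (event_id < IPV4_PKT_TOO_SMALL || event_id >= DECODE_EVENT_MAX) {
        fprintf(stderr, "Invalid decode event ID (%d)!\n", event_id);
        return 0;
    }
    return decode_event[event_id].enable == 1;
}
```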