[Oisf-devel] decode event definition and report problem

jiaoyf jiaoyf mail2walker at gmail.com
Sat Jul 23 06:16:36 UTC 2011


Hi, when I read the Suricata 1.1b2 source code, I found some problems related to
"Decode Event".

First, the definition of the decode event may not be flexible:

typedef struct PacketDecoderEvents_ {
    uint8_t cnt;                                /**< number of events */
    uint8_t events[PACKET_DECODER_EVENT_MAX];   /**< array of events */
} PacketDecoderEvents;

The maximum number of events could instead be defined as DECODE_EVENT_MAX, which is the MAX
of the decode event enum.
As a benefit, we don't need to check whether the decode event number exceeds 15, like:
if ((p)->events.cnt < PACKET_DECODER_EVENT_MAX) {

Second, I don't find the code for reporting decode events; only events
generated from signature matches are reported.
Third, I think there should be a filter to control the reporting of decode events,
with a configuration file like the following:

file name : decode-event.conf
file content:

[decode_event1]
Name:ethernet_pkt_too_small
Match:yes

[decode_event2]
Name:ipv4_pkt_too_small
Match:yes


Then, when a decode event is generated and output to files or the Prelude plugin, we
can decide whether to report this decode event or not.

Code like:

#include <stdint.h>

typedef struct _decode_event_conf_t {
        char name[128];         /* event name as written in decode-event.conf */
        uint8_t match;          /* 1 if "Match:yes", otherwise 0 */
} decode_event_conf_t;

typedef struct _decode_event_t {
         uint8_t enable;        /* 1 = report this event, 0 = do not report it */
         const char *event_name; /* name matched against the config file */
} decode_event_t;

/* one slot per value of the decode event enum, plus one for the
 * DECODE_EVENT_MAX sentinel so the designated initializer stays in bounds */
decode_event_t decode_event[DECODE_EVENT_MAX + 1] = {

[ETHERNET_PKT_TOO_SMALL] = {0, "ethernet_pkt_too_small"},

[IPV4_HLEN_TOO_SMALL] = {0, "ipv4_hlen_too_small"},

/* ... remaining decode events ... */

                                       /* not used */
                                      [DECODE_EVENT_MAX] = {0, "decode_max"}
};


At init time, we can set the item to 1 if the decode event's Match is yes,
otherwise to 0.

#include <strings.h>    /* strcasecmp() */

int decode_event_conf_init(char *path) {
              decode_event_conf_t decode_event_conf;
              /* code to parse the decode-event.conf file at `path`, filling
               * decode_event_conf from each [decode_eventN] section */
              /* .......... */
              /* .......... */
            for (int i = 0; i < DECODE_EVENT_MAX; i++) {
                  /* slots without a name are gaps in the table; skip them */
                  if (decode_event[i].event_name == NULL)
                        continue;
                  if (decode_event_conf.match &&
                      !strcasecmp(decode_event_conf.name, decode_event[i].event_name)) {
                          decode_event[i].enable = 1;
                  }
            }

            /* other code */
            return 0;
}


#include <stdio.h>

/* check whether this decode event should be reported or not
 * 1: report
 * 0: do NOT report
 */
static inline int report_decode_event(int event_id)
{
        /* if only IDs defined in the enum are ever passed, this check is not needed */
        if (event_id < IPV4_PKT_TOO_SMALL || event_id >= DECODE_EVENT_MAX) {
              fprintf(stderr, "Invalid decode event ID (%d)!\n", event_id);
              return 0;
        }

        if (decode_event[event_id].enable == 1) {
                  return 1;
        }

        return 0;
}
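As an added, stand-alone example (not code from the post above and not Suricata's own code), here is a complete version of the proposed filter: a parser for the decode-event.conf format shown in the post, the enable table, and the report check, run against a constructed sample configuration. The enum values and the three event names are assumed stand-ins for Suricata's decode-events.h, and the config is parsed from an embedded string rather than a file so that it runs offline.

```c
/* Added example, not Suricata code: a self-contained version of the
 * decode-event report filter proposed in the post. The enum is an assumed
 * stand-in for Suricata's decode-events.h (borrowed names, made-up values). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum { IPV4_PKT_TOO_SMALL = 0, IPV4_HLEN_TOO_SMALL, ETHERNET_PKT_TOO_SMALL,
       DECODE_EVENT_MAX };                      /* hypothetical subset */

typedef struct decode_event_ {
    unsigned char enable;                       /* 1 = report, 0 = suppress */
    const char *event_name;                     /* name used in decode-event.conf */
} decode_event_t;

static decode_event_t decode_event[DECODE_EVENT_MAX] = {
    [IPV4_PKT_TOO_SMALL]     = {0, "ipv4_pkt_too_small"},
    [IPV4_HLEN_TOO_SMALL]    = {0, "ipv4_hlen_too_small"},
    [ETHERNET_PKT_TOO_SMALL] = {0, "ethernet_pkt_too_small"},
};

/* Trim surrounding whitespace in place; returns the trimmed start. */
static char *trim(char *s) {
    while (isspace((unsigned char)*s)) s++;
    char *end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1])) *--end = '\0';
    return s;
}

/* Apply one parsed [decode_eventN] section; 1 if the name was known, else 0
 * (an unknown name is a config typo, so it is logged rather than ignored). */
static int decode_event_apply(const char *name, int match) {
    for (int i = 0; i < DECODE_EVENT_MAX; i++) {
        if (decode_event[i].event_name != NULL &&       /* skip table gaps */
            strcasecmp(name, decode_event[i].event_name) == 0) {
            decode_event[i].enable = match ? 1 : 0;
            return 1;
        }
    }
    fprintf(stderr, "decode-event.conf: unknown event name '%s'\n", name);
    return 0;
}

/* Parse decode-event.conf text: "[decode_eventN]" sections with "Name:" and
 * "Match:" keys. Takes a string so the example runs offline (a real build would
 * read the file into such a buffer). Returns sections applied, or -1 on error. */
int decode_event_conf_parse(const char *conf) {
    char line[256], name[128] = "";
    int match = 0, have_name = 0, applied = 0;
    const char *p = conf;
    for (int i = 0; i < DECODE_EVENT_MAX; i++)       /* idempotent reload */
        decode_event[i].enable = 0;
    while (*p != '\0') {
        size_t n = strcspn(p, "\n");                /* bounded line copy */
        if (n >= sizeof(line)) return -1;
        memcpy(line, p, n);
        line[n] = '\0';
        p += n + (p[n] == '\n');
        char *l = trim(line);
        if (*l == '\0' || *l == '#') continue;
        if (*l == '[') {                            /* new section: flush previous */
            if (have_name) applied += decode_event_apply(name, match);
            have_name = 0; match = 0;
            continue;
        }
        char *colon = strchr(l, ':');
        if (colon == NULL) return -1;
        *colon = '\0';
        char *key = trim(l), *val = trim(colon + 1);
        if (strcasecmp(key, "Name") == 0) {
            snprintf(name, sizeof(name), "%s", val);
            have_name = 1;
        } else if (strcasecmp(key, "Match") == 0) {
            match = (strcasecmp(val, "yes") == 0);
        } else {
            return -1;
        }
    }
    if (have_name) applied += decode_event_apply(name, match);
    return applied;
}

/* 1 = report this decode event, 0 = suppress it (or invalid id). */
int report_decode_event(int event_id) {
    if (event_id < 0 || event_id >= DECODE_EVENT_MAX) {
        fprintf(stderr, "Invalid decode event ID (%d)!\n", event_id);
        return 0;
    }
    return decode_event[event_id].enable ? 1 : 0;
}

/* Constructed sample config in the format from the post. */
static const char *sample_conf =
    "[decode_event1]\nName:ethernet_pkt_too_small\nMatch:yes\n\n"
    "[decode_event2]\nName:ipv4_pkt_too_small\nMatch:no\n";

int main(void) {
    printf("sections applied: %d\n", decode_event_conf_parse(sample_conf));
    for (int i = 0; i < DECODE_EVENT_MAX; i++)
        printf("%-24s report=%d\n", decode_event[i].event_name,
               report_decode_event(i));
    return 0;
}
```

Two details matter for a filter like this in practice: slots of the table that have no name (gaps in the enum) must be skipped before calling strcasecmp, and a name in the config that matches nothing should be logged rather than silently dropped, otherwise a typo in decode-event.conf quietly leaves an event unreported.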