[Oisf-devel] decode event definition and report problem

Victor Julien victor at inliniac.net
Tue Jul 26 14:50:00 UTC 2011

On 07/23/2011 08:16 AM, jiaoyf jiaoyf wrote:
> hi,when I read suricata 1.1b2 sourcode,I find some problems related with
> "Decode Event"

Please work with the git master.

> first,the definition of Decode event mybe not flexible
> typedef struct PacketDecoderEvents_ {
>     uint8_t cnt;                                /**< number of events */
>     uint8_t events[PACKET_DECODER_EVENT_MAX];   /**< array of events */
> } PacketDecoderEvents;
> the max events maybe defined into DECODE_EVENT_MAX,which is the MAX in
> decode event  in enum
> as a benefit,we don't check if the decode event number exceed 15,like
> if ((p)->events.cnt < PACKET_DECODER_EVENT_MAX) {

We do, events are set using this macro:

#define DECODER_SET_EVENT(p, e) do { \
    if ((p)->events.cnt < PACKET_DECODER_EVENT_MAX) { \
        (p)->events.events[(p)->events.cnt] = e; \
        (p)->events.cnt++; \
    } \
} while(0)

It only sets a new event if there is still space in the array.

> second,I don't find the codes of reporting decode event ,only events
> generated from signature match report.

The decoder events are exposed to the signature language, so an admin
can chose to enable/disable certain events, apply them only to certain
traffic, etc.

> third,I think there should be a filter to contol the report of decode event,
> configure file like the flollowing ,

No, this is what the signature keyword is for.

Why wouldn't that be sufficient?

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-devel mailing list