[Oisf-devel] decode event definition and report problem
Victor Julien
victor at inliniac.net
Tue Jul 26 14:50:00 UTC 2011
On 07/23/2011 08:16 AM, jiaoyf jiaoyf wrote:
> hi, when I read the suricata 1.1b2 source code, I found some problems related to
> "Decode Event"
Please work with the git master.
> first, the definition of Decode event may be not flexible
>
> typedef struct PacketDecoderEvents_ {
> uint8_t cnt; /**< number of events */
> uint8_t events[PACKET_DECODER_EVENT_MAX]; /**< array of events */
> } PacketDecoderEvents;
>
> the max events may be defined as DECODE_EVENT_MAX, which is the MAX in the
> decode event enum
> as a benefit, we don't check if the decode event number exceeds 15, like
> if ((p)->events.cnt < PACKET_DECODER_EVENT_MAX) {
We do, events are set using this macro:
#define DECODER_SET_EVENT(p, e) do { \
if ((p)->events.cnt < PACKET_DECODER_EVENT_MAX) { \
(p)->events.events[(p)->events.cnt] = e; \
(p)->events.cnt++; \
} \
} while(0)
It only sets a new event if there is still space in the array.
>
> second, I don't find the code for reporting decode events, only events
> generated from a signature match are reported.
The decoder events are exposed to the signature language, so an admin
can choose to enable/disable certain events, apply them only to certain
traffic, etc.
> third, I think there should be a filter to control the reporting of decode events,
> in the configuration file like the following,
No, this is what the signature keyword is for.
Why wouldn't that be sufficient?
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
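The bounded event array discussed above, as an added, self-contained C example that is not code from the original thread or from Suricata itself. It reproduces the PacketDecoderEvents layout and the DECODER_SET_EVENT macro as quoted in the thread, wraps them in a minimal stand-in Packet, and adds a lookup helper of the kind a rule keyword would need. PACKET_DECODER_EVENT_MAX is assumed to be 16, and the event identifiers (EV_HDR_SHORT and friends) are placeholders, not the project's real enum values. The point it makes is the caveat a practitioner should keep in mind: once the array is full, later events are dropped silently, so a packet that trips many decoder checks can lose the event a rule is waiting for.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed capacity; the real value lives in the project's headers. */
#define PACKET_DECODER_EVENT_MAX 16

/* Placeholder event ids standing in for the decoder's event enum. */
enum {
    EV_NONE = 0,
    EV_HDR_SHORT,      /* hypothetical: header shorter than minimum */
    EV_LEN_MISMATCH,   /* hypothetical: length field disagrees with capture */
    EV_BAD_OPTION,     /* hypothetical: malformed option */
};

/* Same layout as the struct quoted in the thread. */
typedef struct PacketDecoderEvents_ {
    uint8_t cnt;                               /* number of events */
    uint8_t events[PACKET_DECODER_EVENT_MAX];  /* array of events */
} PacketDecoderEvents;

/* Minimal stand-in for the packet structure: only the events member. */
typedef struct Packet_ {
    PacketDecoderEvents events;
} Packet;

/* The setter quoted in the thread: records e only while there is room. */
#define DECODER_SET_EVENT(p, e) do { \
    if ((p)->events.cnt < PACKET_DECODER_EVENT_MAX) { \
        (p)->events.events[(p)->events.cnt] = (e); \
        (p)->events.cnt++; \
    } \
} while (0)

/* Lookup a rule keyword would perform: was event e recorded on p? */
static bool decoder_event_is_set(const Packet *p, uint8_t e) {
    for (uint8_t i = 0; i < p->events.cnt; i++) {
        if (p->events.events[i] == e) {
            return true;
        }
    }
    return false;
}

/* Set the same event n times on a fresh packet; return how many were kept. */
static int events_kept_after_n_sets(int n) {
    Packet p;
    memset(&p, 0, sizeof(p));
    for (int i = 0; i < n; i++) {
        DECODER_SET_EVENT(&p, EV_HDR_SHORT);
    }
    return p.events.cnt;
}

/* Prefill a packet with n copies of one event, then set a different event.
 * Returns whether that later event is visible to a lookup. Once n reaches
 * the array size the later event is dropped silently. */
static bool late_event_visible(int n_prefill) {
    Packet p;
    memset(&p, 0, sizeof(p));
    for (int i = 0; i < n_prefill; i++) {
        DECODER_SET_EVENT(&p, EV_LEN_MISMATCH);
    }
    DECODER_SET_EVENT(&p, EV_BAD_OPTION);
    return decoder_event_is_set(&p, EV_BAD_OPTION);
}

int main(void) {
    printf("kept after 5 sets:  %d\n", events_kept_after_n_sets(5));
    printf("kept after 40 sets: %d\n", events_kept_after_n_sets(40));
    printf("late event after 3 prefilled:  %s\n", late_event_visible(3) ? "visible" : "dropped");
    printf("late event after 16 prefilled: %s\n", late_event_visible(16) ? "visible" : "dropped");
    return 0;
}
```

The macro keeps the write inside the array, so the bound check the thread asks about is already there; what it does not do is tell anyone that an event was lost. If that matters for a deployment, the caller has to watch for cnt reaching PACKET_DECODER_EVENT_MAX itself, since nothing in the setter reports the overflow.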