[Oisf-devel] alerts from modules and status of global variables

David Mandelberg dmandelb at bbn.com
Thu Jun 16 15:42:15 UTC 2011


Hi,

I've been looking at the Suricata code and I have two questions:

In application layers, it looks like errors in protocol formats are
logged, but alerts are not sent, for example in app-layer-htp.c:497:

                SCLogError(SC_ERR_ALPARSER, "Error in parsing HTTP server "
                                            "response");

Since the error comes from network traffic rather than administrator
input or code malfunction, it seems like it would make sense to send it
as an alert instead of logging. I grepped the code for
PacketAlertAppend, which as far as I can tell is the function that sends
alerts, but the only calls to it look like they stem from rules
activating. Are there any reasons it couldn't be called from e.g.
app-layer-htp.c to alert on errors in protocol formats?

Also, according to the website, global variables aren't implemented yet
and rule variables are local to each flow. It looks like flow variables
are implemented in detect-tag.*, but detect-tag.h has an enum with both
DETECT_TAG_TYPE_SESSION and DETECT_TAG_TYPE_HOST. Does that mean that
Suricata supports variables that are local to either each flow or each
host? Is there any road map for support for fully global variables?

Thanks,
David

-- 
David Mandelberg
Thu Jun 16 11:20:40 EDT 2011
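As an added illustration of the scoping question raised in the post (these rules are constructed for this note and are not taken from the original message or from Suricata's own rule sets; the sids and content strings are placeholders), the fragment below shows the two scopes that the rule language itself exposes: flowbits carry state that is visible only within the flow that set it, while the tag keyword marks either the remainder of the current session or further traffic from a host for a bounded period.

```suricata
# Constructed example rules; sids, message text and content matches are placeholders.

# flowbits: state lives in one flow only. The first rule sets a bit and
# suppresses its own alert; the second fires only if the bit was set
# earlier in the same flow. A different flow from the same host never sees it.
alert tcp any any -> any 80 (msg:"stage1 seen in flow"; content:"STAGE1"; flowbits:set,stage1.seen; flowbits:noalert; sid:9000001; rev:1;)
alert tcp any 80 -> any any (msg:"stage2 after stage1 in same flow"; content:"STAGE2"; flowbits:isset,stage1.seen; sid:9000002; rev:1;)

# tag:session marks the rest of this session (for 30 seconds) for logging.
alert tcp any any -> any 80 (msg:"tag rest of session"; content:"TAGME"; tag:session,30,seconds; sid:9000003; rev:1;)

# tag:host marks further packets from the source host, across flows, for 60 seconds.
alert tcp any any -> any 80 (msg:"tag source host"; content:"TAGHOST"; tag:host,60,seconds,src; sid:9000004; rev:1;)
```

The difference worth noting when reading detect-tag.h next to this: a tag does not create a value that another rule can test the way flowbits:isset does; it only causes the matching session or host traffic to be logged as tagged packets for the given window. So the host scope in the tag enum is a logging scope, not a host-local variable, and a true host- or global-scoped variable would still need a separate keyword.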