[Oisf-devel] alerts from modules and status of global variables

Martin Holste mcholste at gmail.com
Thu Jun 16 16:17:38 UTC 2011


SC_ERR_ALPARSER is EXTREMELY chatty.  I would never want this to be an alert.

On Thu, Jun 16, 2011 at 10:42 AM, David Mandelberg <dmandelb at bbn.com> wrote:
> Hi,
>
> I've been looking at the Suricata code and I have two questions:
>
> In application layers, it looks like errors in protocol formats are
> logged, but alerts are not sent, for example in app-layer-htp.c:497:
>
>                SCLogError(SC_ERR_ALPARSER, "Error in parsing HTTP server "
>                                            "response");
>
> Since the error comes from network traffic rather than administrator
> input or code malfunction, it seems like it would make sense to send it
> as an alert instead of logging. I grepped the code for
> PacketAlertAppend, which as far as I can tell is the function that sends
> alerts, but the only calls to it look like they stem from rules
> activating. Are there any reasons it couldn't be called from e.g.
> app-layer-htp.c to alert on errors in protocol formats?
>
> Also, according to the website, global variables aren't implemented yet
> and rule variables are local to each flow. It looks like flow variables
> are implemented in detect-tag.*, but detect-tag.h has an enum with both
> DETECT_TAG_TYPE_SESSION and DETECT_TAG_TYPE_HOST. Does that mean that
> Suricata supports variables that are local to either each flow or each
> host? Is there any road map for support for fully global variables?
>
> Thanks,
> David
>
> --
> David Mandelberg
> Thu Jun 16 11:20:40 EDT 2011
>
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
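Martin's point that SC_ERR_ALPARSER is far too chatty to become a one-to-one alert is easy to see in a log collector. The following Python is an added example, not code from this thread or from Suricata: it parses Suricata-style error lines, counts them per error code, and collapses any code that exceeds a volume threshold into a single summary record instead of one alert per line. The sample log lines, the timestamp layout, the `(0)` error numbers and the `SC_ERR_EXAMPLE_OTHER` code are constructed placeholders.

```python
import re
from collections import Counter

# Matches the "[ERRCODE: NAME(n)] - message" tail of a Suricata-style log line.
# The parenthesised number is optional so either layout parses.
ERRCODE_RE = re.compile(
    r"\[ERRCODE:\s*(?P<code>\w+)(?:\(\d+\))?\]\s*-\s*(?P<msg>.*)$")

# Constructed sample, not real Suricata output; SC_ERR_EXAMPLE_OTHER is a
# placeholder code used only to show a rare error beside a chatty one.
SAMPLE_LOG = """\
16/6/2011 -- 10:42:01 - <Error> - [ERRCODE: SC_ERR_ALPARSER(0)] - Error in parsing HTTP server response
16/6/2011 -- 10:42:01 - <Error> - [ERRCODE: SC_ERR_ALPARSER(0)] - Error in parsing HTTP server response
16/6/2011 -- 10:42:02 - <Error> - [ERRCODE: SC_ERR_ALPARSER(0)] - Error in parsing HTTP request
16/6/2011 -- 10:42:02 - <Notice> - engine started (no ERRCODE on this line)
16/6/2011 -- 10:42:03 - <Error> - [ERRCODE: SC_ERR_ALPARSER(0)] - Error in parsing HTTP server response
16/6/2011 -- 10:42:03 - <Error> - [ERRCODE: SC_ERR_EXAMPLE_OTHER(0)] - placeholder rare error
"""


def parse_errors(log_text):
    """Return a list of (code, message) for every line carrying an ERRCODE."""
    found = []
    for line in log_text.splitlines():
        m = ERRCODE_RE.search(line)
        if m:
            found.append((m.group("code"), m.group("msg")))
    return found


def build_alerts(log_text, chatty_threshold=3):
    """Turn parsed error lines into alert records.

    A code seen fewer than chatty_threshold times yields one record per line.
    A chattier code collapses into one summary record carrying the count and
    the distinct messages, so a noisy parser error cannot flood the alert stream
    while its volume still stays visible to the analyst.
    """
    entries = parse_errors(log_text)
    counts = Counter(code for code, _ in entries)  # insertion-ordered
    alerts = []
    for code, n in counts.items():
        msgs = [m for c, m in entries if c == code]
        if n >= chatty_threshold:
            alerts.append({"code": code, "count": n, "summary": True,
                           "messages": sorted(set(msgs))})
        else:
            alerts.extend({"code": code, "count": 1, "summary": False,
                           "messages": [m]} for m in msgs)
    return alerts
```

Run against SAMPLE_LOG, the four SC_ERR_ALPARSER lines become one summary record and the single placeholder error keeps its own record.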
