[Oisf-devel] alerts from modules and status of global variables

Victor Julien victor at inliniac.net
Fri Jun 17 07:35:55 UTC 2011


Actually, what we are planning to do is get rid of this error and create
a rule keyword that allows you to match on the individual error cases
the various parsers encounter. This will allow you to gradually alert
(e.g. only for traffic to your servers) or even drop / reject.

Will move this up on the prio list.

Cheers,
Victor

On 06/16/2011 06:17 PM, Martin Holste wrote:
> SC_ERR_ALPARSER is EXTREMELY chatty.  I would never want this to be an alert.
> 
> On Thu, Jun 16, 2011 at 10:42 AM, David Mandelberg <dmandelb at bbn.com> wrote:
>> Hi,
>>
>> I've been looking at the Suricata code and I have two questions:
>>
>> In application layers, it looks like errors in protocol formats are
>> logged, but alerts are not sent, for example in app-layer-htp.c:497:
>>
>>                SCLogError(SC_ERR_ALPARSER, "Error in parsing HTTP server "
>>                                            "response");
>>
>> Since the error comes from network traffic rather than administrator
>> input or code malfunction, it seems like it would make sense to send it
>> as an alert instead of logging. I grepped the code for
>> PacketAlertAppend, which as far as I can tell is the function that sends
>> alerts, but the only calls to it look like they stem from rules
>> activating. Are there any reasons it couldn't be called from e.g.
>> app-layer-htp.c to alert on errors in protocol formats?
>>
>> Also, according to the website, global variables aren't implemented yet
>> and rule variables are local to each flow. It looks like flow variables
>> are implemented in detect-tag.*, but detect-tag.h has an enum with both
>> DETECT_TAG_TYPE_SESSION and DETECT_TAG_TYPE_HOST. Does that mean that
>> Suricata supports variables that are local to either each flow or each
>> host? Is there any road map for support for fully global variables?
>>
>> Thanks,
>> David
>>
>> --
>> David Mandelberg
>> Thu Jun 16 11:20:40 EDT 2011
>>
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
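The design Victor sketches above, a parser that records the specific error case it hit as a named event on the flow and leaves the decision (alert, drop, reject, and for which hosts) to ordinary rules, is easier to see in code. The following is an added example written for this page, not code from Suricata or from anyone in the thread: the tiny HTTP status-line parser, the event names, HOME_NET, the rule fields and the sids are all constructed for illustration, and Suricata's real parser events and rule syntax are not what is shown here.

```python
"""Parser events matched by rules, as an added illustration of the thread.

The parser never logs or alerts itself: a malformed message becomes a named
event on the flow, and a small rule set decides what happens, optionally only
when the responding server sits in our own address space. All names below
(HOME_NET, the event names, the sids, the rule fields) are assumptions made
for this example, not Suricata identifiers.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed "home net": the address space of the servers we operate.
HOME_NET = [ip_network("10.0.0.0/8")]


@dataclass
class Flow:
    client_ip: str
    server_ip: str
    events: List[str] = field(default_factory=list)  # parser events so far


def parse_http_status_line(flow: Flow, line: bytes) -> Optional[int]:
    """Parse one HTTP response status line, e.g. b"HTTP/1.1 200 OK".

    Returns the status code, or None for a malformed line. A malformed line is
    recorded as a specific event on the flow instead of being logged, so the
    rule set (not the parser) decides whether anyone cares.
    """
    parts = line.rstrip(b"\r\n").split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        flow.events.append("http.response_line_invalid")   # constructed name
        return None
    if len(parts[1]) != 3 or not parts[1].isdigit():
        flow.events.append("http.response_status_invalid")  # constructed name
        return None
    return int(parts[1])


@dataclass
class Rule:
    sid: int
    action: str                      # "alert", "drop" or "reject"
    event: str                       # parser event the rule keys on
    server_in_home_net: bool = False # only fire for traffic to our servers


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """A rule fires when its event was recorded on the flow and, if scoped,
    the responding server is inside HOME_NET."""
    if rule.event not in flow.events:
        return False
    if rule.server_in_home_net:
        server = ip_address(flow.server_ip)
        if not any(server in net for net in HOME_NET):
            return False
    return True


def evaluate(rules: List[Rule], flow: Flow) -> List[Tuple[int, str]]:
    """Return (sid, action) for every rule that fires on this flow."""
    return [(r.sid, r.action) for r in rules if rule_matches(r, flow)]


# Constructed rule set: alert everywhere on a broken status line, but drop
# only when a server we run sends an invalid status code.
RULES = [
    Rule(sid=1000001, action="alert", event="http.response_line_invalid"),
    Rule(sid=1000002, action="drop", event="http.response_status_invalid",
         server_in_home_net=True),
]


def run_demo() -> dict:
    """Feed constructed status lines through the parser and the rules."""
    results = {}
    samples = {
        "valid":         ("10.1.2.3",     b"HTTP/1.1 200 OK\r\n"),
        "bad_code_home": ("10.1.2.3",     b"HTTP/1.1 2xx OK\r\n"),
        "bad_code_ext":  ("198.51.100.7", b"HTTP/1.1 2xx OK\r\n"),
        "garbage":       ("198.51.100.7", b"not http at all\r\n"),
    }
    for name, (server, line) in samples.items():
        flow = Flow(client_ip="192.0.2.10", server_ip=server)
        code = parse_http_status_line(flow, line)
        results[name] = (code, list(flow.events), evaluate(RULES, flow))
    return results


if __name__ == "__main__":
    for name, (code, events, hits) in run_demo().items():
        print(f"{name:14s} code={code} events={events} hits={hits}")
```

The point of the split is that the parser stays cheap and chatty-proof: it records which check failed and moves on, while the rule author tunes noise with the same address scoping and actions used for any other rule.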