[Oisf-devel] [PATCH 1/2] Add transaction id to alert.
Victor Julien
victor at inliniac.net
Wed Oct 5 11:22:33 UTC 2011
On 10/04/2011 09:38 PM, Eric Leblond wrote:
> ---
> src/decode.h | 1 +
> src/detect-engine-alert.c | 15 +++++++++++++++
> 2 files changed, 16 insertions(+), 0 deletions(-)
>
> diff --git a/src/decode.h b/src/decode.h
> index 73f6547..4893308 100644
> --- a/src/decode.h
> +++ b/src/decode.h
> @@ -222,6 +222,7 @@ typedef struct PacketAlert_ {
> SigIntId order_id; /* Internal num, used for sorting */
> uint8_t action; /* Internal num, used for sorting */
> uint8_t flags;
> + int tx_id; /* Transaction id */
>
> /** Pointer to smsg this signature matched on, or
> * NULL if the sig didn't match on a smsg */
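Review bot: `int tx_id` is signed while the neighbouring internal ids in `PacketAlert_` (`SigIntId order_id`, `uint8_t action`) are unsigned, and the second file maps the `-1` error return to `0`, so an alert on transaction id 0 and an alert with no transaction become indistinguishable. Either document in the field comment that `0` means "no transaction" (the current `/* Transaction id */` does not say so), or keep the field signed and store `-1` for the no-transaction case so callers can tell the two apart.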
> diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
> index bb8b383..7b7c73e 100644
> --- a/src/detect-engine-alert.c
> +++ b/src/detect-engine-alert.c
> @@ -22,6 +22,8 @@
> #include "detect-engine-threshold.h"
> #include "detect-engine-tag.h"
>
> +#include "app-layer-parser.h"
> +
> #include "decode.h"
>
> #include "flow.h"
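Review bot: the new `#include "app-layer-parser.h"` is dropped between the detect-engine includes and `decode.h` with blank lines on both sides, which breaks the existing grouping in this file; place it with the other non-detect-engine includes (next to `decode.h` / `flow.h`) so the include block stays consistent.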
> @@ -182,6 +184,19 @@ int PacketAlertAppend(DetectEngineThreadCtx *det_ctx, Signature *s, Packet *p, u
> p->alerts.alerts[i].s = s;
> }
>
> + if (p->flow) {
> + int ret = 0;
> +
> + SCMutexLock(&p->flow->m);
> + ret = AppLayerTransactionGetInspectId(p->flow);
> + SCMutexUnlock(&p->flow->m);
> + if (ret == -1) {
> + p->alerts.alerts[i].tx_id = 0;
> + } else {
> + p->alerts.alerts[i].tx_id = ret;
> + }
> + }
> +
> /* Update the count */
> p->alerts.cnt++;
>
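Review bot: `p->alerts.alerts[i].tx_id` is only written inside `if (p->flow)`, so for a packet without a flow the slot keeps whatever value the previous alert stored in it, and readers of `tx_id` see a stale transaction id. Initialise the field unconditionally before the branch, e.g. `p->alerts.alerts[i].tx_id = 0;` right after `p->alerts.alerts[i].s = s;`, and then only overwrite it when `AppLayerTransactionGetInspectId()` returns a valid id; with that in place the `if (ret == -1) ... else ...` collapses to a single assignment. Note also that the `int ret = 0;` initialiser is dead since `ret` is always assigned before use.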
Thinking a little bit more about this solution, I'm beginning to dislike
it. It will do an additional lock for almost every alert while the user
of the code (pcap-info log) is likely to be disabled for most ppl most
of the time.
I'm thinking if we can do this in a cheaper way... maybe storing the
txid into the detect thread ctx when we access it for inspection and
then pass it from there to PacketAlertAppend. Would save us a lock...
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------