[Oisf-devel] RFC: DNS app layer and logging (WIP)

Victor Julien victor at inliniac.net
Wed Apr 24 15:12:22 UTC 2013


On 04/24/2013 04:59 PM, Anoop Saldanha wrote:
> On Wed, Apr 24, 2013 at 7:30 PM, Victor Julien <victor at inliniac.net> wrote:
>> Updated version:
>> https://github.com/inliniac/suricata/tree/dev-dns-parser-v1.3
>>
>> On 04/23/2013 06:03 PM, Victor Julien wrote:
>>>>> - app layer events won't work correctly with UDP it seems. They alert,
>>>>> but then keep on alerting in consecutive packets. Need to look into it.
>>
>> I added a fix for this, but we need to consider if this is right. The
>> commit is here:
>> https://github.com/inliniac/suricata/commit/cce88fade28f6bcf0c24e52be5db85ac929fcdfc
>>
>> It simply resets the app layer events once we switch to a new TX to inspect.
>>
>> Again, comments, review, etc welcome.
>>
> 
> It will work, but it's not right from where I see.  Events should be per tx.
> 

Yeah, so we actually would need both. One per flow, for non-tx aware
protocols and for events that are not TX related.

And then the per TX one.

Similar to how we now have a callback for getting the "files" from a
alstate, we can probably also do a callback for events.

    FileContainer *(*StateGetFiles)(void *, uint8_t);

E.g.

    AppLayerDecoderEvents *(*StateGetEvents)(void *alstate, int tx_id);

Make sense?

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
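As an added illustration, not code from the dev-dns-parser branch or from Suricata itself, here is a minimal C sketch of the split proposed above: one event list per flow for non-TX events, one per transaction, and a StateGetEvents-style callback with the same shape as StateGetFiles. All struct layouts, the MAX_* limits, the Dns* names and the event ids are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed sketch (not Suricata's code): per-TX event lists plus one
 * per-flow list, and a per-protocol callback to fetch the TX list. */
#define MAX_EVENTS 8
#define MAX_TX 4

typedef struct { uint8_t cnt; uint8_t events[MAX_EVENTS]; } AppLayerDecoderEvents;
typedef struct { uint64_t tx_id; AppLayerDecoderEvents events; } DnsTransaction;
typedef struct {
    AppLayerDecoderEvents flow_events;  /* events not tied to a TX (e.g. on UDP) */
    DnsTransaction tx[MAX_TX];
    size_t tx_cnt;
} DnsState;

/* Same shape as the StateGetFiles callback quoted in the mail. */
typedef AppLayerDecoderEvents *(*StateGetEventsFunc)(void *alstate, uint64_t tx_id);

static AppLayerDecoderEvents *DnsStateGetEvents(void *alstate, uint64_t tx_id) {
    DnsState *s = alstate;
    for (size_t i = 0; i < s->tx_cnt; i++)
        if (s->tx[i].tx_id == tx_id)
            return &s->tx[i].events;
    return NULL;  /* unknown TX: nothing to alert on */
}

static void EventAdd(AppLayerDecoderEvents *e, uint8_t ev) {
    if (e != NULL && e->cnt < MAX_EVENTS)
        e->events[e->cnt++] = ev;
}

/* Events the detection engine sees when inspecting tx_id: only that TX's. */
int EventsForTx(StateGetEventsFunc get, void *alstate, uint64_t tx_id) {
    AppLayerDecoderEvents *e = get(alstate, tx_id);
    return e ? e->cnt : 0;
}

/* Constructed scenario: a bad first query (TX 0), a clean second one (TX 1). */
int DemoScenario(void) {
    DnsState s;
    memset(&s, 0, sizeof(s));
    s.tx_cnt = 2;
    s.tx[1].tx_id = 1;               /* tx[0].tx_id is already 0 */
    EventAdd(&s.tx[0].events, 1);    /* hypothetical "malformed data" event id */
    EventAdd(&s.flow_events, 2);     /* flow-level event, never attributed to a TX */
    /* flow -> 1, TX 0 -> 1, TX 1 -> 0 (no bleed-over), unknown TX 7 -> 0 */
    return s.flow_events.cnt * 1000 + EventsForTx(DnsStateGetEvents, &s, 0) * 100
         + EventsForTx(DnsStateGetEvents, &s, 1) * 10 + EventsForTx(DnsStateGetEvents, &s, 7);
}
```

Because the event list lives on the transaction, moving inspection to TX 1 yields nothing from TX 0, which is the repeated-alert behaviour the reset commit worked around.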
