[Oisf-devel] RFC: DNS app layer and logging (WIP)

Anoop Saldanha anoopsaldanha at gmail.com
Wed Apr 24 15:33:58 UTC 2013


On Wed, Apr 24, 2013 at 8:42 PM, Victor Julien <victor at inliniac.net> wrote:
> On 04/24/2013 04:59 PM, Anoop Saldanha wrote:
>> On Wed, Apr 24, 2013 at 7:30 PM, Victor Julien <victor at inliniac.net> wrote:
>>> Updated version:
>>> https://github.com/inliniac/suricata/tree/dev-dns-parser-v1.3
>>>
>>> On 04/23/2013 06:03 PM, Victor Julien wrote:
>>>>>> - app layer events won't work correctly with UDP it seems. They alert,
>>>>>> but then keep on alerting in consecutive packets. Need to look into it.
>>>
>>> I added a fix for this, but we need to consider if this is right. The
>>> commit is here:
>>> https://github.com/inliniac/suricata/commit/cce88fade28f6bcf0c24e52be5db85ac929fcdfc
>>>
>>> It simply resets the app layer events once we switch to a new TX to inspect.
>>>
>>> Again, comments, review, etc welcome.
>>>
>>
>> It will work, but it's not right from where I see. Events should be per tx.
>>
>
> Yeah, so we actually would need both. One per flow, for non-tx aware
> protocols and for events that are not TX related.
>
> And then the per TX one.
>
> Similar to how we now have a callback for getting the "files" from an
> alstate, we can probably also do a callback for events.
>
>     FileContainer *(*StateGetFiles)(void *, uint8_t);
>
> E.g.
>
>     AppLayerDecoderEvents *(*StateGetEvents)(void *alstate, int tx_id);
>
> Make sense?
>

Yeah.

-- 
Anoop Saldanha
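The per-flow plus per-tx event split and the StateGetEvents callback discussed above, as an added example that is not code from the thread or from Suricata; the type names are simplified stand-ins for Suricata's real structures, and the event ids and sample state are constructed.

```c
/* Added example, not Suricata's code: per-flow and per-tx decoder events behind
 * the StateGetEvents callback proposed above; types are simplified stand-ins. */
#include <stdint.h>
#include <stdlib.h>
#define MAX_EVENTS 8
#define MAX_TXS 4
typedef struct {
    uint8_t events[MAX_EVENTS]; /* event ids */
    uint8_t cnt;
} AppLayerDecoderEvents;
typedef struct {
    int tx_id;
    AppLayerDecoderEvents events; /* events tied to this request/response pair */
} DNSTransaction;
typedef struct {
    AppLayerDecoderEvents flow_events; /* events not tied to any tx */
    DNSTransaction txs[MAX_TXS];
    int tx_cnt;
} DNSState;

/* Append an event id; returns 0 on success, -1 when the container is full. */
static int EventsAdd(AppLayerDecoderEvents *e, uint8_t ev)
{
    if (e->cnt >= MAX_EVENTS) return -1;
    e->events[e->cnt++] = ev;
    return 0;
}

/* Callback in the shape proposed in the thread: tx_id < 0 selects the
 * flow-level events, otherwise those of one tx; NULL for an unknown tx,
 * so inspecting tx 1 never re-alerts on events that belong to tx 0. */
AppLayerDecoderEvents *DNSStateGetEvents(void *alstate, int tx_id)
{
    DNSState *s = alstate;
    if (tx_id < 0)
        return &s->flow_events;
    for (int i = 0; i < s->tx_cnt; i++)
        if (s->txs[i].tx_id == tx_id)
            return &s->txs[i].events;
    return NULL;
}

/* Constructed sample: two txs, an event only on tx 0 plus one flow event. */
DNSState *DNSStateBuildSample(void)
{
    DNSState *s = calloc(1, sizeof(*s));
    s->tx_cnt = 2;
    s->txs[1].tx_id = 1;             /* txs[0].tx_id is already 0 from calloc */
    EventsAdd(&s->txs[0].events, 1); /* constructed event id 1 on tx 0 */
    EventsAdd(&s->flow_events, 2);   /* constructed flow-level event id 2 */
    return s;
}
```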
