[Oisf-devel] [oisf-devel] Suggestions about feature #447

Eric Leblond eric at regit.org
Wed Jan 2 16:29:44 UTC 2013


Hello,

On Wednesday 02 January 2013 at 11:07 +0100, giuseppe at securitymind.it
wrote:
> Hello,
> I'm a new member of this list.
> I would like to make a fast presentation about me:
> My name is Giuseppe, I'm 21 years old, from Italy.
> 
> I would like to give my contribution to Suricata, developing
> feature #447.

We are talking about #417
https://redmine.openinfosecfoundation.org/issues/417 (as discussed on
IRC)

> Before starting development, I would like to ask some questions.
> 
> The IP frag timeout value must be implemented in the yaml file?
> How should the structure be?
> I am writing an example:
> 
> IPv4:
> Suse: 20
> CentOS: 30
> Ubuntu: 30
> Debian: 30

The YAML needs formatting that is not seen in the YAML (suricata.yaml.in
in the root directory of source). One example that could be good to
follow on is the one of host-os-policy:

host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []


> Then, What we do with the value after reading from yaml?
> Can anyone give me any suggestions?

If you want to customize the way defragmentation is handled following
the OS, you will need to update the functions that are doing
defragmentation. These functions are contained in src/defrag.c

The DEFRAG_POLICY_ defines can be followed in the code to see how the
behavior is modified in the code.

I don't think there is currently a structure to host per-OS params, so
you may need to define one. The list of OSes is static and contained in an
enum, so it is possible to use an array of ad-hoc structures. You will
then fill the array with the values from the YAML.

Next step is to update the defrag functions to use these values.

Don't hesitate to mail back if you have any questions.

BR,
--
Eric
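How the per-OS table described in this reply could be wired up, as an added C example that is not part of this thread or of Suricata's own code: the enum members, the YAML key names (borrowed from host-os-policy) and all function names are assumptions; only the idea of an enum-indexed array of parameters filled from the YAML and consulted by the defrag code comes from the mail.

```c
#include <stdint.h>
#include <string.h>
/* Stand-in for the DEFRAG_POLICY_ enum in src/defrag.c (names and order are
 * assumed here, not copied from Suricata). */
enum defrag_policy { DEFRAG_POLICY_BSD = 0, DEFRAG_POLICY_BSD_RIGHT,
                     DEFRAG_POLICY_LINUX, DEFRAG_POLICY_WINDOWS, DEFRAG_POLICY_MAX };

/* Per-OS parameters: one slot per enum member, filled from the YAML. */
typedef struct { uint32_t frag_timeout; /* seconds a partial datagram is kept */ } DefragOsParams;
#define DEFRAG_DEFAULT_TIMEOUT 60
static DefragOsParams defrag_os_params[DEFRAG_POLICY_MAX];

/* Reset every OS to the default before the YAML overrides some of them. */
void DefragOsParamsInit(void)
{
    for (int i = 0; i < DEFRAG_POLICY_MAX; i++)
        defrag_os_params[i].frag_timeout = DEFRAG_DEFAULT_TIMEOUT;
}

/* Map a YAML key (same spelling as host-os-policy) to its slot; -1 if unknown. */
int DefragPolicyFromName(const char *name)
{
    static const char *const names[DEFRAG_POLICY_MAX] = {
        [DEFRAG_POLICY_BSD] = "bsd", [DEFRAG_POLICY_BSD_RIGHT] = "bsd-right",
        [DEFRAG_POLICY_LINUX] = "linux", [DEFRAG_POLICY_WINDOWS] = "windows" };
    for (int i = 0; i < DEFRAG_POLICY_MAX; i++)
        if (strcmp(names[i], name) == 0)
            return i;
    return -1;
}

/* Store one "os: seconds" pair from the YAML; a zero timeout would expire every
 * datagram on arrival, so it is rejected along with unknown OS names. */
int DefragOsParamsSetTimeout(const char *name, uint32_t seconds)
{
    int p = DefragPolicyFromName(name);
    if (p < 0 || seconds == 0)
        return -1;
    defrag_os_params[p].frag_timeout = seconds;
    return 0;
}

uint32_t DefragOsParamsGetTimeout(enum defrag_policy p) { return defrag_os_params[p].frag_timeout; }

/* Per-tracker check: expire once the OS's timeout has elapsed since the first
 * fragment was seen (timestamps in seconds). */
int DefragTrackerExpired(enum defrag_policy p, uint32_t first_seen, uint32_t now)
{
    return (now - first_seen) >= defrag_os_params[p].frag_timeout;
}
```

The defrag code would look up the tracker's OS policy once (from the host-os-policy match on the destination address) and pass it to the expiry check, so an OS left out of the YAML simply keeps the default.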