[Oisf-devel] RFC: DNS app layer and logging (WIP)

Victor Julien victor at inliniac.net
Thu May 2 10:03:46 UTC 2013


On 04/24/2013 05:33 PM, Anoop Saldanha wrote:
> On Wed, Apr 24, 2013 at 8:42 PM, Victor Julien <victor at inliniac.net> wrote:
>> On 04/24/2013 04:59 PM, Anoop Saldanha wrote:
>>> On Wed, Apr 24, 2013 at 7:30 PM, Victor Julien <victor at inliniac.net> wrote:
>>>> Updated version:
>>>> https://github.com/inliniac/suricata/tree/dev-dns-parser-v1.3
>>>>
>>>> On 04/23/2013 06:03 PM, Victor Julien wrote:
>>>>>>> - app layer events won't work correctly with UDP it seems. They alert,
>>>>>>> but then keep on alerting in consecutive packets. Need to look into it.
>>>>
>>>> I added a fix for this, but we need to consider if this is right. The
>>>> commit is here:
>>>> https://github.com/inliniac/suricata/commit/cce88fade28f6bcf0c24e52be5db85ac929fcdfc
>>>>
>>>> It simply resets the app layer events once we switch to a new TX to inspect.
>>>>
>>>> Again, comments, review, etc welcome.
>>>>
>>>
>>> It will work, but it's not right from where I see.  Events should be per tx.
>>>
>>
>> Yeah, so we actually would need both. One per flow, for non-tx aware
>> protocols and for events that are not TX related.
>>
>> And then the per TX one.
>>
>> Similar to how we now have a callback for getting the "files" from a
>> alstate, we can probably also do a callback for events.
>>
>>     FileContainer *(*StateGetFiles)(void *, uint8_t);
>>
>> E.g.
>>
>>     AppLayerDecoderEvents *(*StateGetEvents)(void *alstate, int tx_id);
>>
>> Make sense?
>>
> 
> Yeah.
> 

Updated branch:
https://github.com/inliniac/suricata/tree/dev-dns-parser-v1.4

https://github.com/inliniac/suricata/commit/3722631091883f7396a88cbdb8ef72dbaac164ff
adds the core engine support for TX based decoder events.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
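The two-level event design agreed above (one event list per flow for non-TX protocols and non-TX events, plus a per-transaction list reached through a callback on the app layer state) can be sketched in a few structs. The block below is an added illustration written for this archive page, not code from Suricata or from the linked branches; the `DNSState`/`DNSTransaction` layout, the `EVENT_*` ids and the `DNSStateGetEvents` callback are constructed stand-ins that follow the `StateGetEvents(void *alstate, int tx_id)` shape from the thread. It also shows why per-TX storage stops the repeated-alert problem from the first quoted message: an event set on one TX is not visible when the detection engine moves on to inspect the next TX.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed event ids for this example (not Suricata's real ids). */
enum {
    EVENT_MALFORMED_DATA   = 1, /* per-TX event */
    EVENT_NOT_A_REQUEST    = 2, /* per-TX event */
    EVENT_FLOW_TOO_MANY_TX = 3  /* flow-level event: not tied to any TX */
};

#define MAX_EVENTS 8
#define MAX_TX     4

typedef struct {
    uint8_t events[MAX_EVENTS];
    uint8_t cnt;
} AppLayerDecoderEvents;

/* One transaction (e.g. a DNS query/response pair) owns its own event list. */
typedef struct {
    uint16_t tx_id;
    AppLayerDecoderEvents events;
} DNSTransaction;

/* Hypothetical app layer state kept per flow. */
typedef struct {
    DNSTransaction tx[MAX_TX];
    int tx_cnt;
    AppLayerDecoderEvents flow_events; /* events that belong to the flow, not a TX */
} DNSState;

static int EventsAdd(AppLayerDecoderEvents *e, uint8_t ev) {
    if (e->cnt >= MAX_EVENTS) return -1;
    e->events[e->cnt++] = ev;
    return 0;
}

/* Callback in the shape discussed in the thread: events of one TX, or NULL
 * when no such TX exists in this state. */
static AppLayerDecoderEvents *DNSStateGetEvents(void *alstate, int tx_id) {
    DNSState *s = alstate;
    for (int i = 0; i < s->tx_cnt; i++)
        if (s->tx[i].tx_id == tx_id) return &s->tx[i].events;
    return NULL;
}

/* Flow-level counterpart for protocols or events that are not TX aware. */
static AppLayerDecoderEvents *DNSStateGetFlowEvents(void *alstate) {
    return &((DNSState *)alstate)->flow_events;
}

/* Detection-side check: only the requested TX is consulted, so an event
 * raised on TX A cannot keep alerting while TX B is being inspected. */
static int TxHasEvent(void *alstate, int tx_id, uint8_t ev) {
    AppLayerDecoderEvents *e = DNSStateGetEvents(alstate, tx_id);
    if (e == NULL) return 0;
    for (int i = 0; i < e->cnt; i++)
        if (e->events[i] == ev) return 1;
    return 0;
}

/* Parser stand-in: open a new TX; running out of TX slots is a flow event. */
static int DNSStateNewTx(DNSState *s, uint16_t id) {
    if (s->tx_cnt >= MAX_TX) {
        EventsAdd(&s->flow_events, EVENT_FLOW_TOO_MANY_TX);
        return -1;
    }
    DNSTransaction *tx = &s->tx[s->tx_cnt++];
    memset(tx, 0, sizeof(*tx));
    tx->tx_id = id;
    return s->tx_cnt - 1;
}

/* Constructed scenario; returns a bitmask of the checks that held (0xf = all). */
static unsigned RunScenario(void) {
    DNSState s;
    memset(&s, 0, sizeof(s));
    DNSStateNewTx(&s, 0x1234);
    DNSStateNewTx(&s, 0x5678);
    EventsAdd(DNSStateGetEvents(&s, 0x1234), EVENT_MALFORMED_DATA);

    unsigned r = 0;
    if (TxHasEvent(&s, 0x1234, EVENT_MALFORMED_DATA))  r |= 1; /* set on its own TX */
    if (!TxHasEvent(&s, 0x5678, EVENT_MALFORMED_DATA)) r |= 2; /* not leaked to next TX */
    for (int i = 0; i < 3; i++) DNSStateNewTx(&s, (uint16_t)(0x9000 + i)); /* 5th TX overflows */
    if (DNSStateGetFlowEvents(&s)->cnt == 1)           r |= 4; /* flow-level event recorded once */
    if (DNSStateGetEvents(&s, 0xdead) == NULL)         r |= 8; /* unknown TX yields NULL */
    return r;
}

int main(void) {
    unsigned r = RunScenario();
    printf("checks passed: 0x%x\n", r);
    return r == 0xf ? 0 : 1;
}
```

The engine-facing code never touches `DNSState` directly; it only sees the two accessors, which is what lets the same detection path serve TX-aware parsers (via `StateGetEvents`) and flow-level parsers (via the flow list) without the reset-on-TX-switch workaround from the earlier commit.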


