[Snort-devel] spo_database & fragments

James Hoagland hoagland at ...60...
Sun Jan 21 20:28:04 EST 2001


>This is a very expandable message passing type ( sounds a lot like the
>packets we're dealing with in the first place ).  I'm slightly
>confused - is it an array of pointers or a linked list?   Is it a
>linked list of array messages?
>
>Seems like a null terminated variable length array could do the same
>for us as a linked list so I'm confused which way you are proposing.  I
>suppose it depends on what you wish to deal with.

Come to think of it, a null terminated variable length array is 
probably better.  Certainly cleaner.  (This from my experience 
playing with coding it.)

So instead of (or in addition to) void *arg, I suggest we have 
msg_info **msgs, where:

typedef enum {EXTRA_FIELDS, ALTERNATE_FIELDS, IDMEF_OUTPUT_SPEC, ...} msg_type;

typedef struct {
	msg_type type; /* the type of the message */
	void *msg;  /* type-specific message contents */
} msg_info;

msgs is of varying lengths.  msgs[i] is a pointer to information 
about the message i.  msgs[i] is NULL if there are i messages.

Regards,

   Jim
-- 
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...60...                *|
|*              http://www.silicondefense.com/              *|
|*  Voice: (530) 756-7317              Fax: (707) 445-4222  *|
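
The NULL-terminated msg_info array proposed in the message above, seen from the consuming side, as an added example that is not part of the original mail or of Snort's code. MAX_MSGS, msg_count, msg_find and the string payloads are assumptions made for illustration; the enum carries only the three types the mail names.

```c
#include <stdio.h>

/* The three message types named in the mail; its own list ends in "...". */
typedef enum { EXTRA_FIELDS, ALTERNATE_FIELDS, IDMEF_OUTPUT_SPEC } msg_type;

typedef struct {
    msg_type type; /* the type of the message */
    void *msg;     /* type-specific message contents */
} msg_info;

/* Hypothetical cap: a producer that forgets the NULL terminator must not
 * send the consumer reading past the end of the array. */
#define MAX_MSGS 32

/* Number of messages before the NULL terminator, or -1 if no terminator
 * is found within MAX_MSGS slots. A NULL msgs means "no messages". */
int msg_count(msg_info **msgs)
{
    int i;
    if (msgs == NULL)
        return 0;
    for (i = 0; i < MAX_MSGS; i++)
        if (msgs[i] == NULL)
            return i;
    return -1;
}

/* First message of the wanted type, or NULL if absent or if the array is
 * unterminated. Types this consumer does not ask for are skipped. */
msg_info *msg_find(msg_info **msgs, msg_type wanted)
{
    int i, n = msg_count(msgs);
    for (i = 0; i < n; i++)
        if (msgs[i]->type == wanted)
            return msgs[i];
    return NULL;
}

int main(void)
{
    /* Constructed payloads; the mail does not define their layout. */
    msg_info extra = { EXTRA_FIELDS, "constructed extra-field data" };
    msg_info idmef = { IDMEF_OUTPUT_SPEC, "constructed IDMEF spec" };
    msg_info *msgs[] = { &extra, &idmef, NULL };
    msg_info *m = msg_find(msgs, IDMEF_OUTPUT_SPEC);
    printf("%d messages\n", msg_count(msgs));
    printf("IDMEF: %s\n", m ? (char *)m->msg : "(none)");
    return 0;
}
```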



