[Snort-devel] spo_database & fragments
hoagland at ...60...
Sun Jan 28 15:39:34 EST 2001
At 1:41 AM -0500 1/27/01, Martin Roesch wrote:
>Let's please enumerate this, I don't want to be doing strcmps in the
>output stage if we don't have to. Remember, we try to parse/process as
>much ahead of time as possible so that we keep the amount of work
>required to do any operation as efficient as possible. Let's
>tokenize/enumerate the strings and look them up that way.
I should probably let Joe M. do the talking here, but...
Joe has switched the 4th argument to be an enum type, so there are no
strcmps. Regarding the message passing into the output functions,
Joe has started converting the 3rd argument from a void * to
something similar to the msg_info ** that I proposed in my previous
message in this thread. Spade and the IDMEF output plugin have been
made to take advantage of this (I'm using this plugin to send
IDMEF-formatted anomalous event reports from Spade to the Spice
correlator via sockets; the message passed in describes where and how
to send an alert). I believe that Joe and I also decided that it was
best to convert the few existing uses of the third argument to the
standard message passing format.
Hopefully we will release a patch soon.
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* hoagland at ...60... *|
|* http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (707) 445-4222 *|