[Snort-devel] spo_database & fragments

James Hoagland hoagland at ...60...
Sun Jan 28 15:39:34 EST 2001

At 1:41 AM -0500 1/27/01, Martin Roesch wrote:

>Let's please enumerate this, I don't want to be doing strcmps in the
>output stage if we don't have to.  Remeber, we try to parse/process as
>much ahead of time as possible so that we keep the amount of work
>required to do any operation as efficient as possible.  Let's
>tokenize/enumerate the strings and look them up that way.

I should probably let Joe M. do the talking here, but...

Joe has switched the 4th argument to be an enum type, so there is no 
strcmps.  Regarding the message passing into the output functions, 
Joe has started converting the 3rd argument from a void * to 
something similar to the msg_info ** that I proposed in my previous 
message in this thread.  Spade and the IDMEF output plugin has been 
made to take advantage of this (I'm using this plugin to send 
IDMEF-formatted anomalous event reports from Spade to the Spice 
correlator via sockets; the message passed in describes where and how 
to send an alert).  I believe that Joe and I also decided that it was 
best to convert the few existing uses of the third argument to the 
standard message passing format.

Hopefully we will release a patch soon.


|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...60...                *|
|*              http://www.silicondefense.com/              *|
|*  Voice: (530) 756-7317              Fax: (707) 445-4222  *|

More information about the Snort-devel mailing list