[Snort-devel] Timer in the flows preprocessor

Raymond Pun raymondpun80 at ...445...
Thu Nov 11 16:59:04 EST 2004


Hi,

I have a further question.

In the Snort config, we have specified the home network address, like 
192.168.1.0/24.  How can I get that info in my preprocessor? Or is there any 
function that determines whether a given IP address is within a home network, 
something like IsHomeNetworkIP(in_addr *ip_addr)?

Many, many thanks.

regards,
Raymond

----- Original Message ----- 
From: "Jay Beale" <jay at ...2665...>
To: "Raymond Pun" <raymondpun80 at ...445...>
Cc: <snort-devel at lists.sourceforge.net>
Sent: Friday, November 12, 2004 04:17
Subject: Re: [Snort-devel] Timer in the flows preprocessor


> Raymond Pun wrote:
>> Hi,
>>
>> There is a parameter for the flow preprocessor that tells the interval
>> for reporting statistics. How does the flow preprocessor output to the
>> screen periodically? Is it using some kind of timer? I am not able to find
>> it in the code. Could someone please point it out to me?
>
> Well, the interval is set to the default in FlowInit() and then set to
> the value written in the config file, if any, by FlowParseArgs().  They
> store this in the s_config struct's stats_interval variable.
>
> In FlowPreprocessor(), this is used by this code:
>
>    /* printout some verbose statistics */
>    if(s_config.stats_interval  &&
>       ((last_output + s_config.stats_interval) <= p->pkth->ts.tv_sec))
>    {
>        last_output =  p->pkth->ts.tv_sec;
>
>        if(!pv.quiet_flag)
>            flowcache_stats(stdout, fcache);
>    }
>
> The code here checks if this packet came in stats_interval or more
> seconds since the time of the last output.  If it has, it sets
> last_output to the time of the current packet and calls
> flowcache_stats() to print statistics.
>
> That function is in the flow_cache.c code in the preprocessor/flow
> directory, which might be confusing you.  The flow and HttpInspect
> preprocessors get their own directories for most of their code, as it's
> broken up into a number of files.
>
> - Jay
>
> 
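The packet-driven interval check described in the quoted reply, as an added example that is not part of the original thread or of Snort's source. It shows that the "timer" only advances when a packet arrives, so an idle gap yields one report rather than one per elapsed interval. `struct stats_timer`, `stats_due`, `count_reports` and the timestamps are hypothetical or constructed, and `last_output` starting at 0 is an assumption.

```c
#include <stdio.h>
#include <stddef.h>
#include <time.h>

/* Hypothetical stand-in for the state the thread describes
 * (s_config.stats_interval and last_output); not Snort's own struct. */
struct stats_timer {
    time_t interval;     /* seconds between reports; 0 disables reporting */
    time_t last_output;  /* capture time of the packet that last triggered a report */
};

/* Same test as the quoted FlowPreprocessor() snippet: a report is due when
 * the packet's capture time is at least `interval` seconds past last_output. */
static int stats_due(struct stats_timer *t, time_t pkt_sec)
{
    if (t->interval && (t->last_output + t->interval) <= pkt_sec) {
        t->last_output = pkt_sec;
        return 1;
    }
    return 0;
}

/* Feed a series of packet timestamps through the check; return the report count.
 * Assumption: last_output starts at 0, so the first packet always reports. */
static int count_reports(time_t interval, const time_t *ts, size_t n)
{
    struct stats_timer t = { interval, 0 };
    int reports = 0;
    for (size_t i = 0; i < n; i++)
        reports += stats_due(&t, ts[i]);
    return reports;
}

/* Constructed capture times (seconds): steady traffic, then a 50 s idle gap. */
static const time_t SAMPLE_TS[] = { 100, 101, 104, 105, 109, 110, 160, 161, 170 };
#define SAMPLE_N (sizeof SAMPLE_TS / sizeof SAMPLE_TS[0])

int main(void)
{
    /* The gap between 110 and 160 produces a single report, not ten. */
    printf("interval 5: %d reports\n", count_reports(5, SAMPLE_TS, SAMPLE_N));
    printf("interval 0: %d reports\n", count_reports(0, SAMPLE_TS, SAMPLE_N));
    return 0;
}
```

Because the check keys on packet capture time rather than the wall clock, it behaves the same on live traffic and on a replayed capture file, and it prints nothing while no packets arrive.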
