[Snort-devel] does alertAdd() free pointer after logging?

Ed Borgoyn (eborgoyn) eborgoyn at ...3461...
Tue Mar 3 12:50:12 EST 2015


Hi kawsar,
  I looked at the implementation of the alertAdd() API and for performance, it directly uses the pointer passed as the msg argument when it internally queues the alert.  So you can’t free() the string after the call.  In fact the string should be static since the alertAdd() only queues the message for later processing.

  I hope this helps.

    Ed Borgoyn
    Cisco Snort Development Team


From: Mohiuddin Ebna Kawsar <mohiuddin.kawsar at ...2499...>
Date: Monday, March 2, 2015 at 11:45 AM
To: snort-devel at lists.sourceforge.net
Cc: matthias.wuebbeling at ...3568...
Subject: [Snort-devel] does alertAdd() free pointer after logging?

Hi,

I was logging msg from my dynamic_preprocessor by
##########################################################
int a, b;
a = getSize();
b = getSize();
static char *msg = 0;
/* one byte per character: sizeof(char), not sizeof(char *) */
msg = calloc(strlen(TEST_EVENT_DETECT_STR) + (2 * 10) + 1, sizeof(char));
snprintf(msg, strlen(TEST_EVENT_DETECT_STR) + (2 * 10), TEST_EVENT_DETECT_STR, a, b);
_dpd.alertAdd(GENERATOR_SPP_TEST, TEST_EVENT_DETECT, TEST_EVENT_DETECT_REV, 0, 1, msg, 0);
##############################################################

My question is: should I free msg, or does _dpd.alertAdd() have its own implementation to free it?
Because when I free msg, I don't see any msg in my log file.

Regards
kawsar
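
The lifetime rule from the reply above, as an added example (not Snort code and not written by either poster). model_alert_add() and model_flush() are hypothetical stand-ins for a queue that keeps the caller's pointer until a later logging pass; the message text, queue depth and buffer size are assumptions. Formatted messages go into static storage, one slot per queued alert, so nothing is freed or overwritten while the queue still points at it.

```c
#include <stdio.h>
#include <string.h>
#define MAX_QUEUED 8    /* assumed queue depth for this model */
#define MSG_LEN    96   /* assumed maximum message length */

/* Model of a queue that stores the caller's pointer, not a copy. */
static const char *queued[MAX_QUEUED];
static int n_queued;

static int model_alert_add(const char *msg)
{
    if (n_queued == MAX_QUEUED)
        return -1;
    queued[n_queued++] = msg;   /* pointer is kept past the call */
    return 0;
}

/* Static storage, one slot per alert that can be queued before a flush. */
static char msg_pool[MAX_QUEUED][MSG_LEN];

static int alert_fmt(int a, int b)
{
    if (n_queued == MAX_QUEUED)
        return -1;              /* no free slot: drop rather than overwrite */
    char *slot = msg_pool[n_queued];
    snprintf(slot, MSG_LEN, "test event detected: a=%d b=%d", a, b); /* constructed text */
    return model_alert_add(slot);
}

/* Model of the later logging pass: reads the stored pointers, then resets. */
static int model_flush(char out[][MSG_LEN])
{
    int n = n_queued;
    for (int i = 0; i < n; i++) {
        strncpy(out[i], queued[i], MSG_LEN - 1);
        out[i][MSG_LEN - 1] = '\0';
    }
    n_queued = 0;
    return n;
}

int main(void)
{
    char out[MAX_QUEUED][MSG_LEN];
    alert_fmt(1, 2); alert_fmt(3, 4);
    int n = model_flush(out);
    for (int i = 0; i < n; i++) puts(out[i]);
    return 0;
}
```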