[Snort-devel] does alertAdd() free pointer after logging?

Matthias Wübbeling matthias.wuebbeling at ...3568...
Tue Mar 3 13:52:51 EST 2015


Hi,

This means it is not possible to provide dynamic and case-specific
information with an alert. Do you know another way to add further
information (application-protocol specific)?

Imagine a dynamic-preprocessor that follows a tcp stream. It should
provide packet contents into the alert (e.g. a specific user name or
command).

Is it possible to get information about the alert queue from within a
preprocessor? Are there callback capabilities or similar? Maybe we can
keep the string on the heap until it has been written to file and free
it afterwards?

Kind regards
- Matthias

On 03.03.2015 18:50, Ed Borgoyn (eborgoyn) wrote:
> Hi kawsar, I looked at the implementation of the alertAdd() API and
> for performance, it directly uses the pointer passed as the msg
> argument when it internally queues the alert.  So you can’t free()
> the string after the call.  In fact the string should be static
> since the alertAdd() only queues the message for later processing.
> 
> I hope this helps.
> 
> Ed Borgoyn Cisco Snort Development Team
> 
> 
> From: Mohiuddin Ebna Kawsar <mohiuddin.kawsar at ...2499...>
> Date: Monday, March 2, 2015 at 11:45 AM
> To: "snort-devel at lists.sourceforge.net" <snort-devel at lists.sourceforge.net>
> Cc: "matthias.wuebbeling at ...3568..." <matthias.wuebbeling at ...3568...>
> Subject: [Snort-devel] does alertAdd() free pointer after logging?
> 
> Hi,
> 
> I was logging msg from my dynamic_preprocessor by
> ##########################################################
> int a, b;
> a = getSize();
> b = getSize();
> static char *msg = 0;
> msg = calloc(strlen(TEST_EVENT_DETECT_STR) + (2 * 10) + 1, sizeof(char));
> snprintf(msg, strlen(TEST_EVENT_DETECT_STR) + (2 * 10), TEST_EVENT_DETECT_STR, a, b);
> _dpd.alertAdd(GENERATOR_SPP_TEST, TEST_EVENT_DETECT, TEST_EVENT_DETECT_REV, 0, 1, msg, 0);
> ##############################################################
> 
> My question is: should I free msg, or does _dpd.alertAdd() have its own
> implementation to free it? Because when I free msg, I don't see any
> msg in my log file.
> 
> Regards, kawsar
> 
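The contract Ed describes (the queue keeps the msg pointer itself, so the string must outlive the call) together with Matthias's question about still passing per-event text, as an added C example that is not Snort's code: per-event messages are formatted into a pool of static buffers recycled in order, with mock_alertAdd/mock_flush standing in for the real _dpd queue and MSG_SLOTS an assumed bound on how many alerts can queue before one flush.

```c
/* Added example (not Snort's code): mock_* imitate the alertAdd() contract
 * from the thread (pointer queued as-is, read only at flush); MSG_SLOTS is
 * an assumed bound on how many alerts can queue before one flush. */
#include <stdio.h>
#include <string.h>

#define MSG_SLOTS 8     /* must be >= alerts queued between two flushes */
#define MSG_LEN   128
static char msg_pool[MSG_SLOTS][MSG_LEN];   /* static storage, never freed */
static unsigned msg_next;
/* Format per-event text into the next static slot; the pointer stays valid
 * for MSG_SLOTS - 1 further calls, unlike a calloc()+free() buffer. */
const char *alert_msg_dynamic(const char *user, int cmd_id)
{
    char *buf = msg_pool[msg_next++ % MSG_SLOTS];
    snprintf(buf, MSG_LEN, "TEST_EVENT: user=%s cmd=%d", user, cmd_id);
    return buf;
}

/* Mock of the queue: the pointer is stored as-is, no copy, like alertAdd(). */
static const char *mock_queue[MSG_SLOTS];
static size_t mock_queued;
int mock_alertAdd(const char *msg)
{
    if (mock_queued >= MSG_SLOTS)
        return -1;                       /* queue full, alert dropped */
    mock_queue[mock_queued++] = msg;
    return 0;
}

/* Mock flush: the queued pointers are dereferenced only here. */
size_t mock_flush(char out[][MSG_LEN], size_t max)
{
    size_t n = 0;
    for (; n < mock_queued && n < max; n++)
        snprintf(out[n], MSG_LEN, "%s", mock_queue[n]);
    mock_queued = 0;
    return n;
}

/* Two alerts with different dynamic text, queued then flushed; 1 if intact. */
int demo_round_trip(void)
{
    char logged[MSG_SLOTS][MSG_LEN];
    mock_alertAdd(alert_msg_dynamic("alice", 3));
    mock_alertAdd(alert_msg_dynamic("bob", 7));
    return mock_flush(logged, MSG_SLOTS) == 2 &&
           !strcmp(logged[0], "TEST_EVENT: user=alice cmd=3") &&
           !strcmp(logged[1], "TEST_EVENT: user=bob cmd=7");
}
```

The pool only works if MSG_SLOTS exceeds the deepest queue the preprocessor can build before the next flush; otherwise a slot is overwritten while its pointer is still queued, which is the same corruption as freeing it.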