[Snort-devel] does alertAdd() free pointer after logging?

Steve Sturges (ststurge) ststurge at ...3461...
Tue Mar 3 20:36:09 EST 2015


The events themselves are designed to be well formed and uniform for quick logging, regardless of application protocol.

Recommend that you log other stuff, such as usernames, file names, etc., via extra data events that are linked back to the original event.

There are a few examples of this throughout the Snort code.

Cheers
-steve

> On Mar 4, 2015, at 12:56 AM, Matthias Wübbeling <matthias.wuebbeling at ...1066....3568...> wrote:
> 
> Hi,
> 
> This means it is not possible to provide dynamic and case specific
> information with an alert. Do you know another way to add further
> information (application protocol specific)?
> 
> Imagine a dynamic preprocessor that follows a TCP stream. It should
> provide packet contents in the alert (e.g. a specific user name or
> command).
> 
> Is it possible to get information about the alert queue from within a
> preprocessor? Are there callback capabilities or similar? Maybe we can
> keep the string on the heap until it has been written to file and free
> it afterwards?
> 
> Kind regards
> - Matthias
> 
>> On 03.03.2015 18:50, Ed Borgoyn (eborgoyn) wrote:
>> Hi Kawsar, I looked at the implementation of the alertAdd() API and
>> for performance, it directly uses the pointer passed as the msg
>> argument when it internally queues the alert. So you can't free()
>> the string after the call. In fact the string should be static
>> since alertAdd() only queues the message for later processing.
>> 
>> I hope this helps.
>> 
>> Ed Borgoyn
>> Cisco Snort Development Team
>> 
>> 
>> From: Mohiuddin Ebna Kawsar <mohiuddin.kawsar at ...2499...>
>> Date: Monday, March 2, 2015 at 11:45 AM
>> To: "snort-devel at lists.sourceforge.net" <snort-devel at lists.sourceforge.net>
>> Cc: "matthias.wuebbeling at ...3568..." <matthias.wuebbeling at ...3568...>
>> Subject: [Snort-devel] does alertAdd() free pointer after logging?
>> 
>> Hi,
>> 
>> I was logging msg from my dynamic_preprocessor by
>> ##########################################################
>> int a, b;
>> a = getSize();
>> b = getSize();
>> static char *msg = 0;
>> /* room for the format string plus two 10-digit integers and the NUL */
>> size_t len = strlen(TEST_EVENT_DETECT_STR) + (2 * 10) + 1;
>> msg = calloc(len, sizeof(char));
>> snprintf(msg, len, TEST_EVENT_DETECT_STR, a, b);
>> _dpd.alertAdd(GENERATOR_SPP_TEST, TEST_EVENT_DETECT, TEST_EVENT_DETECT_REV, 0, 1, msg, 0);
>> ##############################################################
>> 
>> My question is: should I free msg, or does _dpd.alertAdd() have its own
>> implementation to free it? Because when I free msg I don't see any
>> msg in my log file.
>> 
>> Regards,
>> Kawsar
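Ed's point that alertAdd() keeps the caller's pointer rather than copying the text, and Steve's that the event message should be a fixed, uniform string, as an added C example that is not Snort code: a mock queue with the same pointer-keeping semantics (alert_add and alert_flush are assumed stand-ins for the _dpd API, with a constructed message format), showing that a scratch buffer reused per alert corrupts earlier entries by flush time while static string literals stay intact.

```c
#include <stdio.h>
#include <string.h>
#define MAX_QUEUED 8
/* Mock of the behaviour Ed describes: the queue keeps the caller's pointer
 * and copies nothing, so the text must stay valid until the flush.
 * (alert_add/alert_flush are stand-ins for the real _dpd API, not Snort code.) */
static const char *g_queue[MAX_QUEUED];
static int g_queued;

int alert_add(const char *msg)
{
    if (g_queued >= MAX_QUEUED) return -1;
    g_queue[g_queued++] = msg;      /* pointer only: caller owns the lifetime */
    return 0;
}

/* The deferred logging step: writes each queued message as one line into a
 * static output buffer, empties the queue and returns the text written. */
const char *alert_flush(void)
{
    static char out[256];
    size_t used = 0;
    out[0] = '\0';
    for (int i = 0; i < g_queued && used < sizeof out; i++)
        used += (size_t)snprintf(out + used, sizeof out - used, "%s\n", g_queue[i]);
    g_queued = 0;
    return out;
}

/* Unsafe: one scratch buffer reused per alert. Both queue entries alias the
 * same storage, so at flush time the first alert shows the second's text.
 * Freeing the buffer before the flush (the original question) makes the
 * queue read freed memory, which is why the log came out empty. */
const char *demo_reused_buffer(void)
{
    static char scratch[64];
    for (int size = 1; size <= 2; size++) {
        snprintf(scratch, sizeof scratch, "TEST detected size=%d", size);
        alert_add(scratch);
    }
    return alert_flush();
}

/* Safe: string literals have static storage and are never rewritten, so each
 * entry stays valid and distinct, matching Ed's "the string should be static". */
const char *demo_static_strings(void)
{
    alert_add("TEST detected: login seen");
    alert_add("TEST detected: command seen");
    return alert_flush();
}
```

Per-alert detail such as a user name or command is what Steve's extra data events are for; the queued message itself should stay one of these fixed strings.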