[Snort-users] Patch for Time criteria handling in ACID

Mark Vevers mark at ...6083...
Thu Jun 13 17:44:03 EDT 2002

Roman et al,

A number of issues were bugging me about the time criteria handling in ACID, 
and along the way I also picked up what I think is another bug ...

1. Even though a time criteria could be cleared to '/ * /', it couldn't be 
completely removed.
2. Having fixed that, the search entry time criteria disappears, and since PHP 
doesn't run the for loop once whatever if expr2 doesn't evaluate to true, no 
option to add it was appearing ... added code to give 'Add Time' button when 
no time criteria have yet been entered.
3. Acid was displaying an error about multiple time criteria without an AND 
or OR despite the fact that only one criteria had been entered (with and 
without the above fixes).
4. During this I discovered ProcessCriteria was being called twice for a 
normal search, once by acid_qry_main and once by acid_qry_sqlcalls. The 
second was unnecessary for a normal query but was needed when called by 
acid_ag_main.php, so I moved the ProcessCriteria line inside the if 
clause when called by acid_ag_main.

As far as I can tell the fixes work - I've tried normal searches with and 
without multiple time criteria, canned queries and alert graphing and they 
all seem to work OK, YMMV.  The change to the search UI may not be quite what 
you wanted, but it's a consequence of the fact that the Init function gets called 
to clear the criteria as well as to create it ......

---------------------------------------------------------------------------------------------------

Index: acid_state_citems.inc
RCS file: /cvsroot/acidlab/acid/acid/acid_state_citems.inc,v
retrieving revision 1.3
diff -r1.3 acid_state_citems.inc
>    function Init()
>    {
>      $this->criteria_cnt=0;
>      unset($this->criteria);
>    }
>      $this->criteria_cnt=0;
>      unset($this->criteria);
>       if ($this->criteria_cnt == 0)
>          echo '    <INPUT TYPE="submit" NAME="submit" VALUE="ADD Time">';
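Review bot: The reset pair `$this->criteria_cnt=0;` / `unset($this->criteria);` is added twice, once inside the new `Init()` and once more right after it, so the two copies can drift apart; the second site should call `$this->Init()` instead. The button is emitted with the value "ADD Time" while the description calls it 'Add Time', so whatever compares the submit value needs to match the exact string used here. The ed-style change commands are missing from this diff, which makes it impossible to see where each added block lands in the file; a unified diff (`diff -u`) with context would let this be applied and checked.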
Index: acid_qry_sqlcalls.php
RCS file: /cvsroot/acidlab/acid/acid/acid_qry_sqlcalls.php,v
retrieving revision 1.9
diff -r1.9 acid_qry_sqlcalls.php
<   ProcessCriteria();
>      ProcessCriteria();
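Review bot: The re-indented `ProcessCriteria();` call is shown without the `if` that now encloses it, so the condition guarding it cannot be checked from this hunk. Since the normal search path now depends on acid_qry_main having already called ProcessCriteria, any other script that includes acid_qry_sqlcalls.php without going through acid_qry_main or acid_ag_main.php would run with unprocessed criteria. Please include the surrounding lines and add a comment at the call stating which caller needs it and why the others do not.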
Index: acid_qry_common.php
RCS file: /cvsroot/acidlab/acid/acid/acid_qry_common.php,v
retrieving revision 1.16
diff -r1.16 acid_qry_common.php
<   for ( $i = 0; $i <= $cnt; $i++ )
- ---
>   for ( $i = 0; $i < $cnt; $i++ )
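Review bot: With `$i < $cnt` the loop body no longer runs at all when `$cnt` is 0, where the old `$i <= $cnt` always ran it at least once. If this is the loop that renders the time criteria rows, the empty case now depends entirely on the "ADD Time" button added in acid_state_citems.inc, and that coupling deserves a comment next to the loop. The hunk has no line numbers or context, so it is worth confirming that this is the only `$i <= $cnt` loop in acid_qry_common.php that was meant to change.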

-- 
Mark Vevers.    mark at ...5096... / mvevers at ...5097...
Internet Backbone Engineering Team
Internet for Learning, Research Machines Plc
Tel: +44 1235 823380,   Fax: +44 1235 823424