[Snort-users] Patch for Time criteria handling in ACID

Roman Danyliw roman at ...438...
Sat Jun 15 13:52:02 EDT 2002


Mark,

Done.  Modified patch committed.

Thanks,
Roman

On Wed, 12 Jun 2002 14:47:12 +0100, Mark Vevers <mark at ...5096...> wrote :

> (This didn't get through to the list yesterday as I sent it from another 
> unsubscribed address ....)
> 
> Roman et al,
> 
> A number of issues were bugging me about the time criteria handling in ACID,
> and along the way I also picked up what I think is another bug ...
> 
> 1. Even though a time criteria could be cleared to '/ * /'  it couldn't be
> completely removed.
> 2. Having fixed that, the search entry time criteria disappears and since PHP
> doesn't run the for loop once whatever if expr2 doesn't evaluate to true, no
> option to add it was appearing ... added code to give 'Add Time' button when
> no time criteria have yet been entered.
> 3. Acid was displaying an error about multiple time criteria without an AND
> or OR despite the fact that only one criteria had been entered (with and
> without the above fixes).
> 4. During this I discovered ProcessCriteria was being called twice for a
> normal search, once by acid_qry_main and once by acid_qry_sqlcalls.  The
> second was unnecessary for a normal query but was needed when called by
> acid_ag_main.php so I moved the ProcessCriteria line inside the if
> clause when called by acid_ag_main.
> 
> As far as I can tell the fixes work - I've tried normal searches with and
> without multiple time criteria, canned queries and alert graphing and they
> all seem to work OK, YMMV.  The change to the search UI may not be quite what
> you wanted, but it's a consequence of the fact that Init function gets called
> to clear the criteria as well as to create it ......
> 
> Cheers
> Mark
> - --
> - ----------------------------------------------------------------------------
> 
> Index: acid_state_citems.inc
> ===================================================================
> RCS file: /cvsroot/acidlab/acid/acid/acid_state_citems.inc,v
> retrieving revision 1.3
> diff -r1.3 acid_state_citems.inc
> 589a590,596
> 
> >    function Init()
> >    {
> >      $this->criteria_cnt=0;
> >      unset($this->criteria);
> >    }
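
Review bot: in the new Init(), `unset($this->criteria);` removes the property instead of emptying it, so any later read of `$this->criteria` that is not guarded by `criteria_cnt` sees an undefined value. Assigning `$this->criteria = array();` would keep the type stable and make the reset state explicit. A one-line comment that Init() is used both to create and to clear the criteria would also help, since the covering message says that dual use is what changes the search UI.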
> 
> 593a601,602
> 
> >      $this->criteria_cnt=0;
> >      unset($this->criteria);
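
Review bot: the two lines added at 601-602 repeat the body of the Init() added at 590-596 in the same file. If both sit in the same class hierarchy, calling `$this->Init();` here would keep the reset logic in one place, so a later change to how criteria are cleared cannot miss this copy. If they belong to unrelated classes, a comment saying so would explain the duplication.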
> 
> 650a660,663
> 
> >       if ($this->criteria_cnt == 0)
> >          echo '    <INPUT TYPE="submit" NAME="submit" VALUE="ADD Time">';
> 
> Index: acid_qry_sqlcalls.php
> ===================================================================
> RCS file: /cvsroot/acidlab/acid/acid/acid_qry_sqlcalls.php,v
> retrieving revision 1.9
> diff -r1.9 acid_qry_sqlcalls.php
> 20,21d19
> <   ProcessCriteria();
> <
> 23a22
> 
> >      ProcessCriteria();
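
Review bot: with `ProcessCriteria();` moved from line 20 into the conditional at line 22, every other path through acid_qry_sqlcalls.php now depends on its caller having run ProcessCriteria first, and nothing in the file says so. A comment at the new call stating that acid_qry_main already processes the criteria and that only the acid_ag_main path needs it here would document the precondition. The condition itself is not visible in this diff, so please confirm it is true only for that caller.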
> 
> Index: acid_qry_common.php
> ===================================================================
> RCS file: /cvsroot/acidlab/acid/acid/acid_qry_common.php,v
> retrieving revision 1.16
> diff -r1.16 acid_qry_common.php
> 124c124
> <   for ( $i = 0; $i <= $cnt; $i++ )
> - - ---
> 
> >   for ( $i = 0; $i < $cnt; $i++ )
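
Review bot: the bound change from `$i <= $cnt` to `$i < $cnt` at line 124 is right only if $cnt is the number of entries and they are indexed from 0; a short comment saying so would stop the off-by-one from being reintroduced, and other loops over the same criteria in this file are worth checking for the same `<=`. Also, the `---` separator of this hunk arrives as `- - ---` in the mail, so the patch text as posted will not apply until the dash-escaping is undone; sending it as an attachment avoids that.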
> 
> - - --
> Mark Vevers.    mark at ...5096... / mvevers at ...5097...
> Internet Backbone Engineering Team
> Internet for Learning, Research Machines Plc
> Tel: +44 1235 823380,   Fax: +44 1235 823424