Snort mailing list archives

Re: does alertAdd() free pointer after logging?


From: Matthias Wübbeling <matthias.wuebbeling () cs uni-bonn de>
Date: Tue, 03 Mar 2015 19:52:51 +0100


Hi,

This means it is not possible to provide dynamic and case specific
information with an alert. Do you know another way to add further
information (application protocol specific)?

Imagine a dynamic-preprocessor that follows a tcp stream. It should
provide packet contents into the alert (e.g. a specific user name or
command).

Is it possible to get information about the alert queue from within a
preprocessor? Are there callback capabilities or similar? Maybe we can
keep the string on the heap until it has been written to file and free
it afterwards?

Kind regards
-- Matthias

On 03.03.2015 18:50, Ed Borgoyn (eborgoyn) wrote:
Hi Kawsar,

I looked at the implementation of the alertAdd() API and, for
performance, it directly uses the pointer passed as the msg argument
when it internally queues the alert. So you can't free() the string
after the call. In fact the string should be static, since alertAdd()
only queues the message for later processing.

I hope this helps.

Ed Borgoyn
Cisco Snort Development Team


From: Mohiuddin Ebna Kawsar <mohiuddin.kawsar () gmail com>
Date: Monday, March 2, 2015 at 11:45 AM
To: snort-devel () lists sourceforge net
Cc: matthias.wuebbeling () cs uni-bonn de
Subject: [Snort-devel] does alertAdd() free pointer after logging?

Hi,

I was logging msg from my dynamic_preprocessor by
##########################################################
int a, b;
a = getSize();
b = getSize();

/* Buffer for the formatted message: the format string plus room
 * for the two decimal integers and the terminating NUL. */
static char *msg = 0;
size_t len = strlen(TEST_EVENT_DETECT_STR) + (2 * 10) + 1;
msg = calloc(len, sizeof(char));   /* was sizeof(char*): that allocates
                                      pointer-sized cells instead of bytes */
snprintf(msg, len, TEST_EVENT_DETECT_STR, a, b);

_dpd.alertAdd(GENERATOR_SPP_TEST, TEST_EVENT_DETECT,
              TEST_EVENT_DETECT_REV, 0, 1, msg, 0);
##############################################################

My question is: should I free msg, or does _dpd.alertAdd() have its own
implementation to free it? Because when I free msg, I don't see any
msg in my log file.

Regards,
Kawsar

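The behaviour Ed describes (alertAdd() keeps the caller's pointer and the message is only written when the alert queue is flushed) is what makes Kawsar's free() lose the text and what makes a single static buffer unsafe for dynamic, per-alert content. The following is an added example, not Snort code: mock_alert_add() and mock_flush() stand in for the real queue and its flush, and format_single(), format_ring() and format_heap() are the three storage strategies the thread discusses (one static buffer, a ring of static buffers sized to the queue, and heap strings released only after the flush). All names, sizes and sample values are hypothetical.

```c
/* Added example (not Snort's code): a mock alert queue with the same
 * pointer-only semantics the thread describes, used to compare where a
 * preprocessor can keep a dynamically formatted alert message. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MSG_LEN   64   /* hypothetical maximum message length */
#define QUEUE_MAX 8    /* hypothetical maximum alerts queued before a flush */

/* Mock queue: like alertAdd(), it stores the pointer and nothing else. */
static const char *alert_queue[QUEUE_MAX];
static int alert_count;

static int mock_alert_add(const char *msg) {
    if (!msg || alert_count >= QUEUE_MAX) return -1;
    alert_queue[alert_count++] = msg;      /* pointer kept, text not copied */
    return 0;
}

/* Mock flush: the message text is read only now, when the "log" is written.
 * Copies each queued message into out[] and returns how many were written. */
static int mock_flush(char out[][MSG_LEN], int max) {
    int n = 0;
    for (int i = 0; i < alert_count && n < max; i++, n++)
        snprintf(out[n], MSG_LEN, "%s", alert_queue[i]);
    alert_count = 0;
    return n;
}

/* Pattern 1: one static buffer reused for every alert. Safe for the
 * lifetime question, but a second alert before the flush overwrites it. */
static char single_buf[MSG_LEN];
static const char *format_single(const char *user, int cmd) {
    snprintf(single_buf, sizeof single_buf, "user=%s cmd=%d", user, cmd);
    return single_buf;
}

/* Pattern 2: a ring of static buffers with at least as many slots as
 * alerts that can be queued between flushes. */
#define RING_SLOTS QUEUE_MAX
static char ring_buf[RING_SLOTS][MSG_LEN];
static unsigned ring_next;
static const char *format_ring(const char *user, int cmd) {
    char *slot = ring_buf[ring_next++ % RING_SLOTS];
    snprintf(slot, MSG_LEN, "user=%s cmd=%d", user, cmd);
    return slot;
}

/* Pattern 3: heap strings tracked in a side list and freed only after the
 * flush, which is Matthias' suggestion and needs a post-logging hook. */
static char *held[QUEUE_MAX];
static int held_count;
static const char *format_heap(const char *user, int cmd) {
    if (held_count >= QUEUE_MAX) return NULL;
    char *s = malloc(MSG_LEN);
    if (!s) return NULL;
    snprintf(s, MSG_LEN, "user=%s cmd=%d", user, cmd);
    held[held_count++] = s;
    return s;
}
static void release_held(void) {           /* call only after the flush */
    for (int i = 0; i < held_count; i++) free(held[i]);
    held_count = 0;
}

/* Queue two alerts with constructed sample data before one flush and count
 * how many log lines still carry the message they were queued with. */
static int count_intact(const char *(*fmt)(const char *, int)) {
    char log[QUEUE_MAX][MSG_LEN];
    mock_alert_add(fmt("alice", 1));
    mock_alert_add(fmt("bob", 2));
    int n = mock_flush(log, QUEUE_MAX);
    release_held();                        /* no-op unless format_heap was used */
    int intact = 0;
    if (n > 0 && strcmp(log[0], "user=alice cmd=1") == 0) intact++;
    if (n > 1 && strcmp(log[1], "user=bob cmd=2") == 0) intact++;
    return intact;
}

int main(void) {
    printf("single static buffer: %d of 2 messages intact\n", count_intact(format_single));
    printf("ring of %d buffers:    %d of 2 messages intact\n", RING_SLOTS, count_intact(format_ring));
    printf("heap, freed after flush: %d of 2 messages intact\n", count_intact(format_heap));
    return 0;
}
```

The single static buffer keeps only the last message when two alerts are queued before a flush, so the first alert is logged with the wrong text; the ring works as long as RING_SLOTS is not smaller than the number of alerts that can be queued between flushes, a bound the thread does not state for Snort and which this example simply assumes; the heap variant is the only one with no fixed size, but it depends on being told when the flush has happened, which is exactly the callback the thread asks about.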
