'[prelude-devel] Store the same analyzer in different alerts'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       prelude-devel
Subject:    [prelude-devel] Store the same analyzer in different alerts
From:       Victor Stinner <victor.stinner () inl ! fr>
Date:       2007-06-26 14:27:44
Message-ID: 200706261627.44137.victor.stinner () inl ! fr
[Download RAW message or body]

Hi,

After digging Prelude source code, I understood why my alerts sometimes lost 
their analyzer(1): it's not possible to use the same analyzer in two 
different alerts.

I mean different alerts existing at the same moment: I use alert template for 
faster alert creation and then clone them to send messages. I create all 
templates on startup and destroy them when I leave my program.

My buggy code was:
   alert = idmef_message_get_alert(idmef);
   analyzer = prelude_client_get_analyzer(global_client);
   idmef_alert_set_analyzer(alert, analyzer, 1);

idmef_alert_set_analyzer() code:
   void idmef_alert_set_analyzer(idmef_alert_t *ptr, 
                                 idmef_analyzer_t *object, int pos)
   {
      if ( ! prelude_list_is_empty(&object->list) )
         prelude_list_del_init(&object->list);

      list_insert(&ptr->analyzer_list, &object->list, pos);
   }

So on first call, analyzer is *connected* to first alert. On second call, 
analyzer is detached with prelude_list_del_init() call and then connected to 
second alert.

Fixed version is:
   alert = idmef_message_get_alert(idmef);
   client_analyzer = prelude_client_get_analyzer(global_client);
   idmef_analyzer_clone(client_analyzer, &analyzer);
   idmef_alert_set_analyzer(alert, analyzer, 1);

(I removed error checking code to have smallest code as possible)

-----

I don't know if it could be called a bug. It sounds like a feature, but for 
end user (prelude sensor developers, like me) it's hard to understand.

Solution:
- Store reference to the analyzer in the alert, and not directly the analyzer 
<= it's not a good idea to change this sensitive code
- or Use my workaround to avoid the behaviour
- or Write more API documentation
- or Write howto documentation (write a sensor)
- or Another idea?

Victor Stinner
http://www.inl.fr/

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic