On Wed, Jul 19, 2006 at 01:35:51PM +0530, Rajkumar S. wrote:

> And these rules are dynamic, i.e. a rule might be for 10 minutes
> and after which it needs to be deleted.
>
> The current way is to flush the anchor and then load the anchor with
> all the rules except the one deleted. It is a pita if I want to do
> this without touching the disk, that too from a snortsam plugin.
Why don't you create sub-anchors, one for each single rule? Then removing one rule (and the sub-anchor that contains it) can be done by simply flushing the sub-anchor.

You need one call in the main ruleset or the existing anchor, using the wildcard '*', that call evaluates all sub-anchors, and the call doesn't need to be updated when you insert/remove sub-anchors.

You could even use the sub-anchor names in some clever way, like put the rule's expiration time (unix epoch) in that string, so to purge expired rules, you can traverse the list of sub-anchors alphabetically and stop when a name is larger than time(NULL). Or store some ID in the name (which your plugin associates with the entry), which helps you purge the sub-anchor without traversing them all searching for some rule.

Unless you expect to have several thousand rules like this concurrently, the overhead of the sub-anchor evaluation isn't that terrible.

IIRC, the ioctl API once contained a call to insert/remove one particular rule in a certain place of the ruleset, but it was cumbersome, and the entire (sub-)anchor concept makes it superfluous in most cases.

Daniel
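The one-sub-anchor-per-rule scheme described in the reply above, written out as a small POSIX sh helper. This is an added example, not code from the mail or from snortsam. It assumes pf.conf carries a wildcard call `anchor "snortsam/*"`, that the base anchor name is `snortsam`, that each dynamic rule gets the sub-anchor name `<expiry epoch>-<id>`, and that `pfctl -a <anchor> -s Anchors` lists the sub-anchors one per line (it is read leniently, so either a bare name or a full path works). `PFCTL` can be overridden (e.g. `PFCTL=echo`) for a dry run.

```sh
#!/bin/sh
# Added example (not from the original mail): dynamic pf block rules, one sub-anchor each,
# under a base anchor evaluated from pf.conf with:   anchor "snortsam/*"
# Removing a rule = flushing its own sub-anchor; nothing else in the ruleset is touched.
# Assumptions: base anchor "snortsam", name format "<epoch>-<id>", pfctl on PATH.
BASE="${BASE:-snortsam}"
PFCTL="${PFCTL:-pfctl}"   # set PFCTL=echo to see the commands without running them

# Sub-anchor name. The epoch is zero-padded to 10 digits so that an alphabetical
# listing is also ordered by expiry, as the mail suggests.
sub_anchor_name() {
    printf '%s/%010d-%s\n' "$BASE" "$1" "$2"
}

# Load one block rule into its own sub-anchor.
# $1=address  $2=seconds to live  $3=id chosen by the caller  $4=current epoch (optional)
block_host() {
    now="${4:-$(date +%s)}"
    name=$(sub_anchor_name $((now + $2)) "$3")
    printf 'block in quick from %s to any\n' "$1" | "$PFCTL" -a "$name" -f -
}

# List the sub-anchors of $BASE as full paths, one per line.
list_sub_anchors() {
    "$PFCTL" -a "$BASE" -s Anchors | sed 's/^[[:space:]]*//' | while IFS= read -r n; do
        case "$n" in
            */*) printf '%s\n' "$n" ;;
            *)   printf '%s/%s\n' "$BASE" "$n" ;;   # bare name: prefix the base anchor
        esac
    done
}

# Read sub-anchor names on stdin; print those whose embedded expiry is <= $1.
# Compares numerically rather than relying on listing order, so it is correct
# even if the names are not sorted.
expired_sub_anchors() {
    while IFS= read -r name; do
        epoch=${name##*/}        # strip "base/"
        epoch=${epoch%%-*}       # keep the part before "-<id>"
        case "$epoch" in ''|*[!0-9]*) continue ;; esac   # not one of ours
        if [ "$epoch" -le "$1" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Flush every sub-anchor whose expiry has passed (pf drops an anchor once it is empty).
purge_expired() {
    now="${1:-$(date +%s)}"
    list_sub_anchors | expired_sub_anchors "$now" | while IFS= read -r name; do
        "$PFCTL" -a "$name" -F rules
    done
}

# Remove one rule early by the id stored in its sub-anchor name, no full reload needed.
unblock_id() {
    list_sub_anchors | grep -- "-$1\$" | while IFS= read -r name; do
        "$PFCTL" -a "$name" -F rules
    done
}

# Typical use from a cron job or the plugin:
#   block_host 192.0.2.10 600 evt42      # constructed sample address and id
#   purge_expired                        # run periodically
#   unblock_id evt42                     # manual early removal
```

Because the expiry sits first in the name and is zero-padded, a tool that walks a sorted listing could stop at the first name greater than `time(NULL)`, exactly as the reply describes; the numeric check above is the order-independent version of the same idea.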