On Wed, Jul 19, 2006 at 01:35:51PM +0530, Rajkumar S. wrote:
> And these rules are dynamic, i.e., the rule one might be for 10 minutes
> and after which it needs to be deleted.
> The current way is to flush the anchor and then load the anchor with
> all the rules except the one deleted. It is a PITA if I want to do
> this without touching the disk, that too from a snortsam plugin.
Why don't you create sub-anchors, one for each single rule? Then
removing one rule (and the sub-anchor that contains it) can be done by
simply flushing the sub-anchor.
You need one call in the main ruleset or the existing anchor, using the
wildcard '*', that call evaluates all sub-anchors, and the call doesn't
need to be updated when you insert/remove sub-anchors.
You could even use the sub-anchor names in some clever way, like put the
rule's expiration time (unix epoch) in that string, so to purge expired
rules, you can traverse the list of sub-anchors alphabetically and stop
when a name is larger than time(NULL).
Or store some ID in the name (which your plugin associates with the
entry), which helps you purge the sub-anchor without traversing them all
searching for some rule.
Unless you expect to have several thousand rules like this concurrently,
the overhead of the sub-anchor evaluation isn't that terrible.
IIRC, the ioctl API once contained a call to insert/remove one
particular rule in a certain place of the ruleset, but it was
cumbersome, and the entire (sub-)anchor concept makes it superfluous in
most cases.
Daniel
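The scheme Daniel sketches above, written out as a small pfctl wrapper. This is an added example, not code from the thread or from pf/snortsam. It assumes a parent anchor named "snortsam" that the main ruleset references once with `anchor "snortsam/*"`, that sub-anchor names are built as `<expiry-epoch>-<id>` so that alphabetical order equals expiry order, and that `pfctl -a snortsam -s Anchors` prints the direct sub-anchors one per line (with leading spaces) as OpenBSD's pfctl does. The `PFCTL` variable exists only so the pfctl binary can be swapped for a stub when testing the script on a host without pf.

```shell
#!/bin/sh
# Added example: one pf sub-anchor per dynamic block rule.
# Assumed parent anchor (hypothetical name) and a single line in pf.conf:
#   anchor "snortsam/*"
# which evaluates every sub-anchor without editing pf.conf again.
PARENT="snortsam"
PFCTL="${PFCTL:-pfctl}"   # override with a stub for dry runs

# anchor_name EXPIRY ID -> "snortsam/EXPIRY-ID"
# Epoch seconds are 10 digits until 2286, so string order == numeric order.
anchor_name() {
    printf '%s/%s-%s\n' "$PARENT" "$1" "$2"
}

# add_block LIFETIME_SECONDS ID ADDRESS
# Loads a single rule into its own sub-anchor; the expiry is encoded in
# the anchor name so the purge can stop at the first unexpired entry.
add_block() {
    lifetime=$1; id=$2; addr=$3
    expires=$(( $(date +%s) + lifetime ))
    name=$(anchor_name "$expires" "$id")
    printf 'block in quick from %s to any\n' "$addr" | "$PFCTL" -a "$name" -f -
}

# expired_anchors NOW
# Pure text filter: reads sub-anchor names (as printed by "pfctl -s Anchors")
# on stdin, emits the expired ones and stops at the first name whose expiry
# is later than NOW, i.e. no full traversal when few rules have expired.
expired_anchors() {
    now=$1
    sort | while read -r name; do
        base=${name##*/}        # strip "snortsam/"
        stamp=${base%%-*}       # leading expiry epoch
        [ "$stamp" -le "$now" ] || break
        printf '%s\n' "$name"
    done
}

# purge_expired: flush every expired sub-anchor; an emptied, unreferenced
# sub-anchor is dropped by pf, and the "snortsam/*" call needs no update.
purge_expired() {
    "$PFCTL" -a "$PARENT" -s Anchors | expired_anchors "$(date +%s)" |
    while read -r name; do
        "$PFCTL" -a "$name" -F rules
    done
}

# remove_block ID
# Purges one rule early by its id, found in the anchor name, so there is
# no need to know its expiry or to reload the remaining rules.
remove_block() {
    id=$1
    "$PFCTL" -a "$PARENT" -s Anchors | grep -- "-${id}\$" |
    while read -r name; do
        "$PFCTL" -a "$name" -F rules
    done
}
```

Typical use from a plugin or cron job: `add_block 600 abc123 192.0.2.7` installs a ten-minute block, `purge_expired` runs every minute, and `remove_block abc123` lifts a block ahead of time. Because the filter stops at the first unexpired name, the purge cost grows with the number of expired entries rather than the total number of sub-anchors, which is the property the reply describes.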