Snort mailing list archives
some question about snort3 http_inspector
From: "Sitao \"Tony\" Cheng via Snort-sigs" <snort-sigs () lists snort org>
Date: Fri, 19 Mar 2021 10:33:00 +0800
Hello,

Thank you so much for reading my e-mail! I am using snort3 as an IPS system and digging into the http_inspect source code. When debugging and tracing some parameters using an HTTP pcap bigger than the configured stream_tcp_pdu, I found something confusing. My purpose is to get some sections like the URL, body, etc. in a packet.

Here is the part where I am stuck, in http_inspect.cc. As you see, because of the size of the packet, line 530 was called twice. However, the address of "current_section" newed by HttpMsgBody was the same, when the data and data size changed. Is the former instance destroyed? Or are they the same instance?

Going deeper, I found this line in http_msg_body.cc. The 'body_octets' accumulated the data_size which is in two instances of the class "HttpMsgBodyCl". How could it get the 'body_octets' in another instance when it is not a static parameter?

I might be missing something. Could you give me some clues? I would appreciate it so much for your time.