/*
* Changed so events are inserted in action config order 'drop alert ...',
* and sub sorted in each action group by priority or content length.
* The sub sorting is done in fpFinalSelect inf fpdetect.c. Once the
* events are inserted they can all be logged, as we only insert
* g_event_queue.log_events into the queue.
* ... Jan '06
*/
int SnortEventqAdd(unsigned int gid,
unsigned int sid,
unsigned int rev,
unsigned int classification,
unsigned int pri,
char *msg,
void *rule_info)
{
EventNode *en;
en = (EventNode *)sfeventq_event_alloc(snort_conf->event_queue);
if(!en)
return -1;
en->gid = gid;
en->sid = sid;
en->rev = rev;
en->classification = classification;
en->priority = pri;
en->msg = msg;
en->rule_info = rule_info;
/*
* Check if we have a preprocessor or decoder event
* Preprocessors and decoders may be configured to inspect
* and alert in their principle configuration (legacy code)
* this test than checks if the rule otn says they should
* be enabled or not. The rule itself will decide if it should
* be an alert or a drop (sdrop) condition.
*/
#ifdef PREPROCESSOR_AND_DECODER_RULE_EVENTS
{
struct _OptTreeNode * potn;
/* every event should have a rule/otn */
potn = OtnLookup(snort_conf->otn_map, gid, sid);
/*
* if no rule otn exists for this event, than it was
* not enabled via rules
*/
if (potn == NULL)
{
if (ScAutoGenPreprocDecoderOtns())
{
/* Generate an OTN if configured to do so.... */
potn = GenerateSnortEventOtn(en->gid,
en->sid,
en->rev,
en->classification,
en->priority,
en->msg);
if (potn != NULL)
OtnLookupAdd(snort_conf->otn_map, potn);
}
}
if (potn == NULL)
{
/* no otn found/created - do not add it to the queue */
return 0;
}
}
#endif
if (sfeventq_add(snort_conf->event_queue, (void *)en))
{
return -1;
}
return 0;
}
void ppm_pkt_log(ppm_cfg_t *ppm_cfg, Packet* p)
{
int filterEvent = 0;
if (!ppm_cfg->max_pkt_ticks)
return;
ppm_cfg->pkt_event_cnt++;
if (ppm_cfg->pkt_log & PPM_LOG_ALERT)
{
OptTreeNode* potn;
Event ev;
/* make sure we have an otn already in our table for this event */
potn = OtnLookup(snort_conf->otn_map, GENERATOR_PPM, PPM_EVENT_PACKET_ABORTED);
if (potn == NULL)
{
/* have to make one */
potn = GenerateSnortEventOtn(GENERATOR_PPM, /* GID */
PPM_EVENT_PACKET_ABORTED, /* SID */
1, /* Rev */
0, /* classification */
3, /* priority (low) */
PPM_EVENT_PACKET_ABORTED_STR /* msg string */);
if (potn == NULL)
return;
OtnLookupAdd(snort_conf->otn_map, potn);
}
SetEvent(&ev,
potn->sigInfo.generator, /* GID */
potn->sigInfo.id, /* SID */
potn->sigInfo.rev, /* Rev */
potn->sigInfo.class_id, /* classification */
potn->sigInfo.priority, /* priority (low) */
#if !defined(FEAT_OPEN_APPID)
0);
#else /* defined(FEAT_OPEN_APPID) */
0, NULL);
#endif /* defined(FEAT_OPEN_APPID) */
if ( IPH_IS_VALID(p) )
{
filterEvent = sfthreshold_test(
potn->event_data.sig_generator,
potn->event_data.sig_id,
GET_SRC_IP(p), GET_DST_IP(p),
p->pkth->ts.tv_sec);
}
else
{
snort_ip cleared;
IP_CLEAR(cleared);
filterEvent = sfthreshold_test(
potn->event_data.sig_generator,
potn->event_data.sig_id,
IP_ARG(cleared), IP_ARG(cleared),
p->pkth->ts.tv_sec);
}
if(filterEvent < 0)
filterEvent = 0;
else
AlertAction(p, potn, &ev);
}
static int LogSnortEvents(void *event, void *user)
{
Packet *p;
EventNode *en;
OTNX *otnx;
struct _OptTreeNode * potn;
SNORT_EVENTQ_USER *snort_user;
if(!event || !user)
return 0;
en = (EventNode *)event;
snort_user = (SNORT_EVENTQ_USER *)user;
p = (Packet *)snort_user->pkt;
/*
** Log rule events differently because we have to.
*/
if(en->rule_info)
{
otnx = (OTNX *)en->rule_info;
if(!otnx->otn || !getRuntimeRtnFromOtn(otnx->otn))
return 0;
snort_user->rule_alert = otnx->otn->sigInfo.rule_flushing;
fpLogEvent(getRuntimeRtnFromOtn(otnx->otn), otnx->otn, p);
}
else
{
/* Look up possible decoder and preprocessor event otn */
potn = OtnLookup(snort_conf->otn_map, en->gid, en->sid);
if (potn == NULL)
{
#ifdef PREPROCESSOR_AND_DECODER_RULE_EVENTS
if (ScAutoGenPreprocDecoderOtns())
{
/* Generate an OTN if configured to do so.... */
potn = GenerateSnortEventOtn(en->gid,
en->sid,
en->rev,
en->classification,
en->priority,
en->msg);
}
#else
/* Always generate an OTN.... */
potn = GenerateSnortEventOtn(en->gid,
en->sid,
en->rev,
en->classification,
en->priority,
en->msg);
#endif
if (potn != NULL)
{
OtnLookupAdd(snort_conf->otn_map, potn);
}
}
if( potn )
{
char *tmp = potn->sigInfo.message;
snort_user->rule_alert = potn->sigInfo.rule_flushing;
potn->sigInfo.message = en->msg;
fpLogEvent( getRuntimeRtnFromOtn(potn), potn, p );
potn->sigInfo.message = tmp;
}
}
sfthreshold_reset();
return 0;
}
