/*
 * Event-queue drain callback: resolve the rule that produced one queued
 * event and hand it to the logger.
 *
 * event  - an EventNode previously queued by SnortEventqAdd()
 * user   - a SNORT_EVENTQ_USER carrying the packet being processed
 *
 * Returns 0 in every case (a NULL argument, an unresolvable rule and a
 * successful log all yield 0), so the queue walker keeps going.
 * Side effects: decrements the file-level s_events counter (never below
 * zero) and calls sfthreshold_reset() after each event, whether or not
 * anything was logged.
 */
static int LogSnortEvents(void * event, void * user)
{
    if (event == NULL || user == NULL)
        return 0;

    EventNode *node = (EventNode *) event;
    SNORT_EVENTQ_USER *ctx = (SNORT_EVENTQ_USER *) user;

    if (s_events > 0)
        s_events--;

    OptTreeNode *otn = node->rule_info;
    if (otn == NULL)
    {
        /* rule_info is left NULL by the producer when the OTN/RTN lookup
         * must wait until policy switching has settled; resolve it now. */
        otn = GetApplicableOtn(node->gid, node->sid, node->rev,
                               node->classification, node->priority,
                               node->msg);
    }

    if (otn != NULL)
    {
        RuleTreeNode *rtn = getRtnFromOtn(otn,
                                          getApplicableRuntimePolicy(node->gid));
        /* No RTN for the active policy means the event is dropped silently. */
        if (rtn != NULL)
        {
            ctx->rule_alert = otn->sigInfo.rule_flushing;
            LogSnortEvent((Packet *) ctx->pkt, otn, rtn, node->msg);
        }
    }

    sfthreshold_reset();

    return 0;
}
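/*
 * Queue a file-inspection event (gid/sid) on the Snort event queue.
 *
 * gid, sid - generator and signature ids of the rule to fire
 * msg      - event message; only the pointer is stored by the queue,
 *            so the string must stay valid until the queue is drained
 *            (presumably the caller keeps it alive - confirm at call sites)
 * type     - rule action to apply; written into the shared RuleTreeNode
 *
 * Returns 0 when no OTN/RTN exists for the IPS runtime policy (nothing is
 * queued), otherwise the result of SnortEventqAdd(): 0 on success, -1 when
 * the queue cannot take the event.
 *
 * The rev/classification/priority triple was previously written as bare
 * literals in two separate calls; it is named once here so the lookup and
 * the queued event cannot drift apart.
 */
int file_eventq_add(uint32_t gid, uint32_t sid, char *msg, RuleType type)
{
    enum
    {
        FILE_EVENT_REV = 1,
        FILE_EVENT_CLASSIFICATION = 0,
        FILE_EVENT_PRIORITY = 3
    };

    OptTreeNode *otn = GetApplicableOtn(gid, sid, FILE_EVENT_REV,
                                        FILE_EVENT_CLASSIFICATION,
                                        FILE_EVENT_PRIORITY, msg);
    if (otn == NULL)
        return 0;

    RuleTreeNode *rtn = getRtnFromOtn(otn, getIpsRuntimePolicy());
    if (rtn == NULL)
        return 0;

    /* NOTE(review): this mutates the policy's RuleTreeNode in place, so the
     * action persists for later matches of the same rule - confirm intended. */
    rtn->type = type;

    return SnortEventqAdd(gid, sid, FILE_EVENT_REV, FILE_EVENT_CLASSIFICATION,
                          FILE_EVENT_PRIORITY, msg, otn);
}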
/*
 * Append an event to the Snort event queue.
 *
 * gid, sid, rev, classification, priority - identity of the firing rule
 * msg        - event message; the pointer is stored as-is (no copy), so it
 *              must outlive the queued node (presumably until the queue is
 *              drained - confirm with callers)
 * rule_info  - optional OptTreeNode already resolved by the caller; NULL
 *              defers the OTN lookup to this function
 *
 * Returns 0 when the event was queued or when no rule applies (the event
 * is dropped without error), -1 when a queue node cannot be allocated or
 * the queue refuses the node.
 * Side effect: increments the file-level s_events counter on success.
 */
int SnortEventqAdd(
    uint32_t gid,
    uint32_t sid,
    uint32_t rev,
    uint32_t classification,
    uint32_t priority,
    const char * msg,
    void * rule_info
    )
{
    OptTreeNode *otn = (OptTreeNode *) rule_info;

    if (otn == NULL)
    {
        otn = GetApplicableOtn(gid, sid, rev, classification, priority, msg);
    }
    else if (getRtnFromOtn(otn, getApplicableRuntimePolicy(gid)) == NULL)
    {
        /* Caller-supplied OTN has no RTN under the current policy: drop. */
        otn = NULL;
    }

    if (otn == NULL)
        return 0;

    EventNode *node = (EventNode *) sfeventq_event_alloc(getEventQueue());
    if (node == NULL)
        return -1;

    node->gid = gid;
    node->sid = sid;
    node->rev = rev;
    node->classification = classification;
    node->priority = priority;
    node->msg = msg;
    /* Stored as received (possibly NULL) so the drain callback can decide
     * whether the lookup still has to be done. */
    node->rule_info = rule_info;

    if (sfeventq_add(getEventQueue(), (void *) node) != 0)
        return -1;

    s_events++;
    return 0;
}