static int LogSnortEvents(void *event, void *user)
{
EventNode *en = (EventNode *)event;
SNORT_EVENTQ_USER *snort_user = (SNORT_EVENTQ_USER *)user;
OptTreeNode *otn;
RuleTreeNode *rtn = NULL;
if ((event == NULL) || (user == NULL))
return 0;
if ( s_events > 0 )
s_events--;
if (en->rule_info != NULL)
{
otn = en->rule_info;
}
else
{
// The above en->rule_info may be NULL to avoid performing an OTN/RTN
// lookup until after policy switching is finalized. In that case,
// perform the lookup here.
otn = GetOTN(en->gid, en->sid, en->rev,
en->classification, en->priority, en->msg);
}
if (otn != NULL)
rtn = getRuntimeRtnFromOtn(otn);
if ((otn != NULL) && (rtn != NULL))
{
snort_user->rule_alert = otn->sigInfo.rule_flushing;
if (IsPreprocDecoderRule(otn->sigInfo.rule_type))
{
// If it's a preprocessor or decoder rule, the message we want to
// use is the one that was passed in, not what is in the message of
// the OTN, which will be generic if the rule was not autogenerated
// and potentially wrong if it was.
const char *tmp = otn->sigInfo.message;
otn->sigInfo.message = en->msg;
fpLogEvent(rtn, otn, (Packet *)snort_user->pkt);
otn->sigInfo.message = tmp;
}
else
{
fpLogEvent(rtn, otn, (Packet *)snort_user->pkt);
}
}
sfthreshold_reset();
return 0;
}
static int LogSnortEvents(void *event, void *user)
{
Packet *p;
EventNode *en;
OTNX *otnx;
struct _OptTreeNode * potn;
SNORT_EVENTQ_USER *snort_user;
if(!event || !user)
return 0;
en = (EventNode *)event;
snort_user = (SNORT_EVENTQ_USER *)user;
p = (Packet *)snort_user->pkt;
/*
** Log rule events differently because we have to.
*/
if(en->rule_info)
{
otnx = (OTNX *)en->rule_info;
if(!otnx->otn || !getRuntimeRtnFromOtn(otnx->otn))
return 0;
snort_user->rule_alert = otnx->otn->sigInfo.rule_flushing;
fpLogEvent(getRuntimeRtnFromOtn(otnx->otn), otnx->otn, p);
}
else
{
/* Look up possible decoder and preprocessor event otn */
potn = OtnLookup(snort_conf->otn_map, en->gid, en->sid);
if (potn == NULL)
{
#ifdef PREPROCESSOR_AND_DECODER_RULE_EVENTS
if (ScAutoGenPreprocDecoderOtns())
{
/* Generate an OTN if configured to do so.... */
potn = GenerateSnortEventOtn(en->gid,
en->sid,
en->rev,
en->classification,
en->priority,
en->msg);
}
#else
/* Always generate an OTN.... */
potn = GenerateSnortEventOtn(en->gid,
en->sid,
en->rev,
en->classification,
en->priority,
en->msg);
#endif
if (potn != NULL)
{
OtnLookupAdd(snort_conf->otn_map, potn);
}
}
if( potn )
{
char *tmp = potn->sigInfo.message;
snort_user->rule_alert = potn->sigInfo.rule_flushing;
potn->sigInfo.message = en->msg;
fpLogEvent( getRuntimeRtnFromOtn(potn), potn, p );
potn->sigInfo.message = tmp;
}
}
sfthreshold_reset();
return 0;
}
