/*
 * LogSnortEvents: per-event callback run while the event queue is drained.
 *
 * event - an EventNode previously queued by SnortEventqAdd()
 * user  - a SNORT_EVENTQ_USER whose pkt field is the packet the events belong to
 *
 * Resolves the OTN (either the one cached in the node, or a fresh lookup by
 * gid/sid/rev), then the RTN for the applicable runtime policy, and hands the
 * event to LogSnortEvent(). Events whose rule can no longer be resolved are
 * dropped without any diagnostic. Always returns 0.
 */
static int LogSnortEvents(void * event, void * user)
{
    EventNode *node = (EventNode *) event;
    SNORT_EVENTQ_USER *ctx = (SNORT_EVENTQ_USER *) user;
    OptTreeNode *otn;

    if (node == NULL || ctx == NULL)
        return 0;

    /* Outstanding-event counter is never decremented below zero. */
    if (s_events > 0)
        s_events--;

    /* rule_info is left NULL by the producer when the OTN/RTN lookup had to
     * be deferred until policy switching is finalized; do that lookup now. */
    otn = node->rule_info
        ? (OptTreeNode *) node->rule_info
        : GetApplicableOtn(node->gid, node->sid, node->rev,
                           node->classification, node->priority, node->msg);

    if (otn != NULL)
    {
        RuleTreeNode *rtn = getRtnFromOtn(otn, getApplicableRuntimePolicy(node->gid));

        if (rtn != NULL)
        {
            ctx->rule_alert = otn->sigInfo.rule_flushing;
            /* node->msg is the pointer stored at enqueue time, not a copy;
             * the producer's buffer must still be valid here. */
            LogSnortEvent((Packet *) ctx->pkt, otn, rtn, node->msg);
        }
    }

    /* Threshold state is reset whether or not anything was logged. */
    sfthreshold_reset();
    return 0;
}
/*
 * file_eventq_add: queue a file-inspection event for rule (gid, sid).
 *
 * gid, sid - generator / signature ids of the rule to fire
 * msg      - event message; the queue retains the pointer (no copy) until the
 *            event is logged, so the buffer must outlive the queue flush
 * type     - action type written into the rule's RTN before queuing
 *
 * Returns 0 when the rule cannot be resolved (the event is dropped, not an
 * error); otherwise the result of SnortEventqAdd().
 */
int file_eventq_add(uint32_t gid, uint32_t sid, char *msg, RuleType type)
{
    /* File events are always queued with rev 1, classification 0, priority 3. */
    const uint32_t rev = 1;
    const uint32_t classification = 0;
    const uint32_t priority = 3;
    OptTreeNode *otn = GetApplicableOtn(gid, sid, rev, classification, priority, msg);
    RuleTreeNode *rtn;

    if (otn == NULL)
        return 0;

    /* Resolved against the IPS runtime policy here, whereas the generic queue
     * path (SnortEventqAdd) uses getApplicableRuntimePolicy(gid). */
    rtn = getRtnFromOtn(otn, getIpsRuntimePolicy());
    if (rtn == NULL)
        return 0;

    /* NOTE(review): this writes through to the shared RuleTreeNode and is
     * never restored, so the new type persists for every later use of the
     * rule — confirm callers rely on that. */
    rtn->type = type;

    return SnortEventqAdd(gid, sid, rev, classification, priority, msg, otn);
}
/*
 * SnortEventqAdd: push an event onto the current event queue.
 *
 * gid/sid/rev/classification/priority - identify the rule that fired
 * msg       - event message; only the pointer is stored, so the buffer must
 *             stay valid until the queue is logged (see LogSnortEvents)
 * rule_info - optional OptTreeNode; NULL defers the OTN/RTN lookup to log time
 *
 * Returns 0 on success or when the rule cannot be resolved (the event is
 * silently dropped); -1 when the queue has no free node or refuses the add.
 */
int SnortEventqAdd(uint32_t gid, uint32_t sid, uint32_t rev, uint32_t classification,
                   uint32_t priority, const char * msg, void * rule_info)
{
    OptTreeNode *otn = (OptTreeNode *) rule_info;
    EventNode *node;

    if (otn == NULL)
    {
        /* No OTN supplied: resolve it now so unknown rules are rejected early. */
        otn = GetApplicableOtn(gid, sid, rev, classification, priority, msg);
    }
    else if (getRtnFromOtn(otn, getApplicableRuntimePolicy(gid)) == NULL)
    {
        /* OTN supplied but not active in the applicable policy: drop. */
        otn = NULL;
    }

    if (otn == NULL)
        return 0;

    node = (EventNode *) sfeventq_event_alloc(getEventQueue());
    if (node == NULL)
        return -1;

    node->gid = gid;
    node->sid = sid;
    node->rev = rev;
    node->classification = classification;
    node->priority = priority;
    node->msg = msg;
    /* The caller's rule_info is stored as given (possibly NULL), not the
     * looked-up OTN, so LogSnortEvents repeats the lookup after policy
     * switching has settled. */
    node->rule_info = rule_info;

    /* NOTE(review): on failure the node obtained from sfeventq_event_alloc()
     * is not handed back here — confirm sfeventq reclaims it itself. */
    if (sfeventq_add(getEventQueue(), (void *) node) != 0)
        return -1;

    s_events++;
    return 0;
}