/*
 * Changed so events are inserted in action config order 'drop alert ...',
 * and sub sorted in each action group by priority or content length.
 * The sub sorting is done in fpFinalSelect in fpdetect.c.  Once the
 * events are inserted they can all be logged, as we only insert
 * g_event_queue.log_events into the queue.
 *
 * ... Jan '06
 */

/*
 * SnortEventqAdd - queue one event for later logging.
 *
 * Takes a node from the event queue's allocator, fills it with the event
 * identity (gid/sid/rev), classification, priority, the message pointer
 * and the opaque rule_info, then hands it to sfeventq_add().
 *
 * gid, sid, rev    generator / signature / revision of the event
 * classification   classification id as supplied by the caller
 * pri              priority, used to order events within an action group
 * msg              message text; only the pointer is stored, no copy is
 *                  made, so the string must outlive the queued event
 * rule_info        opaque per-rule data (an OTNX for rule events, NULL for
 *                  decoder/preprocessor events); stored as-is
 *
 * Returns 0 when the event was queued or deliberately not queued, -1 when
 * no node could be allocated or the queue refused the node.
 */
int SnortEventqAdd(unsigned int gid, unsigned int sid, unsigned int rev,
                   unsigned int classification, unsigned int pri,
                   char *msg, void *rule_info)
{
    EventNode *node = (EventNode *)sfeventq_event_alloc(snort_conf->event_queue);

    if (node == NULL)
        return -1;

    node->gid = gid;
    node->sid = sid;
    node->rev = rev;
    node->classification = classification;
    node->priority = pri;
    node->msg = msg;              /* pointer only, not a copy */
    node->rule_info = rule_info;

#ifdef PREPROCESSOR_AND_DECODER_RULE_EVENTS
    /*
     * Preprocessor and decoder events may be raised from their own
     * (legacy) configuration; the rule OTN decides whether the event is
     * enabled at all and, later, whether it alerts or drops.
     */
    {
        struct _OptTreeNode *otn = OtnLookup(snort_conf->otn_map, gid, sid);

        if (otn == NULL && ScAutoGenPreprocDecoderOtns())
        {
            /* no rule enabled this event; synthesize an OTN if configured */
            otn = GenerateSnortEventOtn(node->gid, node->sid, node->rev,
                                        node->classification, node->priority,
                                        node->msg);
            if (otn != NULL)
                OtnLookupAdd(snort_conf->otn_map, otn);
        }

        if (otn == NULL)
        {
            /*
             * Not enabled via rules and not auto-generated: the event is
             * dropped here.  NOTE(review): the node obtained above is not
             * handed back to the queue on this path -- confirm the pool
             * reclaims it on queue reset.
             */
            return 0;
        }
    }
#endif

    if (sfeventq_add(snort_conf->event_queue, node) != 0)
        return -1;

    return 0;
}
/*
 * ppm_pkt_log - count, and optionally alert on, a packet aborted by the
 * packet performance monitor.
 *
 * Does nothing unless a packet tick budget (max_pkt_ticks) is configured.
 * Otherwise bumps pkt_event_cnt and, when PPM_LOG_ALERT is set in pkt_log,
 * raises the GENERATOR_PPM / PPM_EVENT_PACKET_ABORTED event through the
 * normal alert path, subject to event thresholding.
 *
 * ppm_cfg   PPM configuration: max_pkt_ticks and pkt_log are read,
 *           pkt_event_cnt is incremented
 * p         the aborted packet; its addresses and timestamp feed the
 *           threshold test and it is passed on to AlertAction()
 */
void ppm_pkt_log(ppm_cfg_t *ppm_cfg, Packet *p)
{
    OptTreeNode *otn;
    Event event;
    int threshold_rc;

    if (!ppm_cfg->max_pkt_ticks)
        return;

    ppm_cfg->pkt_event_cnt++;

    if (!(ppm_cfg->pkt_log & PPM_LOG_ALERT))
        return;

    /* the OTN for this event is created lazily on first use */
    otn = OtnLookup(snort_conf->otn_map, GENERATOR_PPM, PPM_EVENT_PACKET_ABORTED);
    if (otn == NULL)
    {
        otn = GenerateSnortEventOtn(GENERATOR_PPM,                /* GID */
                                    PPM_EVENT_PACKET_ABORTED,     /* SID */
                                    1,                            /* Rev */
                                    0,                            /* classification */
                                    3,                            /* priority (low) */
                                    PPM_EVENT_PACKET_ABORTED_STR  /* msg string */);
        if (otn == NULL)
            return;
        OtnLookupAdd(snort_conf->otn_map, otn);
    }

#if !defined(FEAT_OPEN_APPID)
    SetEvent(&event, otn->sigInfo.generator, otn->sigInfo.id, otn->sigInfo.rev,
             otn->sigInfo.class_id, otn->sigInfo.priority, 0);
#else /* defined(FEAT_OPEN_APPID) */
    SetEvent(&event, otn->sigInfo.generator, otn->sigInfo.id, otn->sigInfo.rev,
             otn->sigInfo.class_id, otn->sigInfo.priority, 0, NULL);
#endif /* defined(FEAT_OPEN_APPID) */

    /*
     * Threshold on the packet's own addresses when it carries a valid IP
     * header; otherwise test against a cleared address pair.
     */
    if (IPH_IS_VALID(p))
    {
        threshold_rc = sfthreshold_test(otn->event_data.sig_generator,
                                        otn->event_data.sig_id,
                                        GET_SRC_IP(p), GET_DST_IP(p),
                                        p->pkth->ts.tv_sec);
    }
    else
    {
        snort_ip cleared;

        IP_CLEAR(cleared);
        threshold_rc = sfthreshold_test(otn->event_data.sig_generator,
                                        otn->event_data.sig_id,
                                        IP_ARG(cleared), IP_ARG(cleared),
                                        p->pkth->ts.tv_sec);
    }

    /* a negative threshold result suppresses the alert */
    if (threshold_rc >= 0)
        AlertAction(p, otn, &event);
}
/*
 * LogSnortEvents - event queue callback that logs one queued event.
 *
 * event   EventNode queued by SnortEventqAdd()
 * user    SNORT_EVENTQ_USER carrying the packet (pkt); its rule_alert is
 *         set to the rule_flushing flag of the OTN that gets logged
 *
 * Rule events (rule_info set) are logged through the OTNX's OTN and its
 * runtime RTN.  Decoder and preprocessor events (rule_info NULL) are
 * logged through the OTN registered for their gid/sid, generating one if
 * none exists (always, or only when ScAutoGenPreprocDecoderOtns() is on,
 * depending on PREPROCESSOR_AND_DECODER_RULE_EVENTS).
 *
 * Always returns 0.  Events without a usable OTN/RTN are skipped silently.
 */
static int LogSnortEvents(void *event, void *user)
{
    EventNode *node;
    SNORT_EVENTQ_USER *eq_user;
    Packet *pkt;

    if (event == NULL || user == NULL)
        return 0;

    node = (EventNode *)event;
    eq_user = (SNORT_EVENTQ_USER *)user;
    pkt = (Packet *)eq_user->pkt;

    if (node->rule_info != NULL)
    {
        /* rule event: the OTN/RTN pair travels with the event */
        OTNX *otnx = (OTNX *)node->rule_info;

        if (otnx->otn == NULL || getRuntimeRtnFromOtn(otnx->otn) == NULL)
            return 0;

        eq_user->rule_alert = otnx->otn->sigInfo.rule_flushing;
        fpLogEvent(getRuntimeRtnFromOtn(otnx->otn), otnx->otn, pkt);
    }
    else
    {
        /* decoder / preprocessor event: find or build the OTN for gid/sid */
        struct _OptTreeNode *otn = OtnLookup(snort_conf->otn_map, node->gid, node->sid);

        if (otn == NULL)
        {
#ifdef PREPROCESSOR_AND_DECODER_RULE_EVENTS
            if (ScAutoGenPreprocDecoderOtns())
            {
                otn = GenerateSnortEventOtn(node->gid, node->sid, node->rev,
                                            node->classification,
                                            node->priority, node->msg);
            }
#else
            otn = GenerateSnortEventOtn(node->gid, node->sid, node->rev,
                                        node->classification,
                                        node->priority, node->msg);
#endif
            if (otn != NULL)
                OtnLookupAdd(snort_conf->otn_map, otn);
        }

        if (otn != NULL)
        {
            /*
             * Log with the event's own message text and restore the
             * OTN's message afterwards.  The swap modifies shared state
             * in place, so it assumes nothing else logs through this OTN
             * in the meantime.
             */
            char *saved_msg = otn->sigInfo.message;

            eq_user->rule_alert = otn->sigInfo.rule_flushing;
            otn->sigInfo.message = node->msg;
            fpLogEvent(getRuntimeRtnFromOtn(otn), otn, pkt);
            otn->sigInfo.message = saved_msg;
        }
    }

    sfthreshold_reset();
    return 0;
}