/*
 * Events are inserted in action config order ('drop alert ...') and
 * sub-sorted within each action group by priority or content length.
 * The sub sorting is done in fpFinalSelect in fpdetect.c.  Once the
 * events are inserted they can all be logged, as only
 * g_event_queue.log_events are inserted into the queue.
 * ... Jan '06
 */

/*
 * Queue one event for later logging.
 *
 * gid/sid/rev/classification/pri/msg/rule_info are copied verbatim into a
 * node taken from the event queue; the node is not owned by the caller.
 *
 * Returns 0 when the event was queued, -1 when no node could be obtained
 * from the queue or the queue refused the node.
 */
int SnortEventqAdd(unsigned int gid, unsigned int sid, unsigned int rev,
                   unsigned int classification, unsigned int pri,
                   char *msg, void *rule_info)
{
    EventNode *node = (EventNode *)sfeventq_event_alloc();

    /* No free node: the queue is full or unavailable, report it upward. */
    if (node == NULL)
        return -1;

    node->rule_info      = rule_info;
    node->msg            = msg;
    node->priority       = pri;
    node->classification = classification;
    node->rev            = rev;
    node->sid            = sid;
    node->gid            = gid;

    /* sfeventq_add() is non-zero on failure; map that onto our -1. */
    return sfeventq_add((void *)node) ? -1 : 0;
}
/*
 * Queue an event, but only when a rule (OTN) enables it.
 *
 * rule_info may carry the event's OptTreeNode.  When it is NULL the OTN is
 * looked up from gid/sid/rev/classification/priority/msg; when it is not
 * NULL the OTN must still have an RTN in the runtime policy that applies to
 * gid, otherwise the event is not enabled for that policy.
 *
 * Returns 0 when the event was queued OR silently dropped because no OTN
 * enables it; -1 only when a node could not be obtained from, or added to,
 * the event queue.  s_events counts queued events.
 */
int SnortEventqAdd(uint32_t gid, uint32_t sid, uint32_t rev,
                   uint32_t classification, uint32_t priority,
                   const char *msg, void *rule_info)
{
    OptTreeNode *otn = (OptTreeNode *)rule_info;
    EventNode *node;

    if (otn == NULL)
    {
        otn = GetApplicableOtn(gid, sid, rev, classification, priority, msg);
    }
    else if (!getRtnFromOtn(otn, getApplicableRuntimePolicy(gid)))
    {
        /* Caller-supplied OTN has no RTN in the applicable policy. */
        otn = NULL;
    }

    /* Not enabled by any rule: dropping the event is not an error. */
    if (otn == NULL)
        return 0;

    node = (EventNode *)sfeventq_event_alloc(getEventQueue());
    if (node == NULL)
        return -1;

    node->gid            = gid;
    node->sid            = sid;
    node->rev            = rev;
    node->classification = classification;
    node->priority       = priority;
    node->msg            = msg;
    /* NOTE(review): the node keeps the caller's rule_info, not the otn
     * resolved above — when rule_info was NULL the queued node carries no
     * OTN even though one was found.  Confirm this is what the logging side
     * expects. */
    node->rule_info      = rule_info;

    if (sfeventq_add(getEventQueue(), (void *)node) != 0)
        return -1;

    s_events++;
    return 0;
}
/*
 * Take a node from the event queue, fill it with the event fields and add
 * it to the queue.  rule_info is the OTN that enabled the event.
 *
 * Returns 0 on success (s_events is incremented), -1 when no node was
 * available or the queue rejected the node.
 */
static inline int EventqAdd(uint32_t gid, uint32_t sid, uint32_t rev,
                            uint32_t classification, uint32_t priority,
                            const char *msg, OptTreeNode *rule_info)
{
    EventNode *node = (EventNode *)sfeventq_event_alloc(getEventQueue());

    if (node == NULL)
        return -1;

    node->rule_info      = rule_info;
    node->msg            = msg;
    node->priority       = priority;
    node->classification = classification;
    node->rev            = rev;
    node->sid            = sid;
    node->gid            = gid;

    if (sfeventq_add(getEventQueue(), (void *)node) != 0)
        return -1;

    /* Only events that actually made it into the queue are counted. */
    s_events++;
    return 0;
}
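/*
 * Parse a strictly positive int from a command-line argument.
 *
 * Returns 0 and stores the value in *out, or -1 when the argument is not a
 * complete decimal number, is <= 0, or does not fit in an int.  strtol()
 * returns LONG_MAX on overflow, which the int round-trip check rejects
 * where long is wider than int; where they are the same width an
 * overflowing argument is accepted as INT_MAX (errno is not consulted so
 * that this stays on the headers the test already uses).
 */
static int parse_positive_int(const char *arg, int *out)
{
    char *end = NULL;
    long value = strtol(arg, &end, 10);

    if (end == arg || *end != '\0' || value <= 0 || (long)(int)value != value)
        return -1;

    *out = (int)value;
    return 0;
}

/*
 * Interactive exerciser for the event queue.
 *
 * argv[1] = max_events, argv[2] = log_events, argv[3] = add_events, all
 * strictly positive, with log_events <= max_events.  Each round adds
 * add_events random events in {0,1,2}, runs myaction over the queue and
 * resets it.  A bare Enter (any control character) starts another round;
 * any other key, or end of input, ends the program.
 *
 * Returns 0 on normal exit, 1 on bad arguments or a queue failure.
 */
int main(int argc, char **argv)
{
    int max_events = 0;
    int log_events = 0;
    int add_events = 0;
    int iCtr;
    int c;

    if (argc < 4)
    {
        printf("-- Not enough args\n");
        return 1;
    }

    /* strtol instead of atoi: a non-numeric argument is reported, not
     * silently read as 0 and then rejected for the wrong reason. */
    if (parse_positive_int(argv[1], &max_events) != 0)
    {
        printf("-- max_events invalid.\n");
        return 1;
    }

    if (parse_positive_int(argv[2], &log_events) != 0)
    {
        printf("-- log_events invalid.\n");
        return 1;
    }

    if (parse_positive_int(argv[3], &add_events) != 0)
    {
        printf("-- add_events invalid.\n");
        return 1;
    }

    if (max_events < log_events)
    {
        printf("-- log_events greater than max_events\n");
        return 1;
    }

    srandom(time(NULL));
    sfeventq_init(max_events, log_events, sizeof(int), mysort);

    for (;;)
    {
        printf("-- Event Queue Test --\n\n");

        for (iCtr = 0; iCtr < add_events; iCtr++)
        {
            int *event = (int *)sfeventq_event_alloc();

            if (!event)
            {
                printf("-- event allocation failed\n");
                return 1;
            }

            *event = (int)(random() % 3);

            /* sfeventq_add() reports failure with a non-zero result; an
             * event that was never queued must not be reported as added. */
            if (sfeventq_add(event) != 0)
            {
                printf("-- event add failed\n");
                return 1;
            }

            printf("-- added %d\n", *event);
        }

        printf("\n-- Logging\n\n");

        if (sfeventq_action(myaction, NULL))
        {
            printf("-- There was a problem.\n");
            return 1;
        }

        sfeventq_reset();

        /* getc() returns EOF (-1) on closed input; the former "< 14" test
         * treated that like Enter and looped forever.  Stop on EOF and on
         * any printable key, continue only on a control character. */
        c = getc(stdin);
        if (c == EOF || c >= 14)
            break;
    }

    return 0;
}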
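/*
 * Events are inserted in action config order ('drop alert ...') and
 * sub-sorted within each action group by priority or content length.
 * The sub sorting is done in fpFinalSelect in fpdetect.c.  Once the
 * events are inserted they can all be logged, as only
 * g_event_queue.log_events are inserted into the queue.
 * ... Jan '06
 */

/*
 * Queue one event on snort_conf->event_queue for later logging.
 *
 * gid/sid/rev/classification/pri/msg/rule_info are stored verbatim in a
 * node taken from the queue; the caller does not own the node.
 *
 * With PREPROCESSOR_AND_DECODER_RULE_EVENTS the event must be backed by a
 * rule OTN in snort_conf->otn_map (looked up by gid/sid, or generated when
 * ScAutoGenPreprocDecoderOtns() is set); without one the event is silently
 * dropped.  That decision is made BEFORE a node is taken from the queue, so
 * an event that is not going to be queued never takes a node it then does
 * not add.
 *
 * Returns 0 when the event was queued or dropped for lack of an OTN, -1
 * when no node could be obtained from the queue or the queue refused it.
 */
int SnortEventqAdd(unsigned int gid, unsigned int sid, unsigned int rev,
                   unsigned int classification, unsigned int pri,
                   char *msg, void *rule_info)
{
    EventNode *en;

#ifdef PREPROCESSOR_AND_DECODER_RULE_EVENTS
    /*
     * Preprocessor or decoder event.  Preprocessors and decoders may be
     * configured to inspect and alert in their principal configuration
     * (legacy code); this check asks the rule OTN whether the event is
     * enabled at all.  The rule itself decides whether it is an alert or a
     * drop (sdrop).
     */
    {
        /* every event should have a rule/otn */
        struct _OptTreeNode *potn = OtnLookup(snort_conf->otn_map, gid, sid);

        /* No OTN means the event was not enabled via rules; generate one
         * only when configured to do so. */
        if (potn == NULL && ScAutoGenPreprocDecoderOtns())
        {
            potn = GenerateSnortEventOtn(gid, sid, rev, classification, pri, msg);
            if (potn != NULL)
                OtnLookupAdd(snort_conf->otn_map, potn);
        }

        /* no otn found/created - do not add it to the queue */
        if (potn == NULL)
            return 0;
    }
#endif

    en = (EventNode *)sfeventq_event_alloc(snort_conf->event_queue);
    if (en == NULL)
        return -1;

    en->gid = gid;
    en->sid = sid;
    en->rev = rev;
    en->classification = classification;
    en->priority = pri;
    en->msg = msg;
    en->rule_info = rule_info;

    /* Non-zero from sfeventq_add() means the node was not queued. */
    if (sfeventq_add(snort_conf->event_queue, (void *)en))
        return -1;

    return 0;
}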