OptTreeNode * GenerateSnortEventOtn( uint32_t gen_id, uint32_t sig_id, uint32_t sig_rev, uint32_t classification, uint32_t priority, char *msg ) { OptTreeNode * p; RuleTreeNode *rtn = NULL; p = calloc( 1, sizeof(OptTreeNode) ); if(!p ) return 0; p->sigInfo.generator = gen_id; p->sigInfo.id = sig_id; p->sigInfo.rev = sig_rev; p->sigInfo.message = msg; p->sigInfo.priority = priority; p->sigInfo.class_id = classification; p->generated = 1; p->sigInfo.rule_type=SI_RULE_TYPE_PREPROC; /* TODO: could be detect ... */ p->sigInfo.rule_flushing=SI_RULE_FLUSHING_OFF; /* only standard rules do this */ p->event_data.sig_generator = gen_id; p->event_data.sig_id = sig_id; p->event_data.sig_rev = sig_rev; p->event_data.classification = classification; p->event_data.priority = priority; rtn = GenerateSnortEventRtn(p, getRuntimePolicy()); if( !rtn ) { free(p); return NULL; } DEBUG_WRAP( LogMessage("Generating OTN for GID: %u, SID: %u\n",gen_id,sig_id););
OptTreeNode * GenerateSnortEventOtn( uint32_t gen_id, uint32_t sig_id, uint32_t sig_rev, uint32_t classification, uint32_t priority, const char *msg ) { OptTreeNode *otn; RuleTreeNode *rtn; otn = otnCreate(gen_id, sig_id, sig_rev, classification, priority, msg); if (otn) { rtn = GenerateSnortEventRtn(otn, getIpsRuntimePolicy()); if (!rtn) { free(otn); return NULL; } } DEBUG_WRAP( LogMessage("Generating OTN for GID: %u, SID: %u\n",gen_id,sig_id););
/* * Changed so events are inserted in action config order 'drop alert ...', * and sub sorted in each action group by priority or content length. * The sub sorting is done in fpFinalSelect inf fpdetect.c. Once the * events are inserted they can all be logged, as we only insert * g_event_queue.log_events into the queue. * ... Jan '06 */ int SnortEventqAdd(unsigned int gid, unsigned int sid, unsigned int rev, unsigned int classification, unsigned int pri, char *msg, void *rule_info) { EventNode *en; en = (EventNode *)sfeventq_event_alloc(snort_conf->event_queue[qIndex]); if(!en) return -1; en->gid = gid; en->sid = sid; en->rev = rev; en->classification = classification; en->priority = pri; en->msg = msg; en->rule_info = rule_info; /* * Check if we have a preprocessor or decoder event * Preprocessors and decoders may be configured to inspect * and alert in their principal configuration (legacy code) * this test than checks if the rule otn says they should * be enabled or not. The rule itself will decide if it should * be an alert or a drop (sdrop) condition. */ #ifdef PREPROCESSOR_AND_DECODER_RULE_EVENTS { struct _OptTreeNode * potn; /* every event should have a rule/otn */ potn = OtnLookup(snort_conf->otn_map, gid, sid); /* * if no rule otn exists for this event, than it was * not enabled via rules */ if (potn == NULL) { if (ScAutoGenPreprocDecoderOtns()) { /* Generate an OTN if configured to do so.... */ potn = GenerateSnortEventOtn(en->gid, en->sid, en->rev, en->classification, en->priority, en->msg); if (potn != NULL) OtnLookupAdd(snort_conf->otn_map, potn); } if (potn == NULL) { /* no otn found/created - do not add it to the queue */ return 0; } } else { tSfPolicyId policyId = getRuntimePolicy(); RuleTreeNode* rtn = getRtnFromOtn(potn, policyId); if ( !rtn ) { if ( ScAutoGenPreprocDecoderOtns() ) rtn = GenerateSnortEventRtn(potn, getRuntimePolicy()); if ( !rtn ) return 0; } } } #endif if (sfeventq_add(snort_conf->event_queue[qIndex], (void *)en)) { return -1; } s_events++; return 0; }