OptTreeNode * GenerateSnortEventOtn(
uint32_t gen_id,
uint32_t sig_id,
uint32_t sig_rev,
uint32_t classification,
uint32_t priority,
char *msg )
{
OptTreeNode * p;
RuleTreeNode *rtn = NULL;
p = calloc( 1, sizeof(OptTreeNode) );
if(!p )
return 0;
p->sigInfo.generator = gen_id;
p->sigInfo.id = sig_id;
p->sigInfo.rev = sig_rev;
p->sigInfo.message = msg;
p->sigInfo.priority = priority;
p->sigInfo.class_id = classification;
p->generated = 1;
p->sigInfo.rule_type=SI_RULE_TYPE_PREPROC; /* TODO: could be detect ... */
p->sigInfo.rule_flushing=SI_RULE_FLUSHING_OFF; /* only standard rules do this */
p->event_data.sig_generator = gen_id;
p->event_data.sig_id = sig_id;
p->event_data.sig_rev = sig_rev;
p->event_data.classification = classification;
p->event_data.priority = priority;
rtn = GenerateSnortEventRtn(p, getRuntimePolicy());
if( !rtn )
{
free(p);
return NULL;
}
DEBUG_WRAP(
LogMessage("Generating OTN for GID: %u, SID: %u\n",gen_id,sig_id););
OptTreeNode * GenerateSnortEventOtn(
uint32_t gen_id,
uint32_t sig_id,
uint32_t sig_rev,
uint32_t classification,
uint32_t priority,
const char *msg )
{
OptTreeNode *otn;
RuleTreeNode *rtn;
otn = otnCreate(gen_id, sig_id, sig_rev, classification, priority, msg);
if (otn)
{
rtn = GenerateSnortEventRtn(otn, getIpsRuntimePolicy());
if (!rtn)
{
free(otn);
return NULL;
}
}
DEBUG_WRAP(
LogMessage("Generating OTN for GID: %u, SID: %u\n",gen_id,sig_id););
/*
* Changed so events are inserted in action config order 'drop alert ...',
* and sub sorted in each action group by priority or content length.
* The sub sorting is done in fpFinalSelect inf fpdetect.c. Once the
* events are inserted they can all be logged, as we only insert
* g_event_queue.log_events into the queue.
* ... Jan '06
*/
int SnortEventqAdd(unsigned int gid,
unsigned int sid,
unsigned int rev,
unsigned int classification,
unsigned int pri,
char *msg,
void *rule_info)
{
EventNode *en;
en = (EventNode *)sfeventq_event_alloc(snort_conf->event_queue[qIndex]);
if(!en)
return -1;
en->gid = gid;
en->sid = sid;
en->rev = rev;
en->classification = classification;
en->priority = pri;
en->msg = msg;
en->rule_info = rule_info;
/*
* Check if we have a preprocessor or decoder event
* Preprocessors and decoders may be configured to inspect
* and alert in their principal configuration (legacy code)
* this test than checks if the rule otn says they should
* be enabled or not. The rule itself will decide if it should
* be an alert or a drop (sdrop) condition.
*/
#ifdef PREPROCESSOR_AND_DECODER_RULE_EVENTS
{
struct _OptTreeNode * potn;
/* every event should have a rule/otn */
potn = OtnLookup(snort_conf->otn_map, gid, sid);
/*
* if no rule otn exists for this event, than it was
* not enabled via rules
*/
if (potn == NULL)
{
if (ScAutoGenPreprocDecoderOtns())
{
/* Generate an OTN if configured to do so.... */
potn = GenerateSnortEventOtn(en->gid,
en->sid,
en->rev,
en->classification,
en->priority,
en->msg);
if (potn != NULL)
OtnLookupAdd(snort_conf->otn_map, potn);
}
if (potn == NULL)
{
/* no otn found/created - do not add it to the queue */
return 0;
}
}
else
{
tSfPolicyId policyId = getRuntimePolicy();
RuleTreeNode* rtn = getRtnFromOtn(potn, policyId);
if ( !rtn )
{
if ( ScAutoGenPreprocDecoderOtns() )
rtn = GenerateSnortEventRtn(potn, getRuntimePolicy());
if ( !rtn )
return 0;
}
}
}
#endif
if (sfeventq_add(snort_conf->event_queue[qIndex], (void *)en))
{
return -1;
}
s_events++;
return 0;
}
