/*
 *  Changed so events are inserted in action config order 'drop alert ...',
 *  and sub sorted in each action group by priority or content length.
 *  The sub sorting is done in fpFinalSelect inf fpdetect.c.  Once the
 *  events are inserted they can all be logged, as we only insert
 *  g_event_queue.log_events into the queue.
 *  ... Jan '06
 */
/*
 * Queue one Snort event for later logging.
 *
 * Obtains a node from the event queue, records the event identity
 * (gid/sid/rev), classification, priority, message pointer and the
 * opaque rule_info pointer, then hands the node to sfeventq_add().
 *
 * msg and rule_info are stored by pointer only and must outlive the
 * queued event (presumably until the queue is reset -- confirm against
 * the callers).
 *
 * Returns 0 on success, -1 if no node could be obtained or the add was
 * refused.  NOTE(review): on a refused add the node obtained from
 * sfeventq_event_alloc() is not handed back here; assumes the queue
 * reclaims it on reset -- confirm in sfeventq.c.
 */
int SnortEventqAdd(unsigned int gid,
                   unsigned int sid,
                   unsigned int rev,
                   unsigned int classification,
                   unsigned int pri,
                   char        *msg,
                   void        *rule_info)
{
    EventNode *node = (EventNode *)sfeventq_event_alloc();

    if (node == NULL)
        return -1;

    node->gid            = gid;
    node->sid            = sid;
    node->rev            = rev;
    node->classification = classification;
    node->priority       = pri;
    node->msg            = msg;
    node->rule_info      = rule_info;

    return (sfeventq_add((void *)node) != 0) ? -1 : 0;
}
/*
 * Queue one Snort event, but only if a rule (OTN) applies to it.
 *
 * rule_info is treated as an OptTreeNode.  When the caller supplies
 * none, GetApplicableOtn() is asked for one; when the caller supplies
 * one, the event is dropped unless getRtnFromOtn() finds an RTN for it
 * in the runtime policy selected by getApplicableRuntimePolicy(gid).
 *
 * Without an applicable OTN nothing is queued and 0 is returned, so the
 * return value does not distinguish "queued" from "filtered out".
 * s_events counts events actually accepted by the queue.
 *
 * NOTE(review): en->rule_info receives the caller's rule_info pointer,
 * not the OTN located by GetApplicableOtn(); when rule_info was NULL the
 * queued node therefore carries no OTN.  Presumably the consumer
 * re-resolves it -- confirm against the logging path.
 *
 * Returns 0 on success or when the event is filtered out, -1 when no
 * node could be obtained or sfeventq_add() refused the node.
 */
int SnortEventqAdd(
    uint32_t gid,
    uint32_t sid,
    uint32_t rev,
    uint32_t classification,
    uint32_t priority,
    const char * msg,
    void * rule_info
    )
{
    OptTreeNode *otn = (OptTreeNode *) rule_info;
    EventNode *node;

    if (otn == NULL)
    {
        otn = GetApplicableOtn(gid, sid, rev, classification, priority, msg);
    }
    else if (!getRtnFromOtn(otn, getApplicableRuntimePolicy(gid)))
    {
        /* Caller's OTN has no RTN in the active policy: not enabled. */
        otn = NULL;
    }

    /* No applicable rule: the event is filtered out, reported as success. */
    if (otn == NULL)
        return 0;

    node = (EventNode *) sfeventq_event_alloc(getEventQueue());
    if (node == NULL)
        return -1;

    node->gid            = gid;
    node->sid            = sid;
    node->rev            = rev;
    node->classification = classification;
    node->priority       = priority;
    node->msg            = msg;
    node->rule_info      = rule_info;

    if (sfeventq_add(getEventQueue(), (void *) node) != 0)
        return -1;

    s_events++;

    return 0;
}
/*
 * Take a node from the global event queue, populate it, and append it.
 *
 * All fields are stored as given; msg and rule_info are kept by pointer
 * and must outlive the queued event.  s_events is incremented only once
 * the node has been accepted by sfeventq_add().
 *
 * Returns 0 on success, -1 when no node is available or the add fails.
 * NOTE(review): a node rejected by sfeventq_add() is not returned to the
 * queue here; assumes the queue reclaims it on reset -- confirm.
 */
static inline int EventqAdd(uint32_t gid, uint32_t sid, uint32_t rev,
                            uint32_t classification, uint32_t priority,
                            const char *msg, OptTreeNode *rule_info)
{
    EventNode *node = (EventNode *) sfeventq_event_alloc(getEventQueue());

    if (node == NULL)
        return -1;

    node->gid            = gid;
    node->sid            = sid;
    node->rev            = rev;
    node->classification = classification;
    node->priority       = priority;
    node->msg            = msg;
    node->rule_info      = rule_info;

    if (sfeventq_add(getEventQueue(), (void *) node) == 0)
    {
        s_events++;
        return 0;
    }

    return -1;
}
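/*
 * Parse one command-line count as a strictly positive decimal int.
 *
 * Returns the value, or 0 when the text is not a valid positive int
 * (empty, trailing garbage, zero, negative, or outside int range), so the
 * callers can keep their existing "<= 0" rejection.
 */
static int parse_positive_int(const char *text)
{
    char *end = NULL;
    long  value = strtol(text, &end, 10);

    if (end == text || *end != '\0')
        return 0;

    /* Reject values that do not survive the round trip through int;
     * avoids depending on INT_MAX being in scope. */
    if (value <= 0 || (long)(int)value != value)
        return 0;

    return (int)value;
}

/*
 * Exercise the event queue: argv = max_events log_events add_events.
 *
 * Initialises a queue of max_events int-sized slots of which log_events
 * are logged (ordered by mysort), then repeatedly fills it with
 * add_events random values in [0,2], runs myaction over the logged
 * subset and resets the queue.  Each further round is started by a byte
 * read from stdin; the loop ends on EOF or on any byte >= 14.
 *
 * Returns 0 on normal completion, 1 on bad arguments or a queue error.
 */
int main(int argc, char **argv)
{
    int  max_events;
    int  log_events;
    int  add_events;
    int *event;
    int  iCtr;
    int  c;

    if(argc < 4)
    {
        printf("-- Not enough args\n");
        return 1;
    }

    /* strtol-based parsing rejects trailing garbage and out-of-range
     * values that atoi() would silently accept. */
    max_events = parse_positive_int(argv[1]);
    if(max_events <= 0)
    {
        printf("-- max_events invalid.\n");
        return 1;
    }

    log_events = parse_positive_int(argv[2]);
    if(log_events <= 0)
    {
        printf("-- log_events invalid.\n");
        return 1;
    }

    add_events = parse_positive_int(argv[3]);
    if(add_events <= 0)
    {
        printf("-- add_events invalid.\n");
        return 1;
    }

    if(max_events < log_events)
    {
        printf("-- log_events greater than max_events\n");
        return 1;
    }

    srandom(time(NULL));

    sfeventq_init(max_events, log_events, sizeof(int), mysort);

    do
    {
        printf("-- Event Queue Test --\n\n");

        for(iCtr = 0; iCtr < add_events; iCtr++)
        {
            event = (int *)sfeventq_event_alloc();
            if(!event)
            {
                printf("-- event allocation failed\n");
                return 1;
            }

            *event = (int)(random() % 3);

            /* A refused add is a failure of the queue under test; do not
             * report it as "added". */
            if(sfeventq_add(event))
            {
                printf("-- event add failed\n");
                return 1;
            }
            printf("-- added %d\n", *event);
        }

        printf("\n-- Logging\n\n");

        if(sfeventq_action(myaction, NULL))
        {
            printf("-- There was a problem.\n");
            return 1;
        }

        sfeventq_reset();

        /* The former condition `getc(stdin) < 14` was also satisfied by
         * EOF (-1), so a closed stdin looped forever; stop on EOF. */
        c = getc(stdin);
    } while(c != EOF && c < 14);

    return 0;
}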
/*
 *  Changed so events are inserted in action config order 'drop alert ...',
 *  and sub sorted in each action group by priority or content length.
 *  The sub sorting is done in fpFinalSelect inf fpdetect.c.  Once the
 *  events are inserted they can all be logged, as we only insert
 *  g_event_queue.log_events into the queue.
 *  ... Jan '06
 */
/*
 * Queue one Snort event on snort_conf->event_queue.
 *
 * The node is taken and filled in first.  With
 * PREPROCESSOR_AND_DECODER_RULE_EVENTS compiled in, the event is then
 * only queued if an OTN exists for (gid, sid) in snort_conf->otn_map, or
 * can be generated on the fly when ScAutoGenPreprocDecoderOtns() allows
 * it; a generated OTN is registered in the map so later events find it.
 * Events with no OTN are silently dropped and reported as success (0).
 *
 * Returns 0 on success or when dropped, -1 when no node is available or
 * sfeventq_add() refuses the node.
 *
 * NOTE(review): when the event is dropped the node already obtained from
 * sfeventq_event_alloc() is not handed back; assumes the queue reclaims it
 * on reset -- confirm in sfeventq.c before relying on this path under load.
 */
int SnortEventqAdd(unsigned int gid,
                   unsigned int sid,
                   unsigned int rev,
                   unsigned int classification,
                   unsigned int pri,
                   char        *msg,
                   void        *rule_info)
{
    EventNode *node = (EventNode *)sfeventq_event_alloc(snort_conf->event_queue);

    if (node == NULL)
        return -1;

    node->gid            = gid;
    node->sid            = sid;
    node->rev            = rev;
    node->classification = classification;
    node->priority       = pri;
    node->msg            = msg;
    node->rule_info      = rule_info;

#ifdef PREPROCESSOR_AND_DECODER_RULE_EVENTS
    /*
     * Preprocessors and decoders may be configured to inspect and alert
     * from their own configuration (legacy code).  The rule OTN decides
     * whether such an event is enabled at all, and whether it becomes an
     * alert or a drop (sdrop).
     */
    {
        /* Every event should have a rule/otn. */
        struct _OptTreeNode *potn = OtnLookup(snort_conf->otn_map, gid, sid);

        if (potn == NULL && ScAutoGenPreprocDecoderOtns())
        {
            /* Not enabled via rules: synthesize an OTN if configured to. */
            potn = GenerateSnortEventOtn(node->gid,
                                         node->sid,
                                         node->rev,
                                         node->classification,
                                         node->priority,
                                         node->msg);

            if (potn != NULL)
                OtnLookupAdd(snort_conf->otn_map, potn);
        }

        /* Still no OTN found or created: do not add it to the queue. */
        if (potn == NULL)
            return 0;
    }
#endif

    return sfeventq_add(snort_conf->event_queue, (void *)node) ? -1 : 0;
}