/**
 * Drain the event queue selected by qIndex through LogSnortEvents and
 * report whether any rule alerts were logged.
 *
 * A SNORT_EVENTQ_USER record is passed to the callback so that it can
 * distinguish rule events from decoder/preprocessor events. The caller
 * uses this distinction to avoid flushing a TCP stream (and so flushing
 * it too early) when only decoder/preprocessor events were logged.
 *
 * @param eq  array of event queues; the one at qIndex is drained
 *            (qIndex is a file-scope variable defined outside this function)
 * @param p   packet the events belong to; handed to the callback via user.pkt
 *
 * @return 1 if at least one rule alert was logged
 * @return 0 if nothing was logged, or only decoder/preprocessor events were
 */
int SnortEventqLog(SF_EVENTQ *eq[], Packet *p)
{
    /* Scratch record shared with the callback. Kept static as in the
     * original; note it retains the last packet pointer after return. */
    static SNORT_EVENTQ_USER user;
    int acted;

    user.rule_alert = 0x00;
    user.pkt = (void *)p;

    acted = sfeventq_action(eq[qIndex], LogSnortEvents, (void *)&user);

    /* Only count the call as "logged" when the callback both ran on at
     * least one event and flagged a rule alert. */
    return (acted > 0 && user.rule_alert) ? 1 : 0;
}
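/*
 * Parse a strictly positive int from a command-line argument.
 *
 * Returns the value, or -1 when the text is empty, carries trailing
 * characters, is not positive, or does not fit in an int. atoi() was
 * used before; it silently accepted trailing junk and mapped unparsable
 * text to 0.
 */
static int parse_positive_int(const char *text)
{
    char *end = NULL;
    long value = strtol(text, &end, 10);

    if (end == text || *end != '\0')
        return -1;
    /* Reject values that do not round-trip through int. */
    if (value <= 0 || value != (long)(int)value)
        return -1;
    return (int)value;
}

/*
 * Stand-alone exerciser for the event queue.
 *
 * argv[1] max_events  capacity of the queue
 * argv[2] log_events  how many events to log per pass (must not exceed max)
 * argv[3] add_events  how many random events to add per pass
 *
 * Each pass adds add_events events with random priority 0..2, runs the
 * myaction callback over the queue, resets it, then reads one byte from
 * stdin: any byte below 14 (e.g. a newline) repeats the pass, anything
 * else or EOF ends the program.
 *
 * Returns 0 on success, 1 on bad arguments or a queue failure.
 */
int main(int argc, char **argv)
{
    int max_events;
    int log_events;
    int add_events;
    int *event;
    int iCtr;
    int c;

    if (argc < 4)
    {
        printf("-- Not enough args\n");
        return 1;
    }

    max_events = parse_positive_int(argv[1]);
    if (max_events <= 0)
    {
        printf("-- max_events invalid.\n");
        return 1;
    }

    log_events = parse_positive_int(argv[2]);
    if (log_events <= 0)
    {
        printf("-- log_events invalid.\n");
        return 1;
    }

    add_events = parse_positive_int(argv[3]);
    if (add_events <= 0)
    {
        printf("-- add_events invalid.\n");
        return 1;
    }

    if (max_events < log_events)
    {
        printf("-- log_events greater than max_events\n");
        return 1;
    }

    srandom(time(NULL));

    /* NOTE(review): these sfeventq_* calls take no queue handle, unlike the
     * sfeventq_action(eq[qIndex], ...) form used by SnortEventqLog in this
     * file; confirm against the sfeventq header that this driver still
     * matches the current API before relying on it. */
    sfeventq_init(max_events, log_events, sizeof(int), mysort);

    do
    {
        printf("-- Event Queue Test --\n\n");

        for (iCtr = 0; iCtr < add_events; iCtr++)
        {
            event = (int *)sfeventq_event_alloc();
            if (!event)
            {
                printf("-- event allocation failed\n");
                return 1;
            }

            *event = (int)(random() % 3);
            sfeventq_add(event);
            printf("-- added %d\n", *event);
        }

        printf("\n-- Logging\n\n");

        if (sfeventq_action(myaction, NULL))
        {
            printf("-- There was a problem.\n");
            return 1;
        }

        sfeventq_reset();

        /* The original condition was getc(stdin) < 14, which never
         * terminates on EOF (EOF is -1): stop on EOF as well. */
        c = getc(stdin);
    } while (c != EOF && c < 14);

    return 0;
}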