Rule::Rule(const Rule & rule) { m_useId = false; m_id = rule.GetEventId(); if (m_id > 0) m_useId = true; m_source = rule.GetSource(); m_alarmColor = rule.GetAlarmColor(); m_ignore = rule.GetIgnore(); m_type = rule.GetType(); m_user = rule.GetUser(); m_value = rule.GetValue(); m_delay = rule.GetDelay(); m_count = rule.GetCount(); m_countTmp = 0; m_priority = rule.GetPriority(); }
// // return true if the event matched the rule // bool Session::ApplyRule(const Rule & rule, const EVENTLOGRECORD * ev) { string test; GetEventUser(ev, test); if (rule.GetEventId() != 0 && rule.GetEventId() != (ev->EventID & MSG_ID_MASK)) return false; if (ev->TimeGenerated < (m_now - rule.GetDelay()) && rule.GetIgnore() == false) // ignore rules don't depend on delay parameters return false; if (rule.GetSource().length() > 0) { string source = (LPSTR) ((LPBYTE) ev + sizeof(EVENTLOGRECORD)); std::transform(source.begin(), source.end(), source.begin(), tolower); if (source != rule.GetSource()) return false; } if (rule.GetType() != 0 && rule.GetType() != ev->EventType) return false; if (rule.GetUser().length() > 0) { string user; boost::regex e(rule.GetUser(), boost::regbase::perl); GetEventUser(ev, user); boost::match_results<std::string::const_iterator> what; if(boost::regex_search(user, what, e) == 0) { return false; } } if (rule.GetValue().length() > 0) { string desc; boost::regex e(rule.GetValue(), boost::regbase::perl); GetEventDescription(ev, desc); boost::match_results<std::string::const_iterator> what; if(boost::regex_search(desc, what, e) == 0) { return false; } } return true; }
void Session::AddRule(const Rule & rule) { if (rule.GetIgnore()) m_ignoreRules.push_back(rule); else m_matchRules.push_back(rule); }