
event_wrapper.c

00001 /**
00002  * @file   event_wrapper.c
00003  * @author Chris Green <cmg@sourcefire.com>
00004  * @date   Wed Jun 18 10:49:59 2003
00005  * 
00006  * @brief  generate a snort event
00007  * 
00008  * This is a wrapper around SetEvent(), CallAlertFuncs() and CallLogFuncs();
00008  * it lets preprocessors raise an event without touching the rule engine.
00009  */
00010 
00011 #ifdef HAVE_CONFIG_H
00012 #include "config.h"
00013 #endif
00014 
00015 #include "util.h"
00016 #include "event_wrapper.h"
00017 
/**
 * Build a Snort event and hand it to the alert output plugins, and -- when a
 * packet is available -- to the log output plugins as well.
 *
 * @param p              packet the event refers to; may be NULL, in which
 *                       case only the alert functions run and nothing is
 *                       logged
 * @param gen_id         generator id
 * @param sig_id         signature id
 * @param sig_rev        signature revision
 * @param classification classification id
 * @param priority       priority level
 * @param msg            alert message text; must not be NULL
 *
 * @return the event id left in the Event by SetEvent()/the alert path, or
 *         0 when msg is NULL. Callers treat 0 as failure; note that an
 *         event id of 0 can also come back if the event counter wraps, so
 *         the two cases are not distinguishable to the caller.
 */
u_int32_t GenerateSnortEvent(Packet *p,
                            u_int32_t gen_id,
                            u_int32_t sig_id,
                            u_int32_t sig_rev,
                            u_int32_t classification,
                            u_int32_t priority,
                            char *msg)
{
    Event event;

    /* Never raise an event that has no message text. */
    if(msg == NULL)
    {
        return 0;
    }

    /* event_ref of 0: this is a fresh event, not a reference to an old one. */
    SetEvent(&event, gen_id, sig_id, sig_rev, classification, priority, 0);
    CallAlertFuncs(p, msg, NULL, &event);

    /*
    **  Preprocessor (non-rule) events deliberately do NOT flush the stream
    **  before logging.  Rule events are the higher-value ones, and flushing
    **  here could throw away stream data that a rule still needs to alert
    **  on, leaving the operator with nothing but a generic preprocessor
    **  event.  Should flushing ever be wanted for these events, gate the
    **  log call on AlertFlushStream(p) == 0 when p->ssnptr is non-NULL.
    */
    if(p != NULL)
    {
        CallLogFuncs(p, msg, NULL, &event);
    }

    return event.event_id;
}
00065 
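/** 
 * Log additional packet data against a previously generated event, using
 * the same kind of mechanism tagging does.
 * 
 * @param p              packet to log; may be NULL, in which case nothing is
 *                       logged but 1 is still returned (see note below)
 * @param gen_id         generator id
 * @param sig_id         signature id
 * @param sig_rev        signature revision
 * @param classification classification id
 * @param priority       priority level
 * @param event_ref      id of the previous event this data belongs to;
 *                       must be non-zero
 * @param ref_sec        the tv_sec of that previous event; must be non-zero
 * @param msg            the message text handed to the log plugins; must
 *                       not be NULL
 * 
 * @return 1 on success, 0 on FAILURE (zero event_ref, zero ref_sec, or a
 *         NULL msg).  The 0-means-failure convention matches
 *         GenerateSnortEvent().
 *
 * NOTE(review): a NULL p is not treated as a failure -- the call becomes a
 * no-op that still reports success.  Preserved as-is since callers may
 * rely on it; confirm before tightening.
 */
int LogTagData(Packet *p,
               u_int32_t gen_id,
               u_int32_t sig_id,
               u_int32_t sig_rev,
               u_int32_t classification,
               u_int32_t priority,
               u_int32_t event_ref,
               time_t ref_sec,
               char *msg)
   
{
    Event event;
    
    /* Tag data must point at a real prior event: 0 is never used as an
     * event id (barring counter wraparound) and a zero reference time is
     * not meaningful. */
    if(!event_ref || !ref_sec)
        return 0;

    /* Same guard GenerateSnortEvent() applies before the same downstream
     * call: the message is passed straight to the log plugins, so reject a
     * NULL one here instead of letting them dereference it. */
    if(!msg)
        return 0;

    SetEvent(&event, gen_id, sig_id, sig_rev, classification, priority, event_ref);

    /* Point the log record back at the time of the referenced event. */
    event.ref_time.tv_sec = ref_sec;
    
    if(p)
        CallLogFuncs(p, msg, NULL, &event);

    return 1;
}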
00106                      
