event_queue.c File Reference

Snort wrapper to sfeventq library. More...

#include "fpcreate.h"
#include "fpdetect.h"
#include "util.h"
#include "sfeventq.h"
#include "event_wrapper.h"
#include "event_queue.h"
#include "sfthreshold.h"

Go to the source code of this file.

Functions
int	SnortEventqAdd (unsigned int gid, unsigned int sid, unsigned int rev, unsigned int classification, unsigned int pri, char *msg, void *rule_info)
static int	OrderPriority (void *event1, void *event2)
static int	OrderContentLength (void *event1, void *event2)
int	SnortEventqInit (void)
static int	LogSnortEvents (void *event, void *user)
int	SnortEventqLog (Packet *p)
void	SnortEventqReset (void)
Variables
SNORT_EVENT_QUEUE	g_event_queue = {8,3,SNORT_EVENTQ_CONTENT_LEN}

---

Detailed Description

Snort wrapper to sfeventq library.

Author:

Daniel Roelker <droelker@sourcefire.com>

Copyright (C) 2004, Daniel Roelker and Sourcefire, Inc.

These functions wrap the sfeventq API and provide the priority functions for ordering incoming events.

Definition in file event_queue.c.

---

Function Documentation

static int LogSnortEvents (  void *  event, void *  user )  [static]

Definition at line 153 of file event_queue.c. References _EventNode::classification, fpLogEvent(), GenerateSnortEvent(), _EventNode::gid, _EventNode::msg, _otnx_::otn, s_SNORT_EVENTQ_USER::pkt, _EventNode::priority, _EventNode::rev, _otnx_::rtn, s_SNORT_EVENTQ_USER::rule_alert, _EventNode::rule_info, sfthreshold_reset(), and _EventNode::sid. Referenced by SnortEventqLog().

static int OrderContentLength (  void *  event1, void *  event2 )  [static]

Definition at line 75 of file event_queue.c. References _otnx_::content_length, and _EventNode::rule_info. Referenced by SnortEventqInit().

static int OrderPriority (  void *  event1, void *  event2 )  [static]

Definition at line 58 of file event_queue.c. References _EventNode::priority. Referenced by SnortEventqInit().

int SnortEventqAdd (  unsigned int  gid, unsigned int  sid, unsigned int  rev, unsigned int  classification, unsigned int  pri, char *  msg, void *  rule_info )

Definition at line 30 of file event_queue.c. References _EventNode::classification, _EventNode::gid, _EventNode::msg, _EventNode::priority, _EventNode::rev, _EventNode::rule_info, sfeventq_add(), sfeventq_event_alloc(), and _EventNode::sid. Referenced by BoFind(), BoGetDirection(), CheckRst(), ConvFunc(), CreateNewSession(), DecodeARP(), DecodeEAP(), DecodeEapol(), DecodeEapolKey(), DecodeICMP(), DecodeIEEE80211Pkt(), DecodeIP(), DecodeIPOptions(), DecodePPPoEPkt(), DecodeTCP(), DecodeTCPOptions(), DecodeTRPkt(), DecodeUDP(), DecodeVlan(), DetectARPattacks(), EventAnomBadsizeLg(), EventAnomBadsizeSm(), EventAnomIpOpts(), EventAnomOverlap(), EventAnomOversize(), EventAnomShortFrag(), EventAnomZeroFrag(), EventAttackTeardrop(), fpFinalSelectEvent(), Frag2Defrag(), InsertFrag(), IPHdrTests(), LogEvents(), ParseXLink2State(), PreprocRpcDecode(), ReassembleStream4(), StoreStreamPkt(), TcpAction(), and TcpActionAsync().

int SnortEventqInit (  void   )

Definition at line 127 of file event_queue.c. References FatalError(), int(), s_SNORT_EVENT_QUEUE::log_events, s_SNORT_EVENT_QUEUE::max_events, NULL, s_SNORT_EVENT_QUEUE::order, OrderContentLength(), OrderPriority(), sfeventq_init(), SNORT_EVENTQ_CONTENT_LEN, and SNORT_EVENTQ_PRIORITY. Referenced by SnortMain().

int SnortEventqLog (  Packet *  p  )

We return whether we logged events or not. We've add a eventq user structure so we can track whether the events logged we're rule events or preprocessor/decoder events. The reason being that we don't want to flush a TCP stream for preprocessor/decoder events, and cause early flushing of the stream. Returns: 1 logged events 0 did not log events or logged only decoder/preprocessor events Definition at line 205 of file event_queue.c. References LogSnortEvents(), s_SNORT_EVENTQ_USER::pkt, s_SNORT_EVENTQ_USER::rule_alert, and sfeventq_action(). Referenced by Preprocess().

void SnortEventqReset (  void   )

Definition at line 221 of file event_queue.c. References sfeventq_reset(). Referenced by PcapProcessPacket(), and Preprocess().

---

Variable Documentation

SNORT_EVENT_QUEUE g_event_queue = {8,3,SNORT_EVENTQ_CONTENT_LEN}

size of flowbits tracking Definition at line 28 of file event_queue.c.

---