在程序中与事件相关的几个文件: event.h,event_queue.h,event_queue.c,event_wrapper.h,event_wrapper.c,和fsutil/sfeventq.h,fsutil/sfeventq.c
1,event中主要定义了一个事件的数据结构
2,event_queue.h和event_queue.c中定义了
在event_queue.c中还有三个静态函数
static int OrderPriority(void *event1, void *event2) //比较event1和event2的优先级(priority成员大小),event1小的话就返回1。
if(event1->priority < event2->priority) return 1;
static int OrderContentLength(void *event1, void *event2) //比较event1和event2的规则信息的长度(rule_info的长度),event1大的话就返回1。
static int LogSnortEvents(void *event, void *user)
3,event_wrapper.h,event_wrapper.c中定义两个函数
4,sfeventq.h和sfeventq.c文件
sfeventq.h中定义了五个函数
// Hand out storage for one event from the queue's pool; the returned pointer is
// presumably what the caller fills in and then passes to sfeventq_add — confirm in sfeventq.c.
void *sfeventq_event_alloc(void);
// Empty the sfeventq.
void sfeventq_reset(void);
// Add one event to the sfeventq queue; returns an int status (value meaning not shown in this header).
int sfeventq_add(void *event);
// Run action_func over the queued events, passing user through to every call.
int sfeventq_action(int (*action_func)(void *event, void *user), void *user);
// Allocate the sfeventq storage: max_nodes is the queue capacity, log_nodes the number of
// events that get logged (presumably), event_size the bytes per event, and sort the comparator
// that orders the queue. NOTE(review): all three sizes are plain int; whether init rejects
// negative or zero values is not visible here — callers should validate before calling.
int sfeventq_init(int max_nodes, int log_nodes, int event_size,
int (*sort)(void *, void *));
1,event中主要定义了一个事件的数据结构
//事件的数据结构
/*
 * One Snort event: identifies the signature that fired (generator, sig id,
 * revision), carries its classification and priority, and links it to
 * related events through event_reference / ref_time.
 * u_int32_t is the BSD spelling of uint32_t (<sys/types.h>); struct timeval
 * comes from <sys/time.h>.
 */
typedef struct _Event
{
u_int32_t sig_generator; /* which part of snort generated the alert? */
u_int32_t sig_id; /* sig id for this generator */
u_int32_t sig_rev; /* sig revision for this id */
u_int32_t classification; /* event classification */
u_int32_t priority; /* event priority */
u_int32_t event_id; /* event ID */
u_int32_t event_reference; /* reference to other events that have gone off,*/
/* such as in the case of tagged packets */
struct timeval ref_time; /* reference time for the event reference */
} Event;
/*
 * One Snort event: identifies the signature that fired (generator, sig id,
 * revision), carries its classification and priority, and links it to
 * related events through event_reference / ref_time.
 * u_int32_t is the BSD spelling of uint32_t (<sys/types.h>); struct timeval
 * comes from <sys/time.h>.
 */
typedef struct _Event
{
u_int32_t sig_generator; /* which part of snort generated the alert? */
u_int32_t sig_id; /* sig id for this generator */
u_int32_t sig_rev; /* sig revision for this id */
u_int32_t classification; /* event classification */
u_int32_t priority; /* event priority */
u_int32_t event_id; /* event ID */
u_int32_t event_reference; /* reference to other events that have gone off,*/
/* such as in the case of tagged packets */
struct timeval ref_time; /* reference time for the event reference */
} Event;
/* Caller context for queue processing — presumably the `user` argument handed
 * to sfeventq_action and on to LogSnortEvents(event, user); confirm in event_queue.c. */
typedef struct s_SNORT_EVENTQ_USER
{
char rule_alert; /* flag; exact meaning not shown in this header */
void *pkt;/* usually a Packet */
} SNORT_EVENTQ_USER;
/*
 * Queue configuration. max_events caps how many events the queue holds and
 * log_events how many of them are logged (these match the max_nodes/log_nodes
 * parameters of sfeventq_init); order selects the sort criterion — presumably
 * the priority vs. content-length comparators in event_queue.c. These caps are
 * presumably what bound the event output for a packet that matches many rules.
 */
typedef struct s_SNORT_EVENT_QUEUE
{
int max_events; /* queue capacity */
int log_events; /* how many queued events are logged */
int order; /* which comparator orders the queue */
} SNORT_EVENT_QUEUE;
/* Entry stored in the event queue: the signature identity plus the message
 * and rule pointers. Ownership of msg and rule_info (copied vs. borrowed) is
 * not stated in this header — confirm in event_queue.c before freeing them. */
typedef struct _EventNode
{
unsigned int gid; /* generator id */
unsigned int sid; /* signature id */
unsigned int rev; /* signature revision */
unsigned int classification;
unsigned int priority;
char *msg; /* rule message */
void *rule_info; /* opaque rule data; its length is what OrderContentLength compares */
} EventNode; // roughly mirrors the Event structure above
// The implementations of the functions below delegate to fsutil/sfeventq.*
// Set up the Snort event queue; returns an int status.
int SnortEventqInit(void);
// Clear the queue.
void SnortEventqReset(void);
// Log the queued events for the given packet; returns an int status.
int SnortEventqLog(Packet *);
// Queue one event identified by gid/sid/rev/classification/pri with its msg and rule_info.
// Whether msg and rule_info are copied or merely stored by pointer is not visible here;
// confirm in event_queue.c before releasing them.
int SnortEventqAdd(unsigned int gid,unsigned int sid,unsigned int rev,
unsigned int classification,unsigned int pri,char *msg,
void *rule_info);
{
char rule_alert;
void *pkt;/*一般为Packet*/
} SNORT_EVENTQ_USER;
/*
 * Queue configuration. max_events caps how many events the queue holds and
 * log_events how many of them are logged (these match the max_nodes/log_nodes
 * parameters of sfeventq_init); order selects the sort criterion — presumably
 * the priority vs. content-length comparators in event_queue.c. These caps are
 * presumably what bound the event output for a packet that matches many rules.
 */
typedef struct s_SNORT_EVENT_QUEUE
{
int max_events; /* queue capacity */
int log_events; /* how many queued events are logged */
int order; /* which comparator orders the queue */
} SNORT_EVENT_QUEUE;
/* Entry stored in the event queue: the signature identity plus the message
 * and rule pointers. Ownership of msg and rule_info (copied vs. borrowed) is
 * not stated in this header — confirm in event_queue.c before freeing them. */
typedef struct _EventNode
{
unsigned int gid; /* generator id */
unsigned int sid; /* signature id */
unsigned int rev; /* signature revision */
unsigned int classification;
unsigned int priority;
char *msg; /* rule message */
void *rule_info; /* opaque rule data; its length is what OrderContentLength compares */
} EventNode; // roughly mirrors the Event structure above
// The implementations of the functions below delegate to fsutil/sfeventq.*
// Set up the Snort event queue; returns an int status.
int SnortEventqInit(void);
// Clear the queue.
void SnortEventqReset(void);
// Log the queued events for the given packet; returns an int status.
int SnortEventqLog(Packet *);
// Queue one event identified by gid/sid/rev/classification/pri with its msg and rule_info.
// Whether msg and rule_info are copied or merely stored by pointer is not visible here;
// confirm in event_queue.c before releasing them.
int SnortEventqAdd(unsigned int gid,unsigned int sid,unsigned int rev,
unsigned int classification,unsigned int pri,char *msg,
void *rule_info);
static int OrderPriority(void *event1, void *event2) //比较event1和event2的优先级(priority成员大小),event1小的话就返回1。
if(event1->priority < event2->priority) return 1;
static int OrderContentLength(void *event1, void *event2) //比较event1和event2的规则信息的长度(rule_info的长度),event1大的话就返回1。
static int LogSnortEvents(void *event, void *user)
3,event_wrapper.h,event_wrapper.c中定义两个函数
// Calls setEvent in log.c and CallLogFuncs in detect.c to set up the generated
// event, and returns event.event_id.
u_int32_t GenerateSnortEvent(Packet *p,
u_int32_t gen_id,
u_int32_t sig_id,
u_int32_t sig_rev,
u_int32_t classification,
u_int32_t priority,
char *msg);
// Like GenerateSnortEvent, but additionally sets the event reference (event_ref)
// and reference time (ref_sec); returns 0 or 1:
// 1 when both event_ref and ref_sec are set (non-empty).
int LogTagData(Packet *p,
u_int32_t gen_id,
u_int32_t sig_id,
u_int32_t sig_rev,
u_int32_t classification,
u_int32_t priority,
u_int32_t event_ref,
time_t ref_sec,
char *msg);
// Calls setEvent in log.c and CallLogFuncs in detect.c to set up the generated
// event, and returns event.event_id.
u_int32_t GenerateSnortEvent(Packet *p,
u_int32_t gen_id,
u_int32_t sig_id,
u_int32_t sig_rev,
u_int32_t classification,
u_int32_t priority,
char *msg);
// Like GenerateSnortEvent, but additionally sets the event reference (event_ref)
// and reference time (ref_sec); returns 0 or 1:
// 1 when both event_ref and ref_sec are set (non-empty).
int LogTagData(Packet *p,
u_int32_t gen_id,
u_int32_t sig_id,
u_int32_t sig_rev,
u_int32_t classification,
u_int32_t priority,
u_int32_t event_ref,
time_t ref_sec,
char *msg);
sfeventq.h中定义了五个函数
// Hand out storage for one event from the queue's pool; the returned pointer is
// presumably what the caller fills in and then passes to sfeventq_add — confirm in sfeventq.c.
void *sfeventq_event_alloc(void);
// Empty the sfeventq.
void sfeventq_reset(void);
// Add one event to the sfeventq queue; returns an int status (value meaning not shown in this header).
int sfeventq_add(void *event);
// Run action_func over the queued events, passing user through to every call.
int sfeventq_action(int (*action_func)(void *event, void *user), void *user);
// Allocate the sfeventq storage: max_nodes is the queue capacity, log_nodes the number of
// events that get logged (presumably), event_size the bytes per event, and sort the comparator
// that orders the queue. NOTE(review): all three sizes are plain int; whether init rejects
// negative or zero values is not visible here — callers should validate before calling.
int sfeventq_init(int max_nodes, int log_nodes, int event_size,
int (*sort)(void *, void *));