snort中的事件(Event)机制
在程序中与事件相关的几个文件: event.h,event_queue.h,event_queue.c,event_wrapper.h,event_wrapper.c,和fsutil/sfeventq.h,/fsutil/sfeventq.c
1,event中主要定义了一个事件的数据结构
//
事件的数据结构
typedef
struct
_Event
{
u_int32_t sig_generator; /**//* which part of snort generated the alert? */
u_int32_t sig_id; /**//* sig id for this generator */
u_int32_t sig_rev; /**//* sig revision for this id */
u_int32_t classification; /**//* event classification */
u_int32_t priority; /**//* event priority */
u_int32_t event_id; /**//* event ID */
u_int32_t event_reference; /**//* reference to other events that have gone off,*/
/* such as in the case of tagged packets */
struct timeval ref_time; /**//* reference time for the event reference */
}
Event;
2,event_queue.h和event_queue.c中定义了
typedef
struct
s_SNORT_EVENTQ_USER
{
char rule_alert;
void *pkt;/*一般为Packet*/
}
SNORT_EVENTQ_USER;
typedef
struct
s_SNORT_EVENT_QUEUE
{
int max_events;
int log_events;
int order;
}
SNORT_EVENT_QUEUE;
typedef
struct
_EventNode
{
unsigned int gid;
unsigned int sid;
unsigned int rev;
unsigned int classification;
unsigned int priority;
char *msg;
void *rule_info;
}
EventNode;//和事件的数据结构大致相同
//以下函数的具体实现调用了fsutil/fseventq.*的实现
int
SnortEventqInit(
void
);
void
SnortEventqReset(
void
);
int
SnortEventqLog(Packet
*
);
int
SnortEventqAdd(unsigned
int
gid,unsigned
int
sid,unsigned
int
rev,
unsigned
int
classification,unsigned
int
pri,
char
*
msg,
void
*
rule_info);
在event_queue.c中还有三个静态函数
static int OrderPriority(void *event1, void *event2) //比较event1和event2的优先级(priority成员大小),
if(event1->priority < event2->priority) return 1;
static int OrderContentLength(void *event1, void *event2) //比较event1和event2的规则信息的长度(rule_info的长度),event1大的话就返回1。
static int LogSnortEvents(void *event, void *user)
3,event_wrapper.h,event_wrapper.c中定义两个函数
//
调用log.c 中的setEvent和detect.c中的CallLogFuncs设置生成的事件,并返回event.event_id
u_int32_t GenerateSnortEvent(Packet
*
p,
u_int32_t gen_id,
u_int32_t sig_id,
u_int32_t sig_rev,
u_int32_t classification,
u_int32_t priority,
char
*
msg);
//
和上个函数差不多,只是多了一个事件参考(event_ref)和时间(ref_sec)的设置,返回0或1
//
如果event_ref和ref_sec都不为空,则返回1
int
LogTagData(Packet
*
p,
u_int32_t gen_id,
u_int32_t sig_id,
u_int32_t sig_rev,
u_int32_t classification,
u_int32_t priority,
u_int32_t event_ref,
time_t ref_sec,
char
*
msg);
4,Sfeventq.h和Sfenentq.c文件
sfeventq.h中定义了五个函数
void
*
sfeventq_event_alloc(
void
);
//清空sfeventq
void
sfeventq_reset(
void
);
//在sfeventq队列里添加一个event
int
sfeventq_add(
void
*
event
);
//根据action_func处理
int
sfeventq_action(
int
(
*
action_func)(
void
*
event
,
void
*
user),
void
*
user);
//sfeventq的空间分配
int
sfeventq_init(
int
max_nodes,
int
log_nodes,
int
event_size,
int
(
*
sort)(
void
*
,
void
*
));
1,event中主要定义了一个事件的数据结构
//
事件的数据结构
typedef
struct
_Event
{ u_int32_t sig_generator; /**//* which part of snort generated the alert? */ u_int32_t sig_id; /**//* sig id for this generator */ u_int32_t sig_rev; /**//* sig revision for this id */ u_int32_t classification; /**//* event classification */ u_int32_t priority; /**//* event priority */ u_int32_t event_id; /**//* event ID */ u_int32_t event_reference; /**//* reference to other events that have gone off,*//* such as in the case of tagged packets
*/ struct timeval ref_time; /**//* reference time for the event reference */}
Event;
typedef
struct
s_SNORT_EVENTQ_USER
{ char rule_alert; void *pkt;/*一般为Packet*/}
SNORT_EVENTQ_USER;typedef
struct
s_SNORT_EVENT_QUEUE
{ int max_events; int log_events; int order;}
SNORT_EVENT_QUEUE;typedef
struct
_EventNode
{ unsigned int gid; unsigned int sid; unsigned int rev; unsigned int classification; unsigned int priority; char *msg; void *rule_info;}
EventNode;//和事件的数据结构大致相同//以下函数的具体实现调用了fsutil/fseventq.*的实现
int
SnortEventqInit(
void
);
void
SnortEventqReset(
void
);
int
SnortEventqLog(Packet
*
);
int
SnortEventqAdd(unsigned
int
gid,unsigned
int
sid,unsigned
int
rev, unsigned
int
classification,unsigned
int
pri,
char
*
msg,
void
*
rule_info);
static int OrderPriority(void *event1, void *event2) //比较event1和event2的优先级(priority成员大小),
if(event1->priority < event2->priority) return 1;
static int OrderContentLength(void *event1, void *event2) //比较event1和event2的规则信息的长度(rule_info的长度),event1大的话就返回1。
static int LogSnortEvents(void *event, void *user)
3,event_wrapper.h,event_wrapper.c中定义两个函数
//
调用log.c 中的setEvent和detect.c中的CallLogFuncs设置生成的事件,并返回event.event_id
u_int32_t GenerateSnortEvent(Packet
*
p, u_int32_t gen_id, u_int32_t sig_id, u_int32_t sig_rev, u_int32_t classification, u_int32_t priority,
char
*
msg);
//
和上个函数差不多,只是多了一个事件参考(event_ref)和时间(ref_sec)的设置,返回0或1
//
如果event_ref和ref_sec都不为空,则返回1
int
LogTagData(Packet
*
p, u_int32_t gen_id, u_int32_t sig_id, u_int32_t sig_rev, u_int32_t classification, u_int32_t priority, u_int32_t event_ref, time_t ref_sec,
char
*
msg);
sfeventq.h中定义了五个函数
void
*
sfeventq_event_alloc(
void
);//清空sfeventq
void
sfeventq_reset(
void
);//在sfeventq队列里添加一个event
int
sfeventq_add(
void
*
event
);//根据action_func处理
int
sfeventq_action(
int
(
*
action_func)(
void
*
event
,
void
*
user),
void
*
user);//sfeventq的空间分配
int
sfeventq_init(
int
max_nodes,
int
log_nodes,
int
event_size,
int
(
*
sort)(
void
*
,
void
*
));