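/// <summary>
/// Decides whether <paramref name="securityEvent"/> satisfies every constraint configured
/// on <paramref name="rule"/>. Constraints are evaluated in the fixed order
/// &lt;if_sid&gt;, &lt;same_source_ip/&gt;, &lt;match&gt;, &lt;if_matched_sid&gt;; the first one
/// that fails ends the evaluation. A constraint whose rule value is zero / empty is
/// treated as "not configured" and imposes nothing.
/// </summary>
/// <param name="securityEvent">
/// Event under evaluation; only <c>srcIP</c> and <c>message</c> are read. It is passed by
/// <c>ref</c> for signature compatibility — this method never assigns to it.
/// </param>
/// <param name="rule">Rule whose constraints are checked; likewise never assigned to here.</param>
/// <returns>
/// <c>true</c> when every configured constraint passes (or none is configured);
/// <c>false</c> as soon as one constraint fails.
/// </returns>
public bool CheckIfMatched(ref SecurityEvent securityEvent, ref Rule rule)
{
    string padding = Assistant.GetPadding();

    // <if_sid>: the referenced rule must be present in matchList with a non-zero count.
    // A single TryGetValue replaces the former ContainsKey + indexer double lookup.
    if (rule.ifSID != 0)
    {
        logger.Trace("{0}Check <if_sid>{1}</if_sid>", padding, rule.ifSID);
        if (!matchList.TryGetValue(rule.ifSID, out var ifSidCount) || ifSidCount == 0)
        {
            return false;
        }
    }

    // <same_source_ip/>: exact (ordinal, case-sensitive) comparison of the event's source
    // address against the address the rule expects. A null/empty rule value skips the check
    // instead of throwing on the former .Equals("") call.
    if (!string.IsNullOrEmpty(rule.sourceIP))
    {
        logger.Trace(padding + " Check <same_source_ip/>");
        if (!securityEvent.srcIP.Equals(rule.sourceIP))
        {
            return false;
        }
    }

    // <match>: '|' separates alternatives (logical OR). Empty alternatives are dropped, so a
    // literal '|' can never be part of a pattern. Each alternative is a case-insensitive
    // substring test against the event message — not a regex and not anchored.
    if (!string.IsNullOrEmpty(rule.match))
    {
        logger.Trace("{0}Check <match>{1}</match>", padding, rule.match);
        string[] alternatives = rule.match.Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
        bool anyAlternativeHit = false;
        foreach (string alternative in alternatives)
        {
            if (securityEvent.message.IndexOf(alternative, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                anyAlternativeHit = true;
                break;
            }
        }
        if (!anyAlternativeHit)
        {
            return false;
        }
    }

    // <if_matched_sid>: when the referenced rule is known, it must have a non-zero count and
    // a queue entry whose own CheckIfMatched accepts this event/rule pair.
    if (rule.ifMatchedSID != 0)
    {
        logger.Trace("{0}Check <if_matched_sid>{1}</if_matched_sid>", padding, rule.ifMatchedSID);
        // NOTE(review): unlike <if_sid>, a referenced rule that is absent from matchList is
        // skipped here rather than failing the rule. That asymmetry is preserved unchanged;
        // confirm it is intended, since it lets the rule match without the prerequisite.
        if (matchList.TryGetValue(rule.ifMatchedSID, out var ifMatchedCount))
        {
            if (ifMatchedCount == 0)
            {
                return false;
            }
            if (!fireDictionary.TryGetValue(rule.ifMatchedSID, out var queue))
            {
                return false;
            }
            if (!queue.CheckIfMatched(securityEvent, rule))
            {
                logger.Trace("{0} Rule {1} QueueDictionary.CheckIfMatched == FALSE", padding, rule.ifMatchedSID);
                return false;
            }
            logger.Trace("{0} Rule {1} QueueDictionary.CheckIfMatched == TRUE", padding, rule.ifMatchedSID);
        }
    }

    // Every configured constraint passed.
    return true;
}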