- /* Active response to the forwarder */
- else if((Config.ar & REMOTE_AR))
- {
- int rc;
- /*If lf->location start with a ( was generated by remote agent and its ID is included in lf->location
- if missing then it must of been generated by the local analysisd so prepend a false id tag */
- if(lf->location[0] == '(') {
- snprintf(exec_msg, OS_SIZE_1024,
- "%s %c%c%c %s %s %s %s %d.%ld %d %s %s",
- lf->location,
- (ar->location & ALL_AGENTS)?ALL_AGENTS_C:NONE_C,
- (ar->location & REMOTE_AGENT)?REMOTE_AGENT_C:NONE_C,
- (ar->location & SPECIFIC_AGENT)?SPECIFIC_AGENT_C:NONE_C,
- ar->agent_id != NULL? ar->agent_id: "(null)",
- ar->name,
- user,
- ip,
- lf->time,
- __crt_ftell,
- lf->generated_rule->sigid,
- lf->location,
- filename);
- } else {
- snprintf(exec_msg, OS_SIZE_1024,
- "(local_source) %s %c%c%c %s %s %s %s %d.%ld %d %s %s",
- lf->location,
- (ar->location & ALL_AGENTS)?ALL_AGENTS_C:NONE_C,
- (ar->location & REMOTE_AGENT)?REMOTE_AGENT_C:NONE_C,
- (ar->location & SPECIFIC_AGENT)?SPECIFIC_AGENT_C:NONE_C,
- ar->agent_id != NULL? ar->agent_id: "(null)",
- ar->name,
- user,
- ip,
- lf->time,
- __crt_ftell,
- lf->generated_rule->sigid,
- lf->location,
- filename);
- }
-
- if((rc = OS_SendUnix(*arq, exec_msg, 0)) < 0)
- {
- if(rc == OS_SOCKBUSY)
- {