Snort_AIPreproc/doc/latex/group__cluster.tex

\hypertarget{group__cluster}{
\section{Manage the clustering of alarms}
\label{group__cluster}\index{Manage the clustering of alarms@{Manage the clustering of alarms}}
}
\subsection*{Data Structures}
\begin{DoxyCompactItemize}
\item 
struct \hyperlink{structattribute__key}{attribute\_\-key}
\item 
struct \hyperlink{structattribute__value}{attribute\_\-value}
\end{DoxyCompactItemize}
\subsection*{Functions}
\begin{DoxyCompactItemize}
\item 
PRIVATE int \hyperlink{group__cluster_ga81f5fa721719fdb281595a568eef2101}{\_\-heuristic\_\-func} (\hyperlink{spp__ai_8h_ae2ff3c6586aa2ab211a102abfde86640}{cluster\_\-type} type)
\begin{DoxyCompactList}\small\item\em Function that picks up the heuristic value for a clustering attribute in according to Julisch's heuristic (ACM, Vol.2, No.3, 09 2002, pag.124). \item\end{DoxyCompactList}\item 
PRIVATE \hyperlink{struct__hierarchy__node}{hierarchy\_\-node} $\ast$ \hyperlink{group__cluster_ga2f1a22cfea64e4669da0467620c3e3b3}{\_\-hierarchy\_\-node\_\-new} (char $\ast$label, int min\_\-val, int max\_\-val)
\begin{DoxyCompactList}\small\item\em Create a new clustering hierarchy node. \item\end{DoxyCompactList}\item 
PRIVATE void \hyperlink{group__cluster_ga5601a1f603d9c870ef6e2df192e30c30}{\_\-hierarchy\_\-node\_\-append} (\hyperlink{struct__hierarchy__node}{hierarchy\_\-node} $\ast$parent, \hyperlink{struct__hierarchy__node}{hierarchy\_\-node} $\ast$child)
\begin{DoxyCompactList}\small\item\em Append a node to a clustering hierarchy node. \item\end{DoxyCompactList}\item 
PRIVATE \hyperlink{struct__hierarchy__node}{hierarchy\_\-node} $\ast$ \hyperlink{group__cluster_ga6ddddcd505b1f763c339e81fc143e079}{\_\-AI\_\-get\_\-min\_\-hierarchy\_\-node} (int val, \hyperlink{struct__hierarchy__node}{hierarchy\_\-node} $\ast$root)
\begin{DoxyCompactList}\small\item\em Get the minimum node in a hierarchy tree that matches a certain value. \item\end{DoxyCompactList}\item 
PRIVATE \hyperlink{spp__ai_8h_a3e5b8192e7d9ffaf3542f1210aec18dd}{BOOL} \hyperlink{group__cluster_ga0f91c8bfc37a3975f5c26b19fd6c5cba}{\_\-AI\_\-equal\_\-alarms} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$a1, \hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$a2)
\begin{DoxyCompactList}\small\item\em Check if two alerts are semantically equal. \item\end{DoxyCompactList}\item 
PRIVATE int \hyperlink{group__cluster_ga8ce8e5a5d8954672297fa2dedb380dcd}{\_\-AI\_\-merge\_\-alerts} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$$\ast$log)
\begin{DoxyCompactList}\small\item\em Merge the alerts marked as equal in the log. \item\end{DoxyCompactList}\item 
PRIVATE void \hyperlink{group__cluster_ga7d151880080470b542e99643dc0426a7}{\_\-AI\_\-print\_\-clustered\_\-alerts} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$log, FILE $\ast$fp)
\begin{DoxyCompactList}\small\item\em Print the clustered alerts to a log file. \item\end{DoxyCompactList}\item 
PRIVATE void $\ast$ \hyperlink{group__cluster_ga8a5eae61dc9fd0f13e0acdfa5f4478e2}{\_\-AI\_\-cluster\_\-thread} (void $\ast$arg)
\begin{DoxyCompactList}\small\item\em Thread for periodically clustering the log information. \item\end{DoxyCompactList}\item 
PRIVATE \hyperlink{spp__ai_8h_a3e5b8192e7d9ffaf3542f1210aec18dd}{BOOL} \hyperlink{group__cluster_ga29c35cd6c56f54e27b5b190c6d6c487a}{\_\-AI\_\-check\_\-duplicate} (\hyperlink{struct__hierarchy__node}{hierarchy\_\-node} $\ast$node, \hyperlink{struct__hierarchy__node}{hierarchy\_\-node} $\ast$root)
\begin{DoxyCompactList}\small\item\em Check if a certain node's range (minimum and maximum value) are already present in a clustering hierarchy. \item\end{DoxyCompactList}\item 
void \hyperlink{group__cluster_ga1445818b37483f78cc3fb2890155842c}{AI\_\-hierarchies\_\-build} (\hyperlink{structAI__config}{AI\_\-config} $\ast$\hyperlink{group__correlation_gaad7a982b6016390e7cd1164bd7db8bca}{conf}, \hyperlink{struct__hierarchy__node}{hierarchy\_\-node} $\ast$$\ast$nodes, int n\_\-nodes)
\begin{DoxyCompactList}\small\item\em Build the clustering hierarchy trees. \item\end{DoxyCompactList}\item 
PRIVATE \hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$ \hyperlink{group__cluster_gab4c8ab92691e85a6f0ac4abb122712fd}{\_\-AI\_\-copy\_\-clustered\_\-alerts} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$node)
\begin{DoxyCompactList}\small\item\em Return a copy of the clustered alerts. \item\end{DoxyCompactList}\item 
\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$ \hyperlink{group__cluster_ga2553c678eeb83282c230d649a0e8fcd4}{AI\_\-get\_\-clustered\_\-alerts} ()
\begin{DoxyCompactList}\small\item\em Return the alerts parsed so far as a linked list. \item\end{DoxyCompactList}\end{DoxyCompactItemize}
\subsection*{Variables}
\begin{DoxyCompactItemize}
\item 
PRIVATE \hyperlink{struct__hierarchy__node}{hierarchy\_\-node} $\ast$ \hyperlink{group__cluster_ga97d35425cf5a0207fb50b64ee8cdda82}{h\_\-root} \mbox{[}CLUSTER\_\-TYPES\mbox{]} = \{ NULL \}
\item 
PRIVATE \hyperlink{structAI__config}{AI\_\-config} $\ast$ \hyperlink{group__cluster_ga91458e2d34595688e39fcb63ba418849}{\_\-config} = NULL
\item 
PRIVATE \hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$ \hyperlink{group__cluster_gaaf4c19f60f48741b0890c6114dcff7d9}{alert\_\-log} = NULL
\end{DoxyCompactItemize}


\subsection{Function Documentation}
\hypertarget{group__cluster_ga29c35cd6c56f54e27b5b190c6d6c487a}{
\index{cluster@{cluster}!\_\-AI\_\-check\_\-duplicate@{\_\-AI\_\-check\_\-duplicate}}
\index{\_\-AI\_\-check\_\-duplicate@{\_\-AI\_\-check\_\-duplicate}!cluster@{cluster}}
\subsubsection[{\_\-AI\_\-check\_\-duplicate}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf BOOL} \_\-AI\_\-check\_\-duplicate (
\begin{DoxyParamCaption}
\item[{{\bf hierarchy\_\-node} $\ast$}]{ node, }
\item[{{\bf hierarchy\_\-node} $\ast$}]{ root}
\end{DoxyParamCaption}
)}}
\label{group__cluster_ga29c35cd6c56f54e27b5b190c6d6c487a}


Check if a certain node's range (minimum and maximum value) are already present in a clustering hierarchy. 


\begin{DoxyParams}{Parameters}
\item[{\em node}]Node to be checked \item[{\em root}]Clustering hierarchy \end{DoxyParams}
\begin{DoxyReturn}{Returns}
True if 'node' is already in 'root', false otherwise 
\end{DoxyReturn}
\hypertarget{group__cluster_ga8a5eae61dc9fd0f13e0acdfa5f4478e2}{
\index{cluster@{cluster}!\_\-AI\_\-cluster\_\-thread@{\_\-AI\_\-cluster\_\-thread}}
\index{\_\-AI\_\-cluster\_\-thread@{\_\-AI\_\-cluster\_\-thread}!cluster@{cluster}}
\subsubsection[{\_\-AI\_\-cluster\_\-thread}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE void$\ast$ \_\-AI\_\-cluster\_\-thread (
\begin{DoxyParamCaption}
\item[{void $\ast$}]{ arg}
\end{DoxyParamCaption}
)}}
\label{group__cluster_ga8a5eae61dc9fd0f13e0acdfa5f4478e2}


Thread for periodically clustering the log information. 

\hypertarget{group__cluster_gab4c8ab92691e85a6f0ac4abb122712fd}{
\index{cluster@{cluster}!\_\-AI\_\-copy\_\-clustered\_\-alerts@{\_\-AI\_\-copy\_\-clustered\_\-alerts}}
\index{\_\-AI\_\-copy\_\-clustered\_\-alerts@{\_\-AI\_\-copy\_\-clustered\_\-alerts}!cluster@{cluster}}
\subsubsection[{\_\-AI\_\-copy\_\-clustered\_\-alerts}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf AI\_\-snort\_\-alert}$\ast$ \_\-AI\_\-copy\_\-clustered\_\-alerts (
\begin{DoxyParamCaption}
\item[{{\bf AI\_\-snort\_\-alert} $\ast$}]{ node}
\end{DoxyParamCaption}
)}}
\label{group__cluster_gab4c8ab92691e85a6f0ac4abb122712fd}


Return a copy of the clustered alerts. 

\begin{DoxyReturn}{Returns}
An AI\_\-snort\_\-alert pointer identifying the list of clustered alerts 
\end{DoxyReturn}
\hypertarget{group__cluster_ga0f91c8bfc37a3975f5c26b19fd6c5cba}{
\index{cluster@{cluster}!\_\-AI\_\-equal\_\-alarms@{\_\-AI\_\-equal\_\-alarms}}
\index{\_\-AI\_\-equal\_\-alarms@{\_\-AI\_\-equal\_\-alarms}!cluster@{cluster}}
\subsubsection[{\_\-AI\_\-equal\_\-alarms}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf BOOL} \_\-AI\_\-equal\_\-alarms (
\begin{DoxyParamCaption}
\item[{{\bf AI\_\-snort\_\-alert} $\ast$}]{ a1, }
\item[{{\bf AI\_\-snort\_\-alert} $\ast$}]{ a2}
\end{DoxyParamCaption}
)}}
\label{group__cluster_ga0f91c8bfc37a3975f5c26b19fd6c5cba}


Check if two alerts are semantically equal. 


\begin{DoxyParams}{Parameters}
\item[{\em a1}]First alert \item[{\em a2}]Second alert \end{DoxyParams}
\begin{DoxyReturn}{Returns}
True if they are equal, false otherwise 
\end{DoxyReturn}
\hypertarget{group__cluster_ga6ddddcd505b1f763c339e81fc143e079}{
\index{cluster@{cluster}!\_\-AI\_\-get\_\-min\_\-hierarchy\_\-node@{\_\-AI\_\-get\_\-min\_\-hierarchy\_\-node}}
\index{\_\-AI\_\-get\_\-min\_\-hierarchy\_\-node@{\_\-AI\_\-get\_\-min\_\-hierarchy\_\-node}!cluster@{cluster}}
\subsubsection[{\_\-AI\_\-get\_\-min\_\-hierarchy\_\-node}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf hierarchy\_\-node}$\ast$ \_\-AI\_\-get\_\-min\_\-hierarchy\_\-node (
\begin{DoxyParamCaption}
\item[{int}]{ val, }
\item[{{\bf hierarchy\_\-node} $\ast$}]{ root}
\end{DoxyParamCaption}
)}}
\label{group__cluster_ga6ddddcd505b1f763c339e81fc143e079}


Get the minimum node in a hierarchy tree that matches a certain value. 


\begin{DoxyParams}{Parameters}
\item[{\em val}]Value to be matched in the range \item[{\em root}]Root of the hierarchy \end{DoxyParams}
\begin{DoxyReturn}{Returns}
The minimum node that matches the value if any, NULL otherwise 
\end{DoxyReturn}
\hypertarget{group__cluster_ga8ce8e5a5d8954672297fa2dedb380dcd}{
\index{cluster@{cluster}!\_\-AI\_\-merge\_\-alerts@{\_\-AI\_\-merge\_\-alerts}}
\index{\_\-AI\_\-merge\_\-alerts@{\_\-AI\_\-merge\_\-alerts}!cluster@{cluster}}
\subsubsection[{\_\-AI\_\-merge\_\-alerts}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE int \_\-AI\_\-merge\_\-alerts (
\begin{DoxyParamCaption}
\item[{{\bf AI\_\-snort\_\-alert} $\ast$$\ast$}]{ log}
\end{DoxyParamCaption}
)}}
\label{group__cluster_ga8ce8e5a5d8954672297fa2dedb380dcd}


Merge the alerts marked as equal in the log. 


\begin{DoxyParams}{Parameters}
\item[{\em log}]Alert log reference \end{DoxyParams}
\begin{DoxyReturn}{Returns}
The number of merged couples 
\end{DoxyReturn}
\hypertarget{group__cluster_ga7d151880080470b542e99643dc0426a7}{
\index{cluster@{cluster}!\_\-AI\_\-print\_\-clustered\_\-alerts@{\_\-AI\_\-print\_\-clustered\_\-alerts}}
\index{\_\-AI\_\-print\_\-clustered\_\-alerts@{\_\-AI\_\-print\_\-clustered\_\-alerts}!cluster@{cluster}}
\subsubsection[{\_\-AI\_\-print\_\-clustered\_\-alerts}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE void \_\-AI\_\-print\_\-clustered\_\-alerts (
\begin{DoxyParamCaption}
\item[{{\bf AI\_\-snort\_\-alert} $\ast$}]{ log, }
\item[{FILE $\ast$}]{ fp}
\end{DoxyParamCaption}
)}}
\label{group__cluster_ga7d151880080470b542e99643dc0426a7}


Print the clustered alerts to a log file. 


\begin{DoxyParams}{Parameters}
\item[{\em log}]Log containing the alerts \item[{\em fp}]File pointer where the alerts will be printed \end{DoxyParams}
\hypertarget{group__cluster_ga81f5fa721719fdb281595a568eef2101}{
\index{cluster@{cluster}!\_\-heuristic\_\-func@{\_\-heuristic\_\-func}}
\index{\_\-heuristic\_\-func@{\_\-heuristic\_\-func}!cluster@{cluster}}
\subsubsection[{\_\-heuristic\_\-func}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE int \_\-heuristic\_\-func (
\begin{DoxyParamCaption}
\item[{{\bf cluster\_\-type}}]{ type}
\end{DoxyParamCaption}
)}}
\label{group__cluster_ga81f5fa721719fdb281595a568eef2101}


Function that picks up the heuristic value for a clustering attribute in according to Julisch's heuristic (ACM, Vol.2, No.3, 09 2002, pag.124). 


\begin{DoxyParams}{Parameters}
\item[{\em type}]Attribute type \end{DoxyParams}
\begin{DoxyReturn}{Returns}
The heuristic coefficient for that attribute, -\/1 if no clustering information is available for that attribute 
\end{DoxyReturn}
\hypertarget{group__cluster_ga5601a1f603d9c870ef6e2df192e30c30}{
\index{cluster@{cluster}!\_\-hierarchy\_\-node\_\-append@{\_\-hierarchy\_\-node\_\-append}}
\index{\_\-hierarchy\_\-node\_\-append@{\_\-hierarchy\_\-node\_\-append}!cluster@{cluster}}
\subsubsection[{\_\-hierarchy\_\-node\_\-append}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE void \_\-hierarchy\_\-node\_\-append (
\begin{DoxyParamCaption}
\item[{{\bf hierarchy\_\-node} $\ast$}]{ parent, }
\item[{{\bf hierarchy\_\-node} $\ast$}]{ child}
\end{DoxyParamCaption}
)}}
\label{group__cluster_ga5601a1f603d9c870ef6e2df192e30c30}


Append a node to a clustering hierarchy node. 


\begin{DoxyParams}{Parameters}
\item[{\em parent}]Parent node \item[{\em child}]Child node \end{DoxyParams}
\hypertarget{group__cluster_ga2f1a22cfea64e4669da0467620c3e3b3}{
\index{cluster@{cluster}!\_\-hierarchy\_\-node\_\-new@{\_\-hierarchy\_\-node\_\-new}}
\index{\_\-hierarchy\_\-node\_\-new@{\_\-hierarchy\_\-node\_\-new}!cluster@{cluster}}
\subsubsection[{\_\-hierarchy\_\-node\_\-new}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf hierarchy\_\-node}$\ast$ \_\-hierarchy\_\-node\_\-new (
\begin{DoxyParamCaption}
\item[{char $\ast$}]{ label, }
\item[{int}]{ min\_\-val, }
\item[{int}]{ max\_\-val}
\end{DoxyParamCaption}
)}}
\label{group__cluster_ga2f1a22cfea64e4669da0467620c3e3b3}


Create a new clustering hierarchy node. 


\begin{DoxyParams}{Parameters}
\item[{\em label}]Label for the node \item[{\em min\_\-val}]Minimum value for the range represented by the node \item[{\em max\_\-val}]Maximum value for the range represented by the node \end{DoxyParams}
\begin{DoxyReturn}{Returns}
The brand new node if the allocation was ok, otherwise abort the application 
\end{DoxyReturn}
\hypertarget{group__cluster_ga2553c678eeb83282c230d649a0e8fcd4}{
\index{cluster@{cluster}!AI\_\-get\_\-clustered\_\-alerts@{AI\_\-get\_\-clustered\_\-alerts}}
\index{AI\_\-get\_\-clustered\_\-alerts@{AI\_\-get\_\-clustered\_\-alerts}!cluster@{cluster}}
\subsubsection[{AI\_\-get\_\-clustered\_\-alerts}]{\setlength{\rightskip}{0pt plus 5cm}{\bf AI\_\-snort\_\-alert}$\ast$ AI\_\-get\_\-clustered\_\-alerts (
\begin{DoxyParamCaption}
\item[{void}]{}
\end{DoxyParamCaption}
)}}
\label{group__cluster_ga2553c678eeb83282c230d649a0e8fcd4}


Return the alerts parsed so far as a linked list. 

\begin{DoxyReturn}{Returns}
An AI\_\-snort\_\-alert pointer identifying the list of clustered alerts 
\end{DoxyReturn}
\hypertarget{group__cluster_ga1445818b37483f78cc3fb2890155842c}{
\index{cluster@{cluster}!AI\_\-hierarchies\_\-build@{AI\_\-hierarchies\_\-build}}
\index{AI\_\-hierarchies\_\-build@{AI\_\-hierarchies\_\-build}!cluster@{cluster}}
\subsubsection[{AI\_\-hierarchies\_\-build}]{\setlength{\rightskip}{0pt plus 5cm}void AI\_\-hierarchies\_\-build (
\begin{DoxyParamCaption}
\item[{{\bf AI\_\-config} $\ast$}]{ conf, }
\item[{{\bf hierarchy\_\-node} $\ast$$\ast$}]{ nodes, }
\item[{int}]{ n\_\-nodes}
\end{DoxyParamCaption}
)}}
\label{group__cluster_ga1445818b37483f78cc3fb2890155842c}


Build the clustering hierarchy trees. 


\begin{DoxyParams}{Parameters}
\item[{\em conf}]Reference to the configuration of the module \item[{\em nodes}]Nodes containing the information about the clustering ranges \item[{\em n\_\-nodes}]Number of nodes \end{DoxyParams}


\subsection{Variable Documentation}
\hypertarget{group__cluster_ga91458e2d34595688e39fcb63ba418849}{
\index{cluster@{cluster}!\_\-config@{\_\-config}}
\index{\_\-config@{\_\-config}!cluster@{cluster}}
\subsubsection[{\_\-config}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf AI\_\-config}$\ast$ {\bf \_\-config} = NULL}}
\label{group__cluster_ga91458e2d34595688e39fcb63ba418849}
\hypertarget{group__cluster_gaaf4c19f60f48741b0890c6114dcff7d9}{
\index{cluster@{cluster}!alert\_\-log@{alert\_\-log}}
\index{alert\_\-log@{alert\_\-log}!cluster@{cluster}}
\subsubsection[{alert\_\-log}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf AI\_\-snort\_\-alert}$\ast$ {\bf alert\_\-log} = NULL}}
\label{group__cluster_gaaf4c19f60f48741b0890c6114dcff7d9}
\hypertarget{group__cluster_ga97d35425cf5a0207fb50b64ee8cdda82}{
\index{cluster@{cluster}!h\_\-root@{h\_\-root}}
\index{h\_\-root@{h\_\-root}!cluster@{cluster}}
\subsubsection[{h\_\-root}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf hierarchy\_\-node}$\ast$ {\bf h\_\-root}\mbox{[}CLUSTER\_\-TYPES\mbox{]} = \{ NULL \}}}
\label{group__cluster_ga97d35425cf5a0207fb50b64ee8cdda82}