From 0ac6af992114fcd7fa839a2ade3189ed69ce890c Mon Sep 17 00:00:00 2001 From: BlackLight Date: Tue, 21 Sep 2010 21:47:48 +0200 Subject: [PATCH] Alert serialization for db too, configuration fixed --- alert_history.c | 28 +++++++++++------------ alert_parser.c | 60 +++++++++++++++++++++---------------------------- cluster.c | 9 +++----- correlation.c | 29 +++++++++++------------- db.c | 32 ++++++++++++++++---------- db.h | 2 +- mysql.c | 2 +- postgresql.c | 2 +- spp_ai.c | 15 +++++-------- spp_ai.h | 17 +++++++++++--- stream.c | 6 ++--- 11 files changed, 100 insertions(+), 102 deletions(-) diff --git a/alert_history.c b/alert_history.c index 4c649ac..c7ea7fb 100644 --- a/alert_history.c +++ b/alert_history.c @@ -73,12 +73,11 @@ AI_alerts_hash_free ( AI_alert_event **events ) /** * \brief Deserialize a alerts' hash table from the binary history file - * \param conf Configuration of the module * \return A void* pointer (to be casted to AI_alert_event*) to the stored hash table */ void* -AI_deserialize_alerts ( AI_config *conf ) +AI_deserialize_alerts () { FILE *fp = NULL; struct stat st; @@ -90,19 +89,19 @@ AI_deserialize_alerts ( AI_config *conf ) *event_list = NULL; AI_alert_event_key key; - if ( stat ( conf->alert_history_file, &st ) < 0 ) + if ( stat ( config->alert_history_file, &st ) < 0 ) return NULL; if ( ! S_ISREG ( st.st_mode )) - _dpd.fatalMsg ( "AIPreproc: '%s' is not a regular file\n", conf->alert_history_file ); + _dpd.fatalMsg ( "AIPreproc: '%s' is not a regular file\n", config->alert_history_file ); - if ( !( fp = fopen ( conf->alert_history_file, "r" ))) - _dpd.fatalMsg ( "AIPreproc: Unable to read from the file '%s'\n", conf->alert_history_file ); + if ( !( fp = fopen ( config->alert_history_file, "r" ))) + _dpd.fatalMsg ( "AIPreproc: Unable to read from the file '%s'\n", config->alert_history_file ); AI_alerts_hash_free ( &alerts_hash ); if ( fread ( &lists_count, sizeof ( unsigned int ), 1, fp ) <= 0 ) - _dpd.fatalMsg ( "AIPreproc: Malformed history file '%s'\n", conf->alert_history_file ); + _dpd.fatalMsg ( "AIPreproc: Malformed history file '%s'\n", config->alert_history_file ); /* Fill the hash table reading from the file */ for ( i=0; i < lists_count; i++ ) @@ -111,7 +110,7 @@ AI_deserialize_alerts ( AI_config *conf ) event_prev = NULL; if ( fread ( &items_count, sizeof ( unsigned int ), 1, fp ) <= 0 ) - _dpd.fatalMsg ( "AIPreproc: Malformed history file '%s'\n", conf->alert_history_file ); + _dpd.fatalMsg ( "AIPreproc: Malformed history file '%s'\n", config->alert_history_file ); for ( j=0; j < items_count; j++ ) { @@ -131,10 +130,10 @@ AI_deserialize_alerts ( AI_config *conf ) event_iterator->count = items_count; if ( fread ( &( event_iterator->key ), sizeof ( event_iterator->key ), 1, fp ) <= 0 ) - _dpd.fatalMsg ( "AIPreproc: Malformed history file '%s'\n", conf->alert_history_file ); + _dpd.fatalMsg ( "AIPreproc: Malformed history file '%s'\n", config->alert_history_file ); if ( fread ( &( event_iterator->timestamp ), sizeof ( event_iterator->timestamp ), 1, fp ) <= 0 ) - _dpd.fatalMsg ( "AIPreproc: Malformed history file '%s'\n", conf->alert_history_file ); + _dpd.fatalMsg ( "AIPreproc: Malformed history file '%s'\n", config->alert_history_file ); if ( event_prev ) { @@ -157,11 +156,10 @@ AI_deserialize_alerts ( AI_config *conf ) * \brief Serialize a buffer of alerts to the binary history file * \param alerts_pool Buffer of alerts to be serialized * \param alerts_pool_count Number of alerts in the buffer - * \param conf Configuration of the module */ void -AI_serialize_alerts ( AI_snort_alert **alerts_pool, unsigned int alerts_pool_count, AI_config *conf ) +AI_serialize_alerts ( AI_snort_alert **alerts_pool, unsigned int alerts_pool_count ) { unsigned int i, hash_count = 0, @@ -175,7 +173,7 @@ AI_serialize_alerts ( AI_snort_alert **alerts_pool, unsigned int alerts_pool_cou if ( !alerts_hash ) { - AI_deserialize_alerts ( conf ); + AI_deserialize_alerts(); } for ( i=0; i < alerts_pool_count; i++ ) @@ -220,8 +218,8 @@ AI_serialize_alerts ( AI_snort_alert **alerts_pool, unsigned int alerts_pool_cou hash_count = HASH_COUNT ( alerts_hash ); - if ( !( fp = fopen ( conf->alert_history_file, "w" ))) - _dpd.fatalMsg ( "AIPreproc: Unable to write on '%s'\n", conf->alert_history_file ); + if ( !( fp = fopen ( config->alert_history_file, "w" ))) + _dpd.fatalMsg ( "AIPreproc: Unable to write on '%s'\n", config->alert_history_file ); fwrite ( &hash_count, sizeof ( hash_count ), 1, fp ); for ( event = alerts_hash; event; event = ( AI_alert_event* ) event->hh.next ) diff --git a/alert_parser.c b/alert_parser.c index 4872d66..8c1d0c0 100644 --- a/alert_parser.c +++ b/alert_parser.c @@ -22,21 +22,23 @@ #include #include #include -#ifndef MACOS -# include + +#ifdef LINUX +#include #endif + #include #include PRIVATE AI_snort_alert *alerts = NULL; -PRIVATE AI_snort_alert **alerts_pool = NULL; -PRIVATE AI_config *conf = NULL; PRIVATE FILE *alert_fp = NULL; -PRIVATE unsigned int alerts_pool_count = 0; PRIVATE pthread_mutex_t alert_mutex; PRIVATE pthread_mutex_t alerts_pool_mutex; +AI_snort_alert **alerts_pool = NULL; +unsigned int alerts_pool_count = 0; + /** \defgroup alert_parser Parse the alert log into binary structures * @{ */ @@ -47,8 +49,8 @@ PRIVATE pthread_mutex_t alerts_pool_mutex; * \param arg void* pointer to the alert to be added to the pool, if any */ -PRIVATE void* -_AI_serializer_thread ( void *arg ) +void* +AI_serializer_thread ( void *arg ) { unsigned int i = 0; AI_snort_alert *alert = NULL; @@ -62,10 +64,10 @@ _AI_serializer_thread ( void *arg ) pthread_mutex_unlock ( &alerts_pool_mutex ); } - if ( !arg || ( arg && alerts_pool_count >= conf->alert_bufsize )) + if ( !arg || ( arg && alerts_pool_count >= config->alert_bufsize )) { pthread_mutex_lock ( &alerts_pool_mutex ); - AI_serialize_alerts ( alerts_pool, alerts_pool_count, conf ); + AI_serialize_alerts ( alerts_pool, alerts_pool_count ); for ( i=0; i < alerts_pool_count; i++ ) { @@ -78,43 +80,36 @@ _AI_serializer_thread ( void *arg ) pthread_exit ((void*) 0); return (void*) 0; -} /* ----- end of function _AI_serializer_thread ----- */ +} /* ----- end of function AI_serializer_thread ----- */ /** * \brief Thread for managing the buffer of alerts and serialize them at constant intervals */ -PRIVATE void* -_AI_alerts_pool_thread ( void *arg ) +void* +AI_alerts_pool_thread ( void *arg ) { pthread_t serializer_thread; while ( 1 ) { - if ( !conf ) - { - pthread_exit ((void*) 0); - return (void*) 0; - } - - sleep ( conf->alertSerializationInterval ); + sleep ( config->alertSerializationInterval ); if ( !alerts_pool || alerts_pool_count == 0 ) continue; - if ( pthread_create ( &serializer_thread, NULL, _AI_serializer_thread, NULL ) != 0 ) + if ( pthread_create ( &serializer_thread, NULL, AI_serializer_thread, NULL ) != 0 ) _dpd.fatalMsg ( "Failed to create the alerts' serializer thread\n" ); } pthread_exit ((void*) 0); return (void*) 0; -} /* ----- end of function _AI_alerts_pool_thread ----- */ +} /* ----- end of function AI_alerts_pool_thread ----- */ /** * \brief Thread for parsing Snort's alert file - * \param arg void* pointer to module's configuration */ void* @@ -155,8 +150,6 @@ AI_file_alertparser_thread ( void* arg ) pthread_t alerts_pool_thread; pthread_t serializer_thread; - conf = ( AI_config* ) arg; - /* Initialize the mutex lock, so nobody can read the alerts while we write there */ pthread_mutex_init ( &alert_mutex, NULL ); @@ -164,14 +157,14 @@ AI_file_alertparser_thread ( void* arg ) pthread_mutex_init ( &alerts_pool_mutex, NULL ); /* Initialize the pool of alerts to be passed to the serialization thread */ - if ( !( alerts_pool = ( AI_snort_alert** ) malloc ( conf->alert_bufsize * sizeof ( AI_snort_alert* )))) + if ( !( alerts_pool = ( AI_snort_alert** ) malloc ( config->alert_bufsize * sizeof ( AI_snort_alert* )))) _dpd.fatalMsg ( "Dynamic memory allocation error at %s:%d\n", __FILE__, __LINE__ ); - for ( i=0; i < conf->alert_bufsize; i++ ) + for ( i=0; i < config->alert_bufsize; i++ ) alerts_pool[i] = NULL; /* Initialize the thread for managing the serialization of alerts' pool */ - if ( pthread_create ( &alerts_pool_thread, NULL, _AI_alerts_pool_thread, NULL ) != 0 ) + if ( pthread_create ( &alerts_pool_thread, NULL, AI_alerts_pool_thread, NULL ) != 0 ) _dpd.fatalMsg ( "Failed to create the alerts' pool management thread\n" ); while ( 1 ) @@ -182,9 +175,9 @@ AI_file_alertparser_thread ( void* arg ) _dpd.fatalMsg ( "Could not initialize an inotify object on the alert log file" ); } - if ( stat ( conf->alertfile, &st ) < 0 ) + if ( stat ( config->alertfile, &st ) < 0 ) { - if (( wd = inotify_add_watch ( ifd, conf->alertfile, IN_CREATE )) < 0 ) + if (( wd = inotify_add_watch ( ifd, config->alertfile, IN_CREATE )) < 0 ) { _dpd.fatalMsg ( "Could not initialize a watch descriptor on the alert log file" ); } @@ -194,14 +187,14 @@ AI_file_alertparser_thread ( void* arg ) } else { if ( !alert_fp ) { - if ( ! (alert_fp = fopen ( conf->alertfile, "r" )) ) + if ( ! (alert_fp = fopen ( config->alertfile, "r" )) ) { _dpd.fatalMsg ( "Could not open alert log file for reading" ); } } } - if (( wd = inotify_add_watch ( ifd, conf->alertfile, IN_MODIFY )) < 0 ) + if (( wd = inotify_add_watch ( ifd, config->alertfile, IN_MODIFY )) < 0 ) { _dpd.fatalMsg ( "Could not initialize a watch descriptor on the alert log file" ); } @@ -217,7 +210,7 @@ AI_file_alertparser_thread ( void* arg ) */ if ( !alert_fp ) { - if ( ! (alert_fp = fopen ( conf->alertfile, "r" )) ) + if ( ! (alert_fp = fopen ( config->alertfile, "r" )) ) { _dpd.fatalMsg ( "Could not open alert log file for reading" ); } @@ -291,7 +284,7 @@ AI_file_alertparser_thread ( void* arg ) tmp->next = alert; } - if ( pthread_create ( &serializer_thread, NULL, _AI_serializer_thread, alert ) != 0 ) + if ( pthread_create ( &serializer_thread, NULL, AI_serializer_thread, alert ) != 0 ) _dpd.fatalMsg ( "Failed to create the alerts' serializer thread\n" ); in_alert = false; @@ -452,7 +445,6 @@ AI_file_alertparser_thread ( void* arg ) } pthread_mutex_unlock ( &alert_mutex ); - /* AI_alert_serialize ( alert, conf ); */ } free ( alerts_pool ); diff --git a/cluster.c b/cluster.c index 2f094ed..7a4ef6b 100644 --- a/cluster.c +++ b/cluster.c @@ -51,7 +51,6 @@ typedef struct { PRIVATE hierarchy_node *h_root[CLUSTER_TYPES] = { NULL }; -PRIVATE AI_config *_config = NULL; PRIVATE AI_snort_alert *alert_log = NULL; PRIVATE pthread_mutex_t mutex; @@ -450,7 +449,7 @@ _AI_cluster_thread ( void* arg ) while ( 1 ) { /* Between an execution of the thread and the next one, sleep for alert_clustering_interval seconds */ - sleep ( _config->alertClusteringInterval ); + sleep ( config->alertClusteringInterval ); /* Set the lock over the alert log until it's done with the clustering operation */ pthread_mutex_lock ( &mutex ); @@ -565,7 +564,7 @@ _AI_cluster_thread ( void* arg ) pthread_mutex_unlock ( &mutex ); - if ( !( cluster_fp = fopen ( _config->clusterfile, "w" )) ) + if ( !( cluster_fp = fopen ( config->clusterfile, "w" )) ) { pthread_exit ((void*) 0 ); return (void*) 0; @@ -610,20 +609,18 @@ _AI_check_duplicate ( hierarchy_node *node, hierarchy_node *root ) /** * \brief Build the clustering hierarchy trees - * \param conf Reference to the configuration of the module * \param nodes Nodes containing the information about the clustering ranges * \param n_nodes Number of nodes */ void -AI_hierarchies_build ( AI_config *conf, hierarchy_node **nodes, int n_nodes ) +AI_hierarchies_build ( hierarchy_node **nodes, int n_nodes ) { int i, j; int min_range = 0; pthread_t cluster_thread; hierarchy_node *root = NULL; hierarchy_node *cover = NULL; - _config = conf; for ( i=0; i < n_nodes; i++ ) { diff --git a/correlation.c b/correlation.c index bc784ea..839828e 100644 --- a/correlation.c +++ b/correlation.c @@ -67,7 +67,6 @@ typedef struct { } AI_alert_correlation; PRIVATE AI_hyperalert_info *hyperalerts = NULL; -PRIVATE AI_config *conf = NULL; PRIVATE AI_snort_alert *alerts = NULL; PRIVATE AI_alert_correlation *correlation_table = NULL; PRIVATE pthread_mutex_t mutex; @@ -566,7 +565,7 @@ _AI_hyperalert_from_XML ( AI_hyperalert_key key ) hyp->key = key; snprintf ( hyperalert_file, sizeof ( hyperalert_file ), "%s/%d-%d-%d.xml", - conf->corr_rules_dir, key.gid, key.sid, key.rev ); + config->corr_rules_dir, key.gid, key.sid, key.rev ); if ( stat ( hyperalert_file, &st ) < 0 ) return NULL; @@ -679,7 +678,6 @@ _AI_hyperalert_from_XML ( AI_hyperalert_key key ) /** * \brief Thread for correlating clustered alerts - * \param arg Void pointer to module's configuration */ void* @@ -712,17 +710,16 @@ AI_alert_correlation_thread ( void *arg ) graph_t *g = NULL; #endif - conf = (AI_config*) arg; pthread_mutex_init ( &mutex, NULL ); while ( 1 ) { - sleep ( conf->correlationGraphInterval ); + sleep ( config->correlationGraphInterval ); - if ( stat ( conf->corr_rules_dir, &st ) < 0 ) + if ( stat ( config->corr_rules_dir, &st ) < 0 ) { _dpd.errMsg ( "AIPreproc: Correlation rules directory '%s' not found, the correlation thread won't be active\n", - conf->corr_rules_dir ); + config->corr_rules_dir ); pthread_exit (( void* ) 0 ); return ( void* ) 0; } @@ -829,18 +826,18 @@ AI_alert_correlation_thread ( void *arg ) } std_deviation = sqrt ( std_deviation / (double) HASH_COUNT ( correlation_table )); - corr_threshold = avg_correlation + ( conf->correlationThresholdCoefficient * std_deviation ); - corr_strong_threshold = avg_correlation + ( 2.0 * conf->correlationThresholdCoefficient * std_deviation ); - snprintf ( corr_dot_file, sizeof ( corr_dot_file ), "%s/correlated_alerts.dot", conf->corr_alerts_dir ); + corr_threshold = avg_correlation + ( config->correlationThresholdCoefficient * std_deviation ); + corr_strong_threshold = avg_correlation + ( 2.0 * config->correlationThresholdCoefficient * std_deviation ); + snprintf ( corr_dot_file, sizeof ( corr_dot_file ), "%s/correlated_alerts.dot", config->corr_alerts_dir ); - if ( stat ( conf->corr_alerts_dir, &st ) < 0 ) + if ( stat ( config->corr_alerts_dir, &st ) < 0 ) { - if ( mkdir ( conf->corr_alerts_dir, 0755 ) < 0 ) + if ( mkdir ( config->corr_alerts_dir, 0755 ) < 0 ) { - _dpd.fatalMsg ( "AIPreproc: Unable to create directory '%s'\n", conf->corr_alerts_dir ); + _dpd.fatalMsg ( "AIPreproc: Unable to create directory '%s'\n", config->corr_alerts_dir ); } } else if ( !S_ISDIR ( st.st_mode )) { - _dpd.fatalMsg ( "AIPreproc: '%s' found but it's not a directory\n", conf->corr_alerts_dir ); + _dpd.fatalMsg ( "AIPreproc: '%s' found but it's not a directory\n", config->corr_alerts_dir ); } if ( !( fp = fopen ( corr_dot_file, "w" ))) @@ -873,8 +870,8 @@ AI_alert_correlation_thread ( void *arg ) fclose ( fp ); #ifdef HAVE_LIBGVC - snprintf ( corr_png_file, sizeof ( corr_png_file ), "%s/correlated_alerts.png", conf->corr_alerts_dir ); - snprintf ( corr_ps_file , sizeof ( corr_ps_file ), "%s/correlated_alerts.ps" , conf->corr_alerts_dir ); + snprintf ( corr_png_file, sizeof ( corr_png_file ), "%s/correlated_alerts.png", config->corr_alerts_dir ); + snprintf ( corr_ps_file , sizeof ( corr_ps_file ), "%s/correlated_alerts.ps" , config->corr_alerts_dir ); if ( !( gvc = gvContext() )) continue; diff --git a/db.c b/db.c index 8868305..102dfac 100644 --- a/db.c +++ b/db.c @@ -30,22 +30,23 @@ * @{ */ -PRIVATE AI_config *config; PRIVATE AI_snort_alert *alerts = NULL; PRIVATE pthread_mutex_t mutex; /** * \brief Thread for parsing alerts from a database - * \param arg void* pointer to the module configuration */ void* AI_db_alertparser_thread ( void *arg ) { - char query[1024]; + unsigned int i = 0; + char query[1024] = { 0 }; int rows = 0; int latest_cid = 0; time_t latest_time = time ( NULL ); + pthread_t alerts_pool_thread; + pthread_t serializer_thread; DB_result res, res2; DB_row row, row2; @@ -55,21 +56,25 @@ AI_db_alertparser_thread ( void *arg ) AI_snort_alert *alert = NULL; AI_snort_alert *tmp = NULL; - if ( !arg ) - { - pthread_exit ((void*) 0 ); - return (void*) 0; - } - - config = ( AI_config* ) arg; pthread_mutex_init ( &mutex, NULL ); - if ( !DB_init ( config )) + if ( !DB_init() ) { _dpd.fatalMsg ( "AIPreproc: Unable to connect to the database '%s' @ '%s'\n", config->dbname, config->dbhost ); } + /* Initialize the pool of alerts to be passed to the serialization thread */ + if ( !( alerts_pool = ( AI_snort_alert** ) malloc ( config->alert_bufsize * sizeof ( AI_snort_alert* )))) + _dpd.fatalMsg ( "Dynamic memory allocation error at %s:%d\n", __FILE__, __LINE__ ); + + for ( i=0; i < config->alert_bufsize; i++ ) + alerts_pool[i] = NULL; + + /* Initialize the thread for managing the serialization of alerts' pool */ + if ( pthread_create ( &alerts_pool_thread, NULL, AI_alerts_pool_thread, NULL ) != 0 ) + _dpd.fatalMsg ( "Failed to create the alerts' pool management thread\n" ); + while ( 1 ) { sleep ( config->databaseParsingInterval ); @@ -220,6 +225,9 @@ AI_db_alertparser_thread ( void *arg ) pthread_mutex_unlock ( &mutex ); DB_free_result ( res ); latest_time = time ( NULL ); + + if ( pthread_create ( &serializer_thread, NULL, AI_serializer_thread, alert ) != 0 ) + _dpd.fatalMsg ( "Failed to create the alerts' serializer thread\n" ); } DB_close(); @@ -276,5 +284,5 @@ AI_db_get_alerts () /** @} */ -#endif +#endif /* HAVE_DB */ diff --git a/db.h b/db.h index d9ccd9a..26b83f7 100644 --- a/db.h +++ b/db.h @@ -62,7 +62,7 @@ DB_result DB_query ( const char* ); #endif - void* DB_init ( AI_config* ); + void* DB_init(); void DB_close(); #endif diff --git a/mysql.c b/mysql.c index 0ff1e60..59609ca 100644 --- a/mysql.c +++ b/mysql.c @@ -28,7 +28,7 @@ PRIVATE MYSQL *db = NULL; void* -mysql_do_init ( AI_config *config ) +mysql_do_init () { if ( !( db = (MYSQL*) malloc ( sizeof ( MYSQL )))) return NULL; diff --git a/postgresql.c b/postgresql.c index eee9964..089c03c 100644 --- a/postgresql.c +++ b/postgresql.c @@ -30,7 +30,7 @@ PRIVATE PGconn *db = NULL; void* -postgresql_do_init ( AI_config *config ) +postgresql_do_init () { char *conninfo = NULL; int conninfo_max_length = diff --git a/spp_ai.c b/spp_ai.c index 7ba4736..7bc2754 100644 --- a/spp_ai.c +++ b/spp_ai.c @@ -28,6 +28,7 @@ * @{ */ AI_snort_alert* (*get_alerts)(void); +AI_config *config = NULL; tSfPolicyUserContextId ex_config = NULL; static void* (*alertparser_thread)(void*) = NULL; @@ -71,8 +72,6 @@ void AI_setup(void) static void AI_init(char *args) { - AI_config *config; - pthread_t cleanup_thread, logparse_thread, correlation_thread; @@ -183,8 +182,6 @@ static AI_config * AI_parse(char *args) has_database_log = false, has_alert_history_file = false; - AI_config *config = NULL; - if ( !( config = ( AI_config* ) malloc ( sizeof( AI_config )) )) _dpd.fatalMsg("Could not allocate configuration struct.\n"); memset ( config, 0, sizeof ( AI_config )); @@ -863,7 +860,7 @@ static AI_config * AI_parse(char *args) config->alertClusteringInterval = DEFAULT_ALERT_CLUSTERING_INTERVAL; } - AI_hierarchies_build ( config, hierarchy_nodes, n_hierarchy_nodes ); + AI_hierarchies_build ( hierarchy_nodes, n_hierarchy_nodes ); } if ( ! has_corr_rules_dir ) @@ -923,12 +920,12 @@ static AI_config * AI_parse(char *args) void AI_process(void *pkt, void *context) { SFSnortPacket *p = (SFSnortPacket *) pkt; - AI_config *config; + AI_config *_config; sfPolicyUserPolicySet(ex_config, _dpd.getRuntimePolicy()); - config = (AI_config * ) sfPolicyUserDataGetCurrent (ex_config); + _config = (AI_config * ) sfPolicyUserDataGetCurrent (ex_config); - if (config == NULL) + if (_config == NULL) return; if (!p->ip4_header || p->ip4_header->proto != IPPROTO_TCP || !p->tcp_header) @@ -943,7 +940,7 @@ void AI_process(void *pkt, void *context) #ifdef SNORT_RELOAD static void AI_reload(char *args) { - AI_config *config; + /* AI_config *config; */ tSfPolicyId policy_id = _dpd.getParserPolicy(); _dpd.logMsg("AI dynamic preprocessor configuration\n"); diff --git a/spp_ai.h b/spp_ai.h index d8312c2..0e0d149 100644 --- a/spp_ai.h +++ b/spp_ai.h @@ -316,18 +316,29 @@ void* AI_db_alertparser_thread ( void* ); void AI_pkt_enqueue ( SFSnortPacket* ); void AI_set_stream_observed ( struct pkt_key key ); -void AI_hierarchies_build ( AI_config*, hierarchy_node**, int ); +void AI_hierarchies_build ( hierarchy_node**, int ); void AI_free_alerts ( AI_snort_alert *node ); struct pkt_info* AI_get_stream_by_key ( struct pkt_key ); AI_snort_alert* AI_get_alerts ( void ); AI_snort_alert* AI_get_clustered_alerts ( void ); -void AI_serialize_alerts ( AI_snort_alert**, unsigned int, AI_config* ); -void* AI_deserialize_alerts ( AI_config* ); +void AI_serialize_alerts ( AI_snort_alert**, unsigned int ); +void* AI_deserialize_alerts (); +void* AI_alerts_pool_thread ( void *arg ); +void* AI_serializer_thread ( void *arg ); /** Function pointer to the function used for getting the alert list (from log file, db, ...) */ extern AI_snort_alert* (*get_alerts)(void); +/** Buffer containing the alerts to be serialized on the binary history file */ +extern AI_snort_alert **alerts_pool; + +/** Number of alerts contained in the buffer to be serialized */ +extern unsigned int alerts_pool_count; + +/** Configuration of the module */ +extern AI_config *config; + #endif /* _SPP_AI_H */ diff --git a/stream.c b/stream.c index a711a06..06247ac 100644 --- a/stream.c +++ b/stream.c @@ -92,7 +92,6 @@ _AI_stream_free ( struct pkt_info* stream ) /** * \brief Thread called for cleaning up the hash table from the traffic streams older than * a certain threshold - * \param arg Pointer to the AI_config struct */ void* @@ -100,11 +99,10 @@ AI_hashcleanup_thread ( void* arg ) { struct pkt_info *h, *stream; time_t max_timestamp; - AI_config* conf = (AI_config*) arg; while ( 1 ) { /* Sleep for the specified number of seconds */ - sleep ( conf->hashCleanupInterval ); + sleep ( config->hashCleanupInterval ); /* If the hash is empty, come back to sleep */ if ( !hash || !HASH_COUNT(hash) ) @@ -122,7 +120,7 @@ AI_hashcleanup_thread ( void* arg ) } /* If the most recent packet in the stream is older than the specified threshold, remove that stream */ - if ( time(NULL) - max_timestamp > conf->streamExpireInterval ) { + if ( time(NULL) - max_timestamp > config->streamExpireInterval ) { stream = h; if ( stream )