From 3a61a4e91a36328d0a57bbf8671ed7a531cf85e9 Mon Sep 17 00:00:00 2001 From: BlackLight Date: Thu, 14 Oct 2010 02:53:17 +0200 Subject: [PATCH] Updating the documentation --- INSTALL | 21 +++++++++++++++++++++ README | 19 ++++++++++++++++--- TODO | 4 +--- 3 files changed, 38 insertions(+), 6 deletions(-) diff --git a/INSTALL b/INSTALL index e69de29..f06de91 100644 --- a/INSTALL +++ b/INSTALL @@ -0,0 +1,21 @@ +The installation procedure is the usual one: + +$ ./configure +$ make +$ make install + +If you did not install Snort in /usr directory you may need to use the --prefix +option with configure for selecting the directory where you installed Snort (for + example ./configure --prefix=$HOME/local/snort). If the prefix was +specified correctly, and it actually points to the location where Snort was +installed, the module binaries should be placed in +$SNORT_DIR/lib/snort_dynamicpreprocessor after the installation, and +automatically loaded by Snort at the next start. Moreover, a new directory +named corr_rules will be created, in /etc/snort if the prefix was /usr or in +$SNORT_DIR/etc otherwise, containing XML files describing default correlation +rules provided by the developer. This set can be enriched in any moment with new +XML files, provided by third parts or created by the user itself, describing +more hyperalerts. + +For more details, see the README file. + diff --git a/README b/README index 6a541f3..22e5337 100644 --- a/README +++ b/README 
@@ -125,10 +125,15 @@ install libpq-dev. clusters, correlations and packet streams information on a DBMS, making the analysis easier. -- Perl (OPTIONAL), used for the CGI script in the web interface that saves a -packet stream associated to an alert in .pcap format, to be analyzed by tools -like tcpdump and Wireshark. +- Perl (RECOMMANDED), used for the CGI script in the web interface that +saves a packet stream associated to an alert in .pcap format, to be analyzed +by tools like tcpdump and Wireshark. +- XML::Simple Perl module (RECOMMANDED), used by 'correlate.cgi' CGI script for +reading and writing manual (un)correlations XML files. A quick way for +installing it on a Unix system is by using CPAN: + +# cpan XML::Simple ===================== 3.2 Configure options @@ -453,6 +458,14 @@ your documents and files inside. You can moreover place some CGI scripts or applications made in the language you prefer, as long as they are files executable by any users and they have the extension ".cgi". +A powerful featured offered by the web interface is the one that allows the user +to manually "mark" two alerts as correlated, if the system didn't do that, or as +not correlated, if the system made a mistake correlating two uncorrelated +alerts. These decisions are made simply by clicking the right button on the web +page and clicking the two alerts to mark as correlated or uncorrelated. After +that, all the alerts of those types will be marted as correlated, or +uncorrelated. + =========================== 8. Additional documentation diff --git a/TODO b/TODO index 61bd719..7cac8e9 100644 --- a/TODO +++ b/TODO @@ -2,8 +2,6 @@ AVERAGE/HIGH PRIORITY: ====================== -- XML::Simple dependancy -- Manual alert correlation from the web interface - Bayesian network - Modules for correlation coefficients - Code profiling 
@@ -17,7 +15,6 @@ LOW PRIORITY: - Managing clusters for addresses, timestamps (and more?) - Splitting the distinct subgraphs of the output graph -- libgc support ===== DONE: @@ -38,4 +35,5 @@ DONE: + Web interface + Function names (private functions with _ or __ ?) + Saving packet flows as .pcap ++ Manual alert correlation from the web interface
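Review bot: in the INSTALL hunk, "automatically loaded by Snort at the next start" overstates what placing the module in $SNORT_DIR/lib/snort_dynamicpreprocessor achieves; Snort only picks up preprocessors from that directory if snort.conf carries a `dynamicpreprocessor directory` line pointing at it, so the text should tell the reader to verify that directive (and, since installing into /usr or /etc/snort normally needs root, the `$ make install` prompt sits oddly next to the later `# cpan` line in the README). Wording: "third parts" should be "third parties", "in any moment" should be "at any time", and "created by the user itself" should be "created by the user".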
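Review bot: in the first README hunk (@@ -125,10 +125,15 @@), "RECOMMANDED" is misspelled twice (RECOMMENDED), and the hunk promotes Perl from OPTIONAL to RECOMMENDED while introducing XML::Simple as the module 'correlate.cgi' needs to read and write the manual (un)correlation files, without saying what happens when either is missing; the README should state whether correlate.cgi is simply unavailable in that case or fails on use. Minor: "A quick way for installing it" reads better as "A quick way to install it".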
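Review bot: the second README hunk (@@ -453,6 +458,14 @@) documents the manual (un)correlation clicks but not their persistence side; since the dependency hunk says correlate.cgi writes the (un)correlation XML files, this paragraph should name where those files are kept, that the web server's user needs write access to them, and who is expected to reach this page, because one click records a decision that changes how all later alerts of those types are correlated. "Clicking the right button" is ambiguous (right mouse button, or the appropriate button?), and "all the alerts of those types" should say what a "type" is keyed on. Typos: "A powerful featured offered" should be "feature", and "marted" should be "marked".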
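Review bot: in the first TODO hunk (@@ -2,8 +2,6 @@), removing "- XML::Simple dependancy" from AVERAGE/HIGH PRIORITY has no matching DONE entry (only the manual-correlation item gets one in the last hunk), so it is unclear whether the item meant adding the dependency, which the README hunk now does, or getting rid of it; either add a DONE line for it or keep the item.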
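Review bot: in the second TODO hunk (@@ -17,7 +15,6 @@), "- libgc support" is dropped from LOW PRIORITY with neither a DONE entry nor a mention in the commit message, which only says "Updating the documentation"; if libgc support is no longer a goal, record that in the message or in the DONE list so the deletion is not mistaken for an accident.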