mirror of
https://github.com/BlackLight/Snort_AIPreproc.git
synced 2024-11-23 20:25:12 +01:00
Updating the documentation
parent 544daa31cc
commit 3a61a4e91a
3 changed files with 38 additions and 6 deletions
21 INSTALL
@ -0,0 +1,21 @@
The installation procedure is the usual one:
$ ./configure
$ make
$ make install
If you did not install Snort in /usr directory you may need to use the --prefix
option with configure for selecting the directory where you installed Snort (for
example ./configure --prefix=$HOME/local/snort). If the prefix was
specified correctly, and it actually points to the location where Snort was
installed, the module binaries should be placed in
$SNORT_DIR/lib/snort_dynamicpreprocessor after the installation, and
automatically loaded by Snort at the next start. Moreover, a new directory
named corr_rules will be created, in /etc/snort if the prefix was /usr or in
$SNORT_DIR/etc otherwise, containing XML files describing default correlation
rules provided by the developer. This set can be enriched in any moment with new
XML files, provided by third parts or created by the user itself, describing
more hyperalerts.
For more details, see the README file.
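Review bot: the statement that the module is "automatically loaded by Snort at the next start" only holds when the `dynamicpreprocessor directory` directive in snort.conf points at the same `lib/snort_dynamicpreprocessor` path the module is installed into; the INSTALL text should say so explicitly, and should define `$SNORT_DIR` before using it. Two wording fixes in the same hunk: "third parts" should be "third parties" and "in any moment" should be "at any time". Because the XML files in corr_rules decide which alerts get correlated, and the text invites importing files from third parties, it is also worth telling administrators to keep that directory writable only by the account that maintains the rules and to review imported rule files before dropping them in.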
19 README
@ -125,10 +125,15 @@ install libpq-dev.
clusters, correlations and packet streams information on a DBMS, making the
clusters, correlations and packet streams information on a DBMS, making the
analysis easier.
analysis easier.
- Perl (OPTIONAL), used for the CGI script in the web interface that saves a
- Perl (RECOMMANDED), used for the CGI script in the web interface that
packet stream associated to an alert in .pcap format, to be analyzed by tools
saves a packet stream associated to an alert in .pcap format, to be analyzed
like tcpdump and Wireshark.
by tools like tcpdump and Wireshark.
- XML::Simple Perl module (RECOMMANDED), used by 'correlate.cgi' CGI script for
reading and writing manual (un)correlations XML files. A quick way for
installing it on a Unix system is by using CPAN:
# cpan XML::Simple
=====================
=====================
3.2 Configure options
|
3.2 Configure options
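Review bot: "RECOMMANDED" in the changed Perl line and in the new XML::Simple line should be "RECOMMENDED". The new paragraph says `correlate.cgi` both reads and writes the manual (un)correlation XML files, so the script modifies files on the sensor host in response to web requests; the README should name the directory those files live in, which user the web server needs write access as, and that the web interface must only be reachable by trusted users, since those files change how later alerts are correlated.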
@ -453,6 +458,14 @@ your documents and files inside. You can moreover place some CGI scripts or
applications made in the language you prefer, as long as they are files
|
applications made in the language you prefer, as long as they are files
executable by any users and they have the extension ".cgi".
|
executable by any users and they have the extension ".cgi".
A powerful featured offered by the web interface is the one that allows the user
to manually "mark" two alerts as correlated, if the system didn't do that, or as
not correlated, if the system made a mistake correlating two uncorrelated
alerts. These decisions are made simply by clicking the right button on the web
page and clicking the two alerts to mark as correlated or uncorrelated. After
that, all the alerts of those types will be marted as correlated, or
uncorrelated.
===========================
===========================
8. Additional documentation
|
8. Additional documentation
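Review bot: two typos in the new paragraph: "A powerful featured offered" should be "A powerful feature offered", and "marted" should be "marked". "clicking the right button" is ambiguous (the right mouse button, or the appropriate button on the page); say which. The last sentence should also state whether a manual decision persists across Snort restarts and applies to every later pair of alerts of those two types, not only the two that were clicked; the requirements hunk says the decisions are written to XML files, which suggests it does, but the reader should not have to infer it.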
4 TODO
@ -2,8 +2,6 @@
AVERAGE/HIGH PRIORITY:
|
AVERAGE/HIGH PRIORITY:
======================
|
======================
- XML::Simple dependancy
- Manual alert correlation from the web interface
- Bayesian network
|
- Bayesian network
- Modules for correlation coefficients
|
- Modules for correlation coefficients
- Code profiling
|
- Code profiling
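Review bot: the removed "Manual alert correlation from the web interface" item reappears under DONE in the last hunk of this file, which is consistent, but "XML::Simple dependancy" is dropped with no matching DONE entry, and the README in this same commit still lists XML::Simple as a recommended dependency; either add a DONE entry saying what was resolved or keep the item in the list so the open question is not lost.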
@ -17,7 +15,6 @@ LOW PRIORITY:
- Managing clusters for addresses, timestamps (and more?)
|
- Managing clusters for addresses, timestamps (and more?)
- Splitting the distinct subgraphs of the output graph
|
- Splitting the distinct subgraphs of the output graph
- libgc support
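Review bot: "libgc support" is removed from LOW PRIORITY without a DONE counterpart; if garbage-collector support was dropped as a goal rather than implemented, the commit message should say so, because the other removals in this file are otherwise read as completed work.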
=====
|
=====
DONE:
|
DONE:
@ -38,4 +35,5 @@ DONE:
+ Web interface
|
+ Web interface
+ Function names (private functions with _ or __ ?)
|
+ Function names (private functions with _ or __ ?)
+ Saving packet flows as .pcap
|
+ Saving packet flows as .pcap
+ Manual alert correlation from the web interface