Updated documentation

2010-09-21 17:01:36 +02:00 · 2010-09-21 17:01:36 +02:00 · 4792e5bf4e
parent 684f387a6e
commit 4792e5bf4e
2 changed files with 13 additions and 2 deletions
--- a/13
+++ b/13
@ -149,6 +149,8 @@ preprocessor ai: \
 	tcp_stream_expire_interval 300 \
 	alertfile "/your/snort/dir/log/alert" \
 	alert_history_file "/your/snort/dir/log/alert_history" \
+	alert_serialization_interval 3600 \
+	alert_bufsize 30 \
 	alert_clustering_interval 300 \
 	correlation_graph_interval 300 \
 	correlation_rules_dir "/your/snort/dir/etc/corr_rules" \
@ -183,6 +185,17 @@ and   not  to  a  database  (default  if  not  specified:  /var/log/snort/alert)
 of   all  the  alerts  received  by  the  IDS, so that the module can build some
 statistical        correlation        inferences       over       the       past

+- alert_serialization_interval:   The   interval   that   should  occur  from  a
+serialization  of  a  buffer  of  alerts  on  the  history file and the next one
+(default if not specified: 1 hour, as it is a quite expensive operation in terms
+of       resources      if      the     system     received     many     alerts)
+
+- alert_bufsize:  Size of the buffer containing the alerts to be sent, in group,
+to   the  serializer  thread.  The  buffer is sent when full and made empty even
+when   the  alert_serialization_interval  parameter  is  not  expired  yet,  for
+avoiding   overflows,  other  memory  problems  or  deadlocks  (default value if
+not                                 specified:                               30)
+
 - alert_clustering_interval:  The interval that should occur from the clustering
 of  the  alerts  in the log according to the provided clustering hierarchies and
 the     next     one     (default     if    not    specified:    300    seconds)
--- a/alert_parser.c
+++ b/alert_parser.c
@ -65,7 +65,6 @@ _AI_serializer_thread ( void *arg )
 	if ( !arg || ( arg && alerts_pool_count >= conf->alert_bufsize ))
 	{
 		pthread_mutex_lock ( &alerts_pool_mutex );
-		_dpd.logMsg ( "**** LOCKED ****\n" );
 		AI_serialize_alerts ( alerts_pool, alerts_pool_count, conf );

 		for ( i=0; i < alerts_pool_count; i++ )
@ -75,7 +74,6 @@ _AI_serializer_thread ( void *arg )

 		alerts_pool_count = 0;
 		pthread_mutex_unlock ( &alerts_pool_mutex );
-		_dpd.logMsg ( "**** UNLOCKED ****\n\n" );
 	}

 	pthread_exit ((void*) 0);