From 4792e5bf4eb63053f76407e16ff5e00b0fbe4c01 Mon Sep 17 00:00:00 2001
From: BlackLight
Date: Tue, 21 Sep 2010 17:01:36 +0200
Subject: [PATCH] Updated documentation

---
 README         | 13 +++++++++++++
 alert_parser.c |  2 --
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/README b/README
index be801e5..40fed34 100644
--- a/README
+++ b/README
@@ -149,6 +149,8 @@ preprocessor ai: \
 	tcp_stream_expire_interval 300 \
 	alertfile "/your/snort/dir/log/alert" \
 	alert_history_file "/your/snort/dir/log/alert_history" \
+	alert_serialization_interval 3600 \
+	alert_bufsize 30 \
 	alert_clustering_interval 300 \
 	correlation_graph_interval 300 \
 	correlation_rules_dir "/your/snort/dir/etc/corr_rules" \
@@ -183,6 +185,17 @@ and not to a database (default if not specified: /var/log/snort/alert)
 of all the alerts received by the IDS, so that the module can build some
 statistical correlation inferences over the past
 
+- alert_serialization_interval: The interval that should occur from a
+serialization of a buffer of alerts on the history file and the next one
+(default if not specified: 1 hour, as it is a quite expensive operation in terms
+of resources if the system received many alerts)
+
+- alert_bufsize: Size of the buffer containing the alerts to be sent, in group,
+to the serializer thread. The buffer is sent when full and made empty even
+when the alert_serialization_interval parameter is not expired yet, for
+avoiding overflows, other memory problems or deadlocks (default value if
+not specified: 30)
+
 - alert_clustering_interval: The interval that should occur from the clustering
 of the alerts in the log according to the provided clustering hierarchies and
 the next one (default if not specified: 300 seconds)
diff --git a/alert_parser.c b/alert_parser.c
index 19f2913..4872d66 100644
--- a/alert_parser.c
+++ b/alert_parser.c
@@ -65,7 +65,6 @@ _AI_serializer_thread ( void *arg )
 	if ( !arg || ( arg && alerts_pool_count >= conf->alert_bufsize ))
 	{
 		pthread_mutex_lock ( &alerts_pool_mutex );
-		_dpd.logMsg ( "**** LOCKED ****\n" );
 		AI_serialize_alerts ( alerts_pool, alerts_pool_count, conf );
 
 		for ( i=0; i < alerts_pool_count; i++ )
@@ -75,7 +74,6 @@ _AI_serializer_thread ( void *arg )
 
 		alerts_pool_count = 0;
 		pthread_mutex_unlock ( &alerts_pool_mutex );
-		_dpd.logMsg ( "**** UNLOCKED ****\n\n" );
 	}
 
 	pthread_exit ((void*) 0);