blacklight/Snort_AIPreproc
1
0
Fork 0
mirror of https://github.com/BlackLight/Snort_AIPreproc.git synced 2024-11-27 22:25:12 +01:00
Code Issues Projects Releases Packages Wiki Activity

Updated documentation

Browse source
This commit is contained in:
BlackLight 2010-09-21 17:01:36 +02:00
parent 684f387a6e
commit 4792e5bf4e
2 changed files with 13 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
README
View file

@ -149,6 +149,8 @@ preprocessor ai: \
tcp_stream_expire_interval 300 \ tcp_stream_expire_interval 300 \
alertfile "/your/snort/dir/log/alert" \ alertfile "/your/snort/dir/log/alert" \
alert_history_file "/your/snort/dir/log/alert_history" \ alert_history_file "/your/snort/dir/log/alert_history" \
alert_serialization_interval 3600 \
alert_bufsize 30 \
alert_clustering_interval 300 \ alert_clustering_interval 300 \
correlation_graph_interval 300 \ correlation_graph_interval 300 \
correlation_rules_dir "/your/snort/dir/etc/corr_rules" \ correlation_rules_dir "/your/snort/dir/etc/corr_rules" \
@ -183,6 +185,17 @@ and not to a database (default if not specified: /var/log/snort/alert)
of all the alerts received by the IDS, so that the module can build some of all the alerts received by the IDS, so that the module can build some
statistical correlation inferences over the past statistical correlation inferences over the past
- alert_serialization_interval: The interval that should occur from a
serialization of a buffer of alerts on the history file and the next one
(default if not specified: 1 hour, as it is a quite expensive operation in terms
of resources if the system received many alerts)
- alert_bufsize: Size of the buffer containing the alerts to be sent, in group,
to the serializer thread. The buffer is sent when full and made empty even
when the alert_serialization_interval parameter is not expired yet, for
avoiding overflows, other memory problems or deadlocks (default value if
not specified: 30)
- alert_clustering_interval: The interval that should occur from the clustering - alert_clustering_interval: The interval that should occur from the clustering
of the alerts in the log according to the provided clustering hierarchies and of the alerts in the log according to the provided clustering hierarchies and
the next one (default if not specified: 300 seconds) the next one (default if not specified: 300 seconds)

2
alert_parser.c
View file

@ -65,7 +65,6 @@ _AI_serializer_thread ( void *arg )
if ( !arg || ( arg && alerts_pool_count >= conf->alert_bufsize )) if ( !arg || ( arg && alerts_pool_count >= conf->alert_bufsize ))
{ {
pthread_mutex_lock ( &alerts_pool_mutex ); pthread_mutex_lock ( &alerts_pool_mutex );
_dpd.logMsg ( "**** LOCKED ****\n" );
AI_serialize_alerts ( alerts_pool, alerts_pool_count, conf ); AI_serialize_alerts ( alerts_pool, alerts_pool_count, conf );
for ( i=0; i < alerts_pool_count; i++ ) for ( i=0; i < alerts_pool_count; i++ )
@ -75,7 +74,6 @@ _AI_serializer_thread ( void *arg )
alerts_pool_count = 0; alerts_pool_count = 0;
pthread_mutex_unlock ( &alerts_pool_mutex ); pthread_mutex_unlock ( &alerts_pool_mutex );
_dpd.logMsg ( "**** UNLOCKED ****\n\n" );
} }
pthread_exit ((void*) 0); pthread_exit ((void*) 0);