mirror of
https://github.com/BlackLight/Snort_AIPreproc.git
synced 2024-11-24 04:35:11 +01:00
Updated documentation
This commit is contained in:
parent
684f387a6e
commit
4792e5bf4e
2 changed files with 13 additions and 2 deletions
13
README
13
README
|
@ -149,6 +149,8 @@ preprocessor ai: \
|
|||
tcp_stream_expire_interval 300 \
|
||||
alertfile "/your/snort/dir/log/alert" \
|
||||
alert_history_file "/your/snort/dir/log/alert_history" \
|
||||
alert_serialization_interval 3600 \
|
||||
alert_bufsize 30 \
|
||||
alert_clustering_interval 300 \
|
||||
correlation_graph_interval 300 \
|
||||
correlation_rules_dir "/your/snort/dir/etc/corr_rules" \
|
||||
|
@ -183,6 +185,17 @@ and not to a database (default if not specified: /var/log/snort/alert)
|
|||
of all the alerts received by the IDS, so that the module can build some
|
||||
statistical correlation inferences over the past
|
||||
|
||||
- alert_serialization_interval: The interval that should occur from a
|
||||
serialization of a buffer of alerts on the history file and the next one
|
||||
(default if not specified: 1 hour, as it is a quite expensive operation in terms
|
||||
of resources if the system received many alerts)
|
||||
|
||||
- alert_bufsize: Size of the buffer containing the alerts to be sent, in group,
|
||||
to the serializer thread. The buffer is sent when full and made empty even
|
||||
when the alert_serialization_interval parameter is not expired yet, for
|
||||
avoiding overflows, other memory problems or deadlocks (default value if
|
||||
not specified: 30)
|
||||
|
||||
- alert_clustering_interval: The interval that should occur from the clustering
|
||||
of the alerts in the log according to the provided clustering hierarchies and
|
||||
the next one (default if not specified: 300 seconds)
|
||||
|
|
|
@ -65,7 +65,6 @@ _AI_serializer_thread ( void *arg )
|
|||
if ( !arg || ( arg && alerts_pool_count >= conf->alert_bufsize ))
|
||||
{
|
||||
pthread_mutex_lock ( &alerts_pool_mutex );
|
||||
_dpd.logMsg ( "**** LOCKED ****\n" );
|
||||
AI_serialize_alerts ( alerts_pool, alerts_pool_count, conf );
|
||||
|
||||
for ( i=0; i < alerts_pool_count; i++ )
|
||||
|
@ -75,7 +74,6 @@ _AI_serializer_thread ( void *arg )
|
|||
|
||||
alerts_pool_count = 0;
|
||||
pthread_mutex_unlock ( &alerts_pool_mutex );
|
||||
_dpd.logMsg ( "**** UNLOCKED ****\n\n" );
|
||||
}
|
||||
|
||||
pthread_exit ((void*) 0);
|
||||
|
|
Loading…
Reference in a new issue