Fixing a 'Too many files open' error in fsom

2024-11-23 20:25:12 +01:00 · 2010-11-21 17:43:08 +01:00 · 2010-11-21 17:43:08 +01:00 · 4962097aa9
commit 4962097aa9
parent fec0bbea96
7 changed files with 39 additions and 6 deletions
--- a/Makefile.am
+++ b/Makefile.am
@ -68,6 +68,7 @@ fi
 	install -m 0644 "${PWD}/htdocs/manual_uncorrelations.xml" "${SHARE_PREFIX}/htdocs"
 	install -m 0755 "${PWD}/htdocs/pcap.cgi" "${SHARE_PREFIX}/htdocs"
 	install -m 0755 "${PWD}/htdocs/correlate.cgi" "${SHARE_PREFIX}/htdocs"
+	install -m 0755 "${PWD}/htdocs/default.xsl" "${SHARE_PREFIX}/htdocs"
 	install -m 0644 "${PWD}/htdocs/js/Curry-1.0.1.js" "${SHARE_PREFIX}/htdocs/js"
 	install -m 0644 "${PWD}/htdocs/js/dracula_algorithms.js" "${SHARE_PREFIX}/htdocs/js"
 	install -m 0644 "${PWD}/htdocs/js/dracula_graffle.js" "${SHARE_PREFIX}/htdocs/js"
--- a/Makefile.in
+++ b/Makefile.in
@ -862,6 +862,7 @@ fi
 	install -m 0644 "${PWD}/htdocs/manual_uncorrelations.xml" "${SHARE_PREFIX}/htdocs"
 	install -m 0755 "${PWD}/htdocs/pcap.cgi" "${SHARE_PREFIX}/htdocs"
 	install -m 0755 "${PWD}/htdocs/correlate.cgi" "${SHARE_PREFIX}/htdocs"
+	install -m 0755 "${PWD}/htdocs/default.xsl" "${SHARE_PREFIX}/htdocs"
 	install -m 0644 "${PWD}/htdocs/js/Curry-1.0.1.js" "${SHARE_PREFIX}/htdocs/js"
 	install -m 0644 "${PWD}/htdocs/js/dracula_algorithms.js" "${SHARE_PREFIX}/htdocs/js"
 	install -m 0644 "${PWD}/htdocs/js/dracula_graffle.js" "${SHARE_PREFIX}/htdocs/js"
--- a/8
+++ b/8
@ -188,6 +188,7 @@ preprocessor ai: \
 	database_parsing_interval 30 \
 	hashtable_cleanup_interval 300 \
 	manual_correlations_parsing_interval 120 \
+	neural_clustering_interval 1200 \
 	neural_network_training_interval 43200 \
 	neural_train_steps 10 \
 	output_database ( type="dbtype", name="snort", user="snortusr", password="snortpass", host="dbhost" ) \
@ -330,6 +331,13 @@ of  the  thread for parsing the alert correlations manually set and the next one
 (default       value       if       not       specified:       120      seconds)


+- neural_clustering_interval:  Interval  in  seconds between an execution of the
+thread  for  clustering  (using  k-means)  the alerts on the output layer of the
+neural  network in order to recognize likely attack scenarios, and the next one.
+Set  this  to  0  if  you want no clusterization (default if not specified: 1200
+seconds)
+
+
 - neural_network_training_interval:  Interval in seconds between an execution of
 the  thread  for  training the neural network using the set of recent alerts and
 the     next     one    (default    if    not    specified:    43200    seconds)
--- a/alert_history.c
+++ b/alert_history.c
@ -77,6 +77,8 @@ AI_deserialize_alerts ()
 				      *event_list     = NULL;
 	AI_alert_event_key   key;

+	return NULL;
+
 	if ( stat ( config->alert_history_file, &st ) < 0 )
 		return NULL;

@ -159,6 +161,8 @@ AI_serialize_alerts ( AI_snort_alert **alerts_pool, unsigned int alerts_pool_cou
 					*event_next     = NULL,
 					*event_iterator = NULL;

+	return;
+
 	if ( !alerts_hash )
 	{
 		AI_deserialize_alerts();
--- a/correlation.c
+++ b/correlation.c
@ -1205,8 +1205,12 @@ AI_alert_correlation_thread ( void *arg )
 {
 	int                       i;
 	struct stat               st;
-	char                      corr_dot_file[4096]   = { 0 },
-						 corr_ps_file [4096]   = { 0 };
+
+	char                      corr_dot_file[4096]   = { 0 };
+
+#ifdef HAVE_LIBGVC
+	char                      corr_ps_file [4096]   = { 0 };
+#endif

 	double                    avg_correlation       = 0.0,
 						 std_deviation         = 0.0,
--- a/fsom/fsom.c
+++ b/fsom/fsom.c
@ -909,6 +909,7 @@ som_deserialize ( const char* fname )

 	if ( !( net = ( som_network_t* ) malloc ( sizeof ( som_network_t ))))
 	{
+		fclose ( fp );
 		return NULL;
 	}

@ -923,6 +924,7 @@ som_deserialize ( const char* fname )
 	if ( !( net->input_layer = som_input_layer_new ( input_neurons )))
 	{
 		free ( net );
+		fclose ( fp );
 		return NULL;
 	}

@ -930,6 +932,7 @@ som_deserialize ( const char* fname )
 	{
 		free ( net->input_layer );
 		free ( net );
+		fclose ( fp );
 		return NULL;
 	}

@ -945,12 +948,14 @@ som_deserialize ( const char* fname )
 				{
 					som_input_layer_destroy ( net );
 					som_output_layer_destroy ( net );
+					fclose ( fp );
 					return NULL;
 				}
 			}
 		}
 	}

+	fclose ( fp );
 	return net;
 }		/* -----  end of function som_deserialize  ----- */

--- a/neural_cluster.c
+++ b/neural_cluster.c
@ -31,7 +31,10 @@

 #include	<stdio.h>
 #include	<stdlib.h>
+#include	<string.h>
+#include	<sys/stat.h>
 #include	<unistd.h>
+#include	<time.h>

 /**
 * \brief  Print the clusters associated to the SOM output to an XML log file
@ -49,7 +52,8 @@ __AI_neural_clusters_to_xml ( kmeans_t *km, AI_alerts_per_neuron *alerts_per_neu
 		    dst_addr = 0;

 	char src_ip[INET_ADDRSTRLEN] = { 0 },
-		dst_ip[INET_ADDRSTRLEN] = { 0 };
+		dst_ip[INET_ADDRSTRLEN] = { 0 },
+		*timestamp = NULL;

 	AI_alerts_per_neuron_key key;
 	AI_alerts_per_neuron *alert_iterator = NULL;
@ -59,7 +63,8 @@ __AI_neural_clusters_to_xml ( kmeans_t *km, AI_alerts_per_neuron *alerts_per_neu
 		AI_fatal_err ( "Unable to write on the neural clusters XML log file", __FILE__, __LINE__ );
 	}

-	fprintf ( fp, "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n\n"
+	fprintf ( fp, "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
+		"<?xml-stylesheet href=\"default.xsl\" type=\"text/xsl\"?>\n\n"
 		"<clusters>\n" );

 	for ( i=0; i < km->k; i++ )
@ -104,15 +109,18 @@ __AI_neural_clusters_to_xml ( kmeans_t *km, AI_alerts_per_neuron *alerts_per_neu
 						inet_ntop ( AF_INET, &src_addr, src_ip, INET_ADDRSTRLEN );
 						inet_ntop ( AF_INET, &dst_addr, dst_ip, INET_ADDRSTRLEN );

+						timestamp = ctime ( &( alert_iterator->alerts[k].timestamp ));
+						timestamp[ strlen ( timestamp ) - 1 ] = 0;
+
 						fprintf ( fp, "\t\t<alert desc=\"%s\" gid=\"%d\" sid=\"%d\" rev=\"%d\" src_ip=\"%s\" src_port=\"%d\" "
-							"dst_ip=\"%s\" dst_port=\"%d\" timestamp=\"%lu\" xcoord=\"%d\" ycoord=\"%d\"/>\n",
+							"dst_ip=\"%s\" dst_port=\"%d\" timestamp=\"%s\" xcoord=\"%d\" ycoord=\"%d\"/>\n",
 							alert_iterator->alerts[k].desc,
 							alert_iterator->alerts[k].gid,
 							alert_iterator->alerts[k].sid,
 							alert_iterator->alerts[k].rev,
 							src_ip, alert_iterator->alerts[k].src_port,
 							dst_ip, alert_iterator->alerts[k].dst_port,
-							alert_iterator->alerts[k].timestamp,
+							timestamp,
 							alert_iterator->key.x, alert_iterator->key.y );
 					}
 				}
@ -124,6 +132,8 @@ __AI_neural_clusters_to_xml ( kmeans_t *km, AI_alerts_per_neuron *alerts_per_neu

 	fprintf ( fp, "</clusters>\n" );
 	fclose ( fp );
+
+	chmod ( config->neural_clusters_log, 0644 );
 }		/* -----  end of function __AI_neural_clusters_to_xml  ----- */

 /**