diff --git a/Makefile.am b/Makefile.am
index 339c817..fd8bfed 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -68,6 +68,7 @@ fi
 install -m 0644 "${PWD}/htdocs/manual_uncorrelations.xml" "${SHARE_PREFIX}/htdocs"
 install -m 0755 "${PWD}/htdocs/pcap.cgi" "${SHARE_PREFIX}/htdocs"
 install -m 0755 "${PWD}/htdocs/correlate.cgi" "${SHARE_PREFIX}/htdocs"
+ install -m 0755 "${PWD}/htdocs/default.xsl" "${SHARE_PREFIX}/htdocs"
 install -m 0644 "${PWD}/htdocs/js/Curry-1.0.1.js" "${SHARE_PREFIX}/htdocs/js"
 install -m 0644 "${PWD}/htdocs/js/dracula_algorithms.js" "${SHARE_PREFIX}/htdocs/js"
 install -m 0644 "${PWD}/htdocs/js/dracula_graffle.js" "${SHARE_PREFIX}/htdocs/js"
diff --git a/Makefile.in b/Makefile.in
index 0643603..c5dc893 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -862,6 +862,7 @@ fi
 install -m 0644 "${PWD}/htdocs/manual_uncorrelations.xml" "${SHARE_PREFIX}/htdocs"
 install -m 0755 "${PWD}/htdocs/pcap.cgi" "${SHARE_PREFIX}/htdocs"
 install -m 0755 "${PWD}/htdocs/correlate.cgi" "${SHARE_PREFIX}/htdocs"
+ install -m 0755 "${PWD}/htdocs/default.xsl" "${SHARE_PREFIX}/htdocs"
 install -m 0644 "${PWD}/htdocs/js/Curry-1.0.1.js" "${SHARE_PREFIX}/htdocs/js"
 install -m 0644 "${PWD}/htdocs/js/dracula_algorithms.js" "${SHARE_PREFIX}/htdocs/js"
 install -m 0644 "${PWD}/htdocs/js/dracula_graffle.js" "${SHARE_PREFIX}/htdocs/js"
diff --git a/README b/README
index e296204..b653425 100644
--- a/README
+++ b/README
@@ -188,6 +188,7 @@ preprocessor ai: \
 database_parsing_interval 30 \
 hashtable_cleanup_interval 300 \
 manual_correlations_parsing_interval 120 \
+ neural_clustering_interval 1200 \
 neural_network_training_interval 43200 \
 neural_train_steps 10 \
 output_database ( type="dbtype", name="snort", user="snortusr", password="snortpass", host="dbhost" ) \
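Review bot: The added install line gives default.xsl mode 0755, but a stylesheet is static data handed to the browser and never executed, so the executable bit is an unneeded permission on a file under htdocs; the neighbouring .js installs use 0644 and this one should match: `install -m 0644 "${PWD}/htdocs/default.xsl" "${SHARE_PREFIX}/htdocs"`. The same line is edited by hand in Makefile.in, which is presumably generated from Makefile.am, so whichever mode is chosen must be applied to both or the .in regenerated, otherwise the two will drift.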
@@ -330,6 +331,13 @@ of the thread for parsing the alert correlations manually set and the next one (default value if not specified: 120 seconds) +- neural_clustering_interval: Interval in seconds between an execution of the +thread for clustering (using k-means) the alerts on the output layer of the +neural network in order to recognize likely attack scenarios, and the next one. +Set this to 0 if you want no clusterization (default if not specified: 1200 +seconds) + + - neural_network_training_interval: Interval in seconds between an execution of the thread for training the neural network using the set of recent alerts and the next one (default if not specified: 43200 seconds) diff --git a/alert_history.c b/alert_history.c index 9afecc6..301c3b1 100644 --- a/alert_history.c +++ b/alert_history.c @@ -77,6 +77,8 @@ AI_deserialize_alerts () *event_list = NULL; AI_alert_event_key key; + return NULL; + if ( stat ( config->alert_history_file, &st ) < 0 ) return NULL; @@ -159,6 +161,8 @@ AI_serialize_alerts ( AI_snort_alert **alerts_pool, unsigned int alerts_pool_cou *event_next = NULL, *event_iterator = NULL; + return; + if ( !alerts_hash ) { AI_deserialize_alerts(); diff --git a/correlation.c b/correlation.c index 04e406c..42e5285 100644 --- a/correlation.c +++ b/correlation.c @@ -1205,8 +1205,12 @@ AI_alert_correlation_thread ( void *arg ) { int i; struct stat st; - char corr_dot_file[4096] = { 0 }, - corr_ps_file [4096] = { 0 }; + + char corr_dot_file[4096] = { 0 }; + +#ifdef HAVE_LIBGVC + char corr_ps_file [4096] = { 0 }; +#endif double avg_correlation = 0.0, std_deviation = 0.0, diff --git a/fsom/fsom.c b/fsom/fsom.c index 2cbbda3..c8975c0 100644 --- a/fsom/fsom.c +++ b/fsom/fsom.c @@ -909,6 +909,7 @@ som_deserialize ( const char* fname ) if ( !( net = ( som_network_t* ) malloc ( sizeof ( som_network_t )))) { + fclose ( fp ); return NULL; } 
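Review bot: The `return NULL;` inserted at the top of AI_deserialize_alerts makes everything after it, including the stat() of config->alert_history_file, unreachable, so loading of the persisted alert history is silently switched off with no comment, no log line and no configuration switch, and compilers will warn about the dead code. If persistence is intentionally disabled for now, say so where the next maintainer will see it, e.g. `/* XXX: alert-history persistence is disabled pending a rework; the body below is intentionally unreachable */`, and wrap the rest of the body in `#if 0 … #endif` or gate it on a config option; if it is a debugging leftover it should not be merged. The body of AI_deserialize_alerts continues past the end of this hunk.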
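Review bot: The bare `return;` added at the top of AI_serialize_alerts means the alerts_pool handed in is never written out, yet callers get no return value or log message telling them so, and the recent-alert set is lost across a restart without any trace. At minimum it deserves the same explanatory comment as the matching change in AI_deserialize_alerts, plus a debug message through whatever logging helper this module already uses, so that a missing history file can be traced back to this decision. The rest of the function, including the AI_deserialize_alerts() call that is now unreachable, lies outside the hunk.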
@@ -923,6 +924,7 @@ som_deserialize ( const char* fname ) if ( !( net->input_layer = som_input_layer_new ( input_neurons ))) { free ( net ); + fclose ( fp ); return NULL; } @@ -930,6 +932,7 @@ som_deserialize ( const char* fname ) { free ( net->input_layer ); free ( net ); + fclose ( fp ); return NULL; } @@ -945,12 +948,14 @@ som_deserialize ( const char* fname ) { som_input_layer_destroy ( net ); som_output_layer_destroy ( net ); + fclose ( fp ); return NULL; } } } } + fclose ( fp ); return net; } /* ----- end of function som_deserialize ----- */ diff --git a/neural_cluster.c b/neural_cluster.c index ac3caac..0d6024f 100644 --- a/neural_cluster.c +++ b/neural_cluster.c @@ -31,7 +31,10 @@ #include #include +#include +#include #include +#include /** * \brief Print the clusters associated to the SOM output to an XML log file @@ -49,7 +52,8 @@ __AI_neural_clusters_to_xml ( kmeans_t *km, AI_alerts_per_neuron *alerts_per_neu dst_addr = 0; char src_ip[INET_ADDRSTRLEN] = { 0 }, - dst_ip[INET_ADDRSTRLEN] = { 0 }; + dst_ip[INET_ADDRSTRLEN] = { 0 }, + *timestamp = NULL; AI_alerts_per_neuron_key key; AI_alerts_per_neuron *alert_iterator = NULL; @@ -59,7 +63,8 @@ __AI_neural_clusters_to_xml ( kmeans_t *km, AI_alerts_per_neuron *alerts_per_neu AI_fatal_err ( "Unable to write on the neural clusters XML log file", __FILE__, __LINE__ ); } - fprintf ( fp, "\n\n" + fprintf ( fp, "\n" + "\n\n" "\n" ); for ( i=0; i < km->k; i++ ) 
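Review bot: The failure path in the -945 hunk now closes fp but, unlike the two earlier failure paths in som_deserialize that end with `free ( net )`, it only calls som_input_layer_destroy and som_output_layer_destroy; unless one of those frees net itself, which is not visible here, the som_network_t allocated at the top of the function is leaked on this path. With five separate `fclose ( fp ); return NULL;` exits in one function, a single cleanup label would make the resource handling easier to audit: each error site becomes `goto fail;`, and the function ends with `fail: fclose ( fp ); return NULL;` after the successful `fclose ( fp ); return net;`, with the layer/net frees done once before the label is reached. The start of som_deserialize, where fp and net are obtained, is outside this hunk.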
@@ -104,15 +109,18 @@ __AI_neural_clusters_to_xml ( kmeans_t *km, AI_alerts_per_neuron *alerts_per_neu inet_ntop ( AF_INET, &src_addr, src_ip, INET_ADDRSTRLEN ); inet_ntop ( AF_INET, &dst_addr, dst_ip, INET_ADDRSTRLEN ); + timestamp = ctime ( &( alert_iterator->alerts[k].timestamp )); + timestamp[ strlen ( timestamp ) - 1 ] = 0; + fprintf ( fp, "\t\t\n", + "dst_ip=\"%s\" dst_port=\"%d\" timestamp=\"%s\" xcoord=\"%d\" ycoord=\"%d\"/>\n", alert_iterator->alerts[k].desc, alert_iterator->alerts[k].gid, alert_iterator->alerts[k].sid, alert_iterator->alerts[k].rev, src_ip, alert_iterator->alerts[k].src_port, dst_ip, alert_iterator->alerts[k].dst_port, - alert_iterator->alerts[k].timestamp, + timestamp, alert_iterator->key.x, alert_iterator->key.y ); } } @@ -124,6 +132,8 @@ __AI_neural_clusters_to_xml ( kmeans_t *km, AI_alerts_per_neuron *alerts_per_neu fprintf ( fp, "\n" ); fclose ( fp ); + + chmod ( config->neural_clusters_log, 0644 ); } /* ----- end of function __AI_neural_clusters_to_xml ----- */ /**
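Review bot: The new `timestamp = ctime ( ... )` line returns a pointer into a static buffer, which is not thread-safe, and this function is presumably run from the neural-clustering thread that the README documents; the following `timestamp[ strlen ( timestamp ) - 1 ] = 0;` also uses the result unchecked, although ctime returns NULL for a time it cannot represent, and would index at -1 on an empty string. A reentrant, checked form is to declare `char timestamp[26] = { 0 };` in place of the `*timestamp = NULL` declaration added in the earlier hunk, then `if ( ctime_r ( &( alert_iterator->alerts[k].timestamp ), timestamp )) timestamp[ strcspn ( timestamp, "\n" ) ] = 0;`. Separately, the `%s` for desc is written into an XML attribute without escaping `&`, `<` or `"`, so a rule message containing any of these produces malformed XML that the stylesheet this commit installs cannot render. The loop header and the fopen that produced fp are outside the hunk.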
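Review bot: The `chmod ( config->neural_clusters_log, 0644 )` added after fclose operates by path, so the file first exists with the mode the process umask yields and is only changed afterwards, which with a loose umask leaves a window where the log is more permissive than intended and with a strict one silently makes a private file world-readable; a chmod-by-path on a file in a directory writable by other users can also be redirected through a symlink to change the mode of an unrelated file, which matters for a preprocessor that typically runs as root. Changing the mode on the open descriptor avoids both: `fchmod ( fileno ( fp ), 0644 );` placed before `fclose ( fp );`, or better, create the file with `open ( path, O_WRONLY | O_CREAT | O_TRUNC, 0644 )` and fdopen it. The return values of chmod and fclose are also ignored, so a failure leaves a misconfigured or truncated log with no diagnostic. The fopen that creates fp is outside this hunk.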