Fixing a 'Too many files open' error in fsom
This commit is contained in:
parent
fec0bbea96
commit
4962097aa9
7 changed files with 39 additions and 6 deletions
|
@ -68,6 +68,7 @@ fi
|
||||||
install -m 0644 "${PWD}/htdocs/manual_uncorrelations.xml" "${SHARE_PREFIX}/htdocs"
|
install -m 0644 "${PWD}/htdocs/manual_uncorrelations.xml" "${SHARE_PREFIX}/htdocs"
|
||||||
install -m 0755 "${PWD}/htdocs/pcap.cgi" "${SHARE_PREFIX}/htdocs"
|
install -m 0755 "${PWD}/htdocs/pcap.cgi" "${SHARE_PREFIX}/htdocs"
|
||||||
install -m 0755 "${PWD}/htdocs/correlate.cgi" "${SHARE_PREFIX}/htdocs"
|
install -m 0755 "${PWD}/htdocs/correlate.cgi" "${SHARE_PREFIX}/htdocs"
|
||||||
|
install -m 0755 "${PWD}/htdocs/default.xsl" "${SHARE_PREFIX}/htdocs"
|
||||||
install -m 0644 "${PWD}/htdocs/js/Curry-1.0.1.js" "${SHARE_PREFIX}/htdocs/js"
|
install -m 0644 "${PWD}/htdocs/js/Curry-1.0.1.js" "${SHARE_PREFIX}/htdocs/js"
|
||||||
install -m 0644 "${PWD}/htdocs/js/dracula_algorithms.js" "${SHARE_PREFIX}/htdocs/js"
|
install -m 0644 "${PWD}/htdocs/js/dracula_algorithms.js" "${SHARE_PREFIX}/htdocs/js"
|
||||||
install -m 0644 "${PWD}/htdocs/js/dracula_graffle.js" "${SHARE_PREFIX}/htdocs/js"
|
install -m 0644 "${PWD}/htdocs/js/dracula_graffle.js" "${SHARE_PREFIX}/htdocs/js"
|
||||||
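Review bot: The new `default.xsl` line installs a stylesheet with mode 0755, although every other data file in this block (the `.xml` and `.js` files) is installed 0644 and only the `.cgi` scripts carry the executable bit; the line should read `install -m 0644 "${PWD}/htdocs/default.xsl" "${SHARE_PREFIX}/htdocs"`. The identical line added in the hunk at `@ -862,6 +862,7 @@` has the same mode and should be changed the same way. A stylesheet is read by the browser through the CGI output and never executed, so 0644 keeps the installed htdocs tree limited to the permissions each file actually needs.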
|
|
|
@ -862,6 +862,7 @@ fi
|
||||||
install -m 0644 "${PWD}/htdocs/manual_uncorrelations.xml" "${SHARE_PREFIX}/htdocs"
|
install -m 0644 "${PWD}/htdocs/manual_uncorrelations.xml" "${SHARE_PREFIX}/htdocs"
|
||||||
install -m 0755 "${PWD}/htdocs/pcap.cgi" "${SHARE_PREFIX}/htdocs"
|
install -m 0755 "${PWD}/htdocs/pcap.cgi" "${SHARE_PREFIX}/htdocs"
|
||||||
install -m 0755 "${PWD}/htdocs/correlate.cgi" "${SHARE_PREFIX}/htdocs"
|
install -m 0755 "${PWD}/htdocs/correlate.cgi" "${SHARE_PREFIX}/htdocs"
|
||||||
|
install -m 0755 "${PWD}/htdocs/default.xsl" "${SHARE_PREFIX}/htdocs"
|
||||||
install -m 0644 "${PWD}/htdocs/js/Curry-1.0.1.js" "${SHARE_PREFIX}/htdocs/js"
|
install -m 0644 "${PWD}/htdocs/js/Curry-1.0.1.js" "${SHARE_PREFIX}/htdocs/js"
|
||||||
install -m 0644 "${PWD}/htdocs/js/dracula_algorithms.js" "${SHARE_PREFIX}/htdocs/js"
|
install -m 0644 "${PWD}/htdocs/js/dracula_algorithms.js" "${SHARE_PREFIX}/htdocs/js"
|
||||||
install -m 0644 "${PWD}/htdocs/js/dracula_graffle.js" "${SHARE_PREFIX}/htdocs/js"
|
install -m 0644 "${PWD}/htdocs/js/dracula_graffle.js" "${SHARE_PREFIX}/htdocs/js"
|
||||||
|
|
8
README
8
README
|
@ -188,6 +188,7 @@ preprocessor ai: \
|
||||||
database_parsing_interval 30 \
|
database_parsing_interval 30 \
|
||||||
hashtable_cleanup_interval 300 \
|
hashtable_cleanup_interval 300 \
|
||||||
manual_correlations_parsing_interval 120 \
|
manual_correlations_parsing_interval 120 \
|
||||||
|
neural_clustering_interval 1200 \
|
||||||
neural_network_training_interval 43200 \
|
neural_network_training_interval 43200 \
|
||||||
neural_train_steps 10 \
|
neural_train_steps 10 \
|
||||||
output_database ( type="dbtype", name="snort", user="snortusr", password="snortpass", host="dbhost" ) \
|
output_database ( type="dbtype", name="snort", user="snortusr", password="snortpass", host="dbhost" ) \
|
||||||
|
@ -330,6 +331,13 @@ of the thread for parsing the alert correlations manually set and the next one
|
||||||
(default value if not specified: 120 seconds)
|
(default value if not specified: 120 seconds)
|
||||||
|
|
||||||
|
|
||||||
|
- neural_clustering_interval: Interval in seconds between an execution of the
|
||||||
|
thread for clustering (using k-means) the alerts on the output layer of the
|
||||||
|
neural network in order to recognize likely attack scenarios, and the next one.
|
||||||
|
Set this to 0 if you want no clusterization (default if not specified: 1200
|
||||||
|
seconds)
|
||||||
|
|
||||||
|
|
||||||
- neural_network_training_interval: Interval in seconds between an execution of
|
- neural_network_training_interval: Interval in seconds between an execution of
|
||||||
the thread for training the neural network using the set of recent alerts and
|
the thread for training the neural network using the set of recent alerts and
|
||||||
the next one (default if not specified: 43200 seconds)
|
the next one (default if not specified: 43200 seconds)
|
||||||
|
|
|
@ -77,6 +77,8 @@ AI_deserialize_alerts ()
|
||||||
*event_list = NULL;
|
*event_list = NULL;
|
||||||
AI_alert_event_key key;
|
AI_alert_event_key key;
|
||||||
|
|
||||||
|
return NULL;
|
||||||
|
|
||||||
if ( stat ( config->alert_history_file, &st ) < 0 )
|
if ( stat ( config->alert_history_file, &st ) < 0 )
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
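Review bot: The `return NULL;` inserted right after the declarations in AI_deserialize_alerts makes the `stat()` call and the whole remainder of the function unreachable, and the `return;` added at the top of AI_serialize_alerts in the hunk at `@ -159,6 +161,8 @@` does the same; neither line carries a comment saying why alert-history persistence is being switched off, so a later reader will take it for a stray statement. If this is a stopgap while the open-file problem named in the commit title is chased down, say so on the line, e.g. `return NULL; /* FIXME: alert history deserialization temporarily disabled (see "Too many files open" fix) */`, or gate it on a configuration option so the code after it stays reachable and compilable without unreachable-code warnings. Both functions begin before their hunks, so any earlier exit paths are not visible here.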
|
@ -159,6 +161,8 @@ AI_serialize_alerts ( AI_snort_alert **alerts_pool, unsigned int alerts_pool_cou
|
||||||
*event_next = NULL,
|
*event_next = NULL,
|
||||||
*event_iterator = NULL;
|
*event_iterator = NULL;
|
||||||
|
|
||||||
|
return;
|
||||||
|
|
||||||
if ( !alerts_hash )
|
if ( !alerts_hash )
|
||||||
{
|
{
|
||||||
AI_deserialize_alerts();
|
AI_deserialize_alerts();
|
||||||
|
|
|
@ -1205,8 +1205,12 @@ AI_alert_correlation_thread ( void *arg )
|
||||||
{
|
{
|
||||||
int i;
|
int i;
|
||||||
struct stat st;
|
struct stat st;
|
||||||
char corr_dot_file[4096] = { 0 },
|
|
||||||
corr_ps_file [4096] = { 0 };
|
char corr_dot_file[4096] = { 0 };
|
||||||
|
|
||||||
|
#ifdef HAVE_LIBGVC
|
||||||
|
char corr_ps_file [4096] = { 0 };
|
||||||
|
#endif
|
||||||
|
|
||||||
double avg_correlation = 0.0,
|
double avg_correlation = 0.0,
|
||||||
std_deviation = 0.0,
|
std_deviation = 0.0,
|
||||||
|
|
|
@ -909,6 +909,7 @@ som_deserialize ( const char* fname )
|
||||||
|
|
||||||
if ( !( net = ( som_network_t* ) malloc ( sizeof ( som_network_t ))))
|
if ( !( net = ( som_network_t* ) malloc ( sizeof ( som_network_t ))))
|
||||||
{
|
{
|
||||||
|
fclose ( fp );
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -923,6 +924,7 @@ som_deserialize ( const char* fname )
|
||||||
if ( !( net->input_layer = som_input_layer_new ( input_neurons )))
|
if ( !( net->input_layer = som_input_layer_new ( input_neurons )))
|
||||||
{
|
{
|
||||||
free ( net );
|
free ( net );
|
||||||
|
fclose ( fp );
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -930,6 +932,7 @@ som_deserialize ( const char* fname )
|
||||||
{
|
{
|
||||||
free ( net->input_layer );
|
free ( net->input_layer );
|
||||||
free ( net );
|
free ( net );
|
||||||
|
fclose ( fp );
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -945,12 +948,14 @@ som_deserialize ( const char* fname )
|
||||||
{
|
{
|
||||||
som_input_layer_destroy ( net );
|
som_input_layer_destroy ( net );
|
||||||
som_output_layer_destroy ( net );
|
som_output_layer_destroy ( net );
|
||||||
|
fclose ( fp );
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fclose ( fp );
|
||||||
return net;
|
return net;
|
||||||
} /* ----- end of function som_deserialize ----- */
|
} /* ----- end of function som_deserialize ----- */
|
||||||
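Review bot: The error path in the hunk at `@ -945,12 +948,14 @@` now closes `fp` but, unlike the earlier paths that end with `free ( net )`, it only calls `som_input_layer_destroy ( net )` and `som_output_layer_destroy ( net )` before `return NULL;`; unless one of those helpers releases `net` itself, the network struct still leaks on that path, which is worth confirming. Five separately placed `fclose ( fp )` calls are also easy to miss on the next error path someone adds; a single cleanup label, `goto fail;` on each error branch with `fail: fclose ( fp ); return NULL;` at the bottom, makes the close unconditional. som_deserialize begins before the first hunk, so the stretches between the hunks should be checked for any other early `return` that still lacks the close.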
|
|
||||||
|
|
|
@ -31,7 +31,10 @@
|
||||||
|
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <sys/stat.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
|
#include <time.h>
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* \brief Print the clusters associated to the SOM output to an XML log file
|
* \brief Print the clusters associated to the SOM output to an XML log file
|
||||||
|
@ -49,7 +52,8 @@ __AI_neural_clusters_to_xml ( kmeans_t *km, AI_alerts_per_neuron *alerts_per_neu
|
||||||
dst_addr = 0;
|
dst_addr = 0;
|
||||||
|
|
||||||
char src_ip[INET_ADDRSTRLEN] = { 0 },
|
char src_ip[INET_ADDRSTRLEN] = { 0 },
|
||||||
dst_ip[INET_ADDRSTRLEN] = { 0 };
|
dst_ip[INET_ADDRSTRLEN] = { 0 },
|
||||||
|
*timestamp = NULL;
|
||||||
|
|
||||||
AI_alerts_per_neuron_key key;
|
AI_alerts_per_neuron_key key;
|
||||||
AI_alerts_per_neuron *alert_iterator = NULL;
|
AI_alerts_per_neuron *alert_iterator = NULL;
|
||||||
|
@ -59,7 +63,8 @@ __AI_neural_clusters_to_xml ( kmeans_t *km, AI_alerts_per_neuron *alerts_per_neu
|
||||||
AI_fatal_err ( "Unable to write on the neural clusters XML log file", __FILE__, __LINE__ );
|
AI_fatal_err ( "Unable to write on the neural clusters XML log file", __FILE__, __LINE__ );
|
||||||
}
|
}
|
||||||
|
|
||||||
fprintf ( fp, "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n\n"
|
fprintf ( fp, "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
|
||||||
|
"<?xml-stylesheet href=\"default.xsl\" type=\"text/xsl\"?>\n\n"
|
||||||
"<clusters>\n" );
|
"<clusters>\n" );
|
||||||
|
|
||||||
for ( i=0; i < km->k; i++ )
|
for ( i=0; i < km->k; i++ )
|
||||||
|
@ -104,15 +109,18 @@ __AI_neural_clusters_to_xml ( kmeans_t *km, AI_alerts_per_neuron *alerts_per_neu
|
||||||
inet_ntop ( AF_INET, &src_addr, src_ip, INET_ADDRSTRLEN );
|
inet_ntop ( AF_INET, &src_addr, src_ip, INET_ADDRSTRLEN );
|
||||||
inet_ntop ( AF_INET, &dst_addr, dst_ip, INET_ADDRSTRLEN );
|
inet_ntop ( AF_INET, &dst_addr, dst_ip, INET_ADDRSTRLEN );
|
||||||
|
|
||||||
|
timestamp = ctime ( &( alert_iterator->alerts[k].timestamp ));
|
||||||
|
timestamp[ strlen ( timestamp ) - 1 ] = 0;
|
||||||
|
|
||||||
fprintf ( fp, "\t\t<alert desc=\"%s\" gid=\"%d\" sid=\"%d\" rev=\"%d\" src_ip=\"%s\" src_port=\"%d\" "
|
fprintf ( fp, "\t\t<alert desc=\"%s\" gid=\"%d\" sid=\"%d\" rev=\"%d\" src_ip=\"%s\" src_port=\"%d\" "
|
||||||
"dst_ip=\"%s\" dst_port=\"%d\" timestamp=\"%lu\" xcoord=\"%d\" ycoord=\"%d\"/>\n",
|
"dst_ip=\"%s\" dst_port=\"%d\" timestamp=\"%s\" xcoord=\"%d\" ycoord=\"%d\"/>\n",
|
||||||
alert_iterator->alerts[k].desc,
|
alert_iterator->alerts[k].desc,
|
||||||
alert_iterator->alerts[k].gid,
|
alert_iterator->alerts[k].gid,
|
||||||
alert_iterator->alerts[k].sid,
|
alert_iterator->alerts[k].sid,
|
||||||
alert_iterator->alerts[k].rev,
|
alert_iterator->alerts[k].rev,
|
||||||
src_ip, alert_iterator->alerts[k].src_port,
|
src_ip, alert_iterator->alerts[k].src_port,
|
||||||
dst_ip, alert_iterator->alerts[k].dst_port,
|
dst_ip, alert_iterator->alerts[k].dst_port,
|
||||||
alert_iterator->alerts[k].timestamp,
|
timestamp,
|
||||||
alert_iterator->key.x, alert_iterator->key.y );
|
alert_iterator->key.x, alert_iterator->key.y );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -124,6 +132,8 @@ __AI_neural_clusters_to_xml ( kmeans_t *km, AI_alerts_per_neuron *alerts_per_neu
|
||||||
|
|
||||||
fprintf ( fp, "</clusters>\n" );
|
fprintf ( fp, "</clusters>\n" );
|
||||||
fclose ( fp );
|
fclose ( fp );
|
||||||
|
|
||||||
|
chmod ( config->neural_clusters_log, 0644 );
|
||||||
} /* ----- end of function __AI_neural_clusters_to_xml ----- */
|
} /* ----- end of function __AI_neural_clusters_to_xml ----- */
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|