blacklight/Snort_AIPreproc
1
0
Fork 0
mirror of https://github.com/BlackLight/Snort_AIPreproc.git synced 2025-07-09 23:28:06 +02:00
Code Issues Projects Releases Packages Wiki Activity

Full support for MySQL (and any?) database alerts

Browse source
This commit is contained in:
BlackLight 2010-09-04 21:33:53 +02:00
parent a1d157487c
commit 5cb91e3427
115 changed files with 5670 additions and 2909 deletions

275
doc/html/spp__ai_8h_source.html
View file

@ -77,129 +77,158 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
<a name="l00026"></a>00026
<a name="l00027"></a><a class="code" href="spp__ai_8h.html#a5e151c615eda34903514212f05a5ccf8">00027</a> <span class="preprocessor">#define PRIVATE static</span>
<a name="l00028"></a>00028 <span class="preprocessor"></span>
<a name="l00029"></a><a class="code" href="spp__ai_8h.html#a5f555c0ebd29ce2771a3e2dd4f526746">00029</a> <span class="preprocessor">#define DEFAULT_HASH_CLEANUP_INTERVAL 300</span>
<a name="l00030"></a><a class="code" href="spp__ai_8h.html#a0f6a189af15ef783fb46ed37c144e031">00030</a> <span class="preprocessor"></span><span class="preprocessor">#define DEFAULT_STREAM_EXPIRE_INTERVAL 300</span>
<a name="l00031"></a><a class="code" href="spp__ai_8h.html#a0c4b6fce670e46083e33b9f53b78f39e">00031</a> <span class="preprocessor"></span><span class="preprocessor">#define DEFAULT_ALERT_CLUSTERING_INTERVAL 3600</span>
<a name="l00032"></a><a class="code" href="spp__ai_8h.html#a6d9bf552c32371e0144dc6a6209c7e4a">00032</a> <span class="preprocessor"></span><span class="preprocessor">#define DEFAULT_ALERT_LOG_FILE &quot;/var/log/snort/alert&quot;</span>
<a name="l00033"></a><a class="code" href="spp__ai_8h.html#a803dc913297ccdace9e604dbfecda97d">00033</a> <span class="preprocessor"></span><span class="preprocessor">#define DEFAULT_CLUSTER_LOG_FILE &quot;/var/log/snort/cluster_alert&quot;</span>
<a name="l00030"></a><a class="code" href="spp__ai_8h.html#a5f555c0ebd29ce2771a3e2dd4f526746">00030</a> <span class="preprocessor">#define DEFAULT_HASH_CLEANUP_INTERVAL 300</span>
<a name="l00031"></a>00031 <span class="preprocessor"></span>
<a name="l00033"></a><a class="code" href="spp__ai_8h.html#a0f6a189af15ef783fb46ed37c144e031">00033</a> <span class="preprocessor">#define DEFAULT_STREAM_EXPIRE_INTERVAL 300</span>
<a name="l00034"></a>00034 <span class="preprocessor"></span>
<a name="l00035"></a>00035 <span class="keyword">extern</span> DynamicPreprocessorData <a class="code" href="sf__dynamic__preproc__lib_8c.html#ab46420126c43c1aac5eabc5db266a71c">_dpd</a>;
<a name="l00036"></a><a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">00036</a> <span class="keyword">typedef</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> uint8_t;
<a name="l00037"></a><a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">00037</a> <span class="keyword">typedef</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">short</span> uint16_t;
<a name="l00038"></a><a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">00038</a> <span class="keyword">typedef</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> uint32_t;
<a name="l00039"></a>00039
<a name="l00040"></a><a class="code" href="spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18dda08f175a5505a10b9ed657defeb050e4b">00040</a> <span class="keyword">typedef</span> <span class="keyword">enum</span> { <span class="keyword">false</span>, <span class="keyword">true</span> } BOOL;
<a name="l00041"></a>00041
<a name="l00042"></a><a class="code" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640">00042</a> <span class="keyword">typedef</span> <span class="keyword">enum</span> {
<a name="l00043"></a><a class="code" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ac1335c508143eb06843af2ce5ff3027b">00043</a> none, src_addr, dst_addr, src_port, dst_port, <a class="code" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ab16bb5c4b330d5db02e2d852cd2ba451">CLUSTER_TYPES</a>
<a name="l00044"></a>00044 } cluster_type;
<a name="l00045"></a>00045
<a name="l00046"></a>00046 <span class="comment">/* Each stream in the hash table is identified by the couple (src_ip, dst_port) */</span>
<a name="l00047"></a><a class="code" href="structpkt__key.html">00047</a> <span class="keyword">struct </span><a class="code" href="structpkt__key.html">pkt_key</a>
<a name="l00048"></a>00048 {
<a name="l00049"></a><a class="code" href="structpkt__key.html#a3a091c20dafb8b3f689db00c5b2f8ddb">00049</a> <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a> <a class="code" href="structpkt__key.html#a3a091c20dafb8b3f689db00c5b2f8ddb">src_ip</a>;
<a name="l00050"></a><a class="code" href="structpkt__key.html#af77f5eb1f4cd88b43fe99fd73553351d">00050</a> <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="structpkt__key.html#af77f5eb1f4cd88b43fe99fd73553351d">dst_port</a>;
<a name="l00051"></a>00051 };
<a name="l00052"></a>00052
<a name="l00053"></a>00053 <span class="comment">/* Identifier of a packet in a stream */</span>
<a name="l00054"></a><a class="code" href="structpkt__info.html">00054</a> <span class="keyword">struct </span><a class="code" href="structpkt__info.html">pkt_info</a>
<a name="l00055"></a>00055 {
<a name="l00056"></a><a class="code" href="structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339">00056</a> <span class="keyword">struct </span><a class="code" href="structpkt__key.html">pkt_key</a> <a class="code" href="structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339">key</a>; <span class="comment">/* Key of the packet (src_ip, dst_port) */</span>
<a name="l00057"></a><a class="code" href="structpkt__info.html#a7f5090443f21e6290f0439f1bb872e92">00057</a> time_t <a class="code" href="structpkt__info.html#a7f5090443f21e6290f0439f1bb872e92">timestamp</a>; <span class="comment">/* Timestamp */</span>
<a name="l00058"></a><a class="code" href="structpkt__info.html#a8d5ebd04a32067b05387e5c5056fe168">00058</a> SFSnortPacket* <a class="code" href="structpkt__info.html#a8d5ebd04a32067b05387e5c5056fe168">pkt</a>; <span class="comment">/* Reference to SFSnortPacket containing packet&#39;s information */</span>
<a name="l00059"></a><a class="code" href="structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168">00059</a> <span class="keyword">struct </span><a class="code" href="structpkt__info.html">pkt_info</a>* <a class="code" href="structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168">next</a>; <span class="comment">/* Pointer to the next packet in the stream */</span>
<a name="l00060"></a><a class="code" href="structpkt__info.html#ac7ff78ea5faf333fc91f92e3085ea7c9">00060</a> <a class="code" href="spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18dd">BOOL</a> <a class="code" href="structpkt__info.html#ac7ff78ea5faf333fc91f92e3085ea7c9">observed</a>; <span class="comment">/* Flag set if the packet is observed, i.e. associated to a security alert */</span>
<a name="l00061"></a><a class="code" href="structpkt__info.html#a264e90d4b5d490de040f38c1072e142f">00061</a> UT_hash_handle <a class="code" href="structpkt__info.html#a264e90d4b5d490de040f38c1072e142f">hh</a>; <span class="comment">/* Make the struct &#39;hashable&#39; */</span>
<a name="l00062"></a>00062 };
<a name="l00063"></a>00063
<a name="l00064"></a>00064 <span class="comment">/* Data type containing the configuration of the module */</span>
<a name="l00065"></a><a class="code" href="structAI__config.html">00065</a> <span class="keyword">typedef</span> <span class="keyword">struct</span>
<a name="l00066"></a>00066 {
<a name="l00067"></a><a class="code" href="structAI__config.html#a9f7680615027d4fb74b4aa144a7028a4">00067</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> hashCleanupInterval;
<a name="l00068"></a><a class="code" href="structAI__config.html#abbe77d5f94b8c5164bea47acba09c98b">00068</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> streamExpireInterval;
<a name="l00069"></a><a class="code" href="structAI__config.html#a7d0d098b8263aa3d8415b11d1ec7f93d">00069</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> alertClusteringInterval;
<a name="l00070"></a><a class="code" href="structAI__config.html#a2efa9590d7eea6dce8b5dd9aa76ed8ca">00070</a> <span class="keywordtype">char</span> alertfile[1024];
<a name="l00071"></a><a class="code" href="structAI__config.html#a6da02a3f7116fd3810a41b738e8883a3">00071</a> <span class="keywordtype">char</span> clusterfile[1024];
<a name="l00072"></a>00072 } <a class="code" href="structAI__config.html">AI_config</a>;
<a name="l00073"></a>00073
<a name="l00074"></a>00074 <span class="comment">/* Data type for hierarchies used for clustering */</span>
<a name="l00075"></a><a class="code" href="struct__hierarchy__node.html">00075</a> <span class="keyword">typedef</span> <span class="keyword">struct </span><a class="code" href="struct__hierarchy__node.html">_hierarchy_node</a>
<a name="l00076"></a>00076 {
<a name="l00077"></a><a class="code" href="struct__hierarchy__node.html#a3b18e3ddfa2212c5e4ff9c0b4bde4296">00077</a> <a class="code" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640">cluster_type</a> <a class="code" href="struct__hierarchy__node.html#a3b18e3ddfa2212c5e4ff9c0b4bde4296">type</a>;
<a name="l00078"></a><a class="code" href="struct__hierarchy__node.html#ae498f6fd14ca058a3ae0a95d5425451a">00078</a> <span class="keywordtype">char</span> <a class="code" href="struct__hierarchy__node.html#ae498f6fd14ca058a3ae0a95d5425451a">label</a>[256];
<a name="l00079"></a><a class="code" href="struct__hierarchy__node.html#a13ceebd7b435b9ef347fb90d9e6bbfe4">00079</a> <span class="keywordtype">int</span> <a class="code" href="struct__hierarchy__node.html#a13ceebd7b435b9ef347fb90d9e6bbfe4">min_val</a>;
<a name="l00080"></a><a class="code" href="struct__hierarchy__node.html#a79ea88029938dc30ab8f159405d12c87">00080</a> <span class="keywordtype">int</span> <a class="code" href="struct__hierarchy__node.html#a79ea88029938dc30ab8f159405d12c87">max_val</a>;
<a name="l00081"></a><a class="code" href="struct__hierarchy__node.html#a849256ce1039e2cefaaf64d91171be0a">00081</a> <span class="keywordtype">int</span> <a class="code" href="struct__hierarchy__node.html#a849256ce1039e2cefaaf64d91171be0a">nchildren</a>;
<a name="l00082"></a><a class="code" href="struct__hierarchy__node.html#a5c94c89d7e2aea393f1c550afb766bbe">00082</a> <span class="keyword">struct </span><a class="code" href="struct__hierarchy__node.html">_hierarchy_node</a> *<a class="code" href="struct__hierarchy__node.html#a5c94c89d7e2aea393f1c550afb766bbe">parent</a>;
<a name="l00083"></a><a class="code" href="struct__hierarchy__node.html#afc23d4fe6426873164cdaab2f3d4f0cd">00083</a> <span class="keyword">struct </span><a class="code" href="struct__hierarchy__node.html">_hierarchy_node</a> **<a class="code" href="struct__hierarchy__node.html#afc23d4fe6426873164cdaab2f3d4f0cd">children</a>;
<a name="l00084"></a>00084 } <a class="code" href="struct__hierarchy__node.html">hierarchy_node</a>;
<a name="l00085"></a>00085
<a name="l00086"></a>00086 <span class="comment">/* Data type for Snort alerts */</span>
<a name="l00087"></a><a class="code" href="struct__AI__snort__alert.html">00087</a> <span class="keyword">typedef</span> <span class="keyword">struct </span><a class="code" href="struct__AI__snort__alert.html">_AI_snort_alert</a> {
<a name="l00088"></a>00088 <span class="comment">/* Identifiers of the alert */</span>
<a name="l00089"></a><a class="code" href="struct__AI__snort__alert.html#af8408be5da59cda853442dd13465c0f6">00089</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> <a class="code" href="struct__AI__snort__alert.html#af8408be5da59cda853442dd13465c0f6">gid</a>;
<a name="l00090"></a><a class="code" href="struct__AI__snort__alert.html#a3349aa68d2234f8ffd897367c3a8a137">00090</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> <a class="code" href="struct__AI__snort__alert.html#a3349aa68d2234f8ffd897367c3a8a137">sid</a>;
<a name="l00091"></a><a class="code" href="struct__AI__snort__alert.html#a864d3baa48586d6a31639f4cd27d9d37">00091</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> <a class="code" href="struct__AI__snort__alert.html#a864d3baa48586d6a31639f4cd27d9d37">rev</a>;
<a name="l00092"></a>00092
<a name="l00093"></a>00093 <span class="comment">/* Snort priority, description,</span>
<a name="l00094"></a>00094 <span class="comment"> * classification and timestamp</span>
<a name="l00095"></a>00095 <span class="comment"> * of the alert */</span>
<a name="l00096"></a><a class="code" href="struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9">00096</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">short</span> <a class="code" href="struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9">priority</a>;
<a name="l00097"></a><a class="code" href="struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135">00097</a> <span class="keywordtype">char</span> *<a class="code" href="struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135">desc</a>;
<a name="l00098"></a><a class="code" href="struct__AI__snort__alert.html#aa89585e14acb2c4e684a1552d322632f">00098</a> <span class="keywordtype">char</span> *<a class="code" href="struct__AI__snort__alert.html#aa89585e14acb2c4e684a1552d322632f">classification</a>;
<a name="l00099"></a><a class="code" href="struct__AI__snort__alert.html#a10a67f60ca3da339a2104849a0b2ac19">00099</a> time_t <a class="code" href="struct__AI__snort__alert.html#a10a67f60ca3da339a2104849a0b2ac19">timestamp</a>;
<a name="l00100"></a>00100
<a name="l00101"></a>00101 <span class="comment">/* IP header information */</span>
<a name="l00102"></a><a class="code" href="struct__AI__snort__alert.html#a882ae6db43dc0fe08071947ccb044b93">00102</a> <a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a> <a class="code" href="struct__AI__snort__alert.html#a882ae6db43dc0fe08071947ccb044b93">tos</a>;
<a name="l00103"></a><a class="code" href="struct__AI__snort__alert.html#a523ef8842d01a1bc4ea3c0bf27518e78">00103</a> <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="struct__AI__snort__alert.html#a523ef8842d01a1bc4ea3c0bf27518e78">iplen</a>;
<a name="l00104"></a><a class="code" href="struct__AI__snort__alert.html#a45e4acf90450a5f9efd4e0c290f84bcf">00104</a> <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="struct__AI__snort__alert.html#a45e4acf90450a5f9efd4e0c290f84bcf">id</a>;
<a name="l00105"></a><a class="code" href="struct__AI__snort__alert.html#ab9b1ce8ee440a324af116403ac9c51a2">00105</a> <a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a> <a class="code" href="struct__AI__snort__alert.html#ab9b1ce8ee440a324af116403ac9c51a2">ttl</a>;
<a name="l00106"></a><a class="code" href="struct__AI__snort__alert.html#a2a5f2741918c3c13890f2b617a7f23a4">00106</a> <a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a> <a class="code" href="struct__AI__snort__alert.html#a2a5f2741918c3c13890f2b617a7f23a4">ipproto</a>;
<a name="l00107"></a><a class="code" href="struct__AI__snort__alert.html#ab16a24f368020e4b40e65b53cae33b48">00107</a> <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a> <a class="code" href="struct__AI__snort__alert.html#ab16a24f368020e4b40e65b53cae33b48">src_addr</a>;
<a name="l00108"></a><a class="code" href="struct__AI__snort__alert.html#a69cc2ba171c8c808a0b45caa9426cd8c">00108</a> <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a> <a class="code" href="struct__AI__snort__alert.html#a69cc2ba171c8c808a0b45caa9426cd8c">dst_addr</a>;
<a name="l00109"></a>00109
<a name="l00110"></a>00110 <span class="comment">/* TCP header information */</span>
<a name="l00111"></a><a class="code" href="struct__AI__snort__alert.html#a856cccd3eaabd38aa9974f26d3edc5e3">00111</a> <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="struct__AI__snort__alert.html#a856cccd3eaabd38aa9974f26d3edc5e3">src_port</a>;
<a name="l00112"></a><a class="code" href="struct__AI__snort__alert.html#a6b323c07ae501d221e330e13646a96a3">00112</a> <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="struct__AI__snort__alert.html#a6b323c07ae501d221e330e13646a96a3">dst_port</a>;
<a name="l00113"></a><a class="code" href="struct__AI__snort__alert.html#acb20c4c55149d5806d7523720786ab77">00113</a> <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a> <a class="code" href="struct__AI__snort__alert.html#acb20c4c55149d5806d7523720786ab77">sequence</a>;
<a name="l00114"></a><a class="code" href="struct__AI__snort__alert.html#a2b185c678d3a7f1207b2119b0b567c37">00114</a> <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a> <a class="code" href="struct__AI__snort__alert.html#a2b185c678d3a7f1207b2119b0b567c37">ack</a>;
<a name="l00115"></a><a class="code" href="struct__AI__snort__alert.html#aa643f11db93b70242b57f0a04775e507">00115</a> <a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a> <a class="code" href="struct__AI__snort__alert.html#aa643f11db93b70242b57f0a04775e507">tcp_flags</a>;
<a name="l00116"></a><a class="code" href="struct__AI__snort__alert.html#a63e94be3d248cf4beb0d4d5ab75331b1">00116</a> <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="struct__AI__snort__alert.html#a63e94be3d248cf4beb0d4d5ab75331b1">window</a>;
<a name="l00117"></a><a class="code" href="struct__AI__snort__alert.html#a519a103f5e8f1cb006c0c137b7c6a1c0">00117</a> <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="struct__AI__snort__alert.html#a519a103f5e8f1cb006c0c137b7c6a1c0">tcplen</a>;
<a name="l00118"></a>00118
<a name="l00119"></a>00119 <span class="comment">/* Reference to the TCP stream</span>
<a name="l00120"></a>00120 <span class="comment"> * associated to the alert, if any */</span>
<a name="l00121"></a><a class="code" href="struct__AI__snort__alert.html#a09dfe0a841fd3912ec78060d4547cb31">00121</a> <span class="keyword">struct </span><a class="code" href="structpkt__info.html">pkt_info</a> *<a class="code" href="struct__AI__snort__alert.html#a09dfe0a841fd3912ec78060d4547cb31">stream</a>;
<a name="l00122"></a>00122
<a name="l00123"></a>00123 <span class="comment">/* Pointer to the next alert in</span>
<a name="l00124"></a>00124 <span class="comment"> * the log, if any*/</span>
<a name="l00125"></a><a class="code" href="struct__AI__snort__alert.html#aa8336d4b3359015ed8ea312ca1fd1173">00125</a> <span class="keyword">struct </span><a class="code" href="struct__AI__snort__alert.html">_AI_snort_alert</a> *<a class="code" href="struct__AI__snort__alert.html#aa8336d4b3359015ed8ea312ca1fd1173">next</a>;
<a name="l00126"></a>00126
<a name="l00127"></a>00127 <span class="comment">/* Hierarchies for addresses and ports,</span>
<a name="l00128"></a>00128 <span class="comment"> * if the clustering algorithm is used */</span>
<a name="l00129"></a><a class="code" href="struct__AI__snort__alert.html#ac53765584296ead1328eabfaba8a3aed">00129</a> <a class="code" href="struct__hierarchy__node.html">hierarchy_node</a> *<a class="code" href="struct__AI__snort__alert.html#ac53765584296ead1328eabfaba8a3aed">h_node</a>[CLUSTER_TYPES];
<a name="l00130"></a>00130
<a name="l00131"></a>00131 <span class="comment">/* If the clustering algorithm is used,</span>
<a name="l00132"></a>00132 <span class="comment"> * we also count how many alerts this</span>
<a name="l00133"></a>00133 <span class="comment"> * single alert groups */</span>
<a name="l00134"></a><a class="code" href="struct__AI__snort__alert.html#a285aff12d6bac03c316ccc5305d28e53">00134</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> <a class="code" href="struct__AI__snort__alert.html#a285aff12d6bac03c316ccc5305d28e53">grouped_alarms_count</a>;
<a name="l00135"></a>00135 } <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a>;
<a name="l00136"></a>00136
<a name="l00137"></a>00137 <span class="keywordtype">int</span> <a class="code" href="regex_8c.html#a35f57c052a7de1ded54b67a1f7819791" title="Check if a string matches a regular expression.">preg_match</a> ( <span class="keyword">const</span> <span class="keywordtype">char</span>*, <span class="keywordtype">char</span>*, <span class="keywordtype">char</span>***, <span class="keywordtype">int</span>* );
<a name="l00138"></a>00138
<a name="l00139"></a>00139 <span class="keywordtype">void</span>* <a class="code" href="spp__ai_8h.html#ad56f71be823eead743972274b99c82ff" title="Thread called for cleaning up the hash table from the traffic streams older than a certain threshold...">AI_hashcleanup_thread</a> ( <span class="keywordtype">void</span>* );
<a name="l00140"></a>00140 <span class="keywordtype">void</span>* <a class="code" href="alert__parser_8c.html#ad68c45b5846743a54ad3fa92c8e48f8a" title="Thread for parsing Snort&amp;#39;s alert file.">AI_alertparser_thread</a> ( <span class="keywordtype">void</span>* );
<a name="l00141"></a>00141
<a name="l00142"></a>00142 <span class="keywordtype">void</span> <a class="code" href="spp__ai_8h.html#af6f7d167c3623bbc669e8d31c2719b29" title="Function called for appending a new packet to the hash table, creating a new stream or appending it t...">AI_pkt_enqueue</a> ( SFSnortPacket* );
<a name="l00143"></a>00143 <span class="keywordtype">void</span> <a class="code" href="spp__ai_8h.html#a8749989cee2ac05a7de058faac280c02" title="Set the flag &amp;quot;observed&amp;quot; on a stream associated to a security alert, so that it won&amp;#39;t be...">AI_set_stream_observed</a> ( <span class="keyword">struct</span> <a class="code" href="structpkt__key.html">pkt_key</a> key );
<a name="l00144"></a>00144 <span class="keywordtype">void</span> <a class="code" href="cluster_8c.html#a1445818b37483f78cc3fb2890155842c" title="Build the clustering hierarchy trees.">AI_hierarchies_build</a> ( <a class="code" href="structAI__config.html">AI_config</a>*, <a class="code" href="struct__hierarchy__node.html">hierarchy_node</a>**, <span class="keywordtype">int</span> );
<a name="l00145"></a>00145
<a name="l00146"></a>00146 <span class="keyword">struct </span><a class="code" href="structpkt__info.html">pkt_info</a>* <a class="code" href="spp__ai_8h.html#a3054f06297a9caefd4d9b1283bb8b69a" title="Get a TCP stream by key.">AI_get_stream_by_key</a> ( <span class="keyword">struct</span> <a class="code" href="structpkt__key.html">pkt_key</a> );
<a name="l00147"></a>00147 <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a>* <a class="code" href="alert__parser_8c.html#a99474495643197b3075ac22ec6f6c70f" title="Return the alerts parsed so far as a linked list.">AI_get_alerts</a> ( <span class="keywordtype">void</span> );
<a name="l00148"></a>00148 <span class="keywordtype">void</span> <a class="code" href="alert__parser_8c.html#a270e86669a0aa64a8da37bc16cda645b" title="Deallocate the memory of a log alert linked list.">AI_free_alerts</a> ( <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a> *node );
<a name="l00149"></a>00149
<a name="l00150"></a>00150 <span class="preprocessor">#endif </span><span class="comment">/* _SPP_AI_H */</span>
<a name="l00151"></a>00151
<a name="l00036"></a><a class="code" href="spp__ai_8h.html#a3c4984a0ee515fbc091ac6e33b05e310">00036</a> <span class="preprocessor">#define DEFAULT_DATABASE_INTERVAL 30</span>
<a name="l00037"></a>00037 <span class="preprocessor"></span>
<a name="l00039"></a><a class="code" href="spp__ai_8h.html#a0c4b6fce670e46083e33b9f53b78f39e">00039</a> <span class="preprocessor">#define DEFAULT_ALERT_CLUSTERING_INTERVAL 3600</span>
<a name="l00040"></a>00040 <span class="preprocessor"></span>
<a name="l00042"></a><a class="code" href="spp__ai_8h.html#a6d9bf552c32371e0144dc6a6209c7e4a">00042</a> <span class="preprocessor">#define DEFAULT_ALERT_LOG_FILE &quot;/var/log/snort/alert&quot;</span>
<a name="l00043"></a>00043 <span class="preprocessor"></span>
<a name="l00045"></a><a class="code" href="spp__ai_8h.html#a803dc913297ccdace9e604dbfecda97d">00045</a> <span class="preprocessor">#define DEFAULT_CLUSTER_LOG_FILE &quot;/var/log/snort/cluster_alert&quot;</span>
<a name="l00046"></a>00046 <span class="preprocessor"></span>
<a name="l00047"></a>00047 <span class="keyword">extern</span> DynamicPreprocessorData <a class="code" href="sf__dynamic__preproc__lib_8c.html#ab46420126c43c1aac5eabc5db266a71c">_dpd</a>;
<a name="l00048"></a><a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">00048</a> <span class="keyword">typedef</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> uint8_t;
<a name="l00049"></a><a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">00049</a> <span class="keyword">typedef</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">short</span> uint16_t;
<a name="l00050"></a><a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">00050</a> <span class="keyword">typedef</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> uint32_t;
<a name="l00051"></a>00051
<a name="l00052"></a><a class="code" href="spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18dda08f175a5505a10b9ed657defeb050e4b">00052</a> <span class="keyword">typedef</span> <span class="keyword">enum</span> { <span class="keyword">false</span>, <span class="keyword">true</span> } BOOL;
<a name="l00053"></a>00053
<a name="l00055"></a><a class="code" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640">00055</a> <span class="keyword">typedef</span> <span class="keyword">enum</span> {
<a name="l00056"></a><a class="code" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ac1335c508143eb06843af2ce5ff3027b">00056</a> none, src_addr, dst_addr, src_port, dst_port, <a class="code" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ab16bb5c4b330d5db02e2d852cd2ba451">CLUSTER_TYPES</a>
<a name="l00057"></a>00057 } cluster_type;
<a name="l00058"></a>00058
<a name="l00060"></a><a class="code" href="structpkt__key.html">00060</a> <span class="keyword">struct </span><a class="code" href="structpkt__key.html">pkt_key</a>
<a name="l00061"></a>00061 {
<a name="l00062"></a><a class="code" href="structpkt__key.html#a3a091c20dafb8b3f689db00c5b2f8ddb">00062</a> <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a> <a class="code" href="structpkt__key.html#a3a091c20dafb8b3f689db00c5b2f8ddb">src_ip</a>;
<a name="l00063"></a><a class="code" href="structpkt__key.html#af77f5eb1f4cd88b43fe99fd73553351d">00063</a> <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="structpkt__key.html#af77f5eb1f4cd88b43fe99fd73553351d">dst_port</a>;
<a name="l00064"></a>00064 };
<a name="l00065"></a>00065
<a name="l00067"></a><a class="code" href="structpkt__info.html">00067</a> <span class="keyword">struct </span><a class="code" href="structpkt__info.html">pkt_info</a>
<a name="l00068"></a>00068 {
<a name="l00070"></a><a class="code" href="structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339">00070</a> <span class="keyword">struct </span><a class="code" href="structpkt__key.html">pkt_key</a> <a class="code" href="structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339">key</a>;
<a name="l00071"></a>00071
<a name="l00073"></a><a class="code" href="structpkt__info.html#a7f5090443f21e6290f0439f1bb872e92">00073</a> time_t <a class="code" href="structpkt__info.html#a7f5090443f21e6290f0439f1bb872e92">timestamp</a>;
<a name="l00074"></a>00074
<a name="l00076"></a><a class="code" href="structpkt__info.html#a8d5ebd04a32067b05387e5c5056fe168">00076</a> SFSnortPacket* <a class="code" href="structpkt__info.html#a8d5ebd04a32067b05387e5c5056fe168">pkt</a>;
<a name="l00077"></a>00077
<a name="l00079"></a><a class="code" href="structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168">00079</a> <span class="keyword">struct </span><a class="code" href="structpkt__info.html">pkt_info</a>* <a class="code" href="structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168">next</a>;
<a name="l00080"></a>00080
<a name="l00082"></a><a class="code" href="structpkt__info.html#ac7ff78ea5faf333fc91f92e3085ea7c9">00082</a> <a class="code" href="spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18dd">BOOL</a> <a class="code" href="structpkt__info.html#ac7ff78ea5faf333fc91f92e3085ea7c9">observed</a>;
<a name="l00083"></a>00083
<a name="l00085"></a><a class="code" href="structpkt__info.html#a264e90d4b5d490de040f38c1072e142f">00085</a> UT_hash_handle <a class="code" href="structpkt__info.html#a264e90d4b5d490de040f38c1072e142f">hh</a>;
<a name="l00086"></a>00086 };
<a name="l00087"></a>00087
<a name="l00088"></a>00088 <span class="comment">/* Data type containing the configuration of the module */</span>
<a name="l00089"></a><a class="code" href="structAI__config.html">00089</a> <span class="keyword">typedef</span> <span class="keyword">struct</span>
<a name="l00090"></a>00090 {
<a name="l00092"></a><a class="code" href="structAI__config.html#a9f7680615027d4fb74b4aa144a7028a4">00092</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> hashCleanupInterval;
<a name="l00093"></a>00093
<a name="l00095"></a><a class="code" href="structAI__config.html#abbe77d5f94b8c5164bea47acba09c98b">00095</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> streamExpireInterval;
<a name="l00096"></a>00096
<a name="l00098"></a><a class="code" href="structAI__config.html#a7d0d098b8263aa3d8415b11d1ec7f93d">00098</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> alertClusteringInterval;
<a name="l00099"></a>00099
<a name="l00101"></a><a class="code" href="structAI__config.html#ae6ca715cab1d90b70c3aad443133c263">00101</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> databaseParsingInterval;
<a name="l00102"></a>00102
<a name="l00104"></a><a class="code" href="structAI__config.html#a2efa9590d7eea6dce8b5dd9aa76ed8ca">00104</a> <span class="keywordtype">char</span> alertfile[1024];
<a name="l00105"></a>00105
<a name="l00107"></a><a class="code" href="structAI__config.html#a6da02a3f7116fd3810a41b738e8883a3">00107</a> <span class="keywordtype">char</span> clusterfile[1024];
<a name="l00108"></a>00108
<a name="l00110"></a><a class="code" href="structAI__config.html#ac8a93607f12106e2f5c9b43af27107da">00110</a> <span class="keywordtype">char</span> dbname[256];
<a name="l00111"></a>00111
<a name="l00113"></a><a class="code" href="structAI__config.html#aa004adebfdafb6d14092aecd7f4912b0">00113</a> <span class="keywordtype">char</span> dbuser[256];
<a name="l00114"></a>00114
<a name="l00116"></a><a class="code" href="structAI__config.html#aa1cda349763faf60b2ebdbf2d187ae7d">00116</a> <span class="keywordtype">char</span> dbpass[256];
<a name="l00117"></a>00117
<a name="l00119"></a><a class="code" href="structAI__config.html#a8e56f1a1b2095d3d329c8068ea0f3aab">00119</a> <span class="keywordtype">char</span> dbhost[256];
<a name="l00120"></a>00120 } <a class="code" href="structAI__config.html">AI_config</a>;
<a name="l00121"></a>00121
<a name="l00122"></a>00122 <span class="comment">/* Data type for hierarchies used for clustering */</span>
<a name="l00123"></a><a class="code" href="struct__hierarchy__node.html">00123</a> <span class="keyword">typedef</span> <span class="keyword">struct </span><a class="code" href="struct__hierarchy__node.html">_hierarchy_node</a>
<a name="l00124"></a>00124 {
<a name="l00125"></a><a class="code" href="struct__hierarchy__node.html#a3b18e3ddfa2212c5e4ff9c0b4bde4296">00125</a> <a class="code" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640">cluster_type</a> <a class="code" href="struct__hierarchy__node.html#a3b18e3ddfa2212c5e4ff9c0b4bde4296">type</a>;
<a name="l00126"></a><a class="code" href="struct__hierarchy__node.html#ae498f6fd14ca058a3ae0a95d5425451a">00126</a> <span class="keywordtype">char</span> <a class="code" href="struct__hierarchy__node.html#ae498f6fd14ca058a3ae0a95d5425451a">label</a>[256];
<a name="l00127"></a><a class="code" href="struct__hierarchy__node.html#a13ceebd7b435b9ef347fb90d9e6bbfe4">00127</a> <span class="keywordtype">int</span> <a class="code" href="struct__hierarchy__node.html#a13ceebd7b435b9ef347fb90d9e6bbfe4">min_val</a>;
<a name="l00128"></a><a class="code" href="struct__hierarchy__node.html#a79ea88029938dc30ab8f159405d12c87">00128</a> <span class="keywordtype">int</span> <a class="code" href="struct__hierarchy__node.html#a79ea88029938dc30ab8f159405d12c87">max_val</a>;
<a name="l00129"></a><a class="code" href="struct__hierarchy__node.html#a849256ce1039e2cefaaf64d91171be0a">00129</a> <span class="keywordtype">int</span> <a class="code" href="struct__hierarchy__node.html#a849256ce1039e2cefaaf64d91171be0a">nchildren</a>;
<a name="l00130"></a><a class="code" href="struct__hierarchy__node.html#a5c94c89d7e2aea393f1c550afb766bbe">00130</a> <span class="keyword">struct </span><a class="code" href="struct__hierarchy__node.html">_hierarchy_node</a> *<a class="code" href="struct__hierarchy__node.html#a5c94c89d7e2aea393f1c550afb766bbe">parent</a>;
<a name="l00131"></a><a class="code" href="struct__hierarchy__node.html#afc23d4fe6426873164cdaab2f3d4f0cd">00131</a> <span class="keyword">struct </span><a class="code" href="struct__hierarchy__node.html">_hierarchy_node</a> **<a class="code" href="struct__hierarchy__node.html#afc23d4fe6426873164cdaab2f3d4f0cd">children</a>;
<a name="l00132"></a>00132 } <a class="code" href="struct__hierarchy__node.html">hierarchy_node</a>;
<a name="l00133"></a>00133
<a name="l00135"></a><a class="code" href="struct__AI__snort__alert.html">00135</a> <span class="keyword">typedef</span> <span class="keyword">struct </span><a class="code" href="struct__AI__snort__alert.html">_AI_snort_alert</a> {
<a name="l00136"></a>00136 <span class="comment">/* Identifiers of the alert */</span>
<a name="l00137"></a><a class="code" href="struct__AI__snort__alert.html#af8408be5da59cda853442dd13465c0f6">00137</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> <a class="code" href="struct__AI__snort__alert.html#af8408be5da59cda853442dd13465c0f6">gid</a>;
<a name="l00138"></a><a class="code" href="struct__AI__snort__alert.html#a3349aa68d2234f8ffd897367c3a8a137">00138</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> <a class="code" href="struct__AI__snort__alert.html#a3349aa68d2234f8ffd897367c3a8a137">sid</a>;
<a name="l00139"></a><a class="code" href="struct__AI__snort__alert.html#a864d3baa48586d6a31639f4cd27d9d37">00139</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> <a class="code" href="struct__AI__snort__alert.html#a864d3baa48586d6a31639f4cd27d9d37">rev</a>;
<a name="l00140"></a>00140
<a name="l00141"></a>00141 <span class="comment">/* Snort priority, description,</span>
<a name="l00142"></a>00142 <span class="comment"> * classification and timestamp</span>
<a name="l00143"></a>00143 <span class="comment"> * of the alert */</span>
<a name="l00144"></a><a class="code" href="struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9">00144</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">short</span> <a class="code" href="struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9">priority</a>;
<a name="l00145"></a><a class="code" href="struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135">00145</a> <span class="keywordtype">char</span> *<a class="code" href="struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135">desc</a>;
<a name="l00146"></a><a class="code" href="struct__AI__snort__alert.html#aa89585e14acb2c4e684a1552d322632f">00146</a> <span class="keywordtype">char</span> *<a class="code" href="struct__AI__snort__alert.html#aa89585e14acb2c4e684a1552d322632f">classification</a>;
<a name="l00147"></a><a class="code" href="struct__AI__snort__alert.html#a10a67f60ca3da339a2104849a0b2ac19">00147</a> time_t <a class="code" href="struct__AI__snort__alert.html#a10a67f60ca3da339a2104849a0b2ac19">timestamp</a>;
<a name="l00148"></a>00148
<a name="l00149"></a>00149 <span class="comment">/* IP header information */</span>
<a name="l00150"></a><a class="code" href="struct__AI__snort__alert.html#a3f3c47f9baf3229d067504a85873b416">00150</a> <a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a> <a class="code" href="struct__AI__snort__alert.html#a3f3c47f9baf3229d067504a85873b416">ip_tos</a>;
<a name="l00151"></a><a class="code" href="struct__AI__snort__alert.html#ad3ffe99036513d5f33b94d22fb84f8f1">00151</a> <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="struct__AI__snort__alert.html#ad3ffe99036513d5f33b94d22fb84f8f1">ip_len</a>;
<a name="l00152"></a><a class="code" href="struct__AI__snort__alert.html#a2fc673dec85a7b49dd16ac7c0bb1bb78">00152</a> <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="struct__AI__snort__alert.html#a2fc673dec85a7b49dd16ac7c0bb1bb78">ip_id</a>;
<a name="l00153"></a><a class="code" href="struct__AI__snort__alert.html#a3c9bbe84ec696cd58668a45799a66600">00153</a> <a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a> <a class="code" href="struct__AI__snort__alert.html#a3c9bbe84ec696cd58668a45799a66600">ip_ttl</a>;
<a name="l00154"></a><a class="code" href="struct__AI__snort__alert.html#a5ea7b250ac1c472f3ab57565b6df2536">00154</a> <a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a> <a class="code" href="struct__AI__snort__alert.html#a5ea7b250ac1c472f3ab57565b6df2536">ip_proto</a>;
<a name="l00155"></a><a class="code" href="struct__AI__snort__alert.html#a194117c57a52933d16a97838562bb611">00155</a> <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a> <a class="code" href="struct__AI__snort__alert.html#a194117c57a52933d16a97838562bb611">ip_src_addr</a>;
<a name="l00156"></a><a class="code" href="struct__AI__snort__alert.html#a754ca683593c838e4032fa8c13b1512b">00156</a> <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a> <a class="code" href="struct__AI__snort__alert.html#a754ca683593c838e4032fa8c13b1512b">ip_dst_addr</a>;
<a name="l00157"></a>00157
<a name="l00158"></a>00158 <span class="comment">/* TCP header information */</span>
<a name="l00159"></a><a class="code" href="struct__AI__snort__alert.html#a4d4cbdbd9675f4c43545547f55174cb7">00159</a> <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="struct__AI__snort__alert.html#a4d4cbdbd9675f4c43545547f55174cb7">tcp_src_port</a>;
<a name="l00160"></a><a class="code" href="struct__AI__snort__alert.html#aaca31cb67d48ffc3bfd1227686d5f5a4">00160</a> <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="struct__AI__snort__alert.html#aaca31cb67d48ffc3bfd1227686d5f5a4">tcp_dst_port</a>;
<a name="l00161"></a><a class="code" href="struct__AI__snort__alert.html#ad6edf59fccea55bf5f940bf36117020b">00161</a> <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a> <a class="code" href="struct__AI__snort__alert.html#ad6edf59fccea55bf5f940bf36117020b">tcp_seq</a>;
<a name="l00162"></a><a class="code" href="struct__AI__snort__alert.html#a8aac577224a4325ec50511c6d79b4b79">00162</a> <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a> <a class="code" href="struct__AI__snort__alert.html#a8aac577224a4325ec50511c6d79b4b79">tcp_ack</a>;
<a name="l00163"></a><a class="code" href="struct__AI__snort__alert.html#aa643f11db93b70242b57f0a04775e507">00163</a> <a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a> <a class="code" href="struct__AI__snort__alert.html#aa643f11db93b70242b57f0a04775e507">tcp_flags</a>;
<a name="l00164"></a><a class="code" href="struct__AI__snort__alert.html#a1687fccc26bb211591db8b36ffec5348">00164</a> <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="struct__AI__snort__alert.html#a1687fccc26bb211591db8b36ffec5348">tcp_window</a>;
<a name="l00165"></a><a class="code" href="struct__AI__snort__alert.html#ab7e0507050b8e475fea7a4b26c768857">00165</a> <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="struct__AI__snort__alert.html#ab7e0507050b8e475fea7a4b26c768857">tcp_len</a>;
<a name="l00166"></a>00166
<a name="l00167"></a>00167 <span class="comment">/* Reference to the TCP stream</span>
<a name="l00168"></a>00168 <span class="comment"> * associated to the alert, if any */</span>
<a name="l00169"></a><a class="code" href="struct__AI__snort__alert.html#a09dfe0a841fd3912ec78060d4547cb31">00169</a> <span class="keyword">struct </span><a class="code" href="structpkt__info.html">pkt_info</a> *<a class="code" href="struct__AI__snort__alert.html#a09dfe0a841fd3912ec78060d4547cb31">stream</a>;
<a name="l00170"></a>00170
<a name="l00171"></a>00171 <span class="comment">/* Pointer to the next alert in</span>
<a name="l00172"></a>00172 <span class="comment"> * the log, if any*/</span>
<a name="l00173"></a><a class="code" href="struct__AI__snort__alert.html#aa8336d4b3359015ed8ea312ca1fd1173">00173</a> <span class="keyword">struct </span><a class="code" href="struct__AI__snort__alert.html">_AI_snort_alert</a> *<a class="code" href="struct__AI__snort__alert.html#aa8336d4b3359015ed8ea312ca1fd1173">next</a>;
<a name="l00174"></a>00174
<a name="l00175"></a>00175 <span class="comment">/* Hierarchies for addresses and ports,</span>
<a name="l00176"></a>00176 <span class="comment"> * if the clustering algorithm is used */</span>
<a name="l00177"></a><a class="code" href="struct__AI__snort__alert.html#ac53765584296ead1328eabfaba8a3aed">00177</a> <a class="code" href="struct__hierarchy__node.html">hierarchy_node</a> *<a class="code" href="struct__AI__snort__alert.html#ac53765584296ead1328eabfaba8a3aed">h_node</a>[CLUSTER_TYPES];
<a name="l00178"></a>00178
<a name="l00179"></a>00179 <span class="comment">/* If the clustering algorithm is used,</span>
<a name="l00180"></a>00180 <span class="comment"> * we also count how many alerts this</span>
<a name="l00181"></a>00181 <span class="comment"> * single alert groups */</span>
<a name="l00182"></a><a class="code" href="struct__AI__snort__alert.html#a285aff12d6bac03c316ccc5305d28e53">00182</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> <a class="code" href="struct__AI__snort__alert.html#a285aff12d6bac03c316ccc5305d28e53">grouped_alarms_count</a>;
<a name="l00183"></a>00183 } <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a>;
<a name="l00184"></a>00184
<a name="l00185"></a>00185 <span class="keywordtype">int</span> <a class="code" href="group__regex.html#ga35f57c052a7de1ded54b67a1f7819791" title="Check if a string matches a regular expression.">preg_match</a> ( <span class="keyword">const</span> <span class="keywordtype">char</span>*, <span class="keywordtype">char</span>*, <span class="keywordtype">char</span>***, <span class="keywordtype">int</span>* );
<a name="l00186"></a>00186
<a name="l00187"></a>00187 <span class="keywordtype">void</span>* <a class="code" href="group__stream.html#ga24b1131374e5059564b8a12380c4eb75" title="Thread called for cleaning up the hash table from the traffic streams older than a certain threshold...">AI_hashcleanup_thread</a> ( <span class="keywordtype">void</span>* );
<a name="l00188"></a>00188 <span class="keywordtype">void</span>* <a class="code" href="group__alert__parser.html#ga5aab8d9bdf0e92a51731442fd787f61f" title="Thread for parsing Snort&amp;#39;s alert file.">AI_file_alertparser_thread</a> ( <span class="keywordtype">void</span>* );
<a name="l00189"></a>00189 <span class="keywordtype">void</span>* <a class="code" href="group__mysql.html#gadf275635641f88725930de208fb5523f" title="Thread for parsing alerts from MySQL database.">AI_mysql_alertparser_thread</a> ( <span class="keywordtype">void</span>* );
<a name="l00190"></a>00190
<a name="l00191"></a>00191 <span class="keywordtype">void</span> <a class="code" href="group__stream.html#ga7d71c5645b9baff7b6c4b9a181bf80c5" title="Function called for appending a new packet to the hash table, creating a new stream or appending it t...">AI_pkt_enqueue</a> ( SFSnortPacket* );
<a name="l00192"></a>00192 <span class="keywordtype">void</span> <a class="code" href="group__stream.html#ga8749989cee2ac05a7de058faac280c02" title="Set the flag &amp;quot;observed&amp;quot; on a stream associated to a security alert, so that it won&amp;#39;t be...">AI_set_stream_observed</a> ( <span class="keyword">struct</span> <a class="code" href="structpkt__key.html">pkt_key</a> key );
<a name="l00193"></a>00193 <span class="keywordtype">void</span> <a class="code" href="group__cluster.html#ga1445818b37483f78cc3fb2890155842c" title="Build the clustering hierarchy trees.">AI_hierarchies_build</a> ( <a class="code" href="structAI__config.html">AI_config</a>*, <a class="code" href="struct__hierarchy__node.html">hierarchy_node</a>**, <span class="keywordtype">int</span> );
<a name="l00194"></a>00194
<a name="l00195"></a>00195 <span class="keyword">struct </span><a class="code" href="structpkt__info.html">pkt_info</a>* <a class="code" href="group__stream.html#ga2efedcabbfd12c5345f0c93a3dd4735c" title="Get a TCP stream by key.">AI_get_stream_by_key</a> ( <span class="keyword">struct</span> <a class="code" href="structpkt__key.html">pkt_key</a> );
<a name="l00196"></a>00196
<a name="l00197"></a>00197 <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a>* <a class="code" href="group__alert__parser.html#ga99474495643197b3075ac22ec6f6c70f" title="Return the alerts parsed so far as a linked list.">AI_get_alerts</a> ( <span class="keywordtype">void</span> );
<a name="l00198"></a>00198 <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a>* <a class="code" href="group__mysql.html#ga0ead3c1e46063e215168e76d7999d65b" title="Return the alerts parsed so far as a linked list.">AI_mysql_get_alerts</a> ( <span class="keywordtype">void</span> );
<a name="l00199"></a>00199
<a name="l00200"></a>00200 <span class="keywordtype">void</span> <a class="code" href="group__alert__parser.html#ga270e86669a0aa64a8da37bc16cda645b" title="Deallocate the memory of a log alert linked list.">AI_free_alerts</a> ( <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a> *node );
<a name="l00201"></a>00201 <span class="keywordtype">void</span> <a class="code" href="spp__ai_8h.html#ad0d003c241328962df5757398329b809">AI_mysql_free_alerts</a> ( <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a> *node );
<a name="l00202"></a>00202
<a name="l00204"></a><a class="code" href="spp__ai_8h.html#ab184b676360ce03035801284a2bd1ea7">00204</a> <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a>* (*get_alerts)(void);
<a name="l00205"></a>00205
<a name="l00206"></a>00206 <span class="preprocessor">#endif </span><span class="comment">/* _SPP_AI_H */</span>
<a name="l00207"></a>00207
</pre></div></div>
</div>
<!--- window showing the filter options -->
@ -216,7 +245,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
</iframe>
</div>
<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 4 2010 21:30:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body>