From 997ebcbcd8b3c99a9478e1b48531ad01e62411f4 Mon Sep 17 00:00:00 2001 From: BlackLight Date: Sat, 11 Sep 2010 12:45:30 +0200 Subject: [PATCH] Sept 11 2010 commit --- TODO | 4 +- alert_parser.c | 7 + cluster.c | 14 +- correlation.c | 136 ++++++++-- db.c | 10 +- doc/html/alert__parser_8c.html | 18 +- doc/html/annotated.html | 7 +- doc/html/classes.html | 9 +- doc/html/cluster_8c.html | 3 +- doc/html/correlation_8c.html | 18 +- doc/html/db_8c.html | 2 +- doc/html/db_8h.html | 2 +- doc/html/db_8h_source.html | 2 +- doc/html/files.html | 2 +- doc/html/functions.html | 40 ++- doc/html/functions_vars.html | 40 ++- doc/html/globals.html | 38 ++- doc/html/globals_defs.html | 2 +- doc/html/globals_enum.html | 2 +- doc/html/globals_eval.html | 2 +- doc/html/globals_func.html | 23 +- doc/html/globals_type.html | 2 +- doc/html/globals_vars.html | 13 +- doc/html/group__alert__parser.html | 2 +- doc/html/group__cluster.html | 16 +- doc/html/group__correlation.html | 131 ++++++++- doc/html/group__regex.html | 94 ++++++- doc/html/group__spp__ai.html | 2 +- doc/html/group__stream.html | 2 +- doc/html/index.html | 2 +- doc/html/modules.html | 2 +- doc/html/mysql_8c.html | 2 +- doc/html/regex_8c.html | 6 +- doc/html/search/all_5f.html | 38 ++- doc/html/search/all_61.html | 120 +++++---- doc/html/search/all_62.html | 10 +- doc/html/search/all_63.html | 18 +- doc/html/search/all_67.html | 2 +- doc/html/search/all_68.html | 13 +- doc/html/search/all_6b.html | 4 +- doc/html/search/all_6c.html | 10 + doc/html/search/all_6e.html | 8 +- doc/html/search/all_70.html | 8 +- doc/html/search/all_72.html | 2 +- doc/html/search/all_73.html | 26 +- doc/html/search/classes_61.html | 21 +- doc/html/search/functions_5f.html | 30 ++- doc/html/search/functions_73.html | 36 +-- doc/html/search/search.js | 6 +- doc/html/search/variables_61.html | 23 +- doc/html/search/variables_62.html | 26 ++ doc/html/search/variables_63.html | 16 +- doc/html/search/variables_67.html | 2 +- doc/html/search/variables_68.html | 11 +- doc/html/search/variables_6b.html | 4 +- doc/html/search/variables_6c.html | 10 + doc/html/search/variables_6e.html | 8 +- doc/html/search/variables_70.html | 8 +- doc/html/search/variables_72.html | 2 +- doc/html/search/variables_73.html | 2 +- doc/html/sf__preproc__info_8h.html | 2 +- doc/html/sf__preproc__info_8h_source.html | 23 +- doc/html/spp__ai_8c.html | 2 +- doc/html/spp__ai_8h.html | 9 +- doc/html/spp__ai_8h_source.html | 292 +++++++++++---------- doc/html/stream_8c.html | 2 +- doc/html/structAI__alert__correlation.html | 148 +++++++++++ doc/html/structAI__config.html | 2 +- doc/html/structAI__hyperalert__info.html | 177 +++++++++++++ doc/html/structAI__hyperalert__key.html | 129 +++++++++ doc/html/struct__AI__snort__alert.html | 21 +- doc/html/struct__hierarchy__node.html | 4 +- doc/html/structattribute__key.html | 2 +- doc/html/structattribute__value.html | 2 +- doc/html/structpkt__info.html | 2 +- doc/html/structpkt__key.html | 2 +- doc/latex/alert__parser_8c.tex | 7 + doc/latex/annotated.tex | 5 +- doc/latex/cluster_8c.tex | 2 + doc/latex/correlation_8c.tex | 18 +- doc/latex/doxygen.sty | 4 +- doc/latex/group__cluster.tex | 7 + doc/latex/group__correlation.tex | 89 +++++-- doc/latex/group__regex.tex | 48 +++- doc/latex/refman.tex | 7 +- doc/latex/regex_8c.tex | 6 +- doc/latex/spp__ai_8h.tex | 10 +- doc/latex/structAI__alert__correlation.tex | 46 ++++ doc/latex/structAI__hyperalert__info.tex | 64 +++++ doc/latex/structAI__hyperalert__key.tex | 43 +++ doc/latex/struct__AI__snort__alert.tex | 15 +- doc/latex/struct__hierarchy__node.tex | 3 + 92 files changed, 1856 insertions(+), 456 deletions(-) create mode 100644 doc/html/search/variables_62.html create mode 100644 doc/html/structAI__alert__correlation.html create mode 100644 doc/html/structAI__hyperalert__info.html create mode 100644 doc/html/structAI__hyperalert__key.html create mode 100644 doc/latex/structAI__alert__correlation.tex create mode 100644 doc/latex/structAI__hyperalert__info.tex create mode 100644 doc/latex/structAI__hyperalert__key.tex diff --git a/TODO b/TODO index 3e22cc6..7703c4e 100644 --- a/TODO +++ b/TODO @@ -1,4 +1,6 @@ +- Correlation macros valid also for hierarchies flags +- Bayesian learning among alerts in alert log + - Managing clusters for addresses, timestamps (and more?) - Dynamic cluster_min_size algorithm -- Alerts for port scan, grouped alerts, UDP and ICMP too diff --git a/alert_parser.c b/alert_parser.c index 515533d..1a93bb4 100644 --- a/alert_parser.c +++ b/alert_parser.c @@ -29,6 +29,7 @@ PRIVATE AI_snort_alert *alerts = NULL; PRIVATE FILE *alert_fp = NULL; +PRIVATE BOOL lock_flag = false; /** \defgroup alert_parser Parse the alert log into binary structures * @{ */ @@ -105,6 +106,9 @@ AI_file_alertparser_thread ( void* arg ) inotify_rm_watch ( ifd, wd ); close ( ifd ); + /* Set the lock flag to true until it's done with alert parsing */ + lock_flag = true; + while ( !feof ( alert_fp )) { fgets ( line, sizeof(line), alert_fp ); @@ -300,6 +304,8 @@ AI_file_alertparser_thread ( void* arg ) matches = NULL; } } + + lock_flag = false; } pthread_exit ((void*) 0 ); @@ -345,6 +351,7 @@ _AI_copy_alerts ( AI_snort_alert *node ) AI_snort_alert* AI_get_alerts () { + while ( lock_flag ); return _AI_copy_alerts ( alerts ); } /* ----- end of function AI_get_alerts ----- */ diff --git a/cluster.c b/cluster.c index fc7c2ea..491a024 100644 --- a/cluster.c +++ b/cluster.c @@ -45,6 +45,7 @@ typedef struct { PRIVATE hierarchy_node *h_root[CLUSTER_TYPES] = { NULL }; PRIVATE AI_config *_config = NULL; PRIVATE AI_snort_alert *alert_log = NULL; +PRIVATE BOOL lock_flag = false; /** @@ -373,11 +374,19 @@ _AI_cluster_thread ( void* arg ) /* Between an execution of the thread and the next one, sleep for alert_clustering_interval seconds */ sleep ( _config->alertClusteringInterval ); + /* Set the lock over the alert log until it's done with the clustering operation */ + lock_flag = true; + /* Free the current alert log and get the latest one */ - AI_free_alerts ( alert_log ); + if ( alert_log ) + { + AI_free_alerts ( alert_log ); + alert_log = NULL; + } if ( !( alert_log = get_alerts() )) { + lock_flag = false; continue; } @@ -481,6 +490,8 @@ _AI_cluster_thread ( void* arg ) /* break; */ } while ( old_alert_count != alert_count ); + lock_flag = false; + if ( !( cluster_fp = fopen ( _config->clusterfile, "w" )) ) { pthread_exit ((void*) 0 ); @@ -650,6 +661,7 @@ _AI_copy_clustered_alerts ( AI_snort_alert *node ) AI_snort_alert* AI_get_clustered_alerts () { + while ( lock_flag ); return _AI_copy_clustered_alerts ( alert_log ); } /* ----- end of function AI_get_clustered_alerts ----- */ diff --git a/correlation.c b/correlation.c index a7ee901..be3b037 100644 --- a/correlation.c +++ b/correlation.c @@ -34,9 +34,62 @@ /** Enumeration for the types of XML tags */ enum { inHyperAlert, inSnortIdTag, inPreTag, inPostTag, TAG_NUM }; -PRIVATE AI_hyperalert_info *hyperalerts = NULL; -PRIVATE AI_config *conf = NULL; -PRIVATE AI_snort_alert *alerts = NULL; +/** Struct representing the correlation between all the couples of alerts */ +typedef struct { + /** First alert */ + AI_snort_alert *a; + + /** Second alert */ + AI_snort_alert *b; + + /** Correlation coefficient */ + double correlation; + + /** Make the struct 'hashable' */ + UT_hash_handle hh; +} AI_alert_correlation; + +PRIVATE AI_hyperalert_info *hyperalerts = NULL; +PRIVATE AI_config *conf = NULL; +PRIVATE AI_snort_alert *alerts = NULL; +PRIVATE AI_alert_correlation *correlation_table = NULL; +PRIVATE BOOL lock_flag = false; + +/** + * \brief Compute the correlation coefficient between two alerts, as #INTERSECTION(pre(B), post(A) / #UNION(pre(B), post(A)) + * \param a Alert a + * \param b Alert b + * \return The correlation coefficient between A and B as coefficient in [0,1] + */ + +double +_AI_correlation_coefficient ( AI_snort_alert *a, AI_snort_alert *b ) +{ + unsigned int i, j, + n_intersection = 0, + n_union = 0; + + if ( !a->hyperalert || !b->hyperalert ) + return 0.0; + + if ( a->hyperalert->n_postconds == 0 || b->hyperalert->n_preconds == 0 ) + return 0.0; + + n_union = a->hyperalert->n_postconds + b->hyperalert->n_preconds; + + for ( i=0; i < a->hyperalert->n_postconds; i++ ) + { + for ( j=0; j < b->hyperalert->n_preconds; j++ ) + { + if ( !strcasecmp ( a->hyperalert->postconds[i], b->hyperalert->preconds[j] )) + { + n_intersection += 2; + } + } + } + + return (double) ((double) n_intersection / (double) n_union ); +} /* ----- end of function _AI_correlation_coefficient ----- */ /** * \brief Substitute the macros in hyperalert pre-conditions and post-conditions with their associated values @@ -300,9 +353,13 @@ AI_alert_correlation_thread ( void *arg ) int i; struct stat st; AI_hyperalert_key key; - AI_hyperalert_info *hyp = NULL; - AI_snort_alert *tmp = NULL; - FILE *fp; + AI_hyperalert_info *hyp = NULL; + AI_snort_alert *alert_iterator = NULL, + *alert_iterator2 = NULL; + + FILE *fp = fopen ( "/home/blacklight/LOG", "w" ); + fclose ( fp ); + conf = (AI_config*) arg; while ( 1 ) @@ -317,15 +374,27 @@ AI_alert_correlation_thread ( void *arg ) return ( void* ) 0; } - if ( !( alerts = AI_get_clustered_alerts() )) - continue; + /* Set the lock flag to true, and keep it this way until I've done with generating the new hyperalerts */ + lock_flag = true; - for ( tmp = alerts; tmp; tmp = tmp->next ) + if ( alerts ) + { + AI_free_alerts ( alerts ); + alerts = NULL; + } + + if ( !( alerts = AI_get_clustered_alerts() )) + { + lock_flag = false; + continue; + } + + for ( alert_iterator = alerts; alert_iterator; alert_iterator = alert_iterator->next ) { /* Check if my hash table of hyperalerts already contains info about this alert */ - key.gid = tmp->gid; - key.sid = tmp->sid; - key.rev = tmp->rev; + key.gid = alert_iterator->gid; + key.sid = alert_iterator->sid; + key.rev = alert_iterator->rev; HASH_FIND ( hh, hyperalerts, &key, sizeof ( AI_hyperalert_key ), hyp ); /* If not, try to read info from the XML file, if it exists */ @@ -340,34 +409,43 @@ AI_alert_correlation_thread ( void *arg ) } /* Fill the hyper alert info for the current alert */ - if ( !( tmp->hyperalert = ( AI_hyperalert_info* ) malloc ( sizeof ( AI_hyperalert_info )))) + if ( !( alert_iterator->hyperalert = ( AI_hyperalert_info* ) malloc ( sizeof ( AI_hyperalert_info )))) _dpd.fatalMsg ( "AIPreproc: Fatal memory allocation error at %s:%d\n", __FILE__, __LINE__ ); - tmp->hyperalert->key = hyp->key; - tmp->hyperalert->n_preconds = hyp->n_preconds; - tmp->hyperalert->n_postconds = hyp->n_postconds; + alert_iterator->hyperalert->key = hyp->key; + alert_iterator->hyperalert->n_preconds = hyp->n_preconds; + alert_iterator->hyperalert->n_postconds = hyp->n_postconds; - if ( !( tmp->hyperalert->preconds = ( char** ) malloc ( tmp->hyperalert->n_preconds * sizeof ( char* )))) + if ( !( alert_iterator->hyperalert->preconds = ( char** ) malloc ( alert_iterator->hyperalert->n_preconds * sizeof ( char* )))) _dpd.fatalMsg ( "AIPreproc: Fatal memory allocation error at %s:%d\n", __FILE__, __LINE__ ); - for ( i=0; i < tmp->hyperalert->n_preconds; i++ ) - tmp->hyperalert->preconds[i] = strdup ( hyp->preconds[i] ); + for ( i=0; i < alert_iterator->hyperalert->n_preconds; i++ ) + alert_iterator->hyperalert->preconds[i] = strdup ( hyp->preconds[i] ); - if ( !( tmp->hyperalert->postconds = ( char** ) malloc ( tmp->hyperalert->n_postconds * sizeof ( char* )))) + if ( !( alert_iterator->hyperalert->postconds = ( char** ) malloc ( alert_iterator->hyperalert->n_postconds * sizeof ( char* )))) _dpd.fatalMsg ( "AIPreproc: Fatal memory allocation error at %s:%d\n", __FILE__, __LINE__ ); - for ( i=0; i < tmp->hyperalert->n_postconds; i++ ) - tmp->hyperalert->postconds[i] = strdup ( hyp->postconds[i] ); + for ( i=0; i < alert_iterator->hyperalert->n_postconds; i++ ) + alert_iterator->hyperalert->postconds[i] = strdup ( hyp->postconds[i] ); - _AI_macro_subst ( &tmp ); - - fp = fopen ( "/home/blacklight/LOG", "a" ); - fprintf ( fp, "pre: %s\n", (tmp->hyperalert->n_preconds > 0) ? tmp->hyperalert->preconds[0] : "()" ); - fprintf ( fp, "post: %s\n", (tmp->hyperalert->n_postconds > 0) ? tmp->hyperalert->postconds[0] : "()" ); - fclose ( fp ); + _AI_macro_subst ( &alert_iterator ); } - AI_free_alerts ( alerts ); + for ( alert_iterator = alerts; alert_iterator; alert_iterator = alert_iterator->next ) + { + for ( alert_iterator2 = alerts; alert_iterator2; alert_iterator2 = alert_iterator2->next ) + { + if ( alert_iterator != alert_iterator2 ) + { + fp = fopen ( "/home/blacklight/LOG", "a" ); + fprintf ( fp, "alert1: (%s), alert2: (%s)\n", alert_iterator->desc, alert_iterator2->desc ); + fprintf ( fp, "correlation (alert1, alert2): %f\n\n", _AI_correlation_coefficient ( alert_iterator, alert_iterator2 )); + fclose ( fp ); + } + } + } + + lock_flag = false; } pthread_exit (( void* ) 0 ); diff --git a/db.c b/db.c index 0d26f46..1f84741 100644 --- a/db.c +++ b/db.c @@ -31,7 +31,8 @@ PRIVATE AI_config *config; -PRIVATE AI_snort_alert *alerts = NULL; +PRIVATE AI_snort_alert *alerts = NULL; +PRIVATE BOOL lock_flag = false; /** pthread mutex for accessing database data */ PRIVATE pthread_mutex_t db_mutex = PTHREAD_MUTEX_INITIALIZER; @@ -77,6 +78,10 @@ AI_db_alertparser_thread ( void *arg ) while ( 1 ) { sleep ( config->databaseParsingInterval ); + + /* Set the lock flag to true until it's done with alert parsing */ + lock_flag = true; + memset ( query, 0, sizeof ( query )); snprintf ( query, sizeof (query), "select cid, unix_timestamp(timestamp), signature from event where cid > %d " "and unix_timestamp(timestamp) > %ld order by cid", latest_cid, latest_time ); @@ -93,6 +98,7 @@ AI_db_alertparser_thread ( void *arg ) DB_close(); _dpd.fatalMsg ( "AIPreproc: Could not store the query result at %s:%d\n", __FILE__, __LINE__ ); } else if ( rows == 0 ) { + lock_flag = false; continue; } @@ -218,6 +224,7 @@ AI_db_alertparser_thread ( void *arg ) } } + lock_flag = false; DB_free_result ( res ); latest_time = time ( NULL ); } @@ -265,6 +272,7 @@ _AI_db_copy_alerts ( AI_snort_alert *node ) AI_snort_alert* AI_db_get_alerts () { + while ( lock_flag ); return _AI_db_copy_alerts ( alerts ); } /* ----- end of function AI_db_get_alerts ----- */ diff --git a/doc/html/alert__parser_8c.html b/doc/html/alert__parser_8c.html index 58efaf9..a14b5c1 100644 --- a/doc/html/alert__parser_8c.html +++ b/doc/html/alert__parser_8c.html @@ -75,6 +75,7 @@ Functions Variables PRIVATE AI_snort_alertalerts = NULL PRIVATE FILE * alert_fp = NULL +PRIVATE BOOL lock_flag = false

Variable Documentation

@@ -95,7 +96,20 @@ Variables
- + + +
PRIVATE AI_snort_alert* alerts = NULLPRIVATE AI_snort_alert* alerts = NULL
+
+
+ +
+ + +
+
+ + +
PRIVATE BOOL lock_flag = false
@@ -118,7 +132,7 @@ Variables
-
Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
diff --git a/doc/html/annotated.html b/doc/html/annotated.html index eca52da..07f1117 100644 --- a/doc/html/annotated.html +++ b/doc/html/annotated.html @@ -54,11 +54,12 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search'); Here are the data structures with brief descriptions: + + + - -
_AI_snort_alert
_hierarchy_node
AI_alert_correlation
AI_config
AI_hyperalert_info
AI_hyperalert_key
attribute_key
attribute_value
hyperalert
hyperalert_key
pkt_info
pkt_key
@@ -77,7 +78,7 @@ Here are the data structures with brief descriptions: -
Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
diff --git a/doc/html/classes.html b/doc/html/classes.html index e2d7076..e0f7525 100644 --- a/doc/html/classes.html +++ b/doc/html/classes.html @@ -51,13 +51,12 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');

Data Structure Index

-
A | H | P | _
+
A | P | _
  A  
-		attribute_value   hyperalert_key   pkt_key   _AI_snort_alert   
AI_config   
  H  
-
  P  
+		AI_hyperalert_info   attribute_value   pkt_key   _AI_snort_alert   
AI_alert_correlation   AI_hyperalert_key   
  P  
  _  
-		_hierarchy_node   
attribute_key   hyperalert   pkt_info   
A | H | P | _
+_hierarchy_node   AI_config   attribute_key   pkt_info   
A | P | _
-
Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
diff --git a/doc/html/cluster_8c.html b/doc/html/cluster_8c.html index 5ed51be..f7ab9a1 100644 --- a/doc/html/cluster_8c.html +++ b/doc/html/cluster_8c.html @@ -95,6 +95,7 @@ Variables PRIVATE hierarchy_nodeh_root [CLUSTER_TYPES] = { NULL } PRIVATE AI_config_config = NULL PRIVATE AI_snort_alertalert_log = NULL +PRIVATE BOOL lock_flag = false @@ -111,7 +112,7 @@ Variables -
Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
diff --git a/doc/html/correlation_8c.html b/doc/html/correlation_8c.html index fd41cff..1beff00 100644 --- a/doc/html/correlation_8c.html +++ b/doc/html/correlation_8c.html @@ -63,8 +63,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search'); - - + } - - + + + + + + - + + + +

Data Structures

struct  hyperalert_key
struct  hyperalert
struct  AI_alert_correlation

Enumerations

enum  {
@@ -78,14 +77,21 @@ Enumerations

Functions

PRIVATE hyperalert_AI_hyperalert_from_XML (hyperalert_key key)
 Parse info about a hyperalert from a correlation XML file, if it exists.
double _AI_correlation_coefficient (AI_snort_alert *a, AI_snort_alert *b)
 Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A) / UNION(pre(B), post(A)).
void _AI_macro_subst (AI_snort_alert **alert)
 Substitute the macros in hyperalert pre-conditions and post-conditions with their associated values.
PRIVATE AI_hyperalert_info_AI_hyperalert_from_XML (AI_hyperalert_key key)
 Parse info about a hyperalert from a correlation XML file, if it exists.
void * AI_alert_correlation_thread (void *arg)
 Thread for correlating clustered alerts.

Variables

PRIVATE hyperalerthyperalerts = NULL
PRIVATE AI_hyperalert_infohyperalerts = NULL
PRIVATE AI_configconf = NULL
PRIVATE AI_snort_alertalerts = NULL
PRIVATE AI_alert_correlationcorrelation_table = NULL
PRIVATE BOOL lock_flag = false
@@ -102,7 +108,7 @@ Variables -
Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
diff --git a/doc/html/db_8c.html b/doc/html/db_8c.html index 8b1a982..86340f0 100644 --- a/doc/html/db_8c.html +++ b/doc/html/db_8c.html @@ -68,7 +68,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search'); -
Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
diff --git a/doc/html/db_8h.html b/doc/html/db_8h.html index c84ac8f..e0815a0 100644 --- a/doc/html/db_8h.html +++ b/doc/html/db_8h.html @@ -69,7 +69,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search'); -
Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
diff --git a/doc/html/db_8h_source.html b/doc/html/db_8h_source.html index 892b2e8..98340db 100644 --- a/doc/html/db_8h_source.html +++ b/doc/html/db_8h_source.html @@ -111,7 +111,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search'); -
Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
diff --git a/doc/html/files.html b/doc/html/files.html index 5bb16da..50ac166 100644 --- a/doc/html/files.html +++ b/doc/html/files.html @@ -78,7 +78,7 @@ Here is a list of all files with brief descriptions: -
Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
diff --git a/doc/html/functions.html b/doc/html/functions.html index c59f3e7..ff8c17e 100644 --- a/doc/html/functions.html +++ b/doc/html/functions.html @@ -54,6 +54,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
-
Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
diff --git a/doc/html/functions_vars.html b/doc/html/functions_vars.html index 7201cf4..64809be 100644 --- a/doc/html/functions_vars.html +++ b/doc/html/functions_vars.html @@ -54,6 +54,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
-
Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
diff --git a/doc/html/globals.html b/doc/html/globals.html index b168fac..213f4ed 100644 --- a/doc/html/globals.html +++ b/doc/html/globals.html @@ -67,6 +67,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
  • g
  • h
  • i
    • +
  • l
  • m
  • n
  • p
    • @@ -92,6 +93,9 @@ Here is a list of all functions, variables, defines, enums, and typedefs with li
  • _AI_copy_clustered_alerts() : cluster.c
    • +
  • _AI_correlation_coefficient() +: correlation.c +
  • _AI_equal_alarms() : cluster.c
    • @@ -99,7 +103,10 @@ Here is a list of all functions, variables, defines, enums, and typedefs with li : cluster.c
  • _AI_hyperalert_from_XML() -: correlation.c +: correlation.c +
    • +
  • _AI_macro_subst() +: correlation.c
  • _AI_merge_alerts() : cluster.c @@ -179,8 +186,8 @@ Here is a list of all functions, variables, defines, enums, and typedefs with li , stream.c
  • AI_setup() -: spp_ai.c -, sf_preproc_info.h +: sf_preproc_info.h +, spp_ai.c
  • AI_snort_alert : spp_ai.h @@ -196,6 +203,7 @@ Here is a list of all functions, variables, defines, enums, and typedefs with li
  • alerts : alert_parser.c +, correlation.c
    • @@ -220,6 +228,9 @@ Here is a list of all functions, variables, defines, enums, and typedefs with li
  • conf : correlation.c
    • +
  • correlation_table +: correlation.c +
    • @@ -295,7 +306,7 @@ Here is a list of all functions, variables, defines, enums, and typedefs with li : spp_ai.h
  • hyperalerts -: correlation.c +: correlation.c
    • @@ -316,6 +327,15 @@ Here is a list of all functions, variables, defines, enums, and typedefs with li +

    - l -

    + +

    - m -

    @@ -396,7 +424,7 @@ Here is a list of all functions, variables, defines, enums, and typedefs with li -
    Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
    Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
    diff --git a/doc/html/globals_defs.html b/doc/html/globals_defs.html index ba1009d..43e9788 100644 --- a/doc/html/globals_defs.html +++ b/doc/html/globals_defs.html @@ -116,7 +116,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search'); -
    Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
    Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
    diff --git a/doc/html/globals_enum.html b/doc/html/globals_enum.html index a4b7539..1672b16 100644 --- a/doc/html/globals_enum.html +++ b/doc/html/globals_enum.html @@ -80,7 +80,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search'); -
    Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
    Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
    diff --git a/doc/html/globals_eval.html b/doc/html/globals_eval.html index d794090..a215cfc 100644 --- a/doc/html/globals_eval.html +++ b/doc/html/globals_eval.html @@ -113,7 +113,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search'); -
    Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
    Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
    diff --git a/doc/html/globals_func.html b/doc/html/globals_func.html index e8c7aa2..ca1f02f 100644 --- a/doc/html/globals_func.html +++ b/doc/html/globals_func.html @@ -60,6 +60,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
  • _
  • a
  • p
    • +
  • s
    • @@ -79,6 +80,9 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
  • _AI_copy_clustered_alerts() : cluster.c
    • +
  • _AI_correlation_coefficient() +: correlation.c +
  • _AI_equal_alarms() : cluster.c
    • @@ -86,7 +90,10 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search'); : cluster.c
  • _AI_hyperalert_from_XML() -: correlation.c +: correlation.c +
    • +
  • _AI_macro_subst() +: correlation.c
  • _AI_merge_alerts() : cluster.c @@ -172,6 +179,18 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search'); , spp_ai.h
    • + + +

    - s -

    -
    Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
    Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
    diff --git a/doc/html/globals_type.html b/doc/html/globals_type.html index fbde1b2..96c84e6 100644 --- a/doc/html/globals_type.html +++ b/doc/html/globals_type.html @@ -89,7 +89,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search'); -
    Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
    Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
    diff --git a/doc/html/globals_vars.html b/doc/html/globals_vars.html index 7c874c6..6ac306f 100644 --- a/doc/html/globals_vars.html +++ b/doc/html/globals_vars.html @@ -75,10 +75,14 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
  • alerts : alert_parser.c +, correlation.c
  • conf : correlation.c
    • +
  • correlation_table +: correlation.c +
  • ex_config : spp_ai.c
    • @@ -95,7 +99,12 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search'); : stream.c
  • hyperalerts -: correlation.c +: correlation.c +
    • +
  • lock_flag +: alert_parser.c +, correlation.c +, cluster.c
  • start_time : stream.c @@ -116,7 +125,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search'); -
    Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
    Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
    diff --git a/doc/html/group__alert__parser.html b/doc/html/group__alert__parser.html index b33d912..44c5005 100644 --- a/doc/html/group__alert__parser.html +++ b/doc/html/group__alert__parser.html @@ -174,7 +174,7 @@ Functions -
    Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
    Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
    diff --git a/doc/html/group__cluster.html b/doc/html/group__cluster.html index d34b153..bd73f60 100644 --- a/doc/html/group__cluster.html +++ b/doc/html/group__cluster.html @@ -84,6 +84,7 @@ Variables
    • +
    PRIVATE hierarchy_nodeh_root [CLUSTER_TYPES] = { NULL }
    PRIVATE AI_config_config = NULL
    PRIVATE AI_snort_alertalert_log = NULL
    PRIVATE BOOL lock_flag = false

    Function Documentation

    @@ -510,6 +511,19 @@ Variables
    +
    + + +
    +
    + + + + +
    PRIVATE BOOL lock_flag = false
    +
    +
    +
    @@ -527,7 +541,7 @@ Variables -
    Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
    Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
    diff --git a/doc/html/group__correlation.html b/doc/html/group__correlation.html index 659e11d..66b98bc 100644 --- a/doc/html/group__correlation.html +++ b/doc/html/group__correlation.html @@ -52,8 +52,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search'); - - + } - - + + + + + + - + + + +

    Data Structures

    struct  hyperalert_key
    struct  hyperalert
    struct  AI_alert_correlation

    Enumerations

    enum  {
    @@ -67,14 +66,21 @@ Enumerations

    Functions

    PRIVATE hyperalert_AI_hyperalert_from_XML (hyperalert_key key)
     Parse info about a hyperalert from a correlation XML file, if it exists.
    double _AI_correlation_coefficient (AI_snort_alert *a, AI_snort_alert *b)
     Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A) / UNION(pre(B), post(A)).
    void _AI_macro_subst (AI_snort_alert **alert)
     Substitute the macros in hyperalert pre-conditions and post-conditions with their associated values.
    PRIVATE AI_hyperalert_info_AI_hyperalert_from_XML (AI_hyperalert_key key)
     Parse info about a hyperalert from a correlation XML file, if it exists.
    void * AI_alert_correlation_thread (void *arg)
     Thread for correlating clustered alerts.

    Variables

    PRIVATE hyperalerthyperalerts = NULL
    PRIVATE AI_hyperalert_infohyperalerts = NULL
    PRIVATE AI_configconf = NULL
    PRIVATE AI_snort_alertalerts = NULL
    PRIVATE AI_alert_correlationcorrelation_table = NULL
    PRIVATE BOOL lock_flag = false

    Enumeration Type Documentation

    @@ -106,14 +112,51 @@ Variables

    Function Documentation

    - +
    - + - + + + + + + + + + + + + + + +
    PRIVATE hyperalert* _AI_hyperalert_from_XML double _AI_correlation_coefficient (hyperalert_key AI_snort_alert a,
    AI_snort_alert b 
    )
    +
    +
    + +

    Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A) / UNION(pre(B), post(A)).

    +
    Parameters:
    + + + +
    a Alert a
    b Alert b
    +
    +
    +
    Returns:
    The correlation coefficient between A and B as coefficient in [0,1]
    + +
    +
    + +
    +
    + + + + + @@ -123,7 +166,6 @@ Variables

    Parse info about a hyperalert from a correlation XML file, if it exists.

    -

    FUNCTION: _AI_hyperalert_from_XML

    Parameters:
    PRIVATE AI_hyperalert_info* _AI_hyperalert_from_XML (AI_hyperalert_key  key  ) 
    @@ -132,6 +174,32 @@ Variables
    Returns:
    A hyperalert structure containing the info about the current alert, if the XML file was found
    + + + +
    +
    +
    key Key (gid, sid, rev) identifying the alert
    + + + + + + + + +
    void _AI_macro_subst (AI_snort_alert **  alert ) 
    +
    +
    + +

    Substitute the macros in hyperalert pre-conditions and post-conditions with their associated values.

    +
    Parameters:
    + + +
    alert Reference to the hyperalert to work on
    +
    +
    +
    @@ -161,6 +229,19 @@ Variables

    Variable Documentation

    + +
    +
    + + + + +
    PRIVATE AI_snort_alert* alerts = NULL
    +
    +
    + +
    +
    @@ -174,12 +255,38 @@ Variables
    - +
    - + + +
    PRIVATE hyperalert* hyperalerts = NULLPRIVATE AI_alert_correlation* correlation_table = NULL
    +
    +
    + +
    +
    + +
    +
    + + + + +
    PRIVATE AI_hyperalert_info* hyperalerts = NULL
    +
    +
    + +
    +
    + +
    +
    + + +
    PRIVATE BOOL lock_flag = false
    @@ -202,7 +309,7 @@ Variables
    -
    Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
    Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
    diff --git a/doc/html/group__regex.html b/doc/html/group__regex.html index a3448e3..848c7dc 100644 --- a/doc/html/group__regex.html +++ b/doc/html/group__regex.html @@ -51,6 +51,10 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search'); Functions int preg_match (const char *expr, char *str, char ***matches, int *nmatches)  Check if a string matches a regular expression.
    +char * str_replace (char *str, char *orig, char *rep) + Replace the content of 'orig' in 'str' with 'rep'.
    +char * str_replace_all (char *str, char *orig, char *rep) + Replace all of the occurrences of 'orig' in 'str' with 'rep'.

    Function Documentation

    @@ -102,6 +106,94 @@ Functions
    Returns:
    -1 if the regex is wrong, 0 if no match was found, 1 otherwise
    + + + +
    +
    + + + + + + + + + + + + + + + + + + + + + + + + +
    char* str_replace (char *  str,
    char *  orig,
    char *  rep 
    )
    +
    +
    + +

    Replace the content of 'orig' in 'str' with 'rep'.

    +
    Parameters:
    + + + + +
    str String to work on
    orig String to be replaced
    rep Replacement for 'orig'
    +
    +
    +
    Returns:
    The string with the replacement
    + +
    +
    + +
    +
    + + + + + + + + + + + + + + + + + + + + + + + + +
    char* str_replace_all (char *  str,
    char *  orig,
    char *  rep 
    )
    +
    +
    + +

    Replace all of the occurrences of 'orig' in 'str' with 'rep'.

    +
    Parameters:
    + + + + +
    str String to work on
    orig String to be replaced
    rep Replacement for 'orig'
    +
    +
    +
    Returns:
    The string with the replacement
    +
    @@ -119,7 +211,7 @@ Functions -
    Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
    Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
    diff --git a/doc/html/group__spp__ai.html b/doc/html/group__spp__ai.html index e60c242..b142286 100644 --- a/doc/html/group__spp__ai.html +++ b/doc/html/group__spp__ai.html @@ -215,7 +215,7 @@ Variables -
    Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
    Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
    diff --git a/doc/html/group__stream.html b/doc/html/group__stream.html index 090b98c..79d0e3e 100644 --- a/doc/html/group__stream.html +++ b/doc/html/group__stream.html @@ -207,7 +207,7 @@ Functions -
    Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
    Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
    diff --git a/doc/html/index.html b/doc/html/index.html index 992bfb6..79433dd 100644 --- a/doc/html/index.html +++ b/doc/html/index.html @@ -59,7 +59,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search'); -
    Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
    Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
    diff --git a/doc/html/modules.html b/doc/html/modules.html index ccef6e7..7d8d85c 100644 --- a/doc/html/modules.html +++ b/doc/html/modules.html @@ -67,7 +67,7 @@ Here is a list of all modules:
      -
      Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
      Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
      diff --git a/doc/html/mysql_8c.html b/doc/html/mysql_8c.html index cdd91d0..9f25937 100644 --- a/doc/html/mysql_8c.html +++ b/doc/html/mysql_8c.html @@ -68,7 +68,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search'); -
      Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
      Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
      diff --git a/doc/html/regex_8c.html b/doc/html/regex_8c.html index f0597b3..8fe13d8 100644 --- a/doc/html/regex_8c.html +++ b/doc/html/regex_8c.html @@ -62,6 +62,10 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search'); Functions int preg_match (const char *expr, char *str, char ***matches, int *nmatches)  Check if a string matches a regular expression.
      +char * str_replace (char *str, char *orig, char *rep) + Replace the content of 'orig' in 'str' with 'rep'.
      +char * str_replace_all (char *str, char *orig, char *rep) + Replace all of the occurrences of 'orig' in 'str' with 'rep'.
      @@ -78,7 +82,7 @@ Functions -
      Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
      Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
      diff --git a/doc/html/search/all_5f.html b/doc/html/search/all_5f.html index 29dde13..86c8c86 100644 --- a/doc/html/search/all_5f.html +++ b/doc/html/search/all_5f.html @@ -31,79 +31,91 @@ cluster.c +
      +
      + _AI_correlation_coefficient + correlation.c +
      +
      - _AI_equal_alarms + _AI_equal_alarms cluster.c
      - _AI_get_min_hierarchy_node + _AI_get_min_hierarchy_node cluster.c
      - _AI_hyperalert_from_XML + _AI_hyperalert_from_XML + correlation.c +
      +
      +
      +
      + _AI_macro_subst correlation.c
      - _AI_merge_alerts + _AI_merge_alerts cluster.c
      - _AI_print_clustered_alerts + _AI_print_clustered_alerts cluster.c
      - _AI_snort_alert + _AI_snort_alert
      - _AI_stream_free + _AI_stream_free stream.c
      - _config + _config cluster.c
      - _dpd + _dpd spp_ai.h
      - _heuristic_func + _heuristic_func cluster.c
      - _hierarchy_node + _hierarchy_node
      - _hierarchy_node_append + _hierarchy_node_append cluster.c
      - _hierarchy_node_new + _hierarchy_node_new cluster.c
      diff --git a/doc/html/search/all_61.html b/doc/html/search/all_61.html index 32d716f..6118213 100644 --- a/doc/html/search/all_61.html +++ b/doc/html/search/all_61.html @@ -7,183 +7,207 @@
      Loading...
      +
      +
      + a + AI_alert_correlation +
      +
      + + +
      - AI_init + AI_init spp_ai.c
      - AI_parse + AI_parse spp_ai.c
      - AI_process + AI_process spp_ai.c
      - alert_fp + alert_fp alert_parser.c
      - alert_log + alert_log cluster.c
      - alertfile + alertfile AI_config
      Searching...
      diff --git a/doc/html/search/all_62.html b/doc/html/search/all_62.html index 478a18f..c2641d0 100644 --- a/doc/html/search/all_62.html +++ b/doc/html/search/all_62.html @@ -7,15 +7,21 @@
      Loading...
      +
      +
      + b + AI_alert_correlation +
      +
      - BOOL + BOOL spp_ai.h
      - BUILD_VERSION + BUILD_VERSION sf_preproc_info.h
      diff --git a/doc/html/search/all_63.html b/doc/html/search/all_63.html index 3ae8467..434e40d 100644 --- a/doc/html/search/all_63.html +++ b/doc/html/search/all_63.html @@ -54,20 +54,32 @@ AI_config
      +
      +
      + correlation + AI_alert_correlation +
      +
      +
      +
      + correlation_table + correlation.c
      - count + count attribute_value
      diff --git a/doc/html/search/all_67.html b/doc/html/search/all_67.html index 497ff27..1685a45 100644 --- a/doc/html/search/all_67.html +++ b/doc/html/search/all_67.html @@ -17,7 +17,7 @@
      gid
      - hyperalert_key::gid() + AI_hyperalert_key::gid() _AI_snort_alert::gid()
      diff --git a/doc/html/search/all_68.html b/doc/html/search/all_68.html index 9ce1ec4..2a604fb 100644 --- a/doc/html/search/all_68.html +++ b/doc/html/search/all_68.html @@ -42,8 +42,9 @@ hh
      attribute_value::hh() - hyperalert::hh() + AI_alert_correlation::hh() pkt_info::hh() + AI_hyperalert_info::hh()
      @@ -55,17 +56,13 @@
      - hyperalert -
      -
      -
      -
      - hyperalert_key + hyperalert + _AI_snort_alert
      - hyperalerts + hyperalerts correlation.c
      diff --git a/doc/html/search/all_6b.html b/doc/html/search/all_6b.html index 4f2b179..e263d30 100644 --- a/doc/html/search/all_6b.html +++ b/doc/html/search/all_6b.html @@ -12,8 +12,8 @@ key
      attribute_value::key() - hyperalert::key() - pkt_info::key() + pkt_info::key() + AI_hyperalert_info::key()
      diff --git a/doc/html/search/all_6c.html b/doc/html/search/all_6c.html index 1eab44a..982d2cc 100644 --- a/doc/html/search/all_6c.html +++ b/doc/html/search/all_6c.html @@ -13,6 +13,16 @@ _hierarchy_node +
      Searching...
      No Matches
      + + + diff --git a/doc/html/search/variables_63.html b/doc/html/search/variables_63.html index d12758e..1458d07 100644 --- a/doc/html/search/variables_63.html +++ b/doc/html/search/variables_63.html @@ -37,15 +37,27 @@ AI_config +
      +
      + correlation + AI_alert_correlation +
      +
      +
      +
      + correlation_table + correlation.c +
      +
      - count + count attribute_value
      diff --git a/doc/html/search/variables_67.html b/doc/html/search/variables_67.html index 497ff27..1685a45 100644 --- a/doc/html/search/variables_67.html +++ b/doc/html/search/variables_67.html @@ -17,7 +17,7 @@
      gid
      - hyperalert_key::gid() + AI_hyperalert_key::gid() _AI_snort_alert::gid()
      diff --git a/doc/html/search/variables_68.html b/doc/html/search/variables_68.html index ed05725..8d075cc 100644 --- a/doc/html/search/variables_68.html +++ b/doc/html/search/variables_68.html @@ -42,14 +42,21 @@ hh
      attribute_value::hh() - hyperalert::hh() + AI_alert_correlation::hh() pkt_info::hh() + AI_hyperalert_info::hh()
      +
      +
      + hyperalert + _AI_snort_alert +
      +
      - hyperalerts + hyperalerts correlation.c
      diff --git a/doc/html/search/variables_6b.html b/doc/html/search/variables_6b.html index 4f2b179..e263d30 100644 --- a/doc/html/search/variables_6b.html +++ b/doc/html/search/variables_6b.html @@ -12,8 +12,8 @@ key
      attribute_value::key() - hyperalert::key() - pkt_info::key() + pkt_info::key() + AI_hyperalert_info::key()
      diff --git a/doc/html/search/variables_6c.html b/doc/html/search/variables_6c.html index 1eab44a..982d2cc 100644 --- a/doc/html/search/variables_6c.html +++ b/doc/html/search/variables_6c.html @@ -13,6 +13,16 @@ _hierarchy_node +
      Searching...
      No Matches
      + + + + + + +
      +
      +Data Fields
      +
      +

      AI_alert_correlation Struct Reference
      + +[Module for the correlation of hyperalerts] +

      +
      +
      + + + + + + +

      +Data Fields

      AI_snort_alerta
      AI_snort_alertb
      double correlation
      UT_hash_handle hh
      +

      Detailed Description

      +

      Struct representing the correlation between all the couples of alerts

      +

      Field Documentation

      + +
      +
      + + + + +
      AI_snort_alert* AI_alert_correlation::a
      +
      +
      +

      First alert

      + +
      +
      + +
      +
      + + + + +
      AI_snort_alert* AI_alert_correlation::b
      +
      +
      +

      Second alert

      + +
      +
      + +
      +
      + + + + +
      double AI_alert_correlation::correlation
      +
      +
      +

      Correlation coefficient

      + +
      +
      + +
      +
      + + + + +
      UT_hash_handle AI_alert_correlation::hh
      +
      +
      +

      Make the struct 'hashable'

      + +
      +
      +
      The documentation for this struct was generated from the following file: +
      + + + + +
      + +
      + +
      Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  + +doxygen 1.7.1
      + + diff --git a/doc/html/structAI__config.html b/doc/html/structAI__config.html index f65da1c..b03cf4a 100644 --- a/doc/html/structAI__config.html +++ b/doc/html/structAI__config.html @@ -258,7 +258,7 @@ Data Fields -
      Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
      Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
      diff --git a/doc/html/structAI__hyperalert__info.html b/doc/html/structAI__hyperalert__info.html new file mode 100644 index 0000000..6eab09a --- /dev/null +++ b/doc/html/structAI__hyperalert__info.html @@ -0,0 +1,177 @@ + + + + +Snort AI preprocessor module: AI_hyperalert_info Struct Reference + + + + + + + + + +
      +
      +Data Fields
      +
      +

      AI_hyperalert_info Struct Reference

      +
      +
      + +

      #include <spp_ai.h>

      + + + + + + + + +

      +Data Fields

      AI_hyperalert_key key
      char ** preconds
      unsigned int n_preconds
      char ** postconds
      unsigned int n_postconds
      UT_hash_handle hh
      +

      Detailed Description

      +

      Hyperalert hash table

      +

      Field Documentation

      + +
      +
      + + + + +
      UT_hash_handle AI_hyperalert_info::hh
      +
      +
      +

      Make the struct 'hashable'

      + +
      +
      + +
      +
      + + + + +
      AI_hyperalert_key AI_hyperalert_info::key
      +
      +
      +

      Hyperalert key

      + +
      +
      + +
      +
      + + + + +
      unsigned int AI_hyperalert_info::n_postconds
      +
      +
      +

      Number of post-conditions

      + +
      +
      + +
      +
      + + + + +
      unsigned int AI_hyperalert_info::n_preconds
      +
      +
      +

      Number of pre-conditions

      + +
      +
      + +
      +
      + + + + +
      char** AI_hyperalert_info::postconds
      +
      +
      +

      Post-conditions, as array of strings

      + +
      +
      + +
      +
      + + + + +
      char** AI_hyperalert_info::preconds
      +
      +
      +

      Pre-conditions, as array of strings

      + +
      +
      +
      The documentation for this struct was generated from the following file: +
      + + + + +
      + +
      + +
      Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  + +doxygen 1.7.1
      + + diff --git a/doc/html/structAI__hyperalert__key.html b/doc/html/structAI__hyperalert__key.html new file mode 100644 index 0000000..71d4419 --- /dev/null +++ b/doc/html/structAI__hyperalert__key.html @@ -0,0 +1,129 @@ + + + + +Snort AI preprocessor module: AI_hyperalert_key Struct Reference + + + + + + + + + +
      +
      +Data Fields
      +
      +

      AI_hyperalert_key Struct Reference

      +
      +
      + +

      #include <spp_ai.h>

      + + + + + +

      +Data Fields

      unsigned int gid
      unsigned int sid
      unsigned int rev
      +

      Detailed Description

      +

      Key for the hyperalert hash table

      +

      Field Documentation

      + +
      +
      + + + + +
      unsigned int AI_hyperalert_key::gid
      +
      +
      + +
      +
      + +
      +
      + + + + +
      unsigned int AI_hyperalert_key::rev
      +
      +
      + +
      +
      + +
      +
      + + + + +
      unsigned int AI_hyperalert_key::sid
      +
      +
      + +
      +
      +
      The documentation for this struct was generated from the following file: +
      + + + + +
      + +
      + +
      Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  + +doxygen 1.7.1
      + + diff --git a/doc/html/struct__AI__snort__alert.html b/doc/html/struct__AI__snort__alert.html index 61a7836..3bf60a1 100644 --- a/doc/html/struct__AI__snort__alert.html +++ b/doc/html/struct__AI__snort__alert.html @@ -83,6 +83,7 @@ Data Fields struct _AI_snort_alertnext hierarchy_nodeh_node [CLUSTER_TYPES] unsigned int grouped_alarms_count +AI_hyperalert_infohyperalert

      Detailed Description

      Data type for Snort alerts

      @@ -136,6 +137,7 @@ Data Fields
      +

      If the clustering algorithm is used, we also count how many alerts this single alert groups

      @@ -149,6 +151,21 @@ Data Fields
      +

      Hierarchies for addresses and ports, if the clustering algorithm is used

      + +
      + + +
      +
      + + + + +
      AI_hyperalert_info* _AI_snort_alert::hyperalert
      +
      +
      +

      Hyperalert information, pre-conditions and post-conditions

      @@ -253,6 +270,7 @@ Data Fields
      +

      Pointer to the next alert in the log, if any

      @@ -305,6 +323,7 @@ Data Fields
      +

      Reference to the TCP stream associated to the alert, if any

      @@ -430,7 +449,7 @@ Data Fields -
      Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
      Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
      diff --git a/doc/html/struct__hierarchy__node.html b/doc/html/struct__hierarchy__node.html index 002b11a..4430635 100644 --- a/doc/html/struct__hierarchy__node.html +++ b/doc/html/struct__hierarchy__node.html @@ -66,6 +66,8 @@ Data Fields struct _hierarchy_nodeparent struct _hierarchy_node ** children +

      Detailed Description

      +

      Data type for hierarchies used for clustering

      Field Documentation

      @@ -176,7 +178,7 @@ Data Fields
      -
      Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
      Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
      diff --git a/doc/html/structattribute__key.html b/doc/html/structattribute__key.html index 9f94ce1..d319b89 100644 --- a/doc/html/structattribute__key.html +++ b/doc/html/structattribute__key.html @@ -109,7 +109,7 @@ Data Fields -
      Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
      Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
      diff --git a/doc/html/structattribute__value.html b/doc/html/structattribute__value.html index b08184a..fa515e2 100644 --- a/doc/html/structattribute__value.html +++ b/doc/html/structattribute__value.html @@ -137,7 +137,7 @@ Data Fields -
      Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
      Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
      diff --git a/doc/html/structpkt__info.html b/doc/html/structpkt__info.html index b7f2242..cd76f93 100644 --- a/doc/html/structpkt__info.html +++ b/doc/html/structpkt__info.html @@ -170,7 +170,7 @@ Data Fields -
      Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
      Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
      diff --git a/doc/html/structpkt__key.html b/doc/html/structpkt__key.html index f720282..3088d2d 100644 --- a/doc/html/structpkt__key.html +++ b/doc/html/structpkt__key.html @@ -108,7 +108,7 @@ Data Fields -
      Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by  +
      Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by  doxygen 1.7.1
      diff --git a/doc/latex/alert__parser_8c.tex b/doc/latex/alert__parser_8c.tex index 815de73..2c16e03 100644 --- a/doc/latex/alert__parser_8c.tex +++ b/doc/latex/alert__parser_8c.tex @@ -26,6 +26,8 @@ void \hyperlink{group__alert__parser_ga270e86669a0aa64a8da37bc16cda645b}{AI\_\-f PRIVATE \hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$ \hyperlink{alert__parser_8c_ae837fc04e61c0eb052f997c54b4fd9fe}{alerts} = NULL \item PRIVATE FILE $\ast$ \hyperlink{alert__parser_8c_abee2a33368912d9288c76b51160a9ed6}{alert\_\-fp} = NULL +\item +PRIVATE \hyperlink{spp__ai_8h_a3e5b8192e7d9ffaf3542f1210aec18dd}{BOOL} \hyperlink{alert__parser_8c_afebc81c042a632dc987e113b7f390274}{lock\_\-flag} = false \end{DoxyCompactItemize} @@ -40,3 +42,8 @@ PRIVATE FILE $\ast$ \hyperlink{alert__parser_8c_abee2a33368912d9288c76b51160a9ed \index{alerts@{alerts}!alert_parser.c@{alert\_\-parser.c}} \subsubsection[{alerts}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf AI\_\-snort\_\-alert}$\ast$ {\bf alerts} = NULL}} \label{alert__parser_8c_ae837fc04e61c0eb052f997c54b4fd9fe} +\hypertarget{alert__parser_8c_afebc81c042a632dc987e113b7f390274}{ +\index{alert\_\-parser.c@{alert\_\-parser.c}!lock\_\-flag@{lock\_\-flag}} +\index{lock\_\-flag@{lock\_\-flag}!alert_parser.c@{alert\_\-parser.c}} +\subsubsection[{lock\_\-flag}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf BOOL} {\bf lock\_\-flag} = false}} +\label{alert__parser_8c_afebc81c042a632dc987e113b7f390274} diff --git a/doc/latex/annotated.tex b/doc/latex/annotated.tex index 5be1de9..04e27ab 100644 --- a/doc/latex/annotated.tex +++ b/doc/latex/annotated.tex @@ -2,11 +2,12 @@ Here are the data structures with brief descriptions:\begin{DoxyCompactList} \item\contentsline{section}{\hyperlink{struct__AI__snort__alert}{\_\-AI\_\-snort\_\-alert} }{\pageref{struct__AI__snort__alert}}{} \item\contentsline{section}{\hyperlink{struct__hierarchy__node}{\_\-hierarchy\_\-node} }{\pageref{struct__hierarchy__node}}{} +\item\contentsline{section}{\hyperlink{structAI__alert__correlation}{AI\_\-alert\_\-correlation} }{\pageref{structAI__alert__correlation}}{} \item\contentsline{section}{\hyperlink{structAI__config}{AI\_\-config} }{\pageref{structAI__config}}{} +\item\contentsline{section}{\hyperlink{structAI__hyperalert__info}{AI\_\-hyperalert\_\-info} }{\pageref{structAI__hyperalert__info}}{} +\item\contentsline{section}{\hyperlink{structAI__hyperalert__key}{AI\_\-hyperalert\_\-key} }{\pageref{structAI__hyperalert__key}}{} \item\contentsline{section}{\hyperlink{structattribute__key}{attribute\_\-key} }{\pageref{structattribute__key}}{} \item\contentsline{section}{\hyperlink{structattribute__value}{attribute\_\-value} }{\pageref{structattribute__value}}{} -\item\contentsline{section}{\hyperlink{structhyperalert}{hyperalert} }{\pageref{structhyperalert}}{} -\item\contentsline{section}{\hyperlink{structhyperalert__key}{hyperalert\_\-key} }{\pageref{structhyperalert__key}}{} \item\contentsline{section}{\hyperlink{structpkt__info}{pkt\_\-info} }{\pageref{structpkt__info}}{} \item\contentsline{section}{\hyperlink{structpkt__key}{pkt\_\-key} }{\pageref{structpkt__key}}{} \end{DoxyCompactList} diff --git a/doc/latex/cluster_8c.tex b/doc/latex/cluster_8c.tex index ca9ff71..b9b2e7a 100644 --- a/doc/latex/cluster_8c.tex +++ b/doc/latex/cluster_8c.tex @@ -49,4 +49,6 @@ PRIVATE \hyperlink{struct__hierarchy__node}{hierarchy\_\-node} $\ast$ \hyperlink PRIVATE \hyperlink{structAI__config}{AI\_\-config} $\ast$ \hyperlink{group__cluster_ga91458e2d34595688e39fcb63ba418849}{\_\-config} = NULL \item PRIVATE \hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$ \hyperlink{group__cluster_gaaf4c19f60f48741b0890c6114dcff7d9}{alert\_\-log} = NULL +\item +PRIVATE \hyperlink{spp__ai_8h_a3e5b8192e7d9ffaf3542f1210aec18dd}{BOOL} \hyperlink{group__cluster_gafebc81c042a632dc987e113b7f390274}{lock\_\-flag} = false \end{DoxyCompactItemize} diff --git a/doc/latex/correlation_8c.tex b/doc/latex/correlation_8c.tex index 69e6c7c..8416742 100644 --- a/doc/latex/correlation_8c.tex +++ b/doc/latex/correlation_8c.tex @@ -10,9 +10,7 @@ \subsection*{Data Structures} \begin{DoxyCompactItemize} \item -struct \hyperlink{structhyperalert__key}{hyperalert\_\-key} -\item -struct \hyperlink{structhyperalert}{hyperalert} +struct \hyperlink{structAI__alert__correlation}{AI\_\-alert\_\-correlation} \end{DoxyCompactItemize} \subsection*{Enumerations} \begin{DoxyCompactItemize} @@ -29,14 +27,24 @@ enum \{ \par \subsection*{Functions} \begin{DoxyCompactItemize} \item -PRIVATE \hyperlink{structhyperalert}{hyperalert} $\ast$ \hyperlink{group__correlation_gacb46174cec5a2cce0a9bb1ca2b0f6850}{\_\-AI\_\-hyperalert\_\-from\_\-XML} (\hyperlink{structhyperalert__key}{hyperalert\_\-key} key) +double \hyperlink{group__correlation_ga130e82017fc0abcb76b1a7740ae2f4df}{\_\-AI\_\-correlation\_\-coefficient} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$a, \hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$b) +\begin{DoxyCompactList}\small\item\em Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A) / UNION(pre(B), post(A)). \item\end{DoxyCompactList}\item +void \hyperlink{group__correlation_ga0d094eae1d014d89a2de21263fa747da}{\_\-AI\_\-macro\_\-subst} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$$\ast$alert) +\begin{DoxyCompactList}\small\item\em Substitute the macros in hyperalert pre-\/conditions and post-\/conditions with their associated values. \item\end{DoxyCompactList}\item +PRIVATE \hyperlink{structAI__hyperalert__info}{AI\_\-hyperalert\_\-info} $\ast$ \hyperlink{group__correlation_ga929e5c17fdb247a998d83ed6a4ae5a65}{\_\-AI\_\-hyperalert\_\-from\_\-XML} (\hyperlink{structAI__hyperalert__key}{AI\_\-hyperalert\_\-key} key) \begin{DoxyCompactList}\small\item\em Parse info about a hyperalert from a correlation XML file, if it exists. \item\end{DoxyCompactList}\item void $\ast$ \hyperlink{group__correlation_ga939353a4e15de7a8f4145ab986f584be}{AI\_\-alert\_\-correlation\_\-thread} (void $\ast$arg) \begin{DoxyCompactList}\small\item\em Thread for correlating clustered alerts. \item\end{DoxyCompactList}\end{DoxyCompactItemize} \subsection*{Variables} \begin{DoxyCompactItemize} \item -PRIVATE \hyperlink{structhyperalert}{hyperalert} $\ast$ \hyperlink{group__correlation_ga343192ed5e938536f3dc150e51f8acf6}{hyperalerts} = NULL +PRIVATE \hyperlink{structAI__hyperalert__info}{AI\_\-hyperalert\_\-info} $\ast$ \hyperlink{group__correlation_gae56c79aa018caaeebeeb709a9e51c9c2}{hyperalerts} = NULL \item PRIVATE \hyperlink{structAI__config}{AI\_\-config} $\ast$ \hyperlink{group__correlation_gaad7a982b6016390e7cd1164bd7db8bca}{conf} = NULL +\item +PRIVATE \hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$ \hyperlink{group__correlation_gae837fc04e61c0eb052f997c54b4fd9fe}{alerts} = NULL +\item +PRIVATE \hyperlink{structAI__alert__correlation}{AI\_\-alert\_\-correlation} $\ast$ \hyperlink{group__correlation_ga701934a296c51f2397d24e8bf4a9f021}{correlation\_\-table} = NULL +\item +PRIVATE \hyperlink{spp__ai_8h_a3e5b8192e7d9ffaf3542f1210aec18dd}{BOOL} \hyperlink{group__correlation_gafebc81c042a632dc987e113b7f390274}{lock\_\-flag} = false \end{DoxyCompactItemize} diff --git a/doc/latex/doxygen.sty b/doc/latex/doxygen.sty index 5a29b8e..98a04a0 100644 --- a/doc/latex/doxygen.sty +++ b/doc/latex/doxygen.sty @@ -27,9 +27,9 @@ \fancyplain{}{\bfseries\thepage}% } \rfoot[\fancyplain{}{\bfseries\scriptsize% - Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by Doxygen }]{} + Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by Doxygen }]{} \lfoot[]{\fancyplain{}{\bfseries\scriptsize% - Generated on Fri Sep 10 2010 02:56:16 for Snort AI preprocessor module by Doxygen }} + Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by Doxygen }} \cfoot{} %---------- Internal commands used in this style file ---------------- diff --git a/doc/latex/group__cluster.tex b/doc/latex/group__cluster.tex index 10df95f..5a4917e 100644 --- a/doc/latex/group__cluster.tex +++ b/doc/latex/group__cluster.tex @@ -44,6 +44,8 @@ PRIVATE \hyperlink{struct__hierarchy__node}{hierarchy\_\-node} $\ast$ \hyperlink PRIVATE \hyperlink{structAI__config}{AI\_\-config} $\ast$ \hyperlink{group__cluster_ga91458e2d34595688e39fcb63ba418849}{\_\-config} = NULL \item PRIVATE \hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$ \hyperlink{group__cluster_gaaf4c19f60f48741b0890c6114dcff7d9}{alert\_\-log} = NULL +\item +PRIVATE \hyperlink{spp__ai_8h_a3e5b8192e7d9ffaf3542f1210aec18dd}{BOOL} \hyperlink{group__cluster_gafebc81c042a632dc987e113b7f390274}{lock\_\-flag} = false \end{DoxyCompactItemize} @@ -282,3 +284,8 @@ Build the clustering hierarchy trees. \index{h\_\-root@{h\_\-root}!cluster@{cluster}} \subsubsection[{h\_\-root}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf hierarchy\_\-node}$\ast$ {\bf h\_\-root}\mbox{[}CLUSTER\_\-TYPES\mbox{]} = \{ NULL \}}} \label{group__cluster_ga97d35425cf5a0207fb50b64ee8cdda82} +\hypertarget{group__cluster_gafebc81c042a632dc987e113b7f390274}{ +\index{cluster@{cluster}!lock\_\-flag@{lock\_\-flag}} +\index{lock\_\-flag@{lock\_\-flag}!cluster@{cluster}} +\subsubsection[{lock\_\-flag}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf BOOL} {\bf lock\_\-flag} = false}} +\label{group__cluster_gafebc81c042a632dc987e113b7f390274} diff --git a/doc/latex/group__correlation.tex b/doc/latex/group__correlation.tex index 26ca452..b490929 100644 --- a/doc/latex/group__correlation.tex +++ b/doc/latex/group__correlation.tex @@ -5,9 +5,7 @@ \subsection*{Data Structures} \begin{DoxyCompactItemize} \item -struct \hyperlink{structhyperalert__key}{hyperalert\_\-key} -\item -struct \hyperlink{structhyperalert}{hyperalert} +struct \hyperlink{structAI__alert__correlation}{AI\_\-alert\_\-correlation} \end{DoxyCompactItemize} \subsection*{Enumerations} \begin{DoxyCompactItemize} @@ -24,16 +22,26 @@ enum \{ \par \subsection*{Functions} \begin{DoxyCompactItemize} \item -PRIVATE \hyperlink{structhyperalert}{hyperalert} $\ast$ \hyperlink{group__correlation_gacb46174cec5a2cce0a9bb1ca2b0f6850}{\_\-AI\_\-hyperalert\_\-from\_\-XML} (\hyperlink{structhyperalert__key}{hyperalert\_\-key} key) +double \hyperlink{group__correlation_ga130e82017fc0abcb76b1a7740ae2f4df}{\_\-AI\_\-correlation\_\-coefficient} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$a, \hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$b) +\begin{DoxyCompactList}\small\item\em Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A) / UNION(pre(B), post(A)). \item\end{DoxyCompactList}\item +void \hyperlink{group__correlation_ga0d094eae1d014d89a2de21263fa747da}{\_\-AI\_\-macro\_\-subst} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$$\ast$alert) +\begin{DoxyCompactList}\small\item\em Substitute the macros in hyperalert pre-\/conditions and post-\/conditions with their associated values. \item\end{DoxyCompactList}\item +PRIVATE \hyperlink{structAI__hyperalert__info}{AI\_\-hyperalert\_\-info} $\ast$ \hyperlink{group__correlation_ga929e5c17fdb247a998d83ed6a4ae5a65}{\_\-AI\_\-hyperalert\_\-from\_\-XML} (\hyperlink{structAI__hyperalert__key}{AI\_\-hyperalert\_\-key} key) \begin{DoxyCompactList}\small\item\em Parse info about a hyperalert from a correlation XML file, if it exists. \item\end{DoxyCompactList}\item void $\ast$ \hyperlink{group__correlation_ga939353a4e15de7a8f4145ab986f584be}{AI\_\-alert\_\-correlation\_\-thread} (void $\ast$arg) \begin{DoxyCompactList}\small\item\em Thread for correlating clustered alerts. \item\end{DoxyCompactList}\end{DoxyCompactItemize} \subsection*{Variables} \begin{DoxyCompactItemize} \item -PRIVATE \hyperlink{structhyperalert}{hyperalert} $\ast$ \hyperlink{group__correlation_ga343192ed5e938536f3dc150e51f8acf6}{hyperalerts} = NULL +PRIVATE \hyperlink{structAI__hyperalert__info}{AI\_\-hyperalert\_\-info} $\ast$ \hyperlink{group__correlation_gae56c79aa018caaeebeeb709a9e51c9c2}{hyperalerts} = NULL \item PRIVATE \hyperlink{structAI__config}{AI\_\-config} $\ast$ \hyperlink{group__correlation_gaad7a982b6016390e7cd1164bd7db8bca}{conf} = NULL +\item +PRIVATE \hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$ \hyperlink{group__correlation_gae837fc04e61c0eb052f997c54b4fd9fe}{alerts} = NULL +\item +PRIVATE \hyperlink{structAI__alert__correlation}{AI\_\-alert\_\-correlation} $\ast$ \hyperlink{group__correlation_ga701934a296c51f2397d24e8bf4a9f021}{correlation\_\-table} = NULL +\item +PRIVATE \hyperlink{spp__ai_8h_a3e5b8192e7d9ffaf3542f1210aec18dd}{BOOL} \hyperlink{group__correlation_gafebc81c042a632dc987e113b7f390274}{lock\_\-flag} = false \end{DoxyCompactItemize} @@ -70,25 +78,61 @@ TAG\_\-NUM} \subsection{Function Documentation} -\hypertarget{group__correlation_gacb46174cec5a2cce0a9bb1ca2b0f6850}{ -\index{correlation@{correlation}!\_\-AI\_\-hyperalert\_\-from\_\-XML@{\_\-AI\_\-hyperalert\_\-from\_\-XML}} -\index{\_\-AI\_\-hyperalert\_\-from\_\-XML@{\_\-AI\_\-hyperalert\_\-from\_\-XML}!correlation@{correlation}} -\subsubsection[{\_\-AI\_\-hyperalert\_\-from\_\-XML}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf hyperalert}$\ast$ \_\-AI\_\-hyperalert\_\-from\_\-XML ( +\hypertarget{group__correlation_ga130e82017fc0abcb76b1a7740ae2f4df}{ +\index{correlation@{correlation}!\_\-AI\_\-correlation\_\-coefficient@{\_\-AI\_\-correlation\_\-coefficient}} +\index{\_\-AI\_\-correlation\_\-coefficient@{\_\-AI\_\-correlation\_\-coefficient}!correlation@{correlation}} +\subsubsection[{\_\-AI\_\-correlation\_\-coefficient}]{\setlength{\rightskip}{0pt plus 5cm}double \_\-AI\_\-correlation\_\-coefficient ( \begin{DoxyParamCaption} -\item[{{\bf hyperalert\_\-key}}]{ key} +\item[{{\bf AI\_\-snort\_\-alert} $\ast$}]{ a, } +\item[{{\bf AI\_\-snort\_\-alert} $\ast$}]{ b} \end{DoxyParamCaption} )}} -\label{group__correlation_gacb46174cec5a2cce0a9bb1ca2b0f6850} +\label{group__correlation_ga130e82017fc0abcb76b1a7740ae2f4df} + + +Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A) / UNION(pre(B), post(A)). + + +\begin{DoxyParams}{Parameters} +\item[{\em a}]Alert a \item[{\em b}]Alert b \end{DoxyParams} +\begin{DoxyReturn}{Returns} +The correlation coefficient between A and B as coefficient in \mbox{[}0,1\mbox{]} +\end{DoxyReturn} +\hypertarget{group__correlation_ga929e5c17fdb247a998d83ed6a4ae5a65}{ +\index{correlation@{correlation}!\_\-AI\_\-hyperalert\_\-from\_\-XML@{\_\-AI\_\-hyperalert\_\-from\_\-XML}} +\index{\_\-AI\_\-hyperalert\_\-from\_\-XML@{\_\-AI\_\-hyperalert\_\-from\_\-XML}!correlation@{correlation}} +\subsubsection[{\_\-AI\_\-hyperalert\_\-from\_\-XML}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf AI\_\-hyperalert\_\-info}$\ast$ \_\-AI\_\-hyperalert\_\-from\_\-XML ( +\begin{DoxyParamCaption} +\item[{{\bf AI\_\-hyperalert\_\-key}}]{ key} +\end{DoxyParamCaption} +)}} +\label{group__correlation_ga929e5c17fdb247a998d83ed6a4ae5a65} Parse info about a hyperalert from a correlation XML file, if it exists. -FUNCTION: \_\-AI\_\-hyperalert\_\-from\_\-XML + \begin{DoxyParams}{Parameters} \item[{\em key}]Key (gid, sid, rev) identifying the alert \end{DoxyParams} \begin{DoxyReturn}{Returns} A hyperalert structure containing the info about the current alert, if the XML file was found \end{DoxyReturn} +\hypertarget{group__correlation_ga0d094eae1d014d89a2de21263fa747da}{ +\index{correlation@{correlation}!\_\-AI\_\-macro\_\-subst@{\_\-AI\_\-macro\_\-subst}} +\index{\_\-AI\_\-macro\_\-subst@{\_\-AI\_\-macro\_\-subst}!correlation@{correlation}} +\subsubsection[{\_\-AI\_\-macro\_\-subst}]{\setlength{\rightskip}{0pt plus 5cm}void \_\-AI\_\-macro\_\-subst ( +\begin{DoxyParamCaption} +\item[{{\bf AI\_\-snort\_\-alert} $\ast$$\ast$}]{ alert} +\end{DoxyParamCaption} +)}} +\label{group__correlation_ga0d094eae1d014d89a2de21263fa747da} + + +Substitute the macros in hyperalert pre-\/conditions and post-\/conditions with their associated values. + + +\begin{DoxyParams}{Parameters} +\item[{\em alert}]Reference to the hyperalert to work on \end{DoxyParams} \hypertarget{group__correlation_ga939353a4e15de7a8f4145ab986f584be}{ \index{correlation@{correlation}!AI\_\-alert\_\-correlation\_\-thread@{AI\_\-alert\_\-correlation\_\-thread}} \index{AI\_\-alert\_\-correlation\_\-thread@{AI\_\-alert\_\-correlation\_\-thread}!correlation@{correlation}} @@ -108,13 +152,28 @@ Thread for correlating clustered alerts. \subsection{Variable Documentation} +\hypertarget{group__correlation_gae837fc04e61c0eb052f997c54b4fd9fe}{ +\index{correlation@{correlation}!alerts@{alerts}} +\index{alerts@{alerts}!correlation@{correlation}} +\subsubsection[{alerts}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf AI\_\-snort\_\-alert}$\ast$ {\bf alerts} = NULL}} +\label{group__correlation_gae837fc04e61c0eb052f997c54b4fd9fe} \hypertarget{group__correlation_gaad7a982b6016390e7cd1164bd7db8bca}{ \index{correlation@{correlation}!conf@{conf}} \index{conf@{conf}!correlation@{correlation}} \subsubsection[{conf}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf AI\_\-config}$\ast$ {\bf conf} = NULL}} \label{group__correlation_gaad7a982b6016390e7cd1164bd7db8bca} -\hypertarget{group__correlation_ga343192ed5e938536f3dc150e51f8acf6}{ +\hypertarget{group__correlation_ga701934a296c51f2397d24e8bf4a9f021}{ +\index{correlation@{correlation}!correlation\_\-table@{correlation\_\-table}} +\index{correlation\_\-table@{correlation\_\-table}!correlation@{correlation}} +\subsubsection[{correlation\_\-table}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf AI\_\-alert\_\-correlation}$\ast$ {\bf correlation\_\-table} = NULL}} +\label{group__correlation_ga701934a296c51f2397d24e8bf4a9f021} +\hypertarget{group__correlation_gae56c79aa018caaeebeeb709a9e51c9c2}{ \index{correlation@{correlation}!hyperalerts@{hyperalerts}} \index{hyperalerts@{hyperalerts}!correlation@{correlation}} -\subsubsection[{hyperalerts}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf hyperalert}$\ast$ {\bf hyperalerts} = NULL}} -\label{group__correlation_ga343192ed5e938536f3dc150e51f8acf6} +\subsubsection[{hyperalerts}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf AI\_\-hyperalert\_\-info}$\ast$ {\bf hyperalerts} = NULL}} +\label{group__correlation_gae56c79aa018caaeebeeb709a9e51c9c2} +\hypertarget{group__correlation_gafebc81c042a632dc987e113b7f390274}{ +\index{correlation@{correlation}!lock\_\-flag@{lock\_\-flag}} +\index{lock\_\-flag@{lock\_\-flag}!correlation@{correlation}} +\subsubsection[{lock\_\-flag}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf BOOL} {\bf lock\_\-flag} = false}} +\label{group__correlation_gafebc81c042a632dc987e113b7f390274} diff --git a/doc/latex/group__regex.tex b/doc/latex/group__regex.tex index 63f92f3..f6d53c8 100644 --- a/doc/latex/group__regex.tex +++ b/doc/latex/group__regex.tex @@ -6,7 +6,11 @@ \begin{DoxyCompactItemize} \item int \hyperlink{group__regex_ga35f57c052a7de1ded54b67a1f7819791}{preg\_\-match} (const char $\ast$expr, char $\ast$str, char $\ast$$\ast$$\ast$matches, int $\ast$nmatches) -\begin{DoxyCompactList}\small\item\em Check if a string matches a regular expression. \item\end{DoxyCompactList}\end{DoxyCompactItemize} +\begin{DoxyCompactList}\small\item\em Check if a string matches a regular expression. \item\end{DoxyCompactList}\item +char $\ast$ \hyperlink{group__regex_ga736ba1abdc4938cbb1bf5861e7dbfd50}{str\_\-replace} (char $\ast$str, char $\ast$orig, char $\ast$rep) +\begin{DoxyCompactList}\small\item\em Replace the content of 'orig' in 'str' with 'rep'. \item\end{DoxyCompactList}\item +char $\ast$ \hyperlink{group__regex_gaff6c55cd04fc08dd582e244590dc25a4}{str\_\-replace\_\-all} (char $\ast$str, char $\ast$orig, char $\ast$rep) +\begin{DoxyCompactList}\small\item\em Replace all of the occurrences of 'orig' in 'str' with 'rep'. \item\end{DoxyCompactList}\end{DoxyCompactItemize} \subsection{Function Documentation} @@ -32,3 +36,45 @@ Check if a string matches a regular expression. \begin{DoxyReturn}{Returns} -\/1 if the regex is wrong, 0 if no match was found, 1 otherwise \end{DoxyReturn} +\hypertarget{group__regex_ga736ba1abdc4938cbb1bf5861e7dbfd50}{ +\index{regex@{regex}!str\_\-replace@{str\_\-replace}} +\index{str\_\-replace@{str\_\-replace}!regex@{regex}} +\subsubsection[{str\_\-replace}]{\setlength{\rightskip}{0pt plus 5cm}char$\ast$ str\_\-replace ( +\begin{DoxyParamCaption} +\item[{char $\ast$}]{ str, } +\item[{char $\ast$}]{ orig, } +\item[{char $\ast$}]{ rep} +\end{DoxyParamCaption} +)}} +\label{group__regex_ga736ba1abdc4938cbb1bf5861e7dbfd50} + + +Replace the content of 'orig' in 'str' with 'rep'. + + +\begin{DoxyParams}{Parameters} +\item[{\em str}]String to work on \item[{\em orig}]String to be replaced \item[{\em rep}]Replacement for 'orig' \end{DoxyParams} +\begin{DoxyReturn}{Returns} +The string with the replacement +\end{DoxyReturn} +\hypertarget{group__regex_gaff6c55cd04fc08dd582e244590dc25a4}{ +\index{regex@{regex}!str\_\-replace\_\-all@{str\_\-replace\_\-all}} +\index{str\_\-replace\_\-all@{str\_\-replace\_\-all}!regex@{regex}} +\subsubsection[{str\_\-replace\_\-all}]{\setlength{\rightskip}{0pt plus 5cm}char$\ast$ str\_\-replace\_\-all ( +\begin{DoxyParamCaption} +\item[{char $\ast$}]{ str, } +\item[{char $\ast$}]{ orig, } +\item[{char $\ast$}]{ rep} +\end{DoxyParamCaption} +)}} +\label{group__regex_gaff6c55cd04fc08dd582e244590dc25a4} + + +Replace all of the occurrences of 'orig' in 'str' with 'rep'. + + +\begin{DoxyParams}{Parameters} +\item[{\em str}]String to work on \item[{\em orig}]String to be replaced \item[{\em rep}]Replacement for 'orig' \end{DoxyParams} +\begin{DoxyReturn}{Returns} +The string with the replacement +\end{DoxyReturn} diff --git a/doc/latex/refman.tex b/doc/latex/refman.tex index 34992b4..dbe8904 100644 --- a/doc/latex/refman.tex +++ b/doc/latex/refman.tex @@ -41,7 +41,7 @@ \vspace*{1cm} {\large Generated by Doxygen 1.7.1}\\ \vspace*{0.5cm} -{\small Fri Sep 10 2010 02:56:16}\\ +{\small Sat Sep 11 2010 12:45:18}\\ \end{center} \end{titlepage} \clearemptydoublepage @@ -66,11 +66,12 @@ \chapter{Data Structure Documentation} \input{struct__AI__snort__alert} \input{struct__hierarchy__node} +\input{structAI__alert__correlation} \input{structAI__config} +\input{structAI__hyperalert__info} +\input{structAI__hyperalert__key} \input{structattribute__key} \input{structattribute__value} -\input{structhyperalert} -\input{structhyperalert__key} \input{structpkt__info} \input{structpkt__key} \chapter{File Documentation} diff --git a/doc/latex/regex_8c.tex b/doc/latex/regex_8c.tex index a8cb7e6..30975bd 100644 --- a/doc/latex/regex_8c.tex +++ b/doc/latex/regex_8c.tex @@ -11,4 +11,8 @@ \begin{DoxyCompactItemize} \item int \hyperlink{group__regex_ga35f57c052a7de1ded54b67a1f7819791}{preg\_\-match} (const char $\ast$expr, char $\ast$str, char $\ast$$\ast$$\ast$matches, int $\ast$nmatches) -\begin{DoxyCompactList}\small\item\em Check if a string matches a regular expression. \item\end{DoxyCompactList}\end{DoxyCompactItemize} +\begin{DoxyCompactList}\small\item\em Check if a string matches a regular expression. \item\end{DoxyCompactList}\item +char $\ast$ \hyperlink{group__regex_ga736ba1abdc4938cbb1bf5861e7dbfd50}{str\_\-replace} (char $\ast$str, char $\ast$orig, char $\ast$rep) +\begin{DoxyCompactList}\small\item\em Replace the content of 'orig' in 'str' with 'rep'. \item\end{DoxyCompactList}\item +char $\ast$ \hyperlink{group__regex_gaff6c55cd04fc08dd582e244590dc25a4}{str\_\-replace\_\-all} (char $\ast$str, char $\ast$orig, char $\ast$rep) +\begin{DoxyCompactList}\small\item\em Replace all of the occurrences of 'orig' in 'str' with 'rep'. \item\end{DoxyCompactList}\end{DoxyCompactItemize} diff --git a/doc/latex/spp__ai_8h.tex b/doc/latex/spp__ai_8h.tex index 066a0b9..2fdf940 100644 --- a/doc/latex/spp__ai_8h.tex +++ b/doc/latex/spp__ai_8h.tex @@ -16,6 +16,10 @@ struct \hyperlink{structAI__config}{AI\_\-config} \item struct \hyperlink{struct__hierarchy__node}{\_\-hierarchy\_\-node} \item +struct \hyperlink{structAI__hyperalert__key}{AI\_\-hyperalert\_\-key} +\item +struct \hyperlink{structAI__hyperalert__info}{AI\_\-hyperalert\_\-info} +\item struct \hyperlink{struct__AI__snort__alert}{\_\-AI\_\-snort\_\-alert} \end{DoxyCompactItemize} \subsection*{Defines} @@ -74,6 +78,10 @@ enum \hyperlink{spp__ai_8h_ae2ff3c6586aa2ab211a102abfde86640}{cluster\_\-type} \ \item int \hyperlink{group__regex_ga35f57c052a7de1ded54b67a1f7819791}{preg\_\-match} (const char $\ast$, char $\ast$, char $\ast$$\ast$$\ast$, int $\ast$) \begin{DoxyCompactList}\small\item\em Check if a string matches a regular expression. \item\end{DoxyCompactList}\item +char $\ast$ \hyperlink{group__regex_ga736ba1abdc4938cbb1bf5861e7dbfd50}{str\_\-replace} (char $\ast$str, char $\ast$orig, char $\ast$rep) +\begin{DoxyCompactList}\small\item\em Replace the content of 'orig' in 'str' with 'rep'. \item\end{DoxyCompactList}\item +char $\ast$ \hyperlink{group__regex_gaff6c55cd04fc08dd582e244590dc25a4}{str\_\-replace\_\-all} (char $\ast$str, char $\ast$orig, char $\ast$rep) +\begin{DoxyCompactList}\small\item\em Replace all of the occurrences of 'orig' in 'str' with 'rep'. \item\end{DoxyCompactList}\item void $\ast$ \hyperlink{group__stream_ga24b1131374e5059564b8a12380c4eb75}{AI\_\-hashcleanup\_\-thread} (void $\ast$) \begin{DoxyCompactList}\small\item\em Thread called for cleaning up the hash table from the traffic streams older than a certain threshold. \item\end{DoxyCompactList}\item void $\ast$ \hyperlink{group__alert__parser_ga5aab8d9bdf0e92a51731442fd787f61f}{AI\_\-file\_\-alertparser\_\-thread} (void $\ast$) @@ -162,7 +170,7 @@ Data type for Snort alerts \hypertarget{spp__ai_8h_a466391129919ef12366d311d5015 \index{hierarchy\_\-node@{hierarchy\_\-node}!spp_ai.h@{spp\_\-ai.h}} \subsubsection[{hierarchy\_\-node}]{\setlength{\rightskip}{0pt plus 5cm}typedef struct {\bf \_\-hierarchy\_\-node} {\bf hierarchy\_\-node}}} \label{spp__ai_8h_a466391129919ef12366d311d501552fa} -\hypertarget{spp__ai_8h_a273cf69d639a59973b6019625df33e30}{ +Data type for hierarchies used for clustering \hypertarget{spp__ai_8h_a273cf69d639a59973b6019625df33e30}{ \index{spp\_\-ai.h@{spp\_\-ai.h}!uint16\_\-t@{uint16\_\-t}} \index{uint16\_\-t@{uint16\_\-t}!spp_ai.h@{spp\_\-ai.h}} \subsubsection[{uint16\_\-t}]{\setlength{\rightskip}{0pt plus 5cm}typedef unsigned short {\bf uint16\_\-t}}} diff --git a/doc/latex/structAI__alert__correlation.tex b/doc/latex/structAI__alert__correlation.tex new file mode 100644 index 0000000..a210236 --- /dev/null +++ b/doc/latex/structAI__alert__correlation.tex @@ -0,0 +1,46 @@ +\hypertarget{structAI__alert__correlation}{ +\section{AI\_\-alert\_\-correlation Struct Reference} +\label{structAI__alert__correlation}\index{AI\_\-alert\_\-correlation@{AI\_\-alert\_\-correlation}} +} +\subsection*{Data Fields} +\begin{DoxyCompactItemize} +\item +\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$ \hyperlink{structAI__alert__correlation_a8737f171e1c1b2305c8fe77101d6aeb7}{a} +\item +\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$ \hyperlink{structAI__alert__correlation_a478f1a6f18f9c083b203efdf776379cd}{b} +\item +double \hyperlink{structAI__alert__correlation_aad417b2126ae26d7576f006a3dbcdc81}{correlation} +\item +UT\_\-hash\_\-handle \hyperlink{structAI__alert__correlation_ad3020a87936a2193a92f09331401ad42}{hh} +\end{DoxyCompactItemize} + + +\subsection{Detailed Description} +Struct representing the correlation between all the couples of alerts + +\subsection{Field Documentation} +\hypertarget{structAI__alert__correlation_a8737f171e1c1b2305c8fe77101d6aeb7}{ +\index{AI\_\-alert\_\-correlation@{AI\_\-alert\_\-correlation}!a@{a}} +\index{a@{a}!AI_alert_correlation@{AI\_\-alert\_\-correlation}} +\subsubsection[{a}]{\setlength{\rightskip}{0pt plus 5cm}{\bf AI\_\-snort\_\-alert}$\ast$ {\bf AI\_\-alert\_\-correlation::a}}} +\label{structAI__alert__correlation_a8737f171e1c1b2305c8fe77101d6aeb7} +First alert \hypertarget{structAI__alert__correlation_a478f1a6f18f9c083b203efdf776379cd}{ +\index{AI\_\-alert\_\-correlation@{AI\_\-alert\_\-correlation}!b@{b}} +\index{b@{b}!AI_alert_correlation@{AI\_\-alert\_\-correlation}} +\subsubsection[{b}]{\setlength{\rightskip}{0pt plus 5cm}{\bf AI\_\-snort\_\-alert}$\ast$ {\bf AI\_\-alert\_\-correlation::b}}} +\label{structAI__alert__correlation_a478f1a6f18f9c083b203efdf776379cd} +Second alert \hypertarget{structAI__alert__correlation_aad417b2126ae26d7576f006a3dbcdc81}{ +\index{AI\_\-alert\_\-correlation@{AI\_\-alert\_\-correlation}!correlation@{correlation}} +\index{correlation@{correlation}!AI_alert_correlation@{AI\_\-alert\_\-correlation}} +\subsubsection[{correlation}]{\setlength{\rightskip}{0pt plus 5cm}double {\bf AI\_\-alert\_\-correlation::correlation}}} +\label{structAI__alert__correlation_aad417b2126ae26d7576f006a3dbcdc81} +Correlation coefficient \hypertarget{structAI__alert__correlation_ad3020a87936a2193a92f09331401ad42}{ +\index{AI\_\-alert\_\-correlation@{AI\_\-alert\_\-correlation}!hh@{hh}} +\index{hh@{hh}!AI_alert_correlation@{AI\_\-alert\_\-correlation}} +\subsubsection[{hh}]{\setlength{\rightskip}{0pt plus 5cm}UT\_\-hash\_\-handle {\bf AI\_\-alert\_\-correlation::hh}}} +\label{structAI__alert__correlation_ad3020a87936a2193a92f09331401ad42} +Make the struct 'hashable' + +The documentation for this struct was generated from the following file:\begin{DoxyCompactItemize} +\item +\hyperlink{correlation_8c}{correlation.c}\end{DoxyCompactItemize} diff --git a/doc/latex/structAI__hyperalert__info.tex b/doc/latex/structAI__hyperalert__info.tex new file mode 100644 index 0000000..121d004 --- /dev/null +++ b/doc/latex/structAI__hyperalert__info.tex @@ -0,0 +1,64 @@ +\hypertarget{structAI__hyperalert__info}{ +\section{AI\_\-hyperalert\_\-info Struct Reference} +\label{structAI__hyperalert__info}\index{AI\_\-hyperalert\_\-info@{AI\_\-hyperalert\_\-info}} +} + + +{\ttfamily \#include $<$spp\_\-ai.h$>$} + +\subsection*{Data Fields} +\begin{DoxyCompactItemize} +\item +\hyperlink{structAI__hyperalert__key}{AI\_\-hyperalert\_\-key} \hyperlink{structAI__hyperalert__info_a9d461da8f00415ef03b24edb3bbd6cf8}{key} +\item +char $\ast$$\ast$ \hyperlink{structAI__hyperalert__info_a8ac4e028c47a98a8be5afd4363164031}{preconds} +\item +unsigned int \hyperlink{structAI__hyperalert__info_a616c16f364dbb2d726e88df6b364ea40}{n\_\-preconds} +\item +char $\ast$$\ast$ \hyperlink{structAI__hyperalert__info_a6a63385397bf814153d7bb20b52840d9}{postconds} +\item +unsigned int \hyperlink{structAI__hyperalert__info_a73322b6cad3e883abed03b62c6c21719}{n\_\-postconds} +\item +UT\_\-hash\_\-handle \hyperlink{structAI__hyperalert__info_a6915bec67d383f374e758b44f50b48ff}{hh} +\end{DoxyCompactItemize} + + +\subsection{Detailed Description} +Hyperalert hash table + +\subsection{Field Documentation} +\hypertarget{structAI__hyperalert__info_a6915bec67d383f374e758b44f50b48ff}{ +\index{AI\_\-hyperalert\_\-info@{AI\_\-hyperalert\_\-info}!hh@{hh}} +\index{hh@{hh}!AI_hyperalert_info@{AI\_\-hyperalert\_\-info}} +\subsubsection[{hh}]{\setlength{\rightskip}{0pt plus 5cm}UT\_\-hash\_\-handle {\bf AI\_\-hyperalert\_\-info::hh}}} +\label{structAI__hyperalert__info_a6915bec67d383f374e758b44f50b48ff} +Make the struct 'hashable' \hypertarget{structAI__hyperalert__info_a9d461da8f00415ef03b24edb3bbd6cf8}{ +\index{AI\_\-hyperalert\_\-info@{AI\_\-hyperalert\_\-info}!key@{key}} +\index{key@{key}!AI_hyperalert_info@{AI\_\-hyperalert\_\-info}} +\subsubsection[{key}]{\setlength{\rightskip}{0pt plus 5cm}{\bf AI\_\-hyperalert\_\-key} {\bf AI\_\-hyperalert\_\-info::key}}} +\label{structAI__hyperalert__info_a9d461da8f00415ef03b24edb3bbd6cf8} +Hyperalert key \hypertarget{structAI__hyperalert__info_a73322b6cad3e883abed03b62c6c21719}{ +\index{AI\_\-hyperalert\_\-info@{AI\_\-hyperalert\_\-info}!n\_\-postconds@{n\_\-postconds}} +\index{n\_\-postconds@{n\_\-postconds}!AI_hyperalert_info@{AI\_\-hyperalert\_\-info}} +\subsubsection[{n\_\-postconds}]{\setlength{\rightskip}{0pt plus 5cm}unsigned int {\bf AI\_\-hyperalert\_\-info::n\_\-postconds}}} +\label{structAI__hyperalert__info_a73322b6cad3e883abed03b62c6c21719} +Number of post-\/conditions \hypertarget{structAI__hyperalert__info_a616c16f364dbb2d726e88df6b364ea40}{ +\index{AI\_\-hyperalert\_\-info@{AI\_\-hyperalert\_\-info}!n\_\-preconds@{n\_\-preconds}} +\index{n\_\-preconds@{n\_\-preconds}!AI_hyperalert_info@{AI\_\-hyperalert\_\-info}} +\subsubsection[{n\_\-preconds}]{\setlength{\rightskip}{0pt plus 5cm}unsigned int {\bf AI\_\-hyperalert\_\-info::n\_\-preconds}}} +\label{structAI__hyperalert__info_a616c16f364dbb2d726e88df6b364ea40} +Number of pre-\/conditions \hypertarget{structAI__hyperalert__info_a6a63385397bf814153d7bb20b52840d9}{ +\index{AI\_\-hyperalert\_\-info@{AI\_\-hyperalert\_\-info}!postconds@{postconds}} +\index{postconds@{postconds}!AI_hyperalert_info@{AI\_\-hyperalert\_\-info}} +\subsubsection[{postconds}]{\setlength{\rightskip}{0pt plus 5cm}char$\ast$$\ast$ {\bf AI\_\-hyperalert\_\-info::postconds}}} +\label{structAI__hyperalert__info_a6a63385397bf814153d7bb20b52840d9} +Post-\/conditions, as array of strings \hypertarget{structAI__hyperalert__info_a8ac4e028c47a98a8be5afd4363164031}{ +\index{AI\_\-hyperalert\_\-info@{AI\_\-hyperalert\_\-info}!preconds@{preconds}} +\index{preconds@{preconds}!AI_hyperalert_info@{AI\_\-hyperalert\_\-info}} +\subsubsection[{preconds}]{\setlength{\rightskip}{0pt plus 5cm}char$\ast$$\ast$ {\bf AI\_\-hyperalert\_\-info::preconds}}} +\label{structAI__hyperalert__info_a8ac4e028c47a98a8be5afd4363164031} +Pre-\/conditions, as array of strings + +The documentation for this struct was generated from the following file:\begin{DoxyCompactItemize} +\item +\hyperlink{spp__ai_8h}{spp\_\-ai.h}\end{DoxyCompactItemize} diff --git a/doc/latex/structAI__hyperalert__key.tex b/doc/latex/structAI__hyperalert__key.tex new file mode 100644 index 0000000..3f4348c --- /dev/null +++ b/doc/latex/structAI__hyperalert__key.tex @@ -0,0 +1,43 @@ +\hypertarget{structAI__hyperalert__key}{ +\section{AI\_\-hyperalert\_\-key Struct Reference} +\label{structAI__hyperalert__key}\index{AI\_\-hyperalert\_\-key@{AI\_\-hyperalert\_\-key}} +} + + +{\ttfamily \#include $<$spp\_\-ai.h$>$} + +\subsection*{Data Fields} +\begin{DoxyCompactItemize} +\item +unsigned int \hyperlink{structAI__hyperalert__key_a711afeb45b534480e85bf9abe569a602}{gid} +\item +unsigned int \hyperlink{structAI__hyperalert__key_a854676c9125ae0aeaeaef2b201ce542f}{sid} +\item +unsigned int \hyperlink{structAI__hyperalert__key_a3aa6fed74469f1f2c08573c5d7298670}{rev} +\end{DoxyCompactItemize} + + +\subsection{Detailed Description} +Key for the hyperalert hash table + +\subsection{Field Documentation} +\hypertarget{structAI__hyperalert__key_a711afeb45b534480e85bf9abe569a602}{ +\index{AI\_\-hyperalert\_\-key@{AI\_\-hyperalert\_\-key}!gid@{gid}} +\index{gid@{gid}!AI_hyperalert_key@{AI\_\-hyperalert\_\-key}} +\subsubsection[{gid}]{\setlength{\rightskip}{0pt plus 5cm}unsigned int {\bf AI\_\-hyperalert\_\-key::gid}}} +\label{structAI__hyperalert__key_a711afeb45b534480e85bf9abe569a602} +\hypertarget{structAI__hyperalert__key_a3aa6fed74469f1f2c08573c5d7298670}{ +\index{AI\_\-hyperalert\_\-key@{AI\_\-hyperalert\_\-key}!rev@{rev}} +\index{rev@{rev}!AI_hyperalert_key@{AI\_\-hyperalert\_\-key}} +\subsubsection[{rev}]{\setlength{\rightskip}{0pt plus 5cm}unsigned int {\bf AI\_\-hyperalert\_\-key::rev}}} +\label{structAI__hyperalert__key_a3aa6fed74469f1f2c08573c5d7298670} +\hypertarget{structAI__hyperalert__key_a854676c9125ae0aeaeaef2b201ce542f}{ +\index{AI\_\-hyperalert\_\-key@{AI\_\-hyperalert\_\-key}!sid@{sid}} +\index{sid@{sid}!AI_hyperalert_key@{AI\_\-hyperalert\_\-key}} +\subsubsection[{sid}]{\setlength{\rightskip}{0pt plus 5cm}unsigned int {\bf AI\_\-hyperalert\_\-key::sid}}} +\label{structAI__hyperalert__key_a854676c9125ae0aeaeaef2b201ce542f} + + +The documentation for this struct was generated from the following file:\begin{DoxyCompactItemize} +\item +\hyperlink{spp__ai_8h}{spp\_\-ai.h}\end{DoxyCompactItemize} diff --git a/doc/latex/struct__AI__snort__alert.tex b/doc/latex/struct__AI__snort__alert.tex index 9fe6691..1f775d3 100644 --- a/doc/latex/struct__AI__snort__alert.tex +++ b/doc/latex/struct__AI__snort__alert.tex @@ -58,6 +58,8 @@ struct \hyperlink{struct__AI__snort__alert}{\_\-AI\_\-snort\_\-alert} $\ast$ \hy \hyperlink{struct__hierarchy__node}{hierarchy\_\-node} $\ast$ \hyperlink{struct__AI__snort__alert_ac53765584296ead1328eabfaba8a3aed}{h\_\-node} \mbox{[}CLUSTER\_\-TYPES\mbox{]} \item unsigned int \hyperlink{struct__AI__snort__alert_a285aff12d6bac03c316ccc5305d28e53}{grouped\_\-alarms\_\-count} +\item +\hyperlink{structAI__hyperalert__info}{AI\_\-hyperalert\_\-info} $\ast$ \hyperlink{struct__AI__snort__alert_ac101de15b4f9451f235b82122f77b62a}{hyperalert} \end{DoxyCompactItemize} @@ -85,12 +87,17 @@ Data type for Snort alerts \index{grouped\_\-alarms\_\-count@{grouped\_\-alarms\_\-count}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}} \subsubsection[{grouped\_\-alarms\_\-count}]{\setlength{\rightskip}{0pt plus 5cm}unsigned int {\bf \_\-AI\_\-snort\_\-alert::grouped\_\-alarms\_\-count}}} \label{struct__AI__snort__alert_a285aff12d6bac03c316ccc5305d28e53} -\hypertarget{struct__AI__snort__alert_ac53765584296ead1328eabfaba8a3aed}{ +If the clustering algorithm is used, we also count how many alerts this single alert groups \hypertarget{struct__AI__snort__alert_ac53765584296ead1328eabfaba8a3aed}{ \index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!h\_\-node@{h\_\-node}} \index{h\_\-node@{h\_\-node}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}} \subsubsection[{h\_\-node}]{\setlength{\rightskip}{0pt plus 5cm}{\bf hierarchy\_\-node}$\ast$ {\bf \_\-AI\_\-snort\_\-alert::h\_\-node}\mbox{[}CLUSTER\_\-TYPES\mbox{]}}} \label{struct__AI__snort__alert_ac53765584296ead1328eabfaba8a3aed} -\hypertarget{struct__AI__snort__alert_a754ca683593c838e4032fa8c13b1512b}{ +Hierarchies for addresses and ports, if the clustering algorithm is used \hypertarget{struct__AI__snort__alert_ac101de15b4f9451f235b82122f77b62a}{ +\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!hyperalert@{hyperalert}} +\index{hyperalert@{hyperalert}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}} +\subsubsection[{hyperalert}]{\setlength{\rightskip}{0pt plus 5cm}{\bf AI\_\-hyperalert\_\-info}$\ast$ {\bf \_\-AI\_\-snort\_\-alert::hyperalert}}} +\label{struct__AI__snort__alert_ac101de15b4f9451f235b82122f77b62a} +Hyperalert information, pre-\/conditions and post-\/conditions \hypertarget{struct__AI__snort__alert_a754ca683593c838e4032fa8c13b1512b}{ \index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!ip\_\-dst\_\-addr@{ip\_\-dst\_\-addr}} \index{ip\_\-dst\_\-addr@{ip\_\-dst\_\-addr}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}} \subsubsection[{ip\_\-dst\_\-addr}]{\setlength{\rightskip}{0pt plus 5cm}{\bf uint32\_\-t} {\bf \_\-AI\_\-snort\_\-alert::ip\_\-dst\_\-addr}}} @@ -130,7 +137,7 @@ Data type for Snort alerts \index{next@{next}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}} \subsubsection[{next}]{\setlength{\rightskip}{0pt plus 5cm}struct {\bf \_\-AI\_\-snort\_\-alert}$\ast$ {\bf \_\-AI\_\-snort\_\-alert::next}}} \label{struct__AI__snort__alert_aa8336d4b3359015ed8ea312ca1fd1173} -\hypertarget{struct__AI__snort__alert_a25661fa4e212c5e30af5e6a892985ec9}{ +Pointer to the next alert in the log, if any \hypertarget{struct__AI__snort__alert_a25661fa4e212c5e30af5e6a892985ec9}{ \index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!priority@{priority}} \index{priority@{priority}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}} \subsubsection[{priority}]{\setlength{\rightskip}{0pt plus 5cm}unsigned short {\bf \_\-AI\_\-snort\_\-alert::priority}}} @@ -150,7 +157,7 @@ Data type for Snort alerts \index{stream@{stream}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}} \subsubsection[{stream}]{\setlength{\rightskip}{0pt plus 5cm}struct {\bf pkt\_\-info}$\ast$ {\bf \_\-AI\_\-snort\_\-alert::stream}}} \label{struct__AI__snort__alert_a09dfe0a841fd3912ec78060d4547cb31} -\hypertarget{struct__AI__snort__alert_a8aac577224a4325ec50511c6d79b4b79}{ +Reference to the TCP stream associated to the alert, if any \hypertarget{struct__AI__snort__alert_a8aac577224a4325ec50511c6d79b4b79}{ \index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!tcp\_\-ack@{tcp\_\-ack}} \index{tcp\_\-ack@{tcp\_\-ack}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}} \subsubsection[{tcp\_\-ack}]{\setlength{\rightskip}{0pt plus 5cm}{\bf uint32\_\-t} {\bf \_\-AI\_\-snort\_\-alert::tcp\_\-ack}}} diff --git a/doc/latex/struct__hierarchy__node.tex b/doc/latex/struct__hierarchy__node.tex index d49d5b3..501833b 100644 --- a/doc/latex/struct__hierarchy__node.tex +++ b/doc/latex/struct__hierarchy__node.tex @@ -25,6 +25,9 @@ struct \hyperlink{struct__hierarchy__node}{\_\-hierarchy\_\-node} $\ast$$\ast$ \ \end{DoxyCompactItemize} +\subsection{Detailed Description} +Data type for hierarchies used for clustering + \subsection{Field Documentation} \hypertarget{struct__hierarchy__node_afc23d4fe6426873164cdaab2f3d4f0cd}{ \index{\_\-hierarchy\_\-node@{\_\-hierarchy\_\-node}!children@{children}}