From a1d157487cc5584cde2467722b83662e50d3327f Mon Sep 17 00:00:00 2001
From: BlackLight <blacklight@autistici.org>
Date: Mon, 16 Aug 2010 22:09:34 +0200
Subject: [PATCH] 16 ago 2010 commit

---
 ChangeLog                                  |   6 +
 TODO                                       |   4 +
 alert_parser.c                             |  54 ++-
 cluster.c                                  | 469 +++++++++++++++----
 doc/html/alert__parser_8c.html             | 229 +++++++++
 doc/html/annotated.html                    |   8 +-
 doc/html/classes.html                      |  11 +-
 doc/html/cluster_8c.html                   | 509 +++++++++++++++++++++
 doc/html/files.html                        |   5 +-
 doc/html/functions.html                    | 213 ++++++++-
 doc/html/functions_vars.html               | 213 ++++++++-
 doc/html/globals.html                      | 163 +++++--
 doc/html/globals_defs.html                 |  29 +-
 doc/html/globals_enum.html                 |   5 +-
 doc/html/globals_eval.html                 |  20 +-
 doc/html/globals_func.html                 | 105 ++++-
 doc/html/globals_type.html                 |  12 +-
 doc/html/globals_vars.html                 |  26 +-
 doc/html/group__sfPolicyConfig.html        |   2 +-
 doc/html/index.html                        |   2 +-
 doc/html/modules.html                      |   2 +-
 doc/html/regex_8c.html                     | 137 ++++++
 doc/html/search/all_5f.html                |  83 +++-
 doc/html/search/all_61.html                | 138 +++++-
 doc/html/search/all_63.html                |  61 +++
 doc/html/search/all_64.html                |  69 ++-
 doc/html/search/all_67.html                |  12 +-
 doc/html/search/all_68.html                |  31 +-
 doc/html/search/all_69.html                |  20 +-
 doc/html/search/all_6b.html                |   7 +-
 doc/html/search/all_6c.html                |   8 +-
 doc/html/search/all_6d.html                |  26 +-
 doc/html/search/all_6e.html                |  19 +-
 doc/html/search/all_6f.html                |  26 ++
 doc/html/search/all_70.html                |  37 +-
 doc/html/search/all_72.html                |  13 +-
 doc/html/search/all_73.html                |  70 ++-
 doc/html/search/all_74.html                |  42 +-
 doc/html/search/all_75.html                |   6 +
 doc/html/search/all_77.html                |  26 ++
 doc/html/search/classes_5f.html            |   9 +-
 doc/html/search/classes_61.html            |  35 ++
 doc/html/search/defines_64.html            |  32 +-
 doc/html/search/defines_70.html            |   6 +
 doc/html/search/enums_63.html              |  26 ++
 doc/html/search/enumvalues_63.html         |  26 ++
 doc/html/search/enumvalues_64.html         |  32 ++
 doc/html/search/enumvalues_6e.html         |  26 ++
 doc/html/search/enumvalues_73.html         |  32 ++
 doc/html/search/files_61.html              |  25 +
 doc/html/search/files_63.html              |  25 +
 doc/html/search/files_72.html              |  25 +
 doc/html/search/functions_5f.html          |  62 ++-
 doc/html/search/functions_61.html          |  78 +++-
 doc/html/search/functions_70.html          |  29 ++
 doc/html/search/search.js                  |  18 +-
 doc/html/search/typedefs_61.html           |   4 +-
 doc/html/search/typedefs_68.html           |  26 ++
 doc/html/search/typedefs_75.html           |   6 +
 doc/html/search/variables_5f.html          |  12 +-
 doc/html/search/variables_61.html          |  56 +++
 doc/html/search/variables_63.html          |  44 ++
 doc/html/search/variables_64.html          |  19 +-
 doc/html/search/variables_67.html          |  32 ++
 doc/html/search/variables_68.html          |  25 +-
 doc/html/search/variables_69.html          |  38 ++
 doc/html/search/variables_6b.html          |   7 +-
 doc/html/search/variables_6c.html          |  26 ++
 doc/html/search/variables_6d.html          |  44 ++
 doc/html/search/variables_6e.html          |  13 +-
 doc/html/search/variables_6f.html          |  26 ++
 doc/html/search/variables_70.html          |  16 +-
 doc/html/search/variables_72.html          |   8 +-
 doc/html/search/variables_73.html          |  42 +-
 doc/html/search/variables_74.html          |  40 +-
 doc/html/search/variables_77.html          |  26 ++
 doc/html/sfPolicyUserData_8c.html          |   2 +-
 doc/html/sf__dynamic__preproc__lib_8c.html |   4 +-
 doc/html/sf__preproc__info_8h.html         |   2 +-
 doc/html/sf__preproc__info_8h_source.html  |   2 +-
 doc/html/spp__ai_8c.html                   | 105 +----
 doc/html/spp__ai_8h.html                   | 442 +++++++++++++++++-
 doc/html/spp__ai_8h_source.html            | 151 +++++-
 doc/html/stream_8c.html                    | 103 ++++-
 doc/html/structAI__config.html             | 155 +++++++
 doc/html/struct__AI__snort__alert.html     | 435 ++++++++++++++++++
 doc/html/struct__hierarchy__node.html      | 183 ++++++++
 doc/html/structattribute__key.html         | 111 +++++
 doc/html/structattribute__value.html       | 139 ++++++
 doc/html/structpkt__info.html              |  22 +-
 doc/html/structpkt__key.html               |   8 +-
 doc/latex/alert__parser_8c.tex             | 111 +++++
 doc/latex/annotated.tex                    |   6 +-
 doc/latex/cluster_8c.tex                   | 253 ++++++++++
 doc/latex/doxygen.sty                      |   4 +-
 doc/latex/files.tex                        |   3 +
 doc/latex/refman.tex                       |  11 +-
 doc/latex/regex_8c.tex                     |  38 ++
 doc/latex/spp__ai_8c.tex                   |  61 +--
 doc/latex/spp__ai_8h.tex                   | 289 +++++++++++-
 doc/latex/stream_8c.tex                    |  78 +++-
 doc/latex/structAI__config.tex             |  54 +++
 doc/latex/struct__AI__snort__alert.tex     | 194 ++++++++
 doc/latex/struct__hierarchy__node.tex      |  68 +++
 doc/latex/structattribute__key.tex         |  29 ++
 doc/latex/structattribute__value.tex       |  43 ++
 doc/latex/structpkt__info.tex              |  13 +-
 doc/latex/structpkt__key.tex               |   6 +-
 spp_ai.c                                   |  31 +-
 spp_ai.h                                   |  15 +-
 tags                                       | 108 +++--
 111 files changed, 6555 insertions(+), 638 deletions(-)
 create mode 100644 ChangeLog
 create mode 100644 doc/html/alert__parser_8c.html
 create mode 100644 doc/html/cluster_8c.html
 create mode 100644 doc/html/regex_8c.html
 create mode 100644 doc/html/search/all_63.html
 create mode 100644 doc/html/search/all_6f.html
 create mode 100644 doc/html/search/all_77.html
 create mode 100644 doc/html/search/classes_61.html
 create mode 100644 doc/html/search/enums_63.html
 create mode 100644 doc/html/search/enumvalues_63.html
 create mode 100644 doc/html/search/enumvalues_64.html
 create mode 100644 doc/html/search/enumvalues_6e.html
 create mode 100644 doc/html/search/enumvalues_73.html
 create mode 100644 doc/html/search/files_61.html
 create mode 100644 doc/html/search/files_63.html
 create mode 100644 doc/html/search/files_72.html
 create mode 100644 doc/html/search/functions_70.html
 create mode 100644 doc/html/search/typedefs_68.html
 create mode 100644 doc/html/search/variables_61.html
 create mode 100644 doc/html/search/variables_63.html
 create mode 100644 doc/html/search/variables_67.html
 create mode 100644 doc/html/search/variables_69.html
 create mode 100644 doc/html/search/variables_6c.html
 create mode 100644 doc/html/search/variables_6d.html
 create mode 100644 doc/html/search/variables_6f.html
 create mode 100644 doc/html/search/variables_77.html
 create mode 100644 doc/html/structAI__config.html
 create mode 100644 doc/html/struct__AI__snort__alert.html
 create mode 100644 doc/html/struct__hierarchy__node.html
 create mode 100644 doc/html/structattribute__key.html
 create mode 100644 doc/html/structattribute__value.html
 create mode 100644 doc/latex/alert__parser_8c.tex
 create mode 100644 doc/latex/cluster_8c.tex
 create mode 100644 doc/latex/regex_8c.tex
 create mode 100644 doc/latex/structAI__config.tex
 create mode 100644 doc/latex/struct__AI__snort__alert.tex
 create mode 100644 doc/latex/struct__hierarchy__node.tex
 create mode 100644 doc/latex/structattribute__key.tex
 create mode 100644 doc/latex/structattribute__value.tex

diff --git a/ChangeLog b/ChangeLog
new file mode 100644
index 0000000..25c0345
--- /dev/null
+++ b/ChangeLog
@@ -0,0 +1,6 @@
+2010-16-08  Fabio "BlackLight" Manganiello <blacklight@autistici.org>
+	* cluster.c: Finished clustering algorithm and clustering log management
+
+2010-26-07  Fabio "BlackLight" Manganiello <blacklight@autistici.org>
+	* all: First version
+
diff --git a/TODO b/TODO
index 6a622b7..536f6bd 100644
--- a/TODO
+++ b/TODO
@@ -1,2 +1,6 @@
+- Check cluster ranges are NEVER on the same ranges
 - Managing clusters for addresses, timestamps (and more?)
+- MySQL alert log parsing
+- Dynamic cluster_min_size algorithm
+- Alerts for port scan, grouped alerts, UDP and ICMP too
 
diff --git a/alert_parser.c b/alert_parser.c
index 17f2240..25304d1 100644
--- a/alert_parser.c
+++ b/alert_parser.c
@@ -302,6 +302,39 @@ AI_alertparser_thread ( void* arg )
 }		/* -----  end of function AI_alertparser_thread  ----- */
 
 
+
+/**
+ * FUNCTION: _AI_copy_alerts
+ * \brief  Create a copy of the alert log struct (this is done for leaving the alert log structure in this file as read-only)
+ * \param  node 	Starting node (used for the recursion)
+ * \return A copy of the alert log linked list
+ */
+PRIVATE AI_snort_alert*
+_AI_copy_alerts ( AI_snort_alert *node )
+{
+	AI_snort_alert *current = NULL, *next = NULL;
+
+	if ( !node )
+	{
+		return NULL;
+	}
+
+	if ( node->next )
+	{
+		next = _AI_copy_alerts ( node->next );
+	}
+
+	if ( !( current = ( AI_snort_alert* ) malloc ( sizeof ( AI_snort_alert )) ))
+	{
+		_dpd.fatalMsg ( "Fatal dynamic memory allocation failure at %s:%d\n", __FILE__, __LINE__ );
+	}
+
+	memcpy ( current, node, sizeof ( AI_snort_alert ));
+	current->next = next;
+	return current;
+}		/* -----  end of function _AI_copy_alerts  ----- */
+
+
 /**
  * FUNCTION: AI_get_alerts
  * \brief  Return the alerts parsed so far as a linked list
@@ -310,6 +343,25 @@ AI_alertparser_thread ( void* arg )
 AI_snort_alert*
 AI_get_alerts ()
 {
-	return alerts;
+	return _AI_copy_alerts ( alerts );
 }		/* -----  end of function AI_get_alerts  ----- */
 
+
+/**
+ * FUNCTION: AI_free_alerts
+ * \brief  Deallocate the memory of a log alert linked list
+ * \param  node 	Linked list to be freed
+ */
+void
+AI_free_alerts ( AI_snort_alert *node )
+{
+	if ( !node )
+		return;
+
+	if ( node->next )
+		AI_free_alerts ( node->next );
+
+	free ( node );
+	node = NULL;
+}		/* -----  end of function AI_free_alerts  ----- */
+
diff --git a/cluster.c b/cluster.c
index b17f04b..f853be3 100644
--- a/cluster.c
+++ b/cluster.c
@@ -18,17 +18,99 @@
  */
 
 #include	"spp_ai.h"
+
 #include	<stdio.h>
 #include	<unistd.h>
+#include	<limits.h>
 #include	<pthread.h>
 
-PRIVATE hierarchy_node *src_port_root = NULL;
-PRIVATE hierarchy_node *src_addr_root = NULL;
-PRIVATE hierarchy_node *dst_port_root = NULL;
-PRIVATE hierarchy_node *dst_addr_root = NULL;
-PRIVATE AI_config      *_config       = NULL;
-PRIVATE AI_snort_alert *alert_log     = NULL;
+/* Identifier key for a cluster attribute value */
+typedef struct  {
+	int min;
+	int max;
+} attribute_key;
 
+/* Representation of a cluster attribute value */
+typedef struct  {
+	attribute_key   key;
+	cluster_type    type;
+	unsigned int    count;
+	UT_hash_handle  hh;
+} attribute_value;
+
+
+PRIVATE hierarchy_node *h_root[CLUSTER_TYPES] = { NULL };
+PRIVATE AI_config      *_config               = NULL;
+PRIVATE AI_snort_alert *alert_log             = NULL;
+
+
+/**
+ * FUNCTION: _heuristic_func
+ * \brief  Function that picks up the heuristic value for a clustering attribute in according to Julisch's heuristic (ACM, Vol.2, No.3, 09 2002, pag.124)
+ * \param  type 	Attribute type
+ * \return The heuristic coefficient for that attribute, -1 if no clustering information is available for that attribute
+ */
+
+PRIVATE int
+_heuristic_func ( cluster_type type )
+{
+	AI_snort_alert  *alert_iterator;
+	attribute_key   key;
+	attribute_value *values = NULL;
+	attribute_value *value  = NULL;
+	attribute_value *found  = NULL;
+	int             max     = 0;
+	
+	if ( type == none || !alert_log || !h_root[type] )
+		return -1;
+
+	for ( alert_iterator = alert_log; alert_iterator; alert_iterator = alert_iterator->next )
+	{
+		if ( !alert_iterator->h_node[type] )
+			continue;
+
+		key.min = alert_iterator->h_node[type]->min_val;
+		key.max = alert_iterator->h_node[type]->max_val;
+
+		if ( values )
+		{
+			HASH_FIND ( hh, values, &key, sizeof ( attribute_key ), found );
+		}
+
+		if ( !found )
+		{
+			if ( !( value = ( attribute_value* ) malloc ( sizeof ( attribute_value )) ))
+			{
+				_dpd.fatalMsg ( "Fatal dynamic memory allocation failure at %s:%d\n", __FILE__, __LINE__ );
+			}
+
+			memset ( value, 0, sizeof ( attribute_value ));
+			value->key   = key;
+			value->type  = type;
+			value->count = 1;
+			HASH_ADD ( hh, values, key, sizeof ( attribute_key ), value );
+		} else {
+			found->count++;
+		}
+	}
+
+	for ( value = values; value; value = ( attribute_value* ) value->hh.next )
+	{
+		if ( value->count > max )
+		{
+			max = value->count;
+		}
+	}
+
+	while ( values )
+	{
+		value = values;
+		HASH_DEL ( values, value );
+		free ( value );
+	}
+
+	return max;
+}		/* -----  end of function _heuristic_func  ----- */
 
 /**
  * FUNCTION: _hierarchy_node_new
@@ -136,6 +218,158 @@ _AI_get_min_hierarchy_node ( int val, hierarchy_node *root )
 	return _AI_get_min_hierarchy_node ( val, next );
 }		/* -----  end of function _AI_get_min_hierarchy_node  ----- */
 
+/**
+ * FUNCTION: _AI_equal_alarms
+ * \brief  Check if two alerts are semantically equal
+ * \param  a1 	First alert
+ * \param  a2 	Second alert
+ * \return True if they are equal, false otherwise
+ */
+
+PRIVATE BOOL
+_AI_equal_alarms ( AI_snort_alert *a1, AI_snort_alert *a2 )
+{
+	if ( a1->gid != a2->gid || a1->sid != a2->sid || a1->rev != a2->rev )
+	{
+		return false;
+	}
+
+	if ( a1->h_node[src_addr] && a2->h_node[src_addr] )
+	{
+		if ( a1->h_node[src_addr]->min_val != a2->h_node[src_addr]->min_val ||
+				a1->h_node[src_addr]->max_val != a2->h_node[src_addr]->max_val )
+			return false;
+	}
+
+	if ( a1->h_node[dst_addr] && a2->h_node[dst_addr] )
+	{
+		if ( a1->h_node[dst_addr]->min_val != a2->h_node[dst_addr]->min_val ||
+				a1->h_node[dst_addr]->max_val != a2->h_node[dst_addr]->max_val )
+			return false;
+	}
+
+	if ( a1->h_node[src_port] && a2->h_node[src_port] )
+	{
+		if ( a1->h_node[src_port]->min_val != a2->h_node[src_port]->min_val ||
+				a1->h_node[src_port]->max_val != a2->h_node[src_port]->max_val )
+			return false;
+	}
+
+	if ( a1->h_node[dst_port] && a2->h_node[dst_port] )
+	{
+		if ( a1->h_node[dst_port]->min_val != a2->h_node[dst_port]->min_val ||
+				a1->h_node[dst_port]->max_val != a2->h_node[dst_port]->max_val )
+			return false;
+	}
+
+	return true;
+}		/* -----  end of function _AI_equal_alarms  ----- */
+
+
+/**
+ * FUNCTION: _AI_merge_alerts
+ * \brief  Merge the alerts marked as equal in the log
+ * \param  log 	Alert log reference
+ * \return The number of merged couples
+ */
+
+PRIVATE int
+_AI_merge_alerts ( AI_snort_alert **log )
+{
+	AI_snort_alert *tmp, *tmp2, *tmp3;
+	int count = 0;
+
+	for ( tmp = *log; tmp; tmp = tmp->next )
+	{
+		for ( tmp2 = *log; tmp2; )
+		{
+			if ( tmp2->next )
+			{
+				if ( tmp != tmp2->next )
+				{
+					if ( _AI_equal_alarms ( tmp, tmp2->next ))
+					{
+						tmp3 = tmp2->next->next;
+						free ( tmp2->next );
+						tmp2->next = tmp3;
+
+						tmp->grouped_alarms_count++;
+						count++;
+					}
+				}
+
+				tmp2 = tmp2->next;
+			} else
+				break;
+		}
+	}
+
+	return count;
+}		/* -----  end of function _AI_merge_alerts  ----- */
+
+
+/**
+ * FUNCTION: _AI_print_clustered_alerts
+ * \brief  Print the clustered alerts to a log file
+ * \param  log 	Log containing the alerts
+ * \param  fp 		File pointer where the alerts will be printed
+ */
+
+PRIVATE void
+_AI_print_clustered_alerts ( AI_snort_alert *log, FILE *fp )
+{
+	AI_snort_alert *tmp;
+	char ip[INET_ADDRSTRLEN];
+	char *timestamp;
+
+	for ( tmp = log; tmp; tmp = tmp->next )
+	{
+		fprintf ( fp, "[**] [%d:%d:%d] %s [**]\n", tmp->gid, tmp->sid, tmp->rev, tmp->desc );
+
+		if ( tmp->classification )
+			fprintf ( fp, "[Classification: %s] ", tmp->classification );
+
+		fprintf ( fp, "[Priority: %d]\n", tmp->priority );
+
+		timestamp = ctime ( &tmp->timestamp );
+		timestamp[ strlen(timestamp)-1 ] = 0;
+		fprintf ( fp, "[Grouped alerts: %d] [Starting from: %s]\n", tmp->grouped_alarms_count, timestamp );
+
+		if ( h_root[src_addr] )
+		{
+			fprintf ( fp, "[%s]:", tmp->h_node[src_addr]->label );
+		} else {
+			inet_ntop ( AF_INET, &(tmp->src_addr), ip, INET_ADDRSTRLEN );
+			fprintf ( fp, "%s:", ip );
+		}
+
+		if ( h_root[src_port] )
+		{
+			fprintf ( fp, "[%s] -> ", tmp->h_node[src_port]->label );
+		} else {
+			fprintf ( fp, "%d -> ", htons ( tmp->src_port ));
+		}
+
+		if ( h_root[dst_addr] )
+		{
+			fprintf ( fp, "[%s]:", tmp->h_node[dst_addr]->label );
+		} else {
+			inet_ntop ( AF_INET, &(tmp->dst_addr), ip, INET_ADDRSTRLEN );
+			fprintf ( fp, "%s:", ip );
+		}
+
+		if ( h_root[dst_port] )
+		{
+			fprintf ( fp, "[%s]\n", tmp->h_node[dst_port]->label );
+		} else {
+			fprintf ( fp, "%d\n", htons ( tmp->dst_port ));
+		}
+
+		fprintf ( fp, "\n" );
+	}
+}		/* -----  end of function _AI_print_clustered_alerts  ----- */
+
+
 /**
  * FUNCTION: _AI_cluster_thread
  * \brief  Thread for periodically clustering the log information
@@ -145,11 +379,26 @@ _AI_cluster_thread ( void* arg )
 {
 	AI_snort_alert *tmp;
 	hierarchy_node *node, *child;
+	cluster_type   type;
+	cluster_type   best_type;
+	BOOL           has_small_clusters = true;
+	FILE           *cluster_fp;
 	char           label[256];
+	int            hostval;
+	int            netval;
+	int            minval;
+	int            heuristic_val;
+	int            cluster_min_size = 2;
+	int            alert_count = 0;
+	int            old_alert_count = 0;
 
 	while ( 1 )
 	{
+		/* Between an execution of the thread and the next one, sleep for alert_clustering_interval seconds */
 		sleep ( _config->alertClusteringInterval );
+
+		/* Free the current alert log and get the latest one */
+		AI_free_alerts ( alert_log );
 		
 		if ( !( alert_log = AI_get_alerts() ))
 		{
@@ -157,86 +406,109 @@ _AI_cluster_thread ( void* arg )
 		}
 
 		FILE *fp = fopen ( "/home/blacklight/LOG", "a" );
+		has_small_clusters = true;
 
-		for ( tmp = alert_log; tmp; tmp = tmp->next )
+		for ( tmp = alert_log, alert_count=0; tmp; tmp = tmp->next, alert_count++ )
 		{
-			if ( src_addr_root && !tmp->src_addr_node )
+			/* If an alert has an unitialized "grouped alarms count", set its counter to 1 (it only groupes the current alert) */
+			if ( tmp->grouped_alarms_count == 0 )
 			{
-				node = _AI_get_min_hierarchy_node ( ntohl ( tmp->src_addr ), src_addr_root );
-
-				if ( node )
-				{
-					if ( node->min_val < node->max_val )
-					{
-						inet_ntop ( AF_INET, &(tmp->src_addr), label, INET_ADDRSTRLEN );
-						child = _hierarchy_node_new ( label, ntohl ( tmp->src_addr ), ntohl ( tmp->src_addr ));
-						_hierarchy_node_append ( node, child );
-						node = child;
-					}
-
-					tmp->src_addr_node = node;
-					fprintf ( fp, "minimum range holding %s: %s (prev: %s)\n", label, tmp->src_addr_node->label, tmp->src_addr_node->parent->label );
-				}
+				tmp->grouped_alarms_count = 1;
 			}
 
-			if ( dst_addr_root && !tmp->dst_addr_node )
+			/* If the current alarm already group at least min_size alarms, then no need to do further clusterization */
+			if ( tmp->grouped_alarms_count >= cluster_min_size )
 			{
-				node = _AI_get_min_hierarchy_node ( ntohl ( tmp->dst_addr ), dst_addr_root );
-
-				if ( node )
-				{
-					if ( node->min_val < node->max_val )
-					{
-						/* snprintf ( label, sizeof(label), "%d", ntohl ( tmp->dst_addr )); */
-						inet_ntop ( AF_INET, &(tmp->src_addr), label, INET_ADDRSTRLEN );
-						child = _hierarchy_node_new ( label, ntohl ( tmp->dst_addr ), ntohl ( tmp->dst_addr ));
-						_hierarchy_node_append ( node, child );
-						node = child;
-					}
-
-					tmp->dst_addr_node = node;
-				}
+				has_small_clusters = false;
 			}
 
-			if ( src_port_root && !tmp->src_port_node )
+			/* Initialize the clustering hierarchies in the current alert */
+			for ( type=0; type < CLUSTER_TYPES; type++ )
 			{
-				node = _AI_get_min_hierarchy_node ( ntohs ( tmp->src_port ), src_port_root );
-
-				if ( node )
+				/* If "type" is a valid clustering hierarchy but the corresponding node in the alert is not initialized, initialize it */
+				if ( h_root[type] && !tmp->h_node[type] )
 				{
-					if ( node->min_val < node->max_val )
+					switch ( type )
 					{
-						snprintf ( label, sizeof(label), "%d", ntohs ( tmp->src_port ));
-						child = _hierarchy_node_new ( label, ntohs ( tmp->src_port ), ntohs ( tmp->src_port ));
-						_hierarchy_node_append ( node, child );
-						node = child;
+						case src_addr:
+						case dst_addr:
+							netval  = ( type == src_addr ) ? tmp->src_addr : tmp->dst_addr;
+							hostval = ntohl ( netval );
+							inet_ntop ( AF_INET, &(netval), label, INET_ADDRSTRLEN );
+							break;
+
+						case src_port:
+						case dst_port:
+							netval  = ( type == src_port ) ? tmp->src_port : tmp->dst_port;
+							hostval = ntohs ( netval );
+							snprintf ( label, sizeof(label), "%d", hostval );
+							break;
+
+						default:
+							return (void*) 0;
 					}
 
-					tmp->src_port_node = node;
-					fprintf ( fp, "minimum range holding %d: %s (prev: %s)\n", ntohs(tmp->src_port), tmp->src_port_node->label, tmp->src_port_node->parent->label );
-				}
-			}
+					node = _AI_get_min_hierarchy_node ( hostval, h_root[type] );
 
-			if ( dst_port_root && !tmp->dst_port_node )
-			{
-				node = _AI_get_min_hierarchy_node ( ntohs ( tmp->dst_port ), dst_port_root );
-
-				if ( node )
-				{
-					if ( node->min_val < node->max_val )
+					if ( node )
 					{
-						snprintf ( label, sizeof(label), "%d", ntohs ( tmp->dst_port ));
-						child = _hierarchy_node_new ( label, ntohs ( tmp->dst_port ), ntohs ( tmp->dst_port ));
-						_hierarchy_node_append ( node, child );
-						node = child;
-					}
+						if ( node->min_val < node->max_val )
+						{
+							child = _hierarchy_node_new ( label, hostval, hostval);
+							_hierarchy_node_append ( node, child );
+							node = child;
+						}
 
-					tmp->dst_port_node = node;
-					fprintf ( fp, "minimum range holding %d: %s (prev: %s)\n", ntohs(tmp->dst_port), tmp->dst_port_node->label, tmp->dst_port_node->parent->label );
+						tmp->h_node[type] = node;
+					}
 				}
 			}
 		}
 
+		alert_count -= _AI_merge_alerts ( &alert_log );
+
+		while ( has_small_clusters && alert_count > cluster_min_size )
+		{
+			old_alert_count = alert_count;
+			minval = INT_MAX;
+			best_type = none;
+
+			/* Choose the best attribute to cluster using the heuristic function */
+			for ( type = 0; type < CLUSTER_TYPES; type++ )
+			{
+				if ( type != none && h_root[type] )
+				{
+					if (( heuristic_val = _heuristic_func ( type )) > 0 && heuristic_val < minval )
+					{
+						minval = heuristic_val;
+						best_type = type;
+					}
+				}
+			}
+
+			/* For all the alerts, the corresponing clustering value is the parent of the current one in the hierarchy */
+			for ( tmp = alert_log; tmp; tmp = tmp->next )
+			{
+				if ( tmp->h_node[best_type]->parent )
+				{
+					tmp->h_node[best_type] = tmp->h_node[best_type]->parent;
+				}
+			}
+
+			alert_count -= _AI_merge_alerts ( &alert_log );
+
+			if ( old_alert_count == alert_count )
+				break;
+		}
+
+		if ( !( cluster_fp = fopen ( _config->clusterfile, "w" )) )
+		{
+			return (void*) 0;
+		}
+
+		_AI_print_clustered_alerts ( alert_log, cluster_fp );
+		fclose ( cluster_fp );
+
 		fclose ( fp );
 	}
 
@@ -244,6 +516,33 @@ _AI_cluster_thread ( void* arg )
 }		/* -----  end of function AI_cluster_thread  ----- */
 
 
+/**
+ * FUNCTION: _AI_check_duplicate
+ * \brief  Check if a certain node's range (minimum and maximum value) are already present in a clustering hierarchy
+ * \param  node 	Node to be checked
+ * \param  root 	Clustering hierarchy
+ * \return True if 'node' is already in 'root', false otherwise
+ */
+PRIVATE BOOL
+_AI_check_duplicate ( hierarchy_node *node, hierarchy_node *root )
+{
+	int i;
+	
+	if ( !node || !root )
+		return false;
+
+	if ( root->min_val == node->min_val && root->max_val == node->max_val )
+		return true;
+
+	for ( i=0; i < root->nchildren; i++ )
+	{
+		if ( _AI_check_duplicate ( node, root->children[i] ))
+			return true;
+	}
+
+	return false;
+}		/* -----  end of function _AI_check_duplicate  ----- */
+
 /**
  * FUNCTION: AI_hierarchies_build
  * \brief  Build the clustering hierarchy trees
@@ -267,46 +566,34 @@ AI_hierarchies_build ( AI_config *conf, hierarchy_node **nodes, int n_nodes )
 		switch ( nodes[i]->type )
 		{
 			case src_port:
-				if ( !src_port_root )
-					src_port_root = _hierarchy_node_new ( "1-65535", 1, 65535 );
-
-				root = src_port_root;
-				min_range = 65534;
-				break;
-
 			case dst_port:
-				if ( !dst_port_root )
-					dst_port_root = _hierarchy_node_new ( "1-65535", 1, 65535 );
+				if ( !h_root[ nodes[i]->type ] )
+					h_root[ nodes[i]->type ] = _hierarchy_node_new ( "1-65535", 1, 65535 );
 
-				root = dst_port_root;
 				min_range = 65534;
 				break;
 
 			case src_addr:
-				if ( !src_addr_root )
-					src_addr_root = _hierarchy_node_new ( "0.0.0.0/0",
-							0x0, 0xffffffff );
-				
-				root = src_addr_root;
-				min_range = 0xffffffff;
-				break;
-
 			case dst_addr:
-				if ( !dst_addr_root )
-					dst_addr_root = _hierarchy_node_new ( "0.0.0.0/0",
-							0x0, 0xffffffff );
-
-				root = dst_addr_root;
+				if ( !h_root[ nodes[i]->type ] )
+					h_root[ nodes[i]->type ] = _hierarchy_node_new ( "0.0.0.0/0", 0x0, 0xffffffff );
+				
 				min_range = 0xffffffff;
 				break;
 
-			/* TODO Manage range for timestamps (and something more?) */
+			/* TODO Manage ranges for timestamps (and something more?) */
 			default:
-				break;
+				return;
 		}
 
+		root = h_root[ nodes[i]->type ];
 		cover = NULL;
 
+		if ( _AI_check_duplicate ( nodes[i], root ))
+		{
+			_dpd.fatalMsg ( "AIPreproc: Parse error: duplicate cluster range '%d-%d' in configuration\n", nodes[i]->min_val, nodes[i]->max_val );
+		}
+
 		for ( j=0; j < n_nodes; j++ )
 		{
 			if ( i != j )
diff --git a/doc/html/alert__parser_8c.html b/doc/html/alert__parser_8c.html
new file mode 100644
index 0000000..143afee
--- /dev/null
+++ b/doc/html/alert__parser_8c.html
@@ -0,0 +1,229 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<title>Snort AI preprocessor module: alert_parser.c File Reference</title>
+<link href="tabs.css" rel="stylesheet" type="text/css"/>
+<link href="search/search.css" rel="stylesheet" type="text/css"/>
+<script type="text/javaScript" src="search/search.js"></script>
+<link href="doxygen.css" rel="stylesheet" type="text/css"/>
+</head>
+<body onload='searchBox.OnSelectItem(0);'>
+<!-- Generated by Doxygen 1.7.1 -->
+<script type="text/javascript"><!--
+var searchBox = new SearchBox("searchBox", "search",false,'Search');
+--></script>
+<div class="navigation" id="top">
+  <div class="tabs">
+    <ul class="tablist">
+      <li><a href="index.html"><span>Main&nbsp;Page</span></a></li>
+      <li><a href="modules.html"><span>Modules</span></a></li>
+      <li><a href="annotated.html"><span>Data&nbsp;Structures</span></a></li>
+      <li class="current"><a href="files.html"><span>Files</span></a></li>
+      <li id="searchli">
+        <div id="MSearchBox" class="MSearchBoxInactive">
+        <span class="left">
+          <img id="MSearchSelect" src="search/mag_sel.png"
+               onmouseover="return searchBox.OnSearchSelectShow()"
+               onmouseout="return searchBox.OnSearchSelectHide()"
+               alt=""/>
+          <input type="text" id="MSearchField" value="Search" accesskey="S"
+               onfocus="searchBox.OnSearchFieldFocus(true)" 
+               onblur="searchBox.OnSearchFieldFocus(false)" 
+               onkeyup="searchBox.OnSearchFieldChange(event)"/>
+          </span><span class="right">
+            <a id="MSearchClose" href="javascript:searchBox.CloseResultsWindow()"><img id="MSearchCloseImg" border="0" src="search/close.png" alt=""/></a>
+          </span>
+        </div>
+      </li>
+    </ul>
+  </div>
+  <div class="tabs2">
+    <ul class="tablist">
+      <li><a href="files.html"><span>File&nbsp;List</span></a></li>
+      <li><a href="globals.html"><span>Globals</span></a></li>
+    </ul>
+  </div>
+</div>
+<div class="header">
+  <div class="summary">
+<a href="#func-members">Functions</a> &#124;
+<a href="#var-members">Variables</a>  </div>
+  <div class="headertitle">
+<h1>alert_parser.c File Reference</h1>  </div>
+</div>
+<div class="contents">
+<code>#include &quot;<a class="el" href="spp__ai_8h_source.html">spp_ai.h</a>&quot;</code><br/>
+<code>#include &lt;stdio.h&gt;</code><br/>
+<code>#include &lt;unistd.h&gt;</code><br/>
+<code>#include &lt;time.h&gt;</code><br/>
+<code>#include &lt;sys/inotify.h&gt;</code><br/>
+<code>#include &lt;sys/stat.h&gt;</code><br/>
+<table class="memberdecls">
+<tr><td colspan="2"><h2><a name="func-members"></a>
+Functions</h2></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">void *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="alert__parser_8c.html#ad68c45b5846743a54ad3fa92c8e48f8a">AI_alertparser_thread</a> (void *arg)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Thread for parsing Snort's alert file.  <a href="#ad68c45b5846743a54ad3fa92c8e48f8a"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE <a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="alert__parser_8c.html#a6c5014cae9155379fdc4db649b2c862d">_AI_copy_alerts</a> (<a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *node)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Create a copy of the alert log struct (this is done for leaving the alert log structure in this file as read-only).  <a href="#a6c5014cae9155379fdc4db649b2c862d"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="alert__parser_8c.html#a99474495643197b3075ac22ec6f6c70f">AI_get_alerts</a> ()</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Return the alerts parsed so far as a linked list.  <a href="#a99474495643197b3075ac22ec6f6c70f"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="alert__parser_8c.html#a270e86669a0aa64a8da37bc16cda645b">AI_free_alerts</a> (<a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *node)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Deallocate the memory of a log alert linked list.  <a href="#a270e86669a0aa64a8da37bc16cda645b"></a><br/></td></tr>
+<tr><td colspan="2"><h2><a name="var-members"></a>
+Variables</h2></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE <a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="alert__parser_8c.html#ae837fc04e61c0eb052f997c54b4fd9fe">alerts</a> = NULL</td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE FILE *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="alert__parser_8c.html#abee2a33368912d9288c76b51160a9ed6">alert_fp</a> = NULL</td></tr>
+</table>
+<hr/><h2>Function Documentation</h2>
+<a class="anchor" id="a6c5014cae9155379fdc4db649b2c862d"></a><!-- doxytag: member="alert_parser.c::_AI_copy_alerts" ref="a6c5014cae9155379fdc4db649b2c862d" args="(AI_snort_alert *node)" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">PRIVATE <a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a>* _AI_copy_alerts </td>
+          <td>(</td>
+          <td class="paramtype"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *&nbsp;</td>
+          <td class="paramname"> <em>node</em></td>
+          <td>&nbsp;)&nbsp;</td>
+          <td></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+<p>Create a copy of the alert log struct (this is done for leaving the alert log structure in this file as read-only). </p>
+<p>FUNCTION: _AI_copy_alerts </p>
+<dl><dt><b>Parameters:</b></dt><dd>
+  <table border="0" cellspacing="2" cellpadding="0">
+    <tr><td valign="top"></td><td valign="top"><em>node</em>&nbsp;</td><td>Starting node (used for the recursion) </td></tr>
+  </table>
+  </dd>
+</dl>
+<dl class="return"><dt><b>Returns:</b></dt><dd>A copy of the alert log linked list </dd></dl>
+
+</div>
+</div>
+<a class="anchor" id="ad68c45b5846743a54ad3fa92c8e48f8a"></a><!-- doxytag: member="alert_parser.c::AI_alertparser_thread" ref="ad68c45b5846743a54ad3fa92c8e48f8a" args="(void *arg)" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">void* AI_alertparser_thread </td>
+          <td>(</td>
+          <td class="paramtype">void *&nbsp;</td>
+          <td class="paramname"> <em>arg</em></td>
+          <td>&nbsp;)&nbsp;</td>
+          <td></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+<p>Thread for parsing Snort's alert file. </p>
+<p>FUNCTION: AI_alertparser_thread </p>
+<dl><dt><b>Parameters:</b></dt><dd>
+  <table border="0" cellspacing="2" cellpadding="0">
+    <tr><td valign="top"></td><td valign="top"><em>arg</em>&nbsp;</td><td>void* pointer to module's configuration </td></tr>
+  </table>
+  </dd>
+</dl>
+
+</div>
+</div>
+<a class="anchor" id="a270e86669a0aa64a8da37bc16cda645b"></a><!-- doxytag: member="alert_parser.c::AI_free_alerts" ref="a270e86669a0aa64a8da37bc16cda645b" args="(AI_snort_alert *node)" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">void AI_free_alerts </td>
+          <td>(</td>
+          <td class="paramtype"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *&nbsp;</td>
+          <td class="paramname"> <em>node</em></td>
+          <td>&nbsp;)&nbsp;</td>
+          <td></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+<p>Deallocate the memory of a log alert linked list. </p>
+<p>FUNCTION: AI_free_alerts </p>
+<dl><dt><b>Parameters:</b></dt><dd>
+  <table border="0" cellspacing="2" cellpadding="0">
+    <tr><td valign="top"></td><td valign="top"><em>node</em>&nbsp;</td><td>Linked list to be freed </td></tr>
+  </table>
+  </dd>
+</dl>
+
+</div>
+</div>
+<a class="anchor" id="a99474495643197b3075ac22ec6f6c70f"></a><!-- doxytag: member="alert_parser.c::AI_get_alerts" ref="a99474495643197b3075ac22ec6f6c70f" args="()" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a>* AI_get_alerts </td>
+          <td>(</td>
+          <td class="paramtype">void&nbsp;</td>
+          <td class="paramname"></td>
+          <td>&nbsp;)&nbsp;</td>
+          <td></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+<p>Return the alerts parsed so far as a linked list. </p>
+<p>FUNCTION: AI_get_alerts </p>
+<dl class="return"><dt><b>Returns:</b></dt><dd>An AI_snort_alert pointer identifying the list of alerts </dd></dl>
+
+</div>
+</div>
+<hr/><h2>Variable Documentation</h2>
+<a class="anchor" id="abee2a33368912d9288c76b51160a9ed6"></a><!-- doxytag: member="alert_parser.c::alert_fp" ref="abee2a33368912d9288c76b51160a9ed6" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">PRIVATE FILE* <a class="el" href="alert__parser_8c.html#abee2a33368912d9288c76b51160a9ed6">alert_fp</a> = NULL</td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="ae837fc04e61c0eb052f997c54b4fd9fe"></a><!-- doxytag: member="alert_parser.c::alerts" ref="ae837fc04e61c0eb052f997c54b4fd9fe" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">PRIVATE <a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a>* <a class="el" href="alert__parser_8c.html#ae837fc04e61c0eb052f997c54b4fd9fe">alerts</a> = NULL</td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+</div>
+<!--- window showing the filter options -->
+<div id="MSearchSelectWindow"
+     onmouseover="return searchBox.OnSearchSelectShow()"
+     onmouseout="return searchBox.OnSearchSelectHide()"
+     onkeydown="return searchBox.OnSearchSelectKey(event)">
+<a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(0)"><span class="SelectionMark">&nbsp;</span>All</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(1)"><span class="SelectionMark">&nbsp;</span>Data Structures</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(2)"><span class="SelectionMark">&nbsp;</span>Files</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(3)"><span class="SelectionMark">&nbsp;</span>Functions</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(4)"><span class="SelectionMark">&nbsp;</span>Variables</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(5)"><span class="SelectionMark">&nbsp;</span>Typedefs</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(6)"><span class="SelectionMark">&nbsp;</span>Enumerations</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(7)"><span class="SelectionMark">&nbsp;</span>Enumerator</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(8)"><span class="SelectionMark">&nbsp;</span>Defines</a></div>
+
+<!-- iframe showing the search results (closed by default) -->
+<div id="MSearchResultsWindow">
+<iframe src="" frameborder="0" 
+        name="MSearchResults" id="MSearchResults">
+</iframe>
+</div>
+
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
+<a href="http://www.doxygen.org/index.html">
+<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
+</body>
+</html>
diff --git a/doc/html/annotated.html b/doc/html/annotated.html
index c082cfd..0f7d8f6 100644
--- a/doc/html/annotated.html
+++ b/doc/html/annotated.html
@@ -52,7 +52,11 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </div>
 <div class="contents">
 Here are the data structures with brief descriptions:<table>
-  <tr><td class="indexkey"><a class="el" href="struct__AI__config.html">_AI_config</a></td><td class="indexvalue"></td></tr>
+  <tr><td class="indexkey"><a class="el" href="struct__AI__snort__alert.html">_AI_snort_alert</a></td><td class="indexvalue"></td></tr>
+  <tr><td class="indexkey"><a class="el" href="struct__hierarchy__node.html">_hierarchy_node</a></td><td class="indexvalue"></td></tr>
+  <tr><td class="indexkey"><a class="el" href="structAI__config.html">AI_config</a></td><td class="indexvalue"></td></tr>
+  <tr><td class="indexkey"><a class="el" href="structattribute__key.html">attribute_key</a></td><td class="indexvalue"></td></tr>
+  <tr><td class="indexkey"><a class="el" href="structattribute__value.html">attribute_value</a></td><td class="indexvalue"></td></tr>
   <tr><td class="indexkey"><a class="el" href="structpkt__info.html">pkt_info</a></td><td class="indexvalue"></td></tr>
   <tr><td class="indexkey"><a class="el" href="structpkt__key.html">pkt_key</a></td><td class="indexvalue"></td></tr>
 </table>
@@ -71,7 +75,7 @@ Here are the data structures with brief descriptions:<table>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Wed Aug 4 2010 11:30:57 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/classes.html b/doc/html/classes.html
index ed906f1..d938728 100644
--- a/doc/html/classes.html
+++ b/doc/html/classes.html
@@ -51,11 +51,12 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 <h1>Data Structure Index</h1>  </div>
 </div>
 <div class="contents">
-<div class="qindex"><a class="qindex" href="#letter_P">P</a>&nbsp;|&nbsp;<a class="qindex" href="#letter__">_</a></div>
+<div class="qindex"><a class="qindex" href="#letter_A">A</a>&nbsp;|&nbsp;<a class="qindex" href="#letter_P">P</a>&nbsp;|&nbsp;<a class="qindex" href="#letter__">_</a></div>
 <table align="center" width="95%" border="0" cellspacing="0" cellpadding="0">
-<tr><td><a name="letter_P"></a><table border="0" cellspacing="0" cellpadding="0"><tr><td><div class="ah">&nbsp;&nbsp;P&nbsp;&nbsp;</div></td></tr></table>
-</td><td><a class="el" href="structpkt__info.html">pkt_info</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="structpkt__key.html">pkt_key</a>&nbsp;&nbsp;&nbsp;</td><td><a name="letter__"></a><table border="0" cellspacing="0" cellpadding="0"><tr><td><div class="ah">&nbsp;&nbsp;_&nbsp;&nbsp;</div></td></tr></table>
-</td><td><a class="el" href="struct__AI__config.html">_AI_config</a>&nbsp;&nbsp;&nbsp;</td></tr></table><div class="qindex"><a class="qindex" href="#letter_P">P</a>&nbsp;|&nbsp;<a class="qindex" href="#letter__">_</a></div>
+<tr><td><a name="letter_A"></a><table border="0" cellspacing="0" cellpadding="0"><tr><td><div class="ah">&nbsp;&nbsp;A&nbsp;&nbsp;</div></td></tr></table>
+</td><td><a class="el" href="structattribute__key.html">attribute_key</a>&nbsp;&nbsp;&nbsp;</td><td><a name="letter_P"></a><table border="0" cellspacing="0" cellpadding="0"><tr><td><div class="ah">&nbsp;&nbsp;P&nbsp;&nbsp;</div></td></tr></table>
+</td><td><a class="el" href="structpkt__key.html">pkt_key</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="struct__AI__snort__alert.html">_AI_snort_alert</a>&nbsp;&nbsp;&nbsp;</td></tr><tr><td><a class="el" href="structAI__config.html">AI_config</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="structattribute__value.html">attribute_value</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="structpkt__info.html">pkt_info</a>&nbsp;&nbsp;&nbsp;</td><td><a name="letter__"></a><table border="0" cellspacing="0" cellpadding="0"><tr><td><div class="ah">&nbsp;&nbsp;_&nbsp;&nbsp;</div></td></tr></table>
+</td><td><a class="el" href="struct__hierarchy__node.html">_hierarchy_node</a>&nbsp;&nbsp;&nbsp;</td></tr></table><div class="qindex"><a class="qindex" href="#letter_A">A</a>&nbsp;|&nbsp;<a class="qindex" href="#letter_P">P</a>&nbsp;|&nbsp;<a class="qindex" href="#letter__">_</a></div>
 </div>
 <!--- window showing the filter options -->
 <div id="MSearchSelectWindow"
@@ -71,7 +72,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Wed Aug 4 2010 11:30:57 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/cluster_8c.html b/doc/html/cluster_8c.html
new file mode 100644
index 0000000..fcae483
--- /dev/null
+++ b/doc/html/cluster_8c.html
@@ -0,0 +1,509 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<title>Snort AI preprocessor module: cluster.c File Reference</title>
+<link href="tabs.css" rel="stylesheet" type="text/css"/>
+<link href="search/search.css" rel="stylesheet" type="text/css"/>
+<script type="text/javaScript" src="search/search.js"></script>
+<link href="doxygen.css" rel="stylesheet" type="text/css"/>
+</head>
+<body onload='searchBox.OnSelectItem(0);'>
+<!-- Generated by Doxygen 1.7.1 -->
+<script type="text/javascript"><!--
+var searchBox = new SearchBox("searchBox", "search",false,'Search');
+--></script>
+<div class="navigation" id="top">
+  <div class="tabs">
+    <ul class="tablist">
+      <li><a href="index.html"><span>Main&nbsp;Page</span></a></li>
+      <li><a href="modules.html"><span>Modules</span></a></li>
+      <li><a href="annotated.html"><span>Data&nbsp;Structures</span></a></li>
+      <li class="current"><a href="files.html"><span>Files</span></a></li>
+      <li id="searchli">
+        <div id="MSearchBox" class="MSearchBoxInactive">
+        <span class="left">
+          <img id="MSearchSelect" src="search/mag_sel.png"
+               onmouseover="return searchBox.OnSearchSelectShow()"
+               onmouseout="return searchBox.OnSearchSelectHide()"
+               alt=""/>
+          <input type="text" id="MSearchField" value="Search" accesskey="S"
+               onfocus="searchBox.OnSearchFieldFocus(true)" 
+               onblur="searchBox.OnSearchFieldFocus(false)" 
+               onkeyup="searchBox.OnSearchFieldChange(event)"/>
+          </span><span class="right">
+            <a id="MSearchClose" href="javascript:searchBox.CloseResultsWindow()"><img id="MSearchCloseImg" border="0" src="search/close.png" alt=""/></a>
+          </span>
+        </div>
+      </li>
+    </ul>
+  </div>
+  <div class="tabs2">
+    <ul class="tablist">
+      <li><a href="files.html"><span>File&nbsp;List</span></a></li>
+      <li><a href="globals.html"><span>Globals</span></a></li>
+    </ul>
+  </div>
+</div>
+<div class="header">
+  <div class="summary">
+<a href="#nested-classes">Data Structures</a> &#124;
+<a href="#func-members">Functions</a> &#124;
+<a href="#var-members">Variables</a>  </div>
+  <div class="headertitle">
+<h1>cluster.c File Reference</h1>  </div>
+</div>
+<div class="contents">
+<code>#include &quot;<a class="el" href="spp__ai_8h_source.html">spp_ai.h</a>&quot;</code><br/>
+<code>#include &lt;stdio.h&gt;</code><br/>
+<code>#include &lt;unistd.h&gt;</code><br/>
+<code>#include &lt;limits.h&gt;</code><br/>
+<code>#include &lt;pthread.h&gt;</code><br/>
+<table class="memberdecls">
+<tr><td colspan="2"><h2><a name="nested-classes"></a>
+Data Structures</h2></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">struct &nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structattribute__key.html">attribute_key</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">struct &nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structattribute__value.html">attribute_value</a></td></tr>
+<tr><td colspan="2"><h2><a name="func-members"></a>
+Functions</h2></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE int&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="cluster_8c.html#a81f5fa721719fdb281595a568eef2101">_heuristic_func</a> (<a class="el" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640">cluster_type</a> type)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Function that picks up the heuristic value for a clustering attribute in according to Julisch's heuristic (ACM, Vol.2, No.3, 09 2002, pag.124).  <a href="#a81f5fa721719fdb281595a568eef2101"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE <a class="el" href="struct__hierarchy__node.html">hierarchy_node</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="cluster_8c.html#a2f1a22cfea64e4669da0467620c3e3b3">_hierarchy_node_new</a> (char *label, int min_val, int max_val)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Create a new clustering hierarchy node.  <a href="#a2f1a22cfea64e4669da0467620c3e3b3"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="cluster_8c.html#a5601a1f603d9c870ef6e2df192e30c30">_hierarchy_node_append</a> (<a class="el" href="struct__hierarchy__node.html">hierarchy_node</a> *parent, <a class="el" href="struct__hierarchy__node.html">hierarchy_node</a> *child)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Append a node to a clustering hierarchy node.  <a href="#a5601a1f603d9c870ef6e2df192e30c30"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE <a class="el" href="struct__hierarchy__node.html">hierarchy_node</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="cluster_8c.html#a6ddddcd505b1f763c339e81fc143e079">_AI_get_min_hierarchy_node</a> (int val, <a class="el" href="struct__hierarchy__node.html">hierarchy_node</a> *root)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Get the minimum node in a hierarchy tree that matches a certain value.  <a href="#a6ddddcd505b1f763c339e81fc143e079"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE <a class="el" href="spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18dd">BOOL</a>&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="cluster_8c.html#a0f91c8bfc37a3975f5c26b19fd6c5cba">_AI_equal_alarms</a> (<a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *a1, <a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *a2)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Check if two alerts are semantically equal.  <a href="#a0f91c8bfc37a3975f5c26b19fd6c5cba"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE int&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="cluster_8c.html#a8ce8e5a5d8954672297fa2dedb380dcd">_AI_merge_alerts</a> (<a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> **log)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Merge the alerts marked as equal in the log.  <a href="#a8ce8e5a5d8954672297fa2dedb380dcd"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="cluster_8c.html#a7d151880080470b542e99643dc0426a7">_AI_print_clustered_alerts</a> (<a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *log, FILE *fp)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Print the clustered alerts to a log file.  <a href="#a7d151880080470b542e99643dc0426a7"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE void *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="cluster_8c.html#a8a5eae61dc9fd0f13e0acdfa5f4478e2">_AI_cluster_thread</a> (void *arg)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Thread for periodically clustering the log information.  <a href="#a8a5eae61dc9fd0f13e0acdfa5f4478e2"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE <a class="el" href="spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18dd">BOOL</a>&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="cluster_8c.html#a29c35cd6c56f54e27b5b190c6d6c487a">_AI_check_duplicate</a> (<a class="el" href="struct__hierarchy__node.html">hierarchy_node</a> *node, <a class="el" href="struct__hierarchy__node.html">hierarchy_node</a> *root)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Check if a certain node's range (minimum and maximum value) are already present in a clustering hierarchy.  <a href="#a29c35cd6c56f54e27b5b190c6d6c487a"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="cluster_8c.html#a1445818b37483f78cc3fb2890155842c">AI_hierarchies_build</a> (<a class="el" href="structAI__config.html">AI_config</a> *conf, <a class="el" href="struct__hierarchy__node.html">hierarchy_node</a> **nodes, int n_nodes)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Build the clustering hierarchy trees.  <a href="#a1445818b37483f78cc3fb2890155842c"></a><br/></td></tr>
+<tr><td colspan="2"><h2><a name="var-members"></a>
+Variables</h2></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE <a class="el" href="struct__hierarchy__node.html">hierarchy_node</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="cluster_8c.html#a97d35425cf5a0207fb50b64ee8cdda82">h_root</a> [CLUSTER_TYPES] = { NULL }</td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE <a class="el" href="structAI__config.html">AI_config</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="cluster_8c.html#a91458e2d34595688e39fcb63ba418849">_config</a> = NULL</td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE <a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="cluster_8c.html#aaf4c19f60f48741b0890c6114dcff7d9">alert_log</a> = NULL</td></tr>
+</table>
+<hr/><h2>Function Documentation</h2>
+<a class="anchor" id="a29c35cd6c56f54e27b5b190c6d6c487a"></a><!-- doxytag: member="cluster.c::_AI_check_duplicate" ref="a29c35cd6c56f54e27b5b190c6d6c487a" args="(hierarchy_node *node, hierarchy_node *root)" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">PRIVATE <a class="el" href="spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18dd">BOOL</a> _AI_check_duplicate </td>
+          <td>(</td>
+          <td class="paramtype"><a class="el" href="struct__hierarchy__node.html">hierarchy_node</a> *&nbsp;</td>
+          <td class="paramname"> <em>node</em>, </td>
+        </tr>
+        <tr>
+          <td class="paramkey"></td>
+          <td></td>
+          <td class="paramtype"><a class="el" href="struct__hierarchy__node.html">hierarchy_node</a> *&nbsp;</td>
+          <td class="paramname"> <em>root</em></td><td>&nbsp;</td>
+        </tr>
+        <tr>
+          <td></td>
+          <td>)</td>
+          <td></td><td></td><td></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+<p>Check if a certain node's range (minimum and maximum value) are already present in a clustering hierarchy. </p>
+<p>FUNCTION: _AI_check_duplicate </p>
+<dl><dt><b>Parameters:</b></dt><dd>
+  <table border="0" cellspacing="2" cellpadding="0">
+    <tr><td valign="top"></td><td valign="top"><em>node</em>&nbsp;</td><td>Node to be checked </td></tr>
+    <tr><td valign="top"></td><td valign="top"><em>root</em>&nbsp;</td><td>Clustering hierarchy </td></tr>
+  </table>
+  </dd>
+</dl>
+<dl class="return"><dt><b>Returns:</b></dt><dd>True if 'node' is already in 'root', false otherwise </dd></dl>
+
+</div>
+</div>
+<a class="anchor" id="a8a5eae61dc9fd0f13e0acdfa5f4478e2"></a><!-- doxytag: member="cluster.c::_AI_cluster_thread" ref="a8a5eae61dc9fd0f13e0acdfa5f4478e2" args="(void *arg)" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">PRIVATE void* _AI_cluster_thread </td>
+          <td>(</td>
+          <td class="paramtype">void *&nbsp;</td>
+          <td class="paramname"> <em>arg</em></td>
+          <td>&nbsp;)&nbsp;</td>
+          <td></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+<p>Thread for periodically clustering the log information. </p>
+<p>FUNCTION: _AI_cluster_thread </p>
+
+</div>
+</div>
+<a class="anchor" id="a0f91c8bfc37a3975f5c26b19fd6c5cba"></a><!-- doxytag: member="cluster.c::_AI_equal_alarms" ref="a0f91c8bfc37a3975f5c26b19fd6c5cba" args="(AI_snort_alert *a1, AI_snort_alert *a2)" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">PRIVATE <a class="el" href="spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18dd">BOOL</a> _AI_equal_alarms </td>
+          <td>(</td>
+          <td class="paramtype"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *&nbsp;</td>
+          <td class="paramname"> <em>a1</em>, </td>
+        </tr>
+        <tr>
+          <td class="paramkey"></td>
+          <td></td>
+          <td class="paramtype"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *&nbsp;</td>
+          <td class="paramname"> <em>a2</em></td><td>&nbsp;</td>
+        </tr>
+        <tr>
+          <td></td>
+          <td>)</td>
+          <td></td><td></td><td></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+<p>Check if two alerts are semantically equal. </p>
+<p>FUNCTION: _AI_equal_alarms </p>
+<dl><dt><b>Parameters:</b></dt><dd>
+  <table border="0" cellspacing="2" cellpadding="0">
+    <tr><td valign="top"></td><td valign="top"><em>a1</em>&nbsp;</td><td>First alert </td></tr>
+    <tr><td valign="top"></td><td valign="top"><em>a2</em>&nbsp;</td><td>Second alert </td></tr>
+  </table>
+  </dd>
+</dl>
+<dl class="return"><dt><b>Returns:</b></dt><dd>True if they are equal, false otherwise </dd></dl>
+
+</div>
+</div>
+<a class="anchor" id="a6ddddcd505b1f763c339e81fc143e079"></a><!-- doxytag: member="cluster.c::_AI_get_min_hierarchy_node" ref="a6ddddcd505b1f763c339e81fc143e079" args="(int val, hierarchy_node *root)" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">PRIVATE <a class="el" href="struct__hierarchy__node.html">hierarchy_node</a>* _AI_get_min_hierarchy_node </td>
+          <td>(</td>
+          <td class="paramtype">int&nbsp;</td>
+          <td class="paramname"> <em>val</em>, </td>
+        </tr>
+        <tr>
+          <td class="paramkey"></td>
+          <td></td>
+          <td class="paramtype"><a class="el" href="struct__hierarchy__node.html">hierarchy_node</a> *&nbsp;</td>
+          <td class="paramname"> <em>root</em></td><td>&nbsp;</td>
+        </tr>
+        <tr>
+          <td></td>
+          <td>)</td>
+          <td></td><td></td><td></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+<p>Get the minimum node in a hierarchy tree that matches a certain value. </p>
+<p>FUNCTION: _AI_get_min_hierarchy_node </p>
+<dl><dt><b>Parameters:</b></dt><dd>
+  <table border="0" cellspacing="2" cellpadding="0">
+    <tr><td valign="top"></td><td valign="top"><em>val</em>&nbsp;</td><td>Value to be matched in the range </td></tr>
+    <tr><td valign="top"></td><td valign="top"><em>root</em>&nbsp;</td><td>Root of the hierarchy </td></tr>
+  </table>
+  </dd>
+</dl>
+<dl class="return"><dt><b>Returns:</b></dt><dd>The minimum node that matches the value if any, NULL otherwise </dd></dl>
+
+</div>
+</div>
+<a class="anchor" id="a8ce8e5a5d8954672297fa2dedb380dcd"></a><!-- doxytag: member="cluster.c::_AI_merge_alerts" ref="a8ce8e5a5d8954672297fa2dedb380dcd" args="(AI_snort_alert **log)" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">PRIVATE int _AI_merge_alerts </td>
+          <td>(</td>
+          <td class="paramtype"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> **&nbsp;</td>
+          <td class="paramname"> <em>log</em></td>
+          <td>&nbsp;)&nbsp;</td>
+          <td></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+<p>Merge the alerts marked as equal in the log. </p>
+<p>FUNCTION: _AI_merge_alerts </p>
+<dl><dt><b>Parameters:</b></dt><dd>
+  <table border="0" cellspacing="2" cellpadding="0">
+    <tr><td valign="top"></td><td valign="top"><em>log</em>&nbsp;</td><td>Alert log reference </td></tr>
+  </table>
+  </dd>
+</dl>
+<dl class="return"><dt><b>Returns:</b></dt><dd>The number of merged couples </dd></dl>
+
+</div>
+</div>
+<a class="anchor" id="a7d151880080470b542e99643dc0426a7"></a><!-- doxytag: member="cluster.c::_AI_print_clustered_alerts" ref="a7d151880080470b542e99643dc0426a7" args="(AI_snort_alert *log, FILE *fp)" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">PRIVATE void _AI_print_clustered_alerts </td>
+          <td>(</td>
+          <td class="paramtype"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *&nbsp;</td>
+          <td class="paramname"> <em>log</em>, </td>
+        </tr>
+        <tr>
+          <td class="paramkey"></td>
+          <td></td>
+          <td class="paramtype">FILE *&nbsp;</td>
+          <td class="paramname"> <em>fp</em></td><td>&nbsp;</td>
+        </tr>
+        <tr>
+          <td></td>
+          <td>)</td>
+          <td></td><td></td><td></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+<p>Print the clustered alerts to a log file. </p>
+<p>FUNCTION: _AI_print_clustered_alerts </p>
+<dl><dt><b>Parameters:</b></dt><dd>
+  <table border="0" cellspacing="2" cellpadding="0">
+    <tr><td valign="top"></td><td valign="top"><em>log</em>&nbsp;</td><td>Log containing the alerts </td></tr>
+    <tr><td valign="top"></td><td valign="top"><em>fp</em>&nbsp;</td><td>File pointer where the alerts will be printed </td></tr>
+  </table>
+  </dd>
+</dl>
+
+</div>
+</div>
+<a class="anchor" id="a81f5fa721719fdb281595a568eef2101"></a><!-- doxytag: member="cluster.c::_heuristic_func" ref="a81f5fa721719fdb281595a568eef2101" args="(cluster_type type)" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">PRIVATE int _heuristic_func </td>
+          <td>(</td>
+          <td class="paramtype"><a class="el" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640">cluster_type</a>&nbsp;</td>
+          <td class="paramname"> <em>type</em></td>
+          <td>&nbsp;)&nbsp;</td>
+          <td></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+<p>Function that picks up the heuristic value for a clustering attribute in according to Julisch's heuristic (ACM, Vol.2, No.3, 09 2002, pag.124). </p>
+<p>FUNCTION: _heuristic_func </p>
+<dl><dt><b>Parameters:</b></dt><dd>
+  <table border="0" cellspacing="2" cellpadding="0">
+    <tr><td valign="top"></td><td valign="top"><em>type</em>&nbsp;</td><td>Attribute type </td></tr>
+  </table>
+  </dd>
+</dl>
+<dl class="return"><dt><b>Returns:</b></dt><dd>The heuristic coefficient for that attribute, -1 if no clustering information is available for that attribute </dd></dl>
+
+</div>
+</div>
+<a class="anchor" id="a5601a1f603d9c870ef6e2df192e30c30"></a><!-- doxytag: member="cluster.c::_hierarchy_node_append" ref="a5601a1f603d9c870ef6e2df192e30c30" args="(hierarchy_node *parent, hierarchy_node *child)" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">PRIVATE void _hierarchy_node_append </td>
+          <td>(</td>
+          <td class="paramtype"><a class="el" href="struct__hierarchy__node.html">hierarchy_node</a> *&nbsp;</td>
+          <td class="paramname"> <em>parent</em>, </td>
+        </tr>
+        <tr>
+          <td class="paramkey"></td>
+          <td></td>
+          <td class="paramtype"><a class="el" href="struct__hierarchy__node.html">hierarchy_node</a> *&nbsp;</td>
+          <td class="paramname"> <em>child</em></td><td>&nbsp;</td>
+        </tr>
+        <tr>
+          <td></td>
+          <td>)</td>
+          <td></td><td></td><td></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+<p>Append a node to a clustering hierarchy node. </p>
+<p>FUNCTION: _hierarchy_node_append </p>
+<dl><dt><b>Parameters:</b></dt><dd>
+  <table border="0" cellspacing="2" cellpadding="0">
+    <tr><td valign="top"></td><td valign="top"><em>parent</em>&nbsp;</td><td>Parent node </td></tr>
+    <tr><td valign="top"></td><td valign="top"><em>child</em>&nbsp;</td><td>Child node </td></tr>
+  </table>
+  </dd>
+</dl>
+
+</div>
+</div>
+<a class="anchor" id="a2f1a22cfea64e4669da0467620c3e3b3"></a><!-- doxytag: member="cluster.c::_hierarchy_node_new" ref="a2f1a22cfea64e4669da0467620c3e3b3" args="(char *label, int min_val, int max_val)" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">PRIVATE <a class="el" href="struct__hierarchy__node.html">hierarchy_node</a>* _hierarchy_node_new </td>
+          <td>(</td>
+          <td class="paramtype">char *&nbsp;</td>
+          <td class="paramname"> <em>label</em>, </td>
+        </tr>
+        <tr>
+          <td class="paramkey"></td>
+          <td></td>
+          <td class="paramtype">int&nbsp;</td>
+          <td class="paramname"> <em>min_val</em>, </td>
+        </tr>
+        <tr>
+          <td class="paramkey"></td>
+          <td></td>
+          <td class="paramtype">int&nbsp;</td>
+          <td class="paramname"> <em>max_val</em></td><td>&nbsp;</td>
+        </tr>
+        <tr>
+          <td></td>
+          <td>)</td>
+          <td></td><td></td><td></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+<p>Create a new clustering hierarchy node. </p>
+<p>FUNCTION: _hierarchy_node_new </p>
+<dl><dt><b>Parameters:</b></dt><dd>
+  <table border="0" cellspacing="2" cellpadding="0">
+    <tr><td valign="top"></td><td valign="top"><em>label</em>&nbsp;</td><td>Label for the node </td></tr>
+    <tr><td valign="top"></td><td valign="top"><em>min_val</em>&nbsp;</td><td>Minimum value for the range represented by the node </td></tr>
+    <tr><td valign="top"></td><td valign="top"><em>max_val</em>&nbsp;</td><td>Maximum value for the range represented by the node </td></tr>
+  </table>
+  </dd>
+</dl>
+<dl class="return"><dt><b>Returns:</b></dt><dd>The brand new node if the allocation was ok, otherwise abort the application </dd></dl>
+
+</div>
+</div>
+<a class="anchor" id="a1445818b37483f78cc3fb2890155842c"></a><!-- doxytag: member="cluster.c::AI_hierarchies_build" ref="a1445818b37483f78cc3fb2890155842c" args="(AI_config *conf, hierarchy_node **nodes, int n_nodes)" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">void AI_hierarchies_build </td>
+          <td>(</td>
+          <td class="paramtype"><a class="el" href="structAI__config.html">AI_config</a> *&nbsp;</td>
+          <td class="paramname"> <em>conf</em>, </td>
+        </tr>
+        <tr>
+          <td class="paramkey"></td>
+          <td></td>
+          <td class="paramtype"><a class="el" href="struct__hierarchy__node.html">hierarchy_node</a> **&nbsp;</td>
+          <td class="paramname"> <em>nodes</em>, </td>
+        </tr>
+        <tr>
+          <td class="paramkey"></td>
+          <td></td>
+          <td class="paramtype">int&nbsp;</td>
+          <td class="paramname"> <em>n_nodes</em></td><td>&nbsp;</td>
+        </tr>
+        <tr>
+          <td></td>
+          <td>)</td>
+          <td></td><td></td><td></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+<p>Build the clustering hierarchy trees. </p>
+<p>FUNCTION: AI_hierarchies_build </p>
+<dl><dt><b>Parameters:</b></dt><dd>
+  <table border="0" cellspacing="2" cellpadding="0">
+    <tr><td valign="top"></td><td valign="top"><em>conf</em>&nbsp;</td><td>Reference to the configuration of the module </td></tr>
+    <tr><td valign="top"></td><td valign="top"><em>nodes</em>&nbsp;</td><td>Nodes containing the information about the clustering ranges </td></tr>
+    <tr><td valign="top"></td><td valign="top"><em>n_nodes</em>&nbsp;</td><td>Number of nodes </td></tr>
+  </table>
+  </dd>
+</dl>
+
+</div>
+</div>
+<hr/><h2>Variable Documentation</h2>
+<a class="anchor" id="a91458e2d34595688e39fcb63ba418849"></a><!-- doxytag: member="cluster.c::_config" ref="a91458e2d34595688e39fcb63ba418849" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">PRIVATE <a class="el" href="structAI__config.html">AI_config</a>* <a class="el" href="cluster_8c.html#a91458e2d34595688e39fcb63ba418849">_config</a> = NULL</td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="aaf4c19f60f48741b0890c6114dcff7d9"></a><!-- doxytag: member="cluster.c::alert_log" ref="aaf4c19f60f48741b0890c6114dcff7d9" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">PRIVATE <a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a>* <a class="el" href="cluster_8c.html#aaf4c19f60f48741b0890c6114dcff7d9">alert_log</a> = NULL</td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a97d35425cf5a0207fb50b64ee8cdda82"></a><!-- doxytag: member="cluster.c::h_root" ref="a97d35425cf5a0207fb50b64ee8cdda82" args="[CLUSTER_TYPES]" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">PRIVATE <a class="el" href="struct__hierarchy__node.html">hierarchy_node</a>* <a class="el" href="cluster_8c.html#a97d35425cf5a0207fb50b64ee8cdda82">h_root</a>[CLUSTER_TYPES] = { NULL }</td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+</div>
+<!--- window showing the filter options -->
+<div id="MSearchSelectWindow"
+     onmouseover="return searchBox.OnSearchSelectShow()"
+     onmouseout="return searchBox.OnSearchSelectHide()"
+     onkeydown="return searchBox.OnSearchSelectKey(event)">
+<a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(0)"><span class="SelectionMark">&nbsp;</span>All</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(1)"><span class="SelectionMark">&nbsp;</span>Data Structures</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(2)"><span class="SelectionMark">&nbsp;</span>Files</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(3)"><span class="SelectionMark">&nbsp;</span>Functions</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(4)"><span class="SelectionMark">&nbsp;</span>Variables</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(5)"><span class="SelectionMark">&nbsp;</span>Typedefs</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(6)"><span class="SelectionMark">&nbsp;</span>Enumerations</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(7)"><span class="SelectionMark">&nbsp;</span>Enumerator</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(8)"><span class="SelectionMark">&nbsp;</span>Defines</a></div>
+
+<!-- iframe showing the search results (closed by default) -->
+<div id="MSearchResultsWindow">
+<iframe src="" frameborder="0" 
+        name="MSearchResults" id="MSearchResults">
+</iframe>
+</div>
+
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
+<a href="http://www.doxygen.org/index.html">
+<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
+</body>
+</html>
diff --git a/doc/html/files.html b/doc/html/files.html
index fecb8d8..49092e7 100644
--- a/doc/html/files.html
+++ b/doc/html/files.html
@@ -51,6 +51,9 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </div>
 <div class="contents">
 Here is a list of all files with brief descriptions:<table>
+  <tr><td class="indexkey"><a class="el" href="alert__parser_8c.html">alert_parser.c</a></td><td class="indexvalue"></td></tr>
+  <tr><td class="indexkey"><a class="el" href="cluster_8c.html">cluster.c</a></td><td class="indexvalue"></td></tr>
+  <tr><td class="indexkey"><a class="el" href="regex_8c.html">regex.c</a></td><td class="indexvalue"></td></tr>
   <tr><td class="indexkey"><a class="el" href="sf__dynamic__preproc__lib_8c.html">sf_dynamic_preproc_lib.c</a></td><td class="indexvalue"></td></tr>
   <tr><td class="indexkey"><a class="el" href="sf__preproc__info_8h.html">sf_preproc_info.h</a> <a href="sf__preproc__info_8h_source.html">[code]</a></td><td class="indexvalue"></td></tr>
   <tr><td class="indexkey"><a class="el" href="sfPolicyUserData_8c.html">sfPolicyUserData.c</a></td><td class="indexvalue"></td></tr>
@@ -73,7 +76,7 @@ Here is a list of all files with brief descriptions:<table>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Wed Aug 4 2010 11:30:57 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/functions.html b/doc/html/functions.html
index 119b287..b42b19f 100644
--- a/doc/html/functions.html
+++ b/doc/html/functions.html
@@ -51,38 +51,231 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
       <li><a href="functions_vars.html"><span>Variables</span></a></li>
     </ul>
   </div>
+  <div class="tabs3">
+    <ul class="tablist">
+      <li><a href="#index_a"><span>a</span></a></li>
+      <li><a href="#index_c"><span>c</span></a></li>
+      <li><a href="#index_d"><span>d</span></a></li>
+      <li><a href="#index_g"><span>g</span></a></li>
+      <li><a href="#index_h"><span>h</span></a></li>
+      <li><a href="#index_i"><span>i</span></a></li>
+      <li><a href="#index_k"><span>k</span></a></li>
+      <li><a href="#index_l"><span>l</span></a></li>
+      <li><a href="#index_m"><span>m</span></a></li>
+      <li><a href="#index_n"><span>n</span></a></li>
+      <li><a href="#index_o"><span>o</span></a></li>
+      <li><a href="#index_p"><span>p</span></a></li>
+      <li><a href="#index_r"><span>r</span></a></li>
+      <li><a href="#index_s"><span>s</span></a></li>
+      <li><a href="#index_t"><span>t</span></a></li>
+      <li><a href="#index_w"><span>w</span></a></li>
+    </ul>
+  </div>
 </div>
 <div class="contents">
-Here is a list of all struct and union fields with links to the structures/unions they belong to:<ul>
+Here is a list of all struct and union fields with links to the structures/unions they belong to:
+
+<h3><a class="anchor" id="index_a"></a>- a -</h3><ul>
+<li>ack
+: <a class="el" href="struct__AI__snort__alert.html#a2b185c678d3a7f1207b2119b0b567c37">_AI_snort_alert</a>
+</li>
+<li>alertClusteringInterval
+: <a class="el" href="structAI__config.html#a7d0d098b8263aa3d8415b11d1ec7f93d">AI_config</a>
+</li>
+<li>alertfile
+: <a class="el" href="structAI__config.html#a2efa9590d7eea6dce8b5dd9aa76ed8ca">AI_config</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_c"></a>- c -</h3><ul>
+<li>children
+: <a class="el" href="struct__hierarchy__node.html#afc23d4fe6426873164cdaab2f3d4f0cd">_hierarchy_node</a>
+</li>
+<li>classification
+: <a class="el" href="struct__AI__snort__alert.html#aa89585e14acb2c4e684a1552d322632f">_AI_snort_alert</a>
+</li>
+<li>clusterfile
+: <a class="el" href="structAI__config.html#a6da02a3f7116fd3810a41b738e8883a3">AI_config</a>
+</li>
+<li>count
+: <a class="el" href="structattribute__value.html#a5579c0304c2e9ab488ac94905b385045">attribute_value</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_d"></a>- d -</h3><ul>
+<li>desc
+: <a class="el" href="struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135">_AI_snort_alert</a>
+</li>
+<li>dst_addr
+: <a class="el" href="struct__AI__snort__alert.html#a69cc2ba171c8c808a0b45caa9426cd8c">_AI_snort_alert</a>
+</li>
 <li>dst_port
 : <a class="el" href="structpkt__key.html#af77f5eb1f4cd88b43fe99fd73553351d">pkt_key</a>
+, <a class="el" href="struct__AI__snort__alert.html#a6b323c07ae501d221e330e13646a96a3">_AI_snort_alert</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_g"></a>- g -</h3><ul>
+<li>gid
+: <a class="el" href="struct__AI__snort__alert.html#af8408be5da59cda853442dd13465c0f6">_AI_snort_alert</a>
+</li>
+<li>grouped_alarms_count
+: <a class="el" href="struct__AI__snort__alert.html#a285aff12d6bac03c316ccc5305d28e53">_AI_snort_alert</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_h"></a>- h -</h3><ul>
+<li>h_node
+: <a class="el" href="struct__AI__snort__alert.html#ac53765584296ead1328eabfaba8a3aed">_AI_snort_alert</a>
 </li>
 <li>hashCleanupInterval
-: <a class="el" href="struct__AI__config.html#a890e6756dc637e9d41b7051a4d1ddc93">_AI_config</a>
+: <a class="el" href="structAI__config.html#a9f7680615027d4fb74b4aa144a7028a4">AI_config</a>
 </li>
 <li>hh
-: <a class="el" href="structpkt__info.html#a264e90d4b5d490de040f38c1072e142f">pkt_info</a>
+: <a class="el" href="structattribute__value.html#a9abf5d1758ee0cc4803e3b40fc4481cc">attribute_value</a>
+, <a class="el" href="structpkt__info.html#a264e90d4b5d490de040f38c1072e142f">pkt_info</a>
 </li>
+</ul>
+
+
+<h3><a class="anchor" id="index_i"></a>- i -</h3><ul>
+<li>id
+: <a class="el" href="struct__AI__snort__alert.html#a45e4acf90450a5f9efd4e0c290f84bcf">_AI_snort_alert</a>
+</li>
+<li>iplen
+: <a class="el" href="struct__AI__snort__alert.html#a523ef8842d01a1bc4ea3c0bf27518e78">_AI_snort_alert</a>
+</li>
+<li>ipproto
+: <a class="el" href="struct__AI__snort__alert.html#a2a5f2741918c3c13890f2b617a7f23a4">_AI_snort_alert</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_k"></a>- k -</h3><ul>
 <li>key
-: <a class="el" href="structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339">pkt_info</a>
+: <a class="el" href="structattribute__value.html#aa8b5ae41c150e4fefb800d3b1924278d">attribute_value</a>
+, <a class="el" href="structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339">pkt_info</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_l"></a>- l -</h3><ul>
+<li>label
+: <a class="el" href="struct__hierarchy__node.html#ae498f6fd14ca058a3ae0a95d5425451a">_hierarchy_node</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_m"></a>- m -</h3><ul>
+<li>max
+: <a class="el" href="structattribute__key.html#a82b7e5ac49820b816871a4ddf30c462d">attribute_key</a>
+</li>
+<li>max_val
+: <a class="el" href="struct__hierarchy__node.html#a79ea88029938dc30ab8f159405d12c87">_hierarchy_node</a>
+</li>
+<li>min
+: <a class="el" href="structattribute__key.html#a4fdb3d7aabeac6b1052b59e05e3d8842">attribute_key</a>
+</li>
+<li>min_val
+: <a class="el" href="struct__hierarchy__node.html#a13ceebd7b435b9ef347fb90d9e6bbfe4">_hierarchy_node</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_n"></a>- n -</h3><ul>
+<li>nchildren
+: <a class="el" href="struct__hierarchy__node.html#a849256ce1039e2cefaaf64d91171be0a">_hierarchy_node</a>
 </li>
 <li>next
-: <a class="el" href="structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168">pkt_info</a>
+: <a class="el" href="struct__AI__snort__alert.html#aa8336d4b3359015ed8ea312ca1fd1173">_AI_snort_alert</a>
+, <a class="el" href="structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168">pkt_info</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_o"></a>- o -</h3><ul>
+<li>observed
+: <a class="el" href="structpkt__info.html#ac7ff78ea5faf333fc91f92e3085ea7c9">pkt_info</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_p"></a>- p -</h3><ul>
+<li>parent
+: <a class="el" href="struct__hierarchy__node.html#a5c94c89d7e2aea393f1c550afb766bbe">_hierarchy_node</a>
 </li>
 <li>pkt
 : <a class="el" href="structpkt__info.html#a8d5ebd04a32067b05387e5c5056fe168">pkt_info</a>
 </li>
-<li>portToCheck
-: <a class="el" href="struct__AI__config.html#ab22e082ad6637f6280134e882bf53b0d">_AI_config</a>
+<li>priority
+: <a class="el" href="struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9">_AI_snort_alert</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_r"></a>- r -</h3><ul>
+<li>rev
+: <a class="el" href="struct__AI__snort__alert.html#a864d3baa48586d6a31639f4cd27d9d37">_AI_snort_alert</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_s"></a>- s -</h3><ul>
+<li>sequence
+: <a class="el" href="struct__AI__snort__alert.html#acb20c4c55149d5806d7523720786ab77">_AI_snort_alert</a>
+</li>
+<li>sid
+: <a class="el" href="struct__AI__snort__alert.html#a3349aa68d2234f8ffd897367c3a8a137">_AI_snort_alert</a>
+</li>
+<li>src_addr
+: <a class="el" href="struct__AI__snort__alert.html#ab16a24f368020e4b40e65b53cae33b48">_AI_snort_alert</a>
 </li>
 <li>src_ip
 : <a class="el" href="structpkt__key.html#a3a091c20dafb8b3f689db00c5b2f8ddb">pkt_key</a>
 </li>
+<li>src_port
+: <a class="el" href="struct__AI__snort__alert.html#a856cccd3eaabd38aa9974f26d3edc5e3">_AI_snort_alert</a>
+</li>
+<li>stream
+: <a class="el" href="struct__AI__snort__alert.html#a09dfe0a841fd3912ec78060d4547cb31">_AI_snort_alert</a>
+</li>
 <li>streamExpireInterval
-: <a class="el" href="struct__AI__config.html#a338358f23bf15f567a015a99d892c8e7">_AI_config</a>
+: <a class="el" href="structAI__config.html#abbe77d5f94b8c5164bea47acba09c98b">AI_config</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_t"></a>- t -</h3><ul>
+<li>tcp_flags
+: <a class="el" href="struct__AI__snort__alert.html#aa643f11db93b70242b57f0a04775e507">_AI_snort_alert</a>
+</li>
+<li>tcplen
+: <a class="el" href="struct__AI__snort__alert.html#a519a103f5e8f1cb006c0c137b7c6a1c0">_AI_snort_alert</a>
 </li>
 <li>timestamp
-: <a class="el" href="structpkt__info.html#a7f5090443f21e6290f0439f1bb872e92">pkt_info</a>
+: <a class="el" href="struct__AI__snort__alert.html#a10a67f60ca3da339a2104849a0b2ac19">_AI_snort_alert</a>
+, <a class="el" href="structpkt__info.html#a7f5090443f21e6290f0439f1bb872e92">pkt_info</a>
+</li>
+<li>tos
+: <a class="el" href="struct__AI__snort__alert.html#a882ae6db43dc0fe08071947ccb044b93">_AI_snort_alert</a>
+</li>
+<li>ttl
+: <a class="el" href="struct__AI__snort__alert.html#ab9b1ce8ee440a324af116403ac9c51a2">_AI_snort_alert</a>
+</li>
+<li>type
+: <a class="el" href="struct__hierarchy__node.html#a3b18e3ddfa2212c5e4ff9c0b4bde4296">_hierarchy_node</a>
+, <a class="el" href="structattribute__value.html#a5322c4edde771a7ee0d9fc5f5e45484c">attribute_value</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_w"></a>- w -</h3><ul>
+<li>window
+: <a class="el" href="struct__AI__snort__alert.html#a63e94be3d248cf4beb0d4d5ab75331b1">_AI_snort_alert</a>
 </li>
 </ul>
 </div>
@@ -100,7 +293,7 @@ Here is a list of all struct and union fields with links to the structures/union
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Wed Aug 4 2010 11:30:57 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/functions_vars.html b/doc/html/functions_vars.html
index c2988a4..3caa8e1 100644
--- a/doc/html/functions_vars.html
+++ b/doc/html/functions_vars.html
@@ -51,38 +51,231 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
       <li class="current"><a href="functions_vars.html"><span>Variables</span></a></li>
     </ul>
   </div>
+  <div class="tabs3">
+    <ul class="tablist">
+      <li><a href="#index_a"><span>a</span></a></li>
+      <li><a href="#index_c"><span>c</span></a></li>
+      <li><a href="#index_d"><span>d</span></a></li>
+      <li><a href="#index_g"><span>g</span></a></li>
+      <li><a href="#index_h"><span>h</span></a></li>
+      <li><a href="#index_i"><span>i</span></a></li>
+      <li><a href="#index_k"><span>k</span></a></li>
+      <li><a href="#index_l"><span>l</span></a></li>
+      <li><a href="#index_m"><span>m</span></a></li>
+      <li><a href="#index_n"><span>n</span></a></li>
+      <li><a href="#index_o"><span>o</span></a></li>
+      <li><a href="#index_p"><span>p</span></a></li>
+      <li><a href="#index_r"><span>r</span></a></li>
+      <li><a href="#index_s"><span>s</span></a></li>
+      <li><a href="#index_t"><span>t</span></a></li>
+      <li><a href="#index_w"><span>w</span></a></li>
+    </ul>
+  </div>
 </div>
 <div class="contents">
-&nbsp;<ul>
+&nbsp;
+
+<h3><a class="anchor" id="index_a"></a>- a -</h3><ul>
+<li>ack
+: <a class="el" href="struct__AI__snort__alert.html#a2b185c678d3a7f1207b2119b0b567c37">_AI_snort_alert</a>
+</li>
+<li>alertClusteringInterval
+: <a class="el" href="structAI__config.html#a7d0d098b8263aa3d8415b11d1ec7f93d">AI_config</a>
+</li>
+<li>alertfile
+: <a class="el" href="structAI__config.html#a2efa9590d7eea6dce8b5dd9aa76ed8ca">AI_config</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_c"></a>- c -</h3><ul>
+<li>children
+: <a class="el" href="struct__hierarchy__node.html#afc23d4fe6426873164cdaab2f3d4f0cd">_hierarchy_node</a>
+</li>
+<li>classification
+: <a class="el" href="struct__AI__snort__alert.html#aa89585e14acb2c4e684a1552d322632f">_AI_snort_alert</a>
+</li>
+<li>clusterfile
+: <a class="el" href="structAI__config.html#a6da02a3f7116fd3810a41b738e8883a3">AI_config</a>
+</li>
+<li>count
+: <a class="el" href="structattribute__value.html#a5579c0304c2e9ab488ac94905b385045">attribute_value</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_d"></a>- d -</h3><ul>
+<li>desc
+: <a class="el" href="struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135">_AI_snort_alert</a>
+</li>
+<li>dst_addr
+: <a class="el" href="struct__AI__snort__alert.html#a69cc2ba171c8c808a0b45caa9426cd8c">_AI_snort_alert</a>
+</li>
 <li>dst_port
 : <a class="el" href="structpkt__key.html#af77f5eb1f4cd88b43fe99fd73553351d">pkt_key</a>
+, <a class="el" href="struct__AI__snort__alert.html#a6b323c07ae501d221e330e13646a96a3">_AI_snort_alert</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_g"></a>- g -</h3><ul>
+<li>gid
+: <a class="el" href="struct__AI__snort__alert.html#af8408be5da59cda853442dd13465c0f6">_AI_snort_alert</a>
+</li>
+<li>grouped_alarms_count
+: <a class="el" href="struct__AI__snort__alert.html#a285aff12d6bac03c316ccc5305d28e53">_AI_snort_alert</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_h"></a>- h -</h3><ul>
+<li>h_node
+: <a class="el" href="struct__AI__snort__alert.html#ac53765584296ead1328eabfaba8a3aed">_AI_snort_alert</a>
 </li>
 <li>hashCleanupInterval
-: <a class="el" href="struct__AI__config.html#a890e6756dc637e9d41b7051a4d1ddc93">_AI_config</a>
+: <a class="el" href="structAI__config.html#a9f7680615027d4fb74b4aa144a7028a4">AI_config</a>
 </li>
 <li>hh
-: <a class="el" href="structpkt__info.html#a264e90d4b5d490de040f38c1072e142f">pkt_info</a>
+: <a class="el" href="structattribute__value.html#a9abf5d1758ee0cc4803e3b40fc4481cc">attribute_value</a>
+, <a class="el" href="structpkt__info.html#a264e90d4b5d490de040f38c1072e142f">pkt_info</a>
 </li>
+</ul>
+
+
+<h3><a class="anchor" id="index_i"></a>- i -</h3><ul>
+<li>id
+: <a class="el" href="struct__AI__snort__alert.html#a45e4acf90450a5f9efd4e0c290f84bcf">_AI_snort_alert</a>
+</li>
+<li>iplen
+: <a class="el" href="struct__AI__snort__alert.html#a523ef8842d01a1bc4ea3c0bf27518e78">_AI_snort_alert</a>
+</li>
+<li>ipproto
+: <a class="el" href="struct__AI__snort__alert.html#a2a5f2741918c3c13890f2b617a7f23a4">_AI_snort_alert</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_k"></a>- k -</h3><ul>
 <li>key
-: <a class="el" href="structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339">pkt_info</a>
+: <a class="el" href="structattribute__value.html#aa8b5ae41c150e4fefb800d3b1924278d">attribute_value</a>
+, <a class="el" href="structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339">pkt_info</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_l"></a>- l -</h3><ul>
+<li>label
+: <a class="el" href="struct__hierarchy__node.html#ae498f6fd14ca058a3ae0a95d5425451a">_hierarchy_node</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_m"></a>- m -</h3><ul>
+<li>max
+: <a class="el" href="structattribute__key.html#a82b7e5ac49820b816871a4ddf30c462d">attribute_key</a>
+</li>
+<li>max_val
+: <a class="el" href="struct__hierarchy__node.html#a79ea88029938dc30ab8f159405d12c87">_hierarchy_node</a>
+</li>
+<li>min
+: <a class="el" href="structattribute__key.html#a4fdb3d7aabeac6b1052b59e05e3d8842">attribute_key</a>
+</li>
+<li>min_val
+: <a class="el" href="struct__hierarchy__node.html#a13ceebd7b435b9ef347fb90d9e6bbfe4">_hierarchy_node</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_n"></a>- n -</h3><ul>
+<li>nchildren
+: <a class="el" href="struct__hierarchy__node.html#a849256ce1039e2cefaaf64d91171be0a">_hierarchy_node</a>
 </li>
 <li>next
-: <a class="el" href="structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168">pkt_info</a>
+: <a class="el" href="struct__AI__snort__alert.html#aa8336d4b3359015ed8ea312ca1fd1173">_AI_snort_alert</a>
+, <a class="el" href="structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168">pkt_info</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_o"></a>- o -</h3><ul>
+<li>observed
+: <a class="el" href="structpkt__info.html#ac7ff78ea5faf333fc91f92e3085ea7c9">pkt_info</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_p"></a>- p -</h3><ul>
+<li>parent
+: <a class="el" href="struct__hierarchy__node.html#a5c94c89d7e2aea393f1c550afb766bbe">_hierarchy_node</a>
 </li>
 <li>pkt
 : <a class="el" href="structpkt__info.html#a8d5ebd04a32067b05387e5c5056fe168">pkt_info</a>
 </li>
-<li>portToCheck
-: <a class="el" href="struct__AI__config.html#ab22e082ad6637f6280134e882bf53b0d">_AI_config</a>
+<li>priority
+: <a class="el" href="struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9">_AI_snort_alert</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_r"></a>- r -</h3><ul>
+<li>rev
+: <a class="el" href="struct__AI__snort__alert.html#a864d3baa48586d6a31639f4cd27d9d37">_AI_snort_alert</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_s"></a>- s -</h3><ul>
+<li>sequence
+: <a class="el" href="struct__AI__snort__alert.html#acb20c4c55149d5806d7523720786ab77">_AI_snort_alert</a>
+</li>
+<li>sid
+: <a class="el" href="struct__AI__snort__alert.html#a3349aa68d2234f8ffd897367c3a8a137">_AI_snort_alert</a>
+</li>
+<li>src_addr
+: <a class="el" href="struct__AI__snort__alert.html#ab16a24f368020e4b40e65b53cae33b48">_AI_snort_alert</a>
 </li>
 <li>src_ip
 : <a class="el" href="structpkt__key.html#a3a091c20dafb8b3f689db00c5b2f8ddb">pkt_key</a>
 </li>
+<li>src_port
+: <a class="el" href="struct__AI__snort__alert.html#a856cccd3eaabd38aa9974f26d3edc5e3">_AI_snort_alert</a>
+</li>
+<li>stream
+: <a class="el" href="struct__AI__snort__alert.html#a09dfe0a841fd3912ec78060d4547cb31">_AI_snort_alert</a>
+</li>
 <li>streamExpireInterval
-: <a class="el" href="struct__AI__config.html#a338358f23bf15f567a015a99d892c8e7">_AI_config</a>
+: <a class="el" href="structAI__config.html#abbe77d5f94b8c5164bea47acba09c98b">AI_config</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_t"></a>- t -</h3><ul>
+<li>tcp_flags
+: <a class="el" href="struct__AI__snort__alert.html#aa643f11db93b70242b57f0a04775e507">_AI_snort_alert</a>
+</li>
+<li>tcplen
+: <a class="el" href="struct__AI__snort__alert.html#a519a103f5e8f1cb006c0c137b7c6a1c0">_AI_snort_alert</a>
 </li>
 <li>timestamp
-: <a class="el" href="structpkt__info.html#a7f5090443f21e6290f0439f1bb872e92">pkt_info</a>
+: <a class="el" href="struct__AI__snort__alert.html#a10a67f60ca3da339a2104849a0b2ac19">_AI_snort_alert</a>
+, <a class="el" href="structpkt__info.html#a7f5090443f21e6290f0439f1bb872e92">pkt_info</a>
+</li>
+<li>tos
+: <a class="el" href="struct__AI__snort__alert.html#a882ae6db43dc0fe08071947ccb044b93">_AI_snort_alert</a>
+</li>
+<li>ttl
+: <a class="el" href="struct__AI__snort__alert.html#ab9b1ce8ee440a324af116403ac9c51a2">_AI_snort_alert</a>
+</li>
+<li>type
+: <a class="el" href="struct__hierarchy__node.html#a3b18e3ddfa2212c5e4ff9c0b4bde4296">_hierarchy_node</a>
+, <a class="el" href="structattribute__value.html#a5322c4edde771a7ee0d9fc5f5e45484c">attribute_value</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_w"></a>- w -</h3><ul>
+<li>window
+: <a class="el" href="struct__AI__snort__alert.html#a63e94be3d248cf4beb0d4d5ab75331b1">_AI_snort_alert</a>
 </li>
 </ul>
 </div>
@@ -100,7 +293,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Wed Aug 4 2010 11:30:57 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/globals.html b/doc/html/globals.html
index a55e9a8..7afa922 100644
--- a/doc/html/globals.html
+++ b/doc/html/globals.html
@@ -60,14 +60,15 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
       <li><a href="#index__"><span>_</span></a></li>
       <li><a href="#index_a"><span>a</span></a></li>
       <li><a href="#index_b"><span>b</span></a></li>
+      <li><a href="#index_c"><span>c</span></a></li>
       <li><a href="#index_d"><span>d</span></a></li>
       <li><a href="#index_e"><span>e</span></a></li>
       <li><a href="#index_f"><span>f</span></a></li>
-      <li><a href="#index_g"><span>g</span></a></li>
       <li><a href="#index_h"><span>h</span></a></li>
       <li><a href="#index_i"><span>i</span></a></li>
       <li><a href="#index_l"><span>l</span></a></li>
       <li><a href="#index_m"><span>m</span></a></li>
+      <li><a href="#index_n"><span>n</span></a></li>
       <li><a href="#index_p"><span>p</span></a></li>
       <li><a href="#index_r"><span>r</span></a></li>
       <li><a href="#index_s"><span>s</span></a></li>
@@ -80,24 +81,74 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 Here is a list of all functions, variables, defines, enums, and typedefs with links to the files they belong to:
 
 <h3><a class="anchor" id="index__"></a>- _ -</h3><ul>
+<li>_AI_check_duplicate()
+: <a class="el" href="cluster_8c.html#a29c35cd6c56f54e27b5b190c6d6c487a">cluster.c</a>
+</li>
+<li>_AI_cluster_thread()
+: <a class="el" href="cluster_8c.html#a8a5eae61dc9fd0f13e0acdfa5f4478e2">cluster.c</a>
+</li>
+<li>_AI_copy_alerts()
+: <a class="el" href="alert__parser_8c.html#a6c5014cae9155379fdc4db649b2c862d">alert_parser.c</a>
+</li>
+<li>_AI_equal_alarms()
+: <a class="el" href="cluster_8c.html#a0f91c8bfc37a3975f5c26b19fd6c5cba">cluster.c</a>
+</li>
+<li>_AI_get_min_hierarchy_node()
+: <a class="el" href="cluster_8c.html#a6ddddcd505b1f763c339e81fc143e079">cluster.c</a>
+</li>
+<li>_AI_merge_alerts()
+: <a class="el" href="cluster_8c.html#a8ce8e5a5d8954672297fa2dedb380dcd">cluster.c</a>
+</li>
+<li>_AI_print_clustered_alerts()
+: <a class="el" href="cluster_8c.html#a7d151880080470b542e99643dc0426a7">cluster.c</a>
+</li>
 <li>_AI_stream_free()
-: <a class="el" href="stream_8c.html#a2a0c295a6828df716311977538cabd4a">stream.c</a>
+: <a class="el" href="stream_8c.html#a80016adf701c717a6ebfb5b15b8a5749">stream.c</a>
+</li>
+<li>_config
+: <a class="el" href="cluster_8c.html#a91458e2d34595688e39fcb63ba418849">cluster.c</a>
 </li>
 <li>_dpd
-: <a class="el" href="spp__ai_8c.html#ab46420126c43c1aac5eabc5db266a71c">spp_ai.c</a>
-, <a class="el" href="sf__dynamic__preproc__lib_8c.html#ab46420126c43c1aac5eabc5db266a71c">sf_dynamic_preproc_lib.c</a>
+: <a class="el" href="sf__dynamic__preproc__lib_8c.html#ab46420126c43c1aac5eabc5db266a71c">sf_dynamic_preproc_lib.c</a>
+, <a class="el" href="spp__ai_8h.html#ab46420126c43c1aac5eabc5db266a71c">spp_ai.h</a>
+</li>
+<li>_heuristic_func()
+: <a class="el" href="cluster_8c.html#a81f5fa721719fdb281595a568eef2101">cluster.c</a>
+</li>
+<li>_hierarchy_node_append()
+: <a class="el" href="cluster_8c.html#a5601a1f603d9c870ef6e2df192e30c30">cluster.c</a>
+</li>
+<li>_hierarchy_node_new()
+: <a class="el" href="cluster_8c.html#a2f1a22cfea64e4669da0467620c3e3b3">cluster.c</a>
 </li>
 </ul>
 
 
 <h3><a class="anchor" id="index_a"></a>- a -</h3><ul>
-<li>AI_config
-: <a class="el" href="spp__ai_8h.html#a3fc526e5a55f5d137402b1bbd1b6072c">spp_ai.h</a>
+<li>AI_alertparser_thread()
+: <a class="el" href="alert__parser_8c.html#ad68c45b5846743a54ad3fa92c8e48f8a">alert_parser.c</a>
+, <a class="el" href="spp__ai_8h.html#a842a3204c6e067a9920990b573757181">spp_ai.h</a>
+</li>
+<li>AI_free_alerts()
+: <a class="el" href="spp__ai_8h.html#a270e86669a0aa64a8da37bc16cda645b">spp_ai.h</a>
+, <a class="el" href="alert__parser_8c.html#a270e86669a0aa64a8da37bc16cda645b">alert_parser.c</a>
+</li>
+<li>AI_get_alerts()
+: <a class="el" href="alert__parser_8c.html#a99474495643197b3075ac22ec6f6c70f">alert_parser.c</a>
+, <a class="el" href="spp__ai_8h.html#af19a28f7cbcdfeb2b66fb3b625b75076">spp_ai.h</a>
+</li>
+<li>AI_get_stream_by_key()
+: <a class="el" href="stream_8c.html#a2efedcabbfd12c5345f0c93a3dd4735c">stream.c</a>
+, <a class="el" href="spp__ai_8h.html#a3054f06297a9caefd4d9b1283bb8b69a">spp_ai.h</a>
 </li>
 <li>AI_hashcleanup_thread()
 : <a class="el" href="spp__ai_8h.html#ad56f71be823eead743972274b99c82ff">spp_ai.h</a>
 , <a class="el" href="stream_8c.html#a24b1131374e5059564b8a12380c4eb75">stream.c</a>
 </li>
+<li>AI_hierarchies_build()
+: <a class="el" href="cluster_8c.html#a1445818b37483f78cc3fb2890155842c">cluster.c</a>
+, <a class="el" href="spp__ai_8h.html#a857348424b9db45c90f95631eb96fd7c">spp_ai.h</a>
+</li>
 <li>AI_init()
 : <a class="el" href="spp__ai_8c.html#a3524cbdf8fddbcf38c4ed55241002242">spp_ai.c</a>
 </li>
@@ -111,9 +162,25 @@ Here is a list of all functions, variables, defines, enums, and typedefs with li
 <li>AI_process()
 : <a class="el" href="spp__ai_8c.html#a57c05cda012c443cb4c358dc327cd3d1">spp_ai.c</a>
 </li>
+<li>AI_set_stream_observed()
+: <a class="el" href="spp__ai_8h.html#a8749989cee2ac05a7de058faac280c02">spp_ai.h</a>
+, <a class="el" href="stream_8c.html#a8749989cee2ac05a7de058faac280c02">stream.c</a>
+</li>
 <li>AI_setup()
-: <a class="el" href="spp__ai_8c.html#a1b9ebb5c719c7d9426ddfc1f3da36570">spp_ai.c</a>
-, <a class="el" href="sf__preproc__info_8h.html#ad81716bc3f0fec4df74198a7cbdbd43c">sf_preproc_info.h</a>
+: <a class="el" href="sf__preproc__info_8h.html#ad81716bc3f0fec4df74198a7cbdbd43c">sf_preproc_info.h</a>
+, <a class="el" href="spp__ai_8c.html#a1b9ebb5c719c7d9426ddfc1f3da36570">spp_ai.c</a>
+</li>
+<li>AI_snort_alert
+: <a class="el" href="spp__ai_8h.html#a982be90e72362e88d09f28336c9a1897">spp_ai.h</a>
+</li>
+<li>alert_fp
+: <a class="el" href="alert__parser_8c.html#abee2a33368912d9288c76b51160a9ed6">alert_parser.c</a>
+</li>
+<li>alert_log
+: <a class="el" href="cluster_8c.html#aaf4c19f60f48741b0890c6114dcff7d9">cluster.c</a>
+</li>
+<li>alerts
+: <a class="el" href="alert__parser_8c.html#ae837fc04e61c0eb052f997c54b4fd9fe">alert_parser.c</a>
 </li>
 </ul>
 
@@ -128,12 +195,37 @@ Here is a list of all functions, variables, defines, enums, and typedefs with li
 </ul>
 
 
-<h3><a class="anchor" id="index_d"></a>- d -</h3><ul>
-<li>DST_PORT_MATCH
-: <a class="el" href="spp__ai_8c.html#a8ab13e8ad1dfd19b9237a99ae6130146">spp_ai.c</a>
+<h3><a class="anchor" id="index_c"></a>- c -</h3><ul>
+<li>cluster_type
+: <a class="el" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640">spp_ai.h</a>
 </li>
-<li>DST_PORT_MATCH_STR
-: <a class="el" href="spp__ai_8c.html#a1f3521b9bcf5daf99190be58473a4110">spp_ai.c</a>
+<li>CLUSTER_TYPES
+: <a class="el" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ab16bb5c4b330d5db02e2d852cd2ba451">spp_ai.h</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_d"></a>- d -</h3><ul>
+<li>DEFAULT_ALERT_CLUSTERING_INTERVAL
+: <a class="el" href="spp__ai_8h.html#a0c4b6fce670e46083e33b9f53b78f39e">spp_ai.h</a>
+</li>
+<li>DEFAULT_ALERT_LOG_FILE
+: <a class="el" href="spp__ai_8h.html#a6d9bf552c32371e0144dc6a6209c7e4a">spp_ai.h</a>
+</li>
+<li>DEFAULT_CLUSTER_LOG_FILE
+: <a class="el" href="spp__ai_8h.html#a803dc913297ccdace9e604dbfecda97d">spp_ai.h</a>
+</li>
+<li>DEFAULT_HASH_CLEANUP_INTERVAL
+: <a class="el" href="spp__ai_8h.html#a5f555c0ebd29ce2771a3e2dd4f526746">spp_ai.h</a>
+</li>
+<li>DEFAULT_STREAM_EXPIRE_INTERVAL
+: <a class="el" href="spp__ai_8h.html#a0f6a189af15ef783fb46ed37c144e031">spp_ai.h</a>
+</li>
+<li>dst_addr
+: <a class="el" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640aa000f955ef1374c60cdb16bf43a1593c">spp_ai.h</a>
+</li>
+<li>dst_port
+: <a class="el" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640abc4f89a184ada44073bd6f54d7fc11c9">spp_ai.h</a>
 </li>
 <li>DYNAMIC_PREPROC_SETUP
 : <a class="el" href="sf__preproc__info_8h.html#aba4c0d0af324a3861e662ed4650aae44">sf_preproc_info.h</a>
@@ -158,16 +250,15 @@ Here is a list of all functions, variables, defines, enums, and typedefs with li
 </ul>
 
 
-<h3><a class="anchor" id="index_g"></a>- g -</h3><ul>
-<li>GENERATOR_EXAMPLE
-: <a class="el" href="spp__ai_8c.html#a9e7d446fc8b40be2cfbb5c69c3e132ca">spp_ai.c</a>
-</li>
-</ul>
-
-
 <h3><a class="anchor" id="index_h"></a>- h -</h3><ul>
+<li>h_root
+: <a class="el" href="cluster_8c.html#a97d35425cf5a0207fb50b64ee8cdda82">cluster.c</a>
+</li>
 <li>hash
-: <a class="el" href="stream_8c.html#a96fbc549c67e0d852ced3cb72980e923">stream.c</a>
+: <a class="el" href="stream_8c.html#a57e23cda853e9d11c37723a962ef2f68">stream.c</a>
+</li>
+<li>hierarchy_node
+: <a class="el" href="spp__ai_8h.html#a466391129919ef12366d311d501552fa">spp_ai.h</a>
 </li>
 </ul>
 
@@ -196,13 +287,27 @@ Here is a list of all functions, variables, defines, enums, and typedefs with li
 </ul>
 
 
+<h3><a class="anchor" id="index_n"></a>- n -</h3><ul>
+<li>none
+: <a class="el" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ab7e4e0120a041dbe6528b050c04269e0">spp_ai.h</a>
+</li>
+</ul>
+
+
 <h3><a class="anchor" id="index_p"></a>- p -</h3><ul>
 <li>parserPolicyId
 : <a class="el" href="sfPolicyUserData_8c.html#a0a415b8e70250b11e64a463134d00b4f">sfPolicyUserData.c</a>
 </li>
+<li>preg_match()
+: <a class="el" href="regex_8c.html#a35f57c052a7de1ded54b67a1f7819791">regex.c</a>
+, <a class="el" href="spp__ai_8h.html#a85c0852b05b60cbfe0130534160c9876">spp_ai.h</a>
+</li>
 <li>PREPROC_NAME
 : <a class="el" href="sf__preproc__info_8h.html#af5d5329206253ca0c1a3b8d4a43195af">sf_preproc_info.h</a>
 </li>
+<li>PRIVATE
+: <a class="el" href="spp__ai_8h.html#a5e151c615eda34903514212f05a5ccf8">spp_ai.h</a>
+</li>
 </ul>
 
 
@@ -229,11 +334,14 @@ Here is a list of all functions, variables, defines, enums, and typedefs with li
 <li>sfPolicyUserDataSet()
 : <a class="el" href="group__sfPolicyConfig.html#ga8e14fd83397b9bbb14568070183db80b">sfPolicyUserData.c</a>
 </li>
-<li>SRC_PORT_MATCH
-: <a class="el" href="spp__ai_8c.html#af4c767ae0346026264c851108f42be63">spp_ai.c</a>
+<li>src_addr
+: <a class="el" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640abc900639df18f0f5f2f63a1f033fe42f">spp_ai.h</a>
 </li>
-<li>SRC_PORT_MATCH_STR
-: <a class="el" href="spp__ai_8c.html#a3ec4dd8f1ebed73c13175d9b9c820e2e">spp_ai.c</a>
+<li>src_port
+: <a class="el" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ac1335c508143eb06843af2ce5ff3027b">spp_ai.h</a>
+</li>
+<li>start_time
+: <a class="el" href="stream_8c.html#a0597864b078ff448f28432db86950309">stream.c</a>
 </li>
 </ul>
 
@@ -252,6 +360,9 @@ Here is a list of all functions, variables, defines, enums, and typedefs with li
 <li>uint32_t
 : <a class="el" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">spp_ai.h</a>
 </li>
+<li>uint8_t
+: <a class="el" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">spp_ai.h</a>
+</li>
 </ul>
 </div>
 <!--- window showing the filter options -->
@@ -268,7 +379,7 @@ Here is a list of all functions, variables, defines, enums, and typedefs with li
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Wed Aug 4 2010 11:30:57 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/globals_defs.html b/doc/html/globals_defs.html
index 8d4bdf9..75c70fc 100644
--- a/doc/html/globals_defs.html
+++ b/doc/html/globals_defs.html
@@ -61,18 +61,24 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 <li>BUILD_VERSION
 : <a class="el" href="sf__preproc__info_8h.html#ad7a967dd260384e94010b31b1412a0b4">sf_preproc_info.h</a>
 </li>
-<li>DST_PORT_MATCH
-: <a class="el" href="spp__ai_8c.html#a8ab13e8ad1dfd19b9237a99ae6130146">spp_ai.c</a>
+<li>DEFAULT_ALERT_CLUSTERING_INTERVAL
+: <a class="el" href="spp__ai_8h.html#a0c4b6fce670e46083e33b9f53b78f39e">spp_ai.h</a>
 </li>
-<li>DST_PORT_MATCH_STR
-: <a class="el" href="spp__ai_8c.html#a1f3521b9bcf5daf99190be58473a4110">spp_ai.c</a>
+<li>DEFAULT_ALERT_LOG_FILE
+: <a class="el" href="spp__ai_8h.html#a6d9bf552c32371e0144dc6a6209c7e4a">spp_ai.h</a>
+</li>
+<li>DEFAULT_CLUSTER_LOG_FILE
+: <a class="el" href="spp__ai_8h.html#a803dc913297ccdace9e604dbfecda97d">spp_ai.h</a>
+</li>
+<li>DEFAULT_HASH_CLEANUP_INTERVAL
+: <a class="el" href="spp__ai_8h.html#a5f555c0ebd29ce2771a3e2dd4f526746">spp_ai.h</a>
+</li>
+<li>DEFAULT_STREAM_EXPIRE_INTERVAL
+: <a class="el" href="spp__ai_8h.html#a0f6a189af15ef783fb46ed37c144e031">spp_ai.h</a>
 </li>
 <li>DYNAMIC_PREPROC_SETUP
 : <a class="el" href="sf__preproc__info_8h.html#aba4c0d0af324a3861e662ed4650aae44">sf_preproc_info.h</a>
 </li>
-<li>GENERATOR_EXAMPLE
-: <a class="el" href="spp__ai_8c.html#a9e7d446fc8b40be2cfbb5c69c3e132ca">spp_ai.c</a>
-</li>
 <li>MAJOR_VERSION
 : <a class="el" href="sf__preproc__info_8h.html#aa9e8f3bb466bb421d13913df7aeaa20c">sf_preproc_info.h</a>
 </li>
@@ -82,11 +88,8 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 <li>PREPROC_NAME
 : <a class="el" href="sf__preproc__info_8h.html#af5d5329206253ca0c1a3b8d4a43195af">sf_preproc_info.h</a>
 </li>
-<li>SRC_PORT_MATCH
-: <a class="el" href="spp__ai_8c.html#af4c767ae0346026264c851108f42be63">spp_ai.c</a>
-</li>
-<li>SRC_PORT_MATCH_STR
-: <a class="el" href="spp__ai_8c.html#a3ec4dd8f1ebed73c13175d9b9c820e2e">spp_ai.c</a>
+<li>PRIVATE
+: <a class="el" href="spp__ai_8h.html#a5e151c615eda34903514212f05a5ccf8">spp_ai.h</a>
 </li>
 </ul>
 </div>
@@ -104,7 +107,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Wed Aug 4 2010 11:30:57 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/globals_enum.html b/doc/html/globals_enum.html
index d58719c..d89a918 100644
--- a/doc/html/globals_enum.html
+++ b/doc/html/globals_enum.html
@@ -61,6 +61,9 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 <li>BOOL
 : <a class="el" href="spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18dd">spp_ai.h</a>
 </li>
+<li>cluster_type
+: <a class="el" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640">spp_ai.h</a>
+</li>
 </ul>
 </div>
 <!--- window showing the filter options -->
@@ -77,7 +80,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Wed Aug 4 2010 11:30:57 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/globals_eval.html b/doc/html/globals_eval.html
index 411e132..2583ce3 100644
--- a/doc/html/globals_eval.html
+++ b/doc/html/globals_eval.html
@@ -58,9 +58,27 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </div>
 <div class="contents">
 &nbsp;<ul>
+<li>CLUSTER_TYPES
+: <a class="el" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ab16bb5c4b330d5db02e2d852cd2ba451">spp_ai.h</a>
+</li>
+<li>dst_addr
+: <a class="el" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640aa000f955ef1374c60cdb16bf43a1593c">spp_ai.h</a>
+</li>
+<li>dst_port
+: <a class="el" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640abc4f89a184ada44073bd6f54d7fc11c9">spp_ai.h</a>
+</li>
 <li>false
 : <a class="el" href="spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18ddae9de385ef6fe9bf3360d1038396b884c">spp_ai.h</a>
 </li>
+<li>none
+: <a class="el" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ab7e4e0120a041dbe6528b050c04269e0">spp_ai.h</a>
+</li>
+<li>src_addr
+: <a class="el" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640abc900639df18f0f5f2f63a1f033fe42f">spp_ai.h</a>
+</li>
+<li>src_port
+: <a class="el" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ac1335c508143eb06843af2ce5ff3027b">spp_ai.h</a>
+</li>
 <li>true
 : <a class="el" href="spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18dda08f175a5505a10b9ed657defeb050e4b">spp_ai.h</a>
 </li>
@@ -80,7 +98,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Wed Aug 4 2010 11:30:57 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/globals_func.html b/doc/html/globals_func.html
index c534670..e311b0a 100644
--- a/doc/html/globals_func.html
+++ b/doc/html/globals_func.html
@@ -55,16 +55,83 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
       <li><a href="globals_defs.html"><span>Defines</span></a></li>
     </ul>
   </div>
+  <div class="tabs3">
+    <ul class="tablist">
+      <li><a href="#index__"><span>_</span></a></li>
+      <li><a href="#index_a"><span>a</span></a></li>
+      <li><a href="#index_d"><span>d</span></a></li>
+      <li><a href="#index_i"><span>i</span></a></li>
+      <li><a href="#index_l"><span>l</span></a></li>
+      <li><a href="#index_p"><span>p</span></a></li>
+      <li><a href="#index_s"><span>s</span></a></li>
+    </ul>
+  </div>
 </div>
 <div class="contents">
-&nbsp;<ul>
+&nbsp;
+
+<h3><a class="anchor" id="index__"></a>- _ -</h3><ul>
+<li>_AI_check_duplicate()
+: <a class="el" href="cluster_8c.html#a29c35cd6c56f54e27b5b190c6d6c487a">cluster.c</a>
+</li>
+<li>_AI_cluster_thread()
+: <a class="el" href="cluster_8c.html#a8a5eae61dc9fd0f13e0acdfa5f4478e2">cluster.c</a>
+</li>
+<li>_AI_copy_alerts()
+: <a class="el" href="alert__parser_8c.html#a6c5014cae9155379fdc4db649b2c862d">alert_parser.c</a>
+</li>
+<li>_AI_equal_alarms()
+: <a class="el" href="cluster_8c.html#a0f91c8bfc37a3975f5c26b19fd6c5cba">cluster.c</a>
+</li>
+<li>_AI_get_min_hierarchy_node()
+: <a class="el" href="cluster_8c.html#a6ddddcd505b1f763c339e81fc143e079">cluster.c</a>
+</li>
+<li>_AI_merge_alerts()
+: <a class="el" href="cluster_8c.html#a8ce8e5a5d8954672297fa2dedb380dcd">cluster.c</a>
+</li>
+<li>_AI_print_clustered_alerts()
+: <a class="el" href="cluster_8c.html#a7d151880080470b542e99643dc0426a7">cluster.c</a>
+</li>
 <li>_AI_stream_free()
-: <a class="el" href="stream_8c.html#a2a0c295a6828df716311977538cabd4a">stream.c</a>
+: <a class="el" href="stream_8c.html#a80016adf701c717a6ebfb5b15b8a5749">stream.c</a>
+</li>
+<li>_heuristic_func()
+: <a class="el" href="cluster_8c.html#a81f5fa721719fdb281595a568eef2101">cluster.c</a>
+</li>
+<li>_hierarchy_node_append()
+: <a class="el" href="cluster_8c.html#a5601a1f603d9c870ef6e2df192e30c30">cluster.c</a>
+</li>
+<li>_hierarchy_node_new()
+: <a class="el" href="cluster_8c.html#a2f1a22cfea64e4669da0467620c3e3b3">cluster.c</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_a"></a>- a -</h3><ul>
+<li>AI_alertparser_thread()
+: <a class="el" href="alert__parser_8c.html#ad68c45b5846743a54ad3fa92c8e48f8a">alert_parser.c</a>
+, <a class="el" href="spp__ai_8h.html#a842a3204c6e067a9920990b573757181">spp_ai.h</a>
+</li>
+<li>AI_free_alerts()
+: <a class="el" href="spp__ai_8h.html#a270e86669a0aa64a8da37bc16cda645b">spp_ai.h</a>
+, <a class="el" href="alert__parser_8c.html#a270e86669a0aa64a8da37bc16cda645b">alert_parser.c</a>
+</li>
+<li>AI_get_alerts()
+: <a class="el" href="alert__parser_8c.html#a99474495643197b3075ac22ec6f6c70f">alert_parser.c</a>
+, <a class="el" href="spp__ai_8h.html#af19a28f7cbcdfeb2b66fb3b625b75076">spp_ai.h</a>
+</li>
+<li>AI_get_stream_by_key()
+: <a class="el" href="stream_8c.html#a2efedcabbfd12c5345f0c93a3dd4735c">stream.c</a>
+, <a class="el" href="spp__ai_8h.html#a3054f06297a9caefd4d9b1283bb8b69a">spp_ai.h</a>
 </li>
 <li>AI_hashcleanup_thread()
 : <a class="el" href="spp__ai_8h.html#ad56f71be823eead743972274b99c82ff">spp_ai.h</a>
 , <a class="el" href="stream_8c.html#a24b1131374e5059564b8a12380c4eb75">stream.c</a>
 </li>
+<li>AI_hierarchies_build()
+: <a class="el" href="cluster_8c.html#a1445818b37483f78cc3fb2890155842c">cluster.c</a>
+, <a class="el" href="spp__ai_8h.html#a857348424b9db45c90f95631eb96fd7c">spp_ai.h</a>
+</li>
 <li>AI_init()
 : <a class="el" href="spp__ai_8c.html#a3524cbdf8fddbcf38c4ed55241002242">spp_ai.c</a>
 </li>
@@ -72,25 +139,53 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 : <a class="el" href="spp__ai_8c.html#ae1c5c4b38ee2819d427848eb3046373e">spp_ai.c</a>
 </li>
 <li>AI_pkt_enqueue()
-: <a class="el" href="spp__ai_8h.html#af6f7d167c3623bbc669e8d31c2719b29">spp_ai.h</a>
-, <a class="el" href="stream_8c.html#a7d71c5645b9baff7b6c4b9a181bf80c5">stream.c</a>
+: <a class="el" href="stream_8c.html#a7d71c5645b9baff7b6c4b9a181bf80c5">stream.c</a>
+, <a class="el" href="spp__ai_8h.html#af6f7d167c3623bbc669e8d31c2719b29">spp_ai.h</a>
 </li>
 <li>AI_process()
 : <a class="el" href="spp__ai_8c.html#a57c05cda012c443cb4c358dc327cd3d1">spp_ai.c</a>
 </li>
+<li>AI_set_stream_observed()
+: <a class="el" href="stream_8c.html#a8749989cee2ac05a7de058faac280c02">stream.c</a>
+, <a class="el" href="spp__ai_8h.html#a8749989cee2ac05a7de058faac280c02">spp_ai.h</a>
+</li>
 <li>AI_setup()
 : <a class="el" href="sf__preproc__info_8h.html#ad81716bc3f0fec4df74198a7cbdbd43c">sf_preproc_info.h</a>
 , <a class="el" href="spp__ai_8c.html#a1b9ebb5c719c7d9426ddfc1f3da36570">spp_ai.c</a>
 </li>
+</ul>
+
+
+<h3><a class="anchor" id="index_d"></a>- d -</h3><ul>
 <li>DynamicPreprocessorFatalMessage()
 : <a class="el" href="sf__dynamic__preproc__lib_8c.html#a57c853c0f626bde2af6619cdeeb7471b">sf_dynamic_preproc_lib.c</a>
 </li>
+</ul>
+
+
+<h3><a class="anchor" id="index_i"></a>- i -</h3><ul>
 <li>InitializePreprocessor()
 : <a class="el" href="sf__dynamic__preproc__lib_8c.html#a16439ea02cc5c66c842c21c5b537b1d9">sf_dynamic_preproc_lib.c</a>
 </li>
+</ul>
+
+
+<h3><a class="anchor" id="index_l"></a>- l -</h3><ul>
 <li>LibVersion()
 : <a class="el" href="sf__dynamic__preproc__lib_8c.html#a06d857402af54fb10872f43051e86494">sf_dynamic_preproc_lib.c</a>
 </li>
+</ul>
+
+
+<h3><a class="anchor" id="index_p"></a>- p -</h3><ul>
+<li>preg_match()
+: <a class="el" href="regex_8c.html#a35f57c052a7de1ded54b67a1f7819791">regex.c</a>
+, <a class="el" href="spp__ai_8h.html#a85c0852b05b60cbfe0130534160c9876">spp_ai.h</a>
+</li>
+</ul>
+
+
+<h3><a class="anchor" id="index_s"></a>- s -</h3><ul>
 <li>sfPolicyConfigCreate()
 : <a class="el" href="group__sfPolicyConfig.html#gac62cd5838bee4a9d3f40561eae920cdd">sfPolicyUserData.c</a>
 </li>
@@ -122,7 +217,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Wed Aug 4 2010 11:30:57 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/globals_type.html b/doc/html/globals_type.html
index 177e922..1ea1518 100644
--- a/doc/html/globals_type.html
+++ b/doc/html/globals_type.html
@@ -58,8 +58,11 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </div>
 <div class="contents">
 &nbsp;<ul>
-<li>AI_config
-: <a class="el" href="spp__ai_8h.html#a3fc526e5a55f5d137402b1bbd1b6072c">spp_ai.h</a>
+<li>AI_snort_alert
+: <a class="el" href="spp__ai_8h.html#a982be90e72362e88d09f28336c9a1897">spp_ai.h</a>
+</li>
+<li>hierarchy_node
+: <a class="el" href="spp__ai_8h.html#a466391129919ef12366d311d501552fa">spp_ai.h</a>
 </li>
 <li>uint16_t
 : <a class="el" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">spp_ai.h</a>
@@ -67,6 +70,9 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 <li>uint32_t
 : <a class="el" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">spp_ai.h</a>
 </li>
+<li>uint8_t
+: <a class="el" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">spp_ai.h</a>
+</li>
 </ul>
 </div>
 <!--- window showing the filter options -->
@@ -83,7 +89,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Wed Aug 4 2010 11:30:57 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/globals_vars.html b/doc/html/globals_vars.html
index dda05d3..c216cf0 100644
--- a/doc/html/globals_vars.html
+++ b/doc/html/globals_vars.html
@@ -58,15 +58,30 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </div>
 <div class="contents">
 &nbsp;<ul>
+<li>_config
+: <a class="el" href="cluster_8c.html#a91458e2d34595688e39fcb63ba418849">cluster.c</a>
+</li>
 <li>_dpd
-: <a class="el" href="sf__dynamic__preproc__lib_8c.html#ab46420126c43c1aac5eabc5db266a71c">sf_dynamic_preproc_lib.c</a>
-, <a class="el" href="spp__ai_8c.html#ab46420126c43c1aac5eabc5db266a71c">spp_ai.c</a>
+: <a class="el" href="spp__ai_8h.html#ab46420126c43c1aac5eabc5db266a71c">spp_ai.h</a>
+, <a class="el" href="sf__dynamic__preproc__lib_8c.html#ab46420126c43c1aac5eabc5db266a71c">sf_dynamic_preproc_lib.c</a>
+</li>
+<li>alert_fp
+: <a class="el" href="alert__parser_8c.html#abee2a33368912d9288c76b51160a9ed6">alert_parser.c</a>
+</li>
+<li>alert_log
+: <a class="el" href="cluster_8c.html#aaf4c19f60f48741b0890c6114dcff7d9">cluster.c</a>
+</li>
+<li>alerts
+: <a class="el" href="alert__parser_8c.html#ae837fc04e61c0eb052f997c54b4fd9fe">alert_parser.c</a>
 </li>
 <li>ex_config
 : <a class="el" href="spp__ai_8c.html#a3dd75596c540d148643fe6d1fdc02628">spp_ai.c</a>
 </li>
+<li>h_root
+: <a class="el" href="cluster_8c.html#a97d35425cf5a0207fb50b64ee8cdda82">cluster.c</a>
+</li>
 <li>hash
-: <a class="el" href="stream_8c.html#a96fbc549c67e0d852ced3cb72980e923">stream.c</a>
+: <a class="el" href="stream_8c.html#a57e23cda853e9d11c37723a962ef2f68">stream.c</a>
 </li>
 <li>parserPolicyId
 : <a class="el" href="sfPolicyUserData_8c.html#a0a415b8e70250b11e64a463134d00b4f">sfPolicyUserData.c</a>
@@ -74,6 +89,9 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 <li>runtimePolicyId
 : <a class="el" href="sfPolicyUserData_8c.html#a281b418c0dc978a74cd7ab5e46ee0fa4">sfPolicyUserData.c</a>
 </li>
+<li>start_time
+: <a class="el" href="stream_8c.html#a0597864b078ff448f28432db86950309">stream.c</a>
+</li>
 </ul>
 </div>
 <!--- window showing the filter options -->
@@ -90,7 +108,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Wed Aug 4 2010 11:30:57 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/group__sfPolicyConfig.html b/doc/html/group__sfPolicyConfig.html
index d768f02..6967d09 100644
--- a/doc/html/group__sfPolicyConfig.html
+++ b/doc/html/group__sfPolicyConfig.html
@@ -216,7 +216,7 @@ Functions</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Wed Aug 4 2010 11:30:57 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/index.html b/doc/html/index.html
index 2bd2436..896c9d0 100644
--- a/doc/html/index.html
+++ b/doc/html/index.html
@@ -59,7 +59,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Wed Aug 4 2010 11:30:57 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/modules.html b/doc/html/modules.html
index b099071..fb4f7d9 100644
--- a/doc/html/modules.html
+++ b/doc/html/modules.html
@@ -62,7 +62,7 @@ Here is a list of all modules:<ul>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Wed Aug 4 2010 11:30:57 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/regex_8c.html b/doc/html/regex_8c.html
new file mode 100644
index 0000000..412b743
--- /dev/null
+++ b/doc/html/regex_8c.html
@@ -0,0 +1,137 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<title>Snort AI preprocessor module: regex.c File Reference</title>
+<link href="tabs.css" rel="stylesheet" type="text/css"/>
+<link href="search/search.css" rel="stylesheet" type="text/css"/>
+<script type="text/javaScript" src="search/search.js"></script>
+<link href="doxygen.css" rel="stylesheet" type="text/css"/>
+</head>
+<body onload='searchBox.OnSelectItem(0);'>
+<!-- Generated by Doxygen 1.7.1 -->
+<script type="text/javascript"><!--
+var searchBox = new SearchBox("searchBox", "search",false,'Search');
+--></script>
+<div class="navigation" id="top">
+  <div class="tabs">
+    <ul class="tablist">
+      <li><a href="index.html"><span>Main&nbsp;Page</span></a></li>
+      <li><a href="modules.html"><span>Modules</span></a></li>
+      <li><a href="annotated.html"><span>Data&nbsp;Structures</span></a></li>
+      <li class="current"><a href="files.html"><span>Files</span></a></li>
+      <li id="searchli">
+        <div id="MSearchBox" class="MSearchBoxInactive">
+        <span class="left">
+          <img id="MSearchSelect" src="search/mag_sel.png"
+               onmouseover="return searchBox.OnSearchSelectShow()"
+               onmouseout="return searchBox.OnSearchSelectHide()"
+               alt=""/>
+          <input type="text" id="MSearchField" value="Search" accesskey="S"
+               onfocus="searchBox.OnSearchFieldFocus(true)" 
+               onblur="searchBox.OnSearchFieldFocus(false)" 
+               onkeyup="searchBox.OnSearchFieldChange(event)"/>
+          </span><span class="right">
+            <a id="MSearchClose" href="javascript:searchBox.CloseResultsWindow()"><img id="MSearchCloseImg" border="0" src="search/close.png" alt=""/></a>
+          </span>
+        </div>
+      </li>
+    </ul>
+  </div>
+  <div class="tabs2">
+    <ul class="tablist">
+      <li><a href="files.html"><span>File&nbsp;List</span></a></li>
+      <li><a href="globals.html"><span>Globals</span></a></li>
+    </ul>
+  </div>
+</div>
+<div class="header">
+  <div class="summary">
+<a href="#func-members">Functions</a>  </div>
+  <div class="headertitle">
+<h1>regex.c File Reference</h1>  </div>
+</div>
+<div class="contents">
+<code>#include &lt;stdio.h&gt;</code><br/>
+<code>#include &lt;stdlib.h&gt;</code><br/>
+<code>#include &lt;string.h&gt;</code><br/>
+<code>#include &lt;regex.h&gt;</code><br/>
+<table class="memberdecls">
+<tr><td colspan="2"><h2><a name="func-members"></a>
+Functions</h2></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">int&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="regex_8c.html#a35f57c052a7de1ded54b67a1f7819791">preg_match</a> (const char *expr, char *str, char ***matches, int *nmatches)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Check if a string matches a regular expression.  <a href="#a35f57c052a7de1ded54b67a1f7819791"></a><br/></td></tr>
+</table>
+<hr/><h2>Function Documentation</h2>
+<a class="anchor" id="a35f57c052a7de1ded54b67a1f7819791"></a><!-- doxytag: member="regex.c::preg_match" ref="a35f57c052a7de1ded54b67a1f7819791" args="(const char *expr, char *str, char ***matches, int *nmatches)" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">int preg_match </td>
+          <td>(</td>
+          <td class="paramtype">const char *&nbsp;</td>
+          <td class="paramname"> <em>expr</em>, </td>
+        </tr>
+        <tr>
+          <td class="paramkey"></td>
+          <td></td>
+          <td class="paramtype">char *&nbsp;</td>
+          <td class="paramname"> <em>str</em>, </td>
+        </tr>
+        <tr>
+          <td class="paramkey"></td>
+          <td></td>
+          <td class="paramtype">char ***&nbsp;</td>
+          <td class="paramname"> <em>matches</em>, </td>
+        </tr>
+        <tr>
+          <td class="paramkey"></td>
+          <td></td>
+          <td class="paramtype">int *&nbsp;</td>
+          <td class="paramname"> <em>nmatches</em></td><td>&nbsp;</td>
+        </tr>
+        <tr>
+          <td></td>
+          <td>)</td>
+          <td></td><td></td><td></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+<p>Check if a string matches a regular expression. </p>
+<p>FUNCTION: preg_match </p>
+<dl><dt><b>Parameters:</b></dt><dd>
+  <table border="0" cellspacing="2" cellpadding="0">
+    <tr><td valign="top"></td><td valign="top"><em>expr</em>&nbsp;</td><td>Regular expression to be matched </td></tr>
+    <tr><td valign="top"></td><td valign="top"><em>str</em>&nbsp;</td><td>String to be checked </td></tr>
+    <tr><td valign="top"></td><td valign="top"><em>matches</em>&nbsp;</td><td>Reference to a char** that will contain the submatches (NULL if you don't need it) </td></tr>
+    <tr><td valign="top"></td><td valign="top"><em>nmatches</em>&nbsp;</td><td>Reference to a int containing the number of submatches found (NULL if you don't need it) </td></tr>
+  </table>
+  </dd>
+</dl>
+<dl class="return"><dt><b>Returns:</b></dt><dd>-1 if the regex is wrong, 0 if no match was found, 1 otherwise </dd></dl>
+
+</div>
+</div>
+</div>
+<!--- window showing the filter options -->
+<div id="MSearchSelectWindow"
+     onmouseover="return searchBox.OnSearchSelectShow()"
+     onmouseout="return searchBox.OnSearchSelectHide()"
+     onkeydown="return searchBox.OnSearchSelectKey(event)">
+<a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(0)"><span class="SelectionMark">&nbsp;</span>All</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(1)"><span class="SelectionMark">&nbsp;</span>Data Structures</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(2)"><span class="SelectionMark">&nbsp;</span>Files</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(3)"><span class="SelectionMark">&nbsp;</span>Functions</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(4)"><span class="SelectionMark">&nbsp;</span>Variables</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(5)"><span class="SelectionMark">&nbsp;</span>Typedefs</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(6)"><span class="SelectionMark">&nbsp;</span>Enumerations</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(7)"><span class="SelectionMark">&nbsp;</span>Enumerator</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(8)"><span class="SelectionMark">&nbsp;</span>Defines</a></div>
+
+<!-- iframe showing the search results (closed by default) -->
+<div id="MSearchResultsWindow">
+<iframe src="" frameborder="0" 
+        name="MSearchResults" id="MSearchResults">
+</iframe>
+</div>
+
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
+<a href="http://www.doxygen.org/index.html">
+<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
+</body>
+</html>
diff --git a/doc/html/search/all_5f.html b/doc/html/search/all_5f.html
index 3524402..d115b18 100644
--- a/doc/html/search/all_5f.html
+++ b/doc/html/search/all_5f.html
@@ -7,26 +7,97 @@
 <body class="SRPage">
 <div id="SRIndex">
 <div class="SRStatus" id="Loading">Loading...</div>
-<div class="SRResult" id="SR__5fai_5fconfig">
+<div class="SRResult" id="SR__5fai_5fcheck_5fduplicate">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__AI__config.html" target="_parent">_AI_config</a>
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../cluster_8c.html#a29c35cd6c56f54e27b5b190c6d6c487a" target="_parent">_AI_check_duplicate</a>
+  <span class="SRScope">cluster.c</span>
+ </div>
+</div>
+<div class="SRResult" id="SR__5fai_5fcluster_5fthread">
+ <div class="SREntry">
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../cluster_8c.html#a8a5eae61dc9fd0f13e0acdfa5f4478e2" target="_parent">_AI_cluster_thread</a>
+  <span class="SRScope">cluster.c</span>
+ </div>
+</div>
+<div class="SRResult" id="SR__5fai_5fcopy_5falerts">
+ <div class="SREntry">
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../alert__parser_8c.html#a6c5014cae9155379fdc4db649b2c862d" target="_parent">_AI_copy_alerts</a>
+  <span class="SRScope">alert_parser.c</span>
+ </div>
+</div>
+<div class="SRResult" id="SR__5fai_5fequal_5falarms">
+ <div class="SREntry">
+  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../cluster_8c.html#a0f91c8bfc37a3975f5c26b19fd6c5cba" target="_parent">_AI_equal_alarms</a>
+  <span class="SRScope">cluster.c</span>
+ </div>
+</div>
+<div class="SRResult" id="SR__5fai_5fget_5fmin_5fhierarchy_5fnode">
+ <div class="SREntry">
+  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../cluster_8c.html#a6ddddcd505b1f763c339e81fc143e079" target="_parent">_AI_get_min_hierarchy_node</a>
+  <span class="SRScope">cluster.c</span>
+ </div>
+</div>
+<div class="SRResult" id="SR__5fai_5fmerge_5falerts">
+ <div class="SREntry">
+  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../cluster_8c.html#a8ce8e5a5d8954672297fa2dedb380dcd" target="_parent">_AI_merge_alerts</a>
+  <span class="SRScope">cluster.c</span>
+ </div>
+</div>
+<div class="SRResult" id="SR__5fai_5fprint_5fclustered_5falerts">
+ <div class="SREntry">
+  <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../cluster_8c.html#a7d151880080470b542e99643dc0426a7" target="_parent">_AI_print_clustered_alerts</a>
+  <span class="SRScope">cluster.c</span>
+ </div>
+</div>
+<div class="SRResult" id="SR__5fai_5fsnort_5falert">
+ <div class="SREntry">
+  <a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../struct__AI__snort__alert.html" target="_parent">_AI_snort_alert</a>
  </div>
 </div>
 <div class="SRResult" id="SR__5fai_5fstream_5ffree">
  <div class="SREntry">
-  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../stream_8c.html#a2a0c295a6828df716311977538cabd4a" target="_parent">_AI_stream_free</a>
+  <a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../stream_8c.html#a80016adf701c717a6ebfb5b15b8a5749" target="_parent">_AI_stream_free</a>
   <span class="SRScope">stream.c</span>
  </div>
 </div>
+<div class="SRResult" id="SR__5fconfig">
+ <div class="SREntry">
+  <a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="../cluster_8c.html#a91458e2d34595688e39fcb63ba418849" target="_parent">_config</a>
+  <span class="SRScope">cluster.c</span>
+ </div>
+</div>
 <div class="SRResult" id="SR__5fdpd">
  <div class="SREntry">
-  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="javascript:searchResults.Toggle('SR__5fdpd')">_dpd</a>
+  <a id="Item10" onkeydown="return searchResults.Nav(event,10)" onkeypress="return searchResults.Nav(event,10)" onkeyup="return searchResults.Nav(event,10)" class="SRSymbol" href="javascript:searchResults.Toggle('SR__5fdpd')">_dpd</a>
   <div class="SRChildren">
-    <a id="Item2_c0" onkeydown="return searchResults.NavChild(event,2,0)" onkeypress="return searchResults.NavChild(event,2,0)" onkeyup="return searchResults.NavChild(event,2,0)" class="SRScope" href="../sf__dynamic__preproc__lib_8c.html#ab46420126c43c1aac5eabc5db266a71c" target="_parent">_dpd():&nbsp;sf_dynamic_preproc_lib.c</a>
-    <a id="Item2_c1" onkeydown="return searchResults.NavChild(event,2,1)" onkeypress="return searchResults.NavChild(event,2,1)" onkeyup="return searchResults.NavChild(event,2,1)" class="SRScope" href="../spp__ai_8c.html#ab46420126c43c1aac5eabc5db266a71c" target="_parent">_dpd():&nbsp;sf_dynamic_preproc_lib.c</a>
+    <a id="Item10_c0" onkeydown="return searchResults.NavChild(event,10,0)" onkeypress="return searchResults.NavChild(event,10,0)" onkeyup="return searchResults.NavChild(event,10,0)" class="SRScope" href="../sf__dynamic__preproc__lib_8c.html#ab46420126c43c1aac5eabc5db266a71c" target="_parent">_dpd():&nbsp;sf_dynamic_preproc_lib.c</a>
+    <a id="Item10_c1" onkeydown="return searchResults.NavChild(event,10,1)" onkeypress="return searchResults.NavChild(event,10,1)" onkeyup="return searchResults.NavChild(event,10,1)" class="SRScope" href="../spp__ai_8h.html#ab46420126c43c1aac5eabc5db266a71c" target="_parent">_dpd():&nbsp;sf_dynamic_preproc_lib.c</a>
   </div>
  </div>
 </div>
+<div class="SRResult" id="SR__5fheuristic_5ffunc">
+ <div class="SREntry">
+  <a id="Item11" onkeydown="return searchResults.Nav(event,11)" onkeypress="return searchResults.Nav(event,11)" onkeyup="return searchResults.Nav(event,11)" class="SRSymbol" href="../cluster_8c.html#a81f5fa721719fdb281595a568eef2101" target="_parent">_heuristic_func</a>
+  <span class="SRScope">cluster.c</span>
+ </div>
+</div>
+<div class="SRResult" id="SR__5fhierarchy_5fnode">
+ <div class="SREntry">
+  <a id="Item12" onkeydown="return searchResults.Nav(event,12)" onkeypress="return searchResults.Nav(event,12)" onkeyup="return searchResults.Nav(event,12)" class="SRSymbol" href="../struct__hierarchy__node.html" target="_parent">_hierarchy_node</a>
+ </div>
+</div>
+<div class="SRResult" id="SR__5fhierarchy_5fnode_5fappend">
+ <div class="SREntry">
+  <a id="Item13" onkeydown="return searchResults.Nav(event,13)" onkeypress="return searchResults.Nav(event,13)" onkeyup="return searchResults.Nav(event,13)" class="SRSymbol" href="../cluster_8c.html#a5601a1f603d9c870ef6e2df192e30c30" target="_parent">_hierarchy_node_append</a>
+  <span class="SRScope">cluster.c</span>
+ </div>
+</div>
+<div class="SRResult" id="SR__5fhierarchy_5fnode_5fnew">
+ <div class="SREntry">
+  <a id="Item14" onkeydown="return searchResults.Nav(event,14)" onkeypress="return searchResults.Nav(event,14)" onkeyup="return searchResults.Nav(event,14)" class="SRSymbol" href="../cluster_8c.html#a2f1a22cfea64e4669da0467620c3e3b3" target="_parent">_hierarchy_node_new</a>
+  <span class="SRScope">cluster.c</span>
+ </div>
+</div>
 <div class="SRStatus" id="Searching">Searching...</div>
 <div class="SRStatus" id="NoMatches">No Matches</div>
 <script type="text/javascript"><!--
diff --git a/doc/html/search/all_61.html b/doc/html/search/all_61.html
index da33e78..cda30b8 100644
--- a/doc/html/search/all_61.html
+++ b/doc/html/search/all_61.html
@@ -7,57 +7,167 @@
 <body class="SRPage">
 <div id="SRIndex">
 <div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_ack">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__AI__snort__alert.html#a2b185c678d3a7f1207b2119b0b567c37" target="_parent">ack</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_ai_5falertparser_5fthread">
+ <div class="SREntry">
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5falertparser_5fthread')">AI_alertparser_thread</a>
+  <div class="SRChildren">
+    <a id="Item1_c0" onkeydown="return searchResults.NavChild(event,1,0)" onkeypress="return searchResults.NavChild(event,1,0)" onkeyup="return searchResults.NavChild(event,1,0)" class="SRScope" href="../alert__parser_8c.html#ad68c45b5846743a54ad3fa92c8e48f8a" target="_parent">AI_alertparser_thread(void *arg):&nbsp;alert_parser.c</a>
+    <a id="Item1_c1" onkeydown="return searchResults.NavChild(event,1,1)" onkeypress="return searchResults.NavChild(event,1,1)" onkeyup="return searchResults.NavChild(event,1,1)" class="SRScope" href="../spp__ai_8h.html#a842a3204c6e067a9920990b573757181" target="_parent">AI_alertparser_thread(void *):&nbsp;alert_parser.c</a>
+  </div>
+ </div>
+</div>
 <div class="SRResult" id="SR_ai_5fconfig">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../spp__ai_8h.html#a3fc526e5a55f5d137402b1bbd1b6072c" target="_parent">AI_config</a>
-  <span class="SRScope">spp_ai.h</span>
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../structAI__config.html" target="_parent">AI_config</a>
+ </div>
+</div>
+<div class="SRResult" id="SR_ai_5ffree_5falerts">
+ <div class="SREntry">
+  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5ffree_5falerts')">AI_free_alerts</a>
+  <div class="SRChildren">
+    <a id="Item3_c0" onkeydown="return searchResults.NavChild(event,3,0)" onkeypress="return searchResults.NavChild(event,3,0)" onkeyup="return searchResults.NavChild(event,3,0)" class="SRScope" href="../alert__parser_8c.html#a270e86669a0aa64a8da37bc16cda645b" target="_parent">AI_free_alerts(AI_snort_alert *node):&nbsp;alert_parser.c</a>
+    <a id="Item3_c1" onkeydown="return searchResults.NavChild(event,3,1)" onkeypress="return searchResults.NavChild(event,3,1)" onkeyup="return searchResults.NavChild(event,3,1)" class="SRScope" href="../spp__ai_8h.html#a270e86669a0aa64a8da37bc16cda645b" target="_parent">AI_free_alerts(AI_snort_alert *node):&nbsp;alert_parser.c</a>
+  </div>
+ </div>
+</div>
+<div class="SRResult" id="SR_ai_5fget_5falerts">
+ <div class="SREntry">
+  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fget_5falerts')">AI_get_alerts</a>
+  <div class="SRChildren">
+    <a id="Item4_c0" onkeydown="return searchResults.NavChild(event,4,0)" onkeypress="return searchResults.NavChild(event,4,0)" onkeyup="return searchResults.NavChild(event,4,0)" class="SRScope" href="../alert__parser_8c.html#a99474495643197b3075ac22ec6f6c70f" target="_parent">AI_get_alerts():&nbsp;alert_parser.c</a>
+    <a id="Item4_c1" onkeydown="return searchResults.NavChild(event,4,1)" onkeypress="return searchResults.NavChild(event,4,1)" onkeyup="return searchResults.NavChild(event,4,1)" class="SRScope" href="../spp__ai_8h.html#af19a28f7cbcdfeb2b66fb3b625b75076" target="_parent">AI_get_alerts(void):&nbsp;alert_parser.c</a>
+  </div>
+ </div>
+</div>
+<div class="SRResult" id="SR_ai_5fget_5fstream_5fby_5fkey">
+ <div class="SREntry">
+  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fget_5fstream_5fby_5fkey')">AI_get_stream_by_key</a>
+  <div class="SRChildren">
+    <a id="Item5_c0" onkeydown="return searchResults.NavChild(event,5,0)" onkeypress="return searchResults.NavChild(event,5,0)" onkeyup="return searchResults.NavChild(event,5,0)" class="SRScope" href="../spp__ai_8h.html#a3054f06297a9caefd4d9b1283bb8b69a" target="_parent">AI_get_stream_by_key(struct pkt_key):&nbsp;stream.c</a>
+    <a id="Item5_c1" onkeydown="return searchResults.NavChild(event,5,1)" onkeypress="return searchResults.NavChild(event,5,1)" onkeyup="return searchResults.NavChild(event,5,1)" class="SRScope" href="../stream_8c.html#a2efedcabbfd12c5345f0c93a3dd4735c" target="_parent">AI_get_stream_by_key(struct pkt_key key):&nbsp;stream.c</a>
+  </div>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5fhashcleanup_5fthread">
  <div class="SREntry">
-  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fhashcleanup_5fthread')">AI_hashcleanup_thread</a>
+  <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fhashcleanup_5fthread')">AI_hashcleanup_thread</a>
   <div class="SRChildren">
-    <a id="Item1_c0" onkeydown="return searchResults.NavChild(event,1,0)" onkeypress="return searchResults.NavChild(event,1,0)" onkeyup="return searchResults.NavChild(event,1,0)" class="SRScope" href="../spp__ai_8h.html#ad56f71be823eead743972274b99c82ff" target="_parent">AI_hashcleanup_thread(void *):&nbsp;stream.c</a>
-    <a id="Item1_c1" onkeydown="return searchResults.NavChild(event,1,1)" onkeypress="return searchResults.NavChild(event,1,1)" onkeyup="return searchResults.NavChild(event,1,1)" class="SRScope" href="../stream_8c.html#a24b1131374e5059564b8a12380c4eb75" target="_parent">AI_hashcleanup_thread(void *arg):&nbsp;stream.c</a>
+    <a id="Item6_c0" onkeydown="return searchResults.NavChild(event,6,0)" onkeypress="return searchResults.NavChild(event,6,0)" onkeyup="return searchResults.NavChild(event,6,0)" class="SRScope" href="../spp__ai_8h.html#ad56f71be823eead743972274b99c82ff" target="_parent">AI_hashcleanup_thread(void *):&nbsp;stream.c</a>
+    <a id="Item6_c1" onkeydown="return searchResults.NavChild(event,6,1)" onkeypress="return searchResults.NavChild(event,6,1)" onkeyup="return searchResults.NavChild(event,6,1)" class="SRScope" href="../stream_8c.html#a24b1131374e5059564b8a12380c4eb75" target="_parent">AI_hashcleanup_thread(void *arg):&nbsp;stream.c</a>
+  </div>
+ </div>
+</div>
+<div class="SRResult" id="SR_ai_5fhierarchies_5fbuild">
+ <div class="SREntry">
+  <a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fhierarchies_5fbuild')">AI_hierarchies_build</a>
+  <div class="SRChildren">
+    <a id="Item7_c0" onkeydown="return searchResults.NavChild(event,7,0)" onkeypress="return searchResults.NavChild(event,7,0)" onkeyup="return searchResults.NavChild(event,7,0)" class="SRScope" href="../cluster_8c.html#a1445818b37483f78cc3fb2890155842c" target="_parent">AI_hierarchies_build(AI_config *conf, hierarchy_node **nodes, int n_nodes):&nbsp;cluster.c</a>
+    <a id="Item7_c1" onkeydown="return searchResults.NavChild(event,7,1)" onkeypress="return searchResults.NavChild(event,7,1)" onkeyup="return searchResults.NavChild(event,7,1)" class="SRScope" href="../spp__ai_8h.html#a857348424b9db45c90f95631eb96fd7c" target="_parent">AI_hierarchies_build(AI_config *, hierarchy_node **, int):&nbsp;cluster.c</a>
   </div>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5finit">
  <div class="SREntry">
-  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../spp__ai_8c.html#a3524cbdf8fddbcf38c4ed55241002242" target="_parent">AI_init</a>
+  <a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../spp__ai_8c.html#a3524cbdf8fddbcf38c4ed55241002242" target="_parent">AI_init</a>
   <span class="SRScope">spp_ai.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5fparse">
  <div class="SREntry">
-  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../spp__ai_8c.html#ae1c5c4b38ee2819d427848eb3046373e" target="_parent">AI_parse</a>
+  <a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="../spp__ai_8c.html#ae1c5c4b38ee2819d427848eb3046373e" target="_parent">AI_parse</a>
   <span class="SRScope">spp_ai.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5fpkt_5fenqueue">
  <div class="SREntry">
-  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fpkt_5fenqueue')">AI_pkt_enqueue</a>
+  <a id="Item10" onkeydown="return searchResults.Nav(event,10)" onkeypress="return searchResults.Nav(event,10)" onkeyup="return searchResults.Nav(event,10)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fpkt_5fenqueue')">AI_pkt_enqueue</a>
   <div class="SRChildren">
-    <a id="Item4_c0" onkeydown="return searchResults.NavChild(event,4,0)" onkeypress="return searchResults.NavChild(event,4,0)" onkeyup="return searchResults.NavChild(event,4,0)" class="SRScope" href="../spp__ai_8h.html#af6f7d167c3623bbc669e8d31c2719b29" target="_parent">AI_pkt_enqueue(SFSnortPacket *):&nbsp;stream.c</a>
-    <a id="Item4_c1" onkeydown="return searchResults.NavChild(event,4,1)" onkeypress="return searchResults.NavChild(event,4,1)" onkeyup="return searchResults.NavChild(event,4,1)" class="SRScope" href="../stream_8c.html#a7d71c5645b9baff7b6c4b9a181bf80c5" target="_parent">AI_pkt_enqueue(SFSnortPacket *pkt):&nbsp;stream.c</a>
+    <a id="Item10_c0" onkeydown="return searchResults.NavChild(event,10,0)" onkeypress="return searchResults.NavChild(event,10,0)" onkeyup="return searchResults.NavChild(event,10,0)" class="SRScope" href="../spp__ai_8h.html#af6f7d167c3623bbc669e8d31c2719b29" target="_parent">AI_pkt_enqueue(SFSnortPacket *):&nbsp;stream.c</a>
+    <a id="Item10_c1" onkeydown="return searchResults.NavChild(event,10,1)" onkeypress="return searchResults.NavChild(event,10,1)" onkeyup="return searchResults.NavChild(event,10,1)" class="SRScope" href="../stream_8c.html#a7d71c5645b9baff7b6c4b9a181bf80c5" target="_parent">AI_pkt_enqueue(SFSnortPacket *pkt):&nbsp;stream.c</a>
   </div>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5fprocess">
  <div class="SREntry">
-  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../spp__ai_8c.html#a57c05cda012c443cb4c358dc327cd3d1" target="_parent">AI_process</a>
+  <a id="Item11" onkeydown="return searchResults.Nav(event,11)" onkeypress="return searchResults.Nav(event,11)" onkeyup="return searchResults.Nav(event,11)" class="SRSymbol" href="../spp__ai_8c.html#a57c05cda012c443cb4c358dc327cd3d1" target="_parent">AI_process</a>
   <span class="SRScope">spp_ai.c</span>
  </div>
 </div>
+<div class="SRResult" id="SR_ai_5fset_5fstream_5fobserved">
+ <div class="SREntry">
+  <a id="Item12" onkeydown="return searchResults.Nav(event,12)" onkeypress="return searchResults.Nav(event,12)" onkeyup="return searchResults.Nav(event,12)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fset_5fstream_5fobserved')">AI_set_stream_observed</a>
+  <div class="SRChildren">
+    <a id="Item12_c0" onkeydown="return searchResults.NavChild(event,12,0)" onkeypress="return searchResults.NavChild(event,12,0)" onkeyup="return searchResults.NavChild(event,12,0)" class="SRScope" href="../spp__ai_8h.html#a8749989cee2ac05a7de058faac280c02" target="_parent">AI_set_stream_observed(struct pkt_key key):&nbsp;stream.c</a>
+    <a id="Item12_c1" onkeydown="return searchResults.NavChild(event,12,1)" onkeypress="return searchResults.NavChild(event,12,1)" onkeyup="return searchResults.NavChild(event,12,1)" class="SRScope" href="../stream_8c.html#a8749989cee2ac05a7de058faac280c02" target="_parent">AI_set_stream_observed(struct pkt_key key):&nbsp;stream.c</a>
+  </div>
+ </div>
+</div>
 <div class="SRResult" id="SR_ai_5fsetup">
  <div class="SREntry">
-  <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fsetup')">AI_setup</a>
+  <a id="Item13" onkeydown="return searchResults.Nav(event,13)" onkeypress="return searchResults.Nav(event,13)" onkeyup="return searchResults.Nav(event,13)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fsetup')">AI_setup</a>
   <div class="SRChildren">
-    <a id="Item6_c0" onkeydown="return searchResults.NavChild(event,6,0)" onkeypress="return searchResults.NavChild(event,6,0)" onkeyup="return searchResults.NavChild(event,6,0)" class="SRScope" href="../sf__preproc__info_8h.html#ad81716bc3f0fec4df74198a7cbdbd43c" target="_parent">AI_setup():&nbsp;spp_ai.c</a>
-    <a id="Item6_c1" onkeydown="return searchResults.NavChild(event,6,1)" onkeypress="return searchResults.NavChild(event,6,1)" onkeyup="return searchResults.NavChild(event,6,1)" class="SRScope" href="../spp__ai_8c.html#a1b9ebb5c719c7d9426ddfc1f3da36570" target="_parent">AI_setup(void):&nbsp;spp_ai.c</a>
+    <a id="Item13_c0" onkeydown="return searchResults.NavChild(event,13,0)" onkeypress="return searchResults.NavChild(event,13,0)" onkeyup="return searchResults.NavChild(event,13,0)" class="SRScope" href="../sf__preproc__info_8h.html#ad81716bc3f0fec4df74198a7cbdbd43c" target="_parent">AI_setup():&nbsp;spp_ai.c</a>
+    <a id="Item13_c1" onkeydown="return searchResults.NavChild(event,13,1)" onkeypress="return searchResults.NavChild(event,13,1)" onkeyup="return searchResults.NavChild(event,13,1)" class="SRScope" href="../spp__ai_8c.html#a1b9ebb5c719c7d9426ddfc1f3da36570" target="_parent">AI_setup(void):&nbsp;spp_ai.c</a>
   </div>
  </div>
 </div>
+<div class="SRResult" id="SR_ai_5fsnort_5falert">
+ <div class="SREntry">
+  <a id="Item14" onkeydown="return searchResults.Nav(event,14)" onkeypress="return searchResults.Nav(event,14)" onkeyup="return searchResults.Nav(event,14)" class="SRSymbol" href="../spp__ai_8h.html#a982be90e72362e88d09f28336c9a1897" target="_parent">AI_snort_alert</a>
+  <span class="SRScope">spp_ai.h</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_alert_5ffp">
+ <div class="SREntry">
+  <a id="Item15" onkeydown="return searchResults.Nav(event,15)" onkeypress="return searchResults.Nav(event,15)" onkeyup="return searchResults.Nav(event,15)" class="SRSymbol" href="../alert__parser_8c.html#abee2a33368912d9288c76b51160a9ed6" target="_parent">alert_fp</a>
+  <span class="SRScope">alert_parser.c</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_alert_5flog">
+ <div class="SREntry">
+  <a id="Item16" onkeydown="return searchResults.Nav(event,16)" onkeypress="return searchResults.Nav(event,16)" onkeyup="return searchResults.Nav(event,16)" class="SRSymbol" href="../cluster_8c.html#aaf4c19f60f48741b0890c6114dcff7d9" target="_parent">alert_log</a>
+  <span class="SRScope">cluster.c</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_alert_5fparser_2ec">
+ <div class="SREntry">
+  <a id="Item17" onkeydown="return searchResults.Nav(event,17)" onkeypress="return searchResults.Nav(event,17)" onkeyup="return searchResults.Nav(event,17)" class="SRSymbol" href="../alert__parser_8c.html" target="_parent">alert_parser.c</a>
+ </div>
+</div>
+<div class="SRResult" id="SR_alertclusteringinterval">
+ <div class="SREntry">
+  <a id="Item18" onkeydown="return searchResults.Nav(event,18)" onkeypress="return searchResults.Nav(event,18)" onkeyup="return searchResults.Nav(event,18)" class="SRSymbol" href="../structAI__config.html#a7d0d098b8263aa3d8415b11d1ec7f93d" target="_parent">alertClusteringInterval</a>
+  <span class="SRScope">AI_config</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_alertfile">
+ <div class="SREntry">
+  <a id="Item19" onkeydown="return searchResults.Nav(event,19)" onkeypress="return searchResults.Nav(event,19)" onkeyup="return searchResults.Nav(event,19)" class="SRSymbol" href="../structAI__config.html#a2efa9590d7eea6dce8b5dd9aa76ed8ca" target="_parent">alertfile</a>
+  <span class="SRScope">AI_config</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_alerts">
+ <div class="SREntry">
+  <a id="Item20" onkeydown="return searchResults.Nav(event,20)" onkeypress="return searchResults.Nav(event,20)" onkeyup="return searchResults.Nav(event,20)" class="SRSymbol" href="../alert__parser_8c.html#ae837fc04e61c0eb052f997c54b4fd9fe" target="_parent">alerts</a>
+  <span class="SRScope">alert_parser.c</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_attribute_5fkey">
+ <div class="SREntry">
+  <a id="Item21" onkeydown="return searchResults.Nav(event,21)" onkeypress="return searchResults.Nav(event,21)" onkeyup="return searchResults.Nav(event,21)" class="SRSymbol" href="../structattribute__key.html" target="_parent">attribute_key</a>
+ </div>
+</div>
+<div class="SRResult" id="SR_attribute_5fvalue">
+ <div class="SREntry">
+  <a id="Item22" onkeydown="return searchResults.Nav(event,22)" onkeypress="return searchResults.Nav(event,22)" onkeyup="return searchResults.Nav(event,22)" class="SRSymbol" href="../structattribute__value.html" target="_parent">attribute_value</a>
+ </div>
+</div>
 <div class="SRStatus" id="Searching">Searching...</div>
 <div class="SRStatus" id="NoMatches">No Matches</div>
 <script type="text/javascript"><!--
diff --git a/doc/html/search/all_63.html b/doc/html/search/all_63.html
new file mode 100644
index 0000000..90b4fbb
--- /dev/null
+++ b/doc/html/search/all_63.html
@@ -0,0 +1,61 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html><head><title></title>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<link rel="stylesheet" type="text/css" href="search.css"/>
+<script type="text/javascript" src="search.js"></script>
+</head>
+<body class="SRPage">
+<div id="SRIndex">
+<div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_children">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__hierarchy__node.html#afc23d4fe6426873164cdaab2f3d4f0cd" target="_parent">children</a>
+  <span class="SRScope">_hierarchy_node</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_classification">
+ <div class="SREntry">
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../struct__AI__snort__alert.html#aa89585e14acb2c4e684a1552d322632f" target="_parent">classification</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_cluster_2ec">
+ <div class="SREntry">
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../cluster_8c.html" target="_parent">cluster.c</a>
+ </div>
+</div>
+<div class="SRResult" id="SR_cluster_5ftype">
+ <div class="SREntry">
+  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640" target="_parent">cluster_type</a>
+  <span class="SRScope">spp_ai.h</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_cluster_5ftypes">
+ <div class="SREntry">
+  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ab16bb5c4b330d5db02e2d852cd2ba451" target="_parent">CLUSTER_TYPES</a>
+  <span class="SRScope">spp_ai.h</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_clusterfile">
+ <div class="SREntry">
+  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../structAI__config.html#a6da02a3f7116fd3810a41b738e8883a3" target="_parent">clusterfile</a>
+  <span class="SRScope">AI_config</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_count">
+ <div class="SREntry">
+  <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../structattribute__value.html#a5579c0304c2e9ab488ac94905b385045" target="_parent">count</a>
+  <span class="SRScope">attribute_value</span>
+ </div>
+</div>
+<div class="SRStatus" id="Searching">Searching...</div>
+<div class="SRStatus" id="NoMatches">No Matches</div>
+<script type="text/javascript"><!--
+document.getElementById("Loading").style.display="none";
+document.getElementById("NoMatches").style.display="none";
+var searchResults = new SearchResults("searchResults");
+searchResults.Search();
+--></script>
+</div>
+</body>
+</html>
diff --git a/doc/html/search/all_64.html b/doc/html/search/all_64.html
index a2a37bd..b4d6b24 100644
--- a/doc/html/search/all_64.html
+++ b/doc/html/search/all_64.html
@@ -7,33 +7,70 @@
 <body class="SRPage">
 <div id="SRIndex">
 <div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_default_5falert_5fclustering_5finterval">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../spp__ai_8h.html#a0c4b6fce670e46083e33b9f53b78f39e" target="_parent">DEFAULT_ALERT_CLUSTERING_INTERVAL</a>
+  <span class="SRScope">spp_ai.h</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_default_5falert_5flog_5ffile">
+ <div class="SREntry">
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../spp__ai_8h.html#a6d9bf552c32371e0144dc6a6209c7e4a" target="_parent">DEFAULT_ALERT_LOG_FILE</a>
+  <span class="SRScope">spp_ai.h</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_default_5fcluster_5flog_5ffile">
+ <div class="SREntry">
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../spp__ai_8h.html#a803dc913297ccdace9e604dbfecda97d" target="_parent">DEFAULT_CLUSTER_LOG_FILE</a>
+  <span class="SRScope">spp_ai.h</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_default_5fhash_5fcleanup_5finterval">
+ <div class="SREntry">
+  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../spp__ai_8h.html#a5f555c0ebd29ce2771a3e2dd4f526746" target="_parent">DEFAULT_HASH_CLEANUP_INTERVAL</a>
+  <span class="SRScope">spp_ai.h</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_default_5fstream_5fexpire_5finterval">
+ <div class="SREntry">
+  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../spp__ai_8h.html#a0f6a189af15ef783fb46ed37c144e031" target="_parent">DEFAULT_STREAM_EXPIRE_INTERVAL</a>
+  <span class="SRScope">spp_ai.h</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_desc">
+ <div class="SREntry">
+  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135" target="_parent">desc</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_dst_5faddr">
+ <div class="SREntry">
+  <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_dst_5faddr')">dst_addr</a>
+  <div class="SRChildren">
+    <a id="Item6_c0" onkeydown="return searchResults.NavChild(event,6,0)" onkeypress="return searchResults.NavChild(event,6,0)" onkeyup="return searchResults.NavChild(event,6,0)" class="SRScope" href="../struct__AI__snort__alert.html#a69cc2ba171c8c808a0b45caa9426cd8c" target="_parent">_AI_snort_alert::dst_addr()</a>
+    <a id="Item6_c1" onkeydown="return searchResults.NavChild(event,6,1)" onkeypress="return searchResults.NavChild(event,6,1)" onkeyup="return searchResults.NavChild(event,6,1)" class="SRScope" href="../spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640aa000f955ef1374c60cdb16bf43a1593c" target="_parent">dst_addr():&nbsp;spp_ai.h</a>
+  </div>
+ </div>
+</div>
 <div class="SRResult" id="SR_dst_5fport">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structpkt__key.html#af77f5eb1f4cd88b43fe99fd73553351d" target="_parent">dst_port</a>
-  <span class="SRScope">pkt_key</span>
- </div>
-</div>
-<div class="SRResult" id="SR_dst_5fport_5fmatch">
- <div class="SREntry">
-  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../spp__ai_8c.html#a8ab13e8ad1dfd19b9237a99ae6130146" target="_parent">DST_PORT_MATCH</a>
-  <span class="SRScope">spp_ai.c</span>
- </div>
-</div>
-<div class="SRResult" id="SR_dst_5fport_5fmatch_5fstr">
- <div class="SREntry">
-  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../spp__ai_8c.html#a1f3521b9bcf5daf99190be58473a4110" target="_parent">DST_PORT_MATCH_STR</a>
-  <span class="SRScope">spp_ai.c</span>
+  <a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_dst_5fport')">dst_port</a>
+  <div class="SRChildren">
+    <a id="Item7_c0" onkeydown="return searchResults.NavChild(event,7,0)" onkeypress="return searchResults.NavChild(event,7,0)" onkeyup="return searchResults.NavChild(event,7,0)" class="SRScope" href="../structpkt__key.html#af77f5eb1f4cd88b43fe99fd73553351d" target="_parent">pkt_key::dst_port()</a>
+    <a id="Item7_c1" onkeydown="return searchResults.NavChild(event,7,1)" onkeypress="return searchResults.NavChild(event,7,1)" onkeyup="return searchResults.NavChild(event,7,1)" class="SRScope" href="../struct__AI__snort__alert.html#a6b323c07ae501d221e330e13646a96a3" target="_parent">_AI_snort_alert::dst_port()</a>
+    <a id="Item7_c2" onkeydown="return searchResults.NavChild(event,7,2)" onkeypress="return searchResults.NavChild(event,7,2)" onkeyup="return searchResults.NavChild(event,7,2)" class="SRScope" href="../spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640abc4f89a184ada44073bd6f54d7fc11c9" target="_parent">dst_port():&nbsp;spp_ai.h</a>
+  </div>
  </div>
 </div>
 <div class="SRResult" id="SR_dynamic_5fpreproc_5fsetup">
  <div class="SREntry">
-  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../sf__preproc__info_8h.html#aba4c0d0af324a3861e662ed4650aae44" target="_parent">DYNAMIC_PREPROC_SETUP</a>
+  <a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../sf__preproc__info_8h.html#aba4c0d0af324a3861e662ed4650aae44" target="_parent">DYNAMIC_PREPROC_SETUP</a>
   <span class="SRScope">sf_preproc_info.h</span>
  </div>
 </div>
 <div class="SRResult" id="SR_dynamicpreprocessorfatalmessage">
  <div class="SREntry">
-  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../sf__dynamic__preproc__lib_8c.html#a57c853c0f626bde2af6619cdeeb7471b" target="_parent">DynamicPreprocessorFatalMessage</a>
+  <a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="../sf__dynamic__preproc__lib_8c.html#a57c853c0f626bde2af6619cdeeb7471b" target="_parent">DynamicPreprocessorFatalMessage</a>
   <span class="SRScope">sf_dynamic_preproc_lib.c</span>
  </div>
 </div>
diff --git a/doc/html/search/all_67.html b/doc/html/search/all_67.html
index 5804711..acc0a17 100644
--- a/doc/html/search/all_67.html
+++ b/doc/html/search/all_67.html
@@ -7,10 +7,16 @@
 <body class="SRPage">
 <div id="SRIndex">
 <div class="SRStatus" id="Loading">Loading...</div>
-<div class="SRResult" id="SR_generator_5fexample">
+<div class="SRResult" id="SR_gid">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../spp__ai_8c.html#a9e7d446fc8b40be2cfbb5c69c3e132ca" target="_parent">GENERATOR_EXAMPLE</a>
-  <span class="SRScope">spp_ai.c</span>
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__AI__snort__alert.html#af8408be5da59cda853442dd13465c0f6" target="_parent">gid</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_grouped_5falarms_5fcount">
+ <div class="SREntry">
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../struct__AI__snort__alert.html#a285aff12d6bac03c316ccc5305d28e53" target="_parent">grouped_alarms_count</a>
+  <span class="SRScope">_AI_snort_alert</span>
  </div>
 </div>
 <div class="SRStatus" id="Searching">Searching...</div>
diff --git a/doc/html/search/all_68.html b/doc/html/search/all_68.html
index 46500ff..1f440a1 100644
--- a/doc/html/search/all_68.html
+++ b/doc/html/search/all_68.html
@@ -7,22 +7,43 @@
 <body class="SRPage">
 <div id="SRIndex">
 <div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_h_5fnode">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__AI__snort__alert.html#ac53765584296ead1328eabfaba8a3aed" target="_parent">h_node</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_h_5froot">
+ <div class="SREntry">
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../cluster_8c.html#a97d35425cf5a0207fb50b64ee8cdda82" target="_parent">h_root</a>
+  <span class="SRScope">cluster.c</span>
+ </div>
+</div>
 <div class="SRResult" id="SR_hash">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../stream_8c.html#a96fbc549c67e0d852ced3cb72980e923" target="_parent">hash</a>
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../stream_8c.html#a57e23cda853e9d11c37723a962ef2f68" target="_parent">hash</a>
   <span class="SRScope">stream.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR_hashcleanupinterval">
  <div class="SREntry">
-  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../struct__AI__config.html#a890e6756dc637e9d41b7051a4d1ddc93" target="_parent">hashCleanupInterval</a>
-  <span class="SRScope">_AI_config</span>
+  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../structAI__config.html#a9f7680615027d4fb74b4aa144a7028a4" target="_parent">hashCleanupInterval</a>
+  <span class="SRScope">AI_config</span>
  </div>
 </div>
 <div class="SRResult" id="SR_hh">
  <div class="SREntry">
-  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../structpkt__info.html#a264e90d4b5d490de040f38c1072e142f" target="_parent">hh</a>
-  <span class="SRScope">pkt_info</span>
+  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_hh')">hh</a>
+  <div class="SRChildren">
+    <a id="Item4_c0" onkeydown="return searchResults.NavChild(event,4,0)" onkeypress="return searchResults.NavChild(event,4,0)" onkeyup="return searchResults.NavChild(event,4,0)" class="SRScope" href="../structattribute__value.html#a9abf5d1758ee0cc4803e3b40fc4481cc" target="_parent">attribute_value::hh()</a>
+    <a id="Item4_c1" onkeydown="return searchResults.NavChild(event,4,1)" onkeypress="return searchResults.NavChild(event,4,1)" onkeyup="return searchResults.NavChild(event,4,1)" class="SRScope" href="../structpkt__info.html#a264e90d4b5d490de040f38c1072e142f" target="_parent">pkt_info::hh()</a>
+  </div>
+ </div>
+</div>
+<div class="SRResult" id="SR_hierarchy_5fnode">
+ <div class="SREntry">
+  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../spp__ai_8h.html#a466391129919ef12366d311d501552fa" target="_parent">hierarchy_node</a>
+  <span class="SRScope">spp_ai.h</span>
  </div>
 </div>
 <div class="SRStatus" id="Searching">Searching...</div>
diff --git a/doc/html/search/all_69.html b/doc/html/search/all_69.html
index 129334f..8b31f3e 100644
--- a/doc/html/search/all_69.html
+++ b/doc/html/search/all_69.html
@@ -7,12 +7,30 @@
 <body class="SRPage">
 <div id="SRIndex">
 <div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_id">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__AI__snort__alert.html#a45e4acf90450a5f9efd4e0c290f84bcf" target="_parent">id</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
 <div class="SRResult" id="SR_initializepreprocessor">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../sf__dynamic__preproc__lib_8c.html#a16439ea02cc5c66c842c21c5b537b1d9" target="_parent">InitializePreprocessor</a>
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../sf__dynamic__preproc__lib_8c.html#a16439ea02cc5c66c842c21c5b537b1d9" target="_parent">InitializePreprocessor</a>
   <span class="SRScope">sf_dynamic_preproc_lib.c</span>
  </div>
 </div>
+<div class="SRResult" id="SR_iplen">
+ <div class="SREntry">
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../struct__AI__snort__alert.html#a523ef8842d01a1bc4ea3c0bf27518e78" target="_parent">iplen</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_ipproto">
+ <div class="SREntry">
+  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../struct__AI__snort__alert.html#a2a5f2741918c3c13890f2b617a7f23a4" target="_parent">ipproto</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
 <div class="SRStatus" id="Searching">Searching...</div>
 <div class="SRStatus" id="NoMatches">No Matches</div>
 <script type="text/javascript"><!--
diff --git a/doc/html/search/all_6b.html b/doc/html/search/all_6b.html
index 765184f..2fda50e 100644
--- a/doc/html/search/all_6b.html
+++ b/doc/html/search/all_6b.html
@@ -9,8 +9,11 @@
 <div class="SRStatus" id="Loading">Loading...</div>
 <div class="SRResult" id="SR_key">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339" target="_parent">key</a>
-  <span class="SRScope">pkt_info</span>
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_key')">key</a>
+  <div class="SRChildren">
+    <a id="Item0_c0" onkeydown="return searchResults.NavChild(event,0,0)" onkeypress="return searchResults.NavChild(event,0,0)" onkeyup="return searchResults.NavChild(event,0,0)" class="SRScope" href="../structattribute__value.html#aa8b5ae41c150e4fefb800d3b1924278d" target="_parent">attribute_value::key()</a>
+    <a id="Item0_c1" onkeydown="return searchResults.NavChild(event,0,1)" onkeypress="return searchResults.NavChild(event,0,1)" onkeyup="return searchResults.NavChild(event,0,1)" class="SRScope" href="../structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339" target="_parent">pkt_info::key()</a>
+  </div>
  </div>
 </div>
 <div class="SRStatus" id="Searching">Searching...</div>
diff --git a/doc/html/search/all_6c.html b/doc/html/search/all_6c.html
index a17e561..a307679 100644
--- a/doc/html/search/all_6c.html
+++ b/doc/html/search/all_6c.html
@@ -7,9 +7,15 @@
 <body class="SRPage">
 <div id="SRIndex">
 <div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_label">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__hierarchy__node.html#ae498f6fd14ca058a3ae0a95d5425451a" target="_parent">label</a>
+  <span class="SRScope">_hierarchy_node</span>
+ </div>
+</div>
 <div class="SRResult" id="SR_libversion">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../sf__dynamic__preproc__lib_8c.html#a06d857402af54fb10872f43051e86494" target="_parent">LibVersion</a>
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../sf__dynamic__preproc__lib_8c.html#a06d857402af54fb10872f43051e86494" target="_parent">LibVersion</a>
   <span class="SRScope">sf_dynamic_preproc_lib.c</span>
  </div>
 </div>
diff --git a/doc/html/search/all_6d.html b/doc/html/search/all_6d.html
index 70215d7..f1ebe43 100644
--- a/doc/html/search/all_6d.html
+++ b/doc/html/search/all_6d.html
@@ -13,9 +13,33 @@
   <span class="SRScope">sf_preproc_info.h</span>
  </div>
 </div>
+<div class="SRResult" id="SR_max">
+ <div class="SREntry">
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../structattribute__key.html#a82b7e5ac49820b816871a4ddf30c462d" target="_parent">max</a>
+  <span class="SRScope">attribute_key</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_max_5fval">
+ <div class="SREntry">
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../struct__hierarchy__node.html#a79ea88029938dc30ab8f159405d12c87" target="_parent">max_val</a>
+  <span class="SRScope">_hierarchy_node</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_min">
+ <div class="SREntry">
+  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../structattribute__key.html#a4fdb3d7aabeac6b1052b59e05e3d8842" target="_parent">min</a>
+  <span class="SRScope">attribute_key</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_min_5fval">
+ <div class="SREntry">
+  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../struct__hierarchy__node.html#a13ceebd7b435b9ef347fb90d9e6bbfe4" target="_parent">min_val</a>
+  <span class="SRScope">_hierarchy_node</span>
+ </div>
+</div>
 <div class="SRResult" id="SR_minor_5fversion">
  <div class="SREntry">
-  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../sf__preproc__info_8h.html#a320988aa2655ee094f3a34a52da10831" target="_parent">MINOR_VERSION</a>
+  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../sf__preproc__info_8h.html#a320988aa2655ee094f3a34a52da10831" target="_parent">MINOR_VERSION</a>
   <span class="SRScope">sf_preproc_info.h</span>
  </div>
 </div>
diff --git a/doc/html/search/all_6e.html b/doc/html/search/all_6e.html
index 7db4670..1a4f5f4 100644
--- a/doc/html/search/all_6e.html
+++ b/doc/html/search/all_6e.html
@@ -7,10 +7,25 @@
 <body class="SRPage">
 <div id="SRIndex">
 <div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_nchildren">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__hierarchy__node.html#a849256ce1039e2cefaaf64d91171be0a" target="_parent">nchildren</a>
+  <span class="SRScope">_hierarchy_node</span>
+ </div>
+</div>
 <div class="SRResult" id="SR_next">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168" target="_parent">next</a>
-  <span class="SRScope">pkt_info</span>
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_next')">next</a>
+  <div class="SRChildren">
+    <a id="Item1_c0" onkeydown="return searchResults.NavChild(event,1,0)" onkeypress="return searchResults.NavChild(event,1,0)" onkeyup="return searchResults.NavChild(event,1,0)" class="SRScope" href="../structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168" target="_parent">pkt_info::next()</a>
+    <a id="Item1_c1" onkeydown="return searchResults.NavChild(event,1,1)" onkeypress="return searchResults.NavChild(event,1,1)" onkeyup="return searchResults.NavChild(event,1,1)" class="SRScope" href="../struct__AI__snort__alert.html#aa8336d4b3359015ed8ea312ca1fd1173" target="_parent">_AI_snort_alert::next()</a>
+  </div>
+ </div>
+</div>
+<div class="SRResult" id="SR_none">
+ <div class="SREntry">
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ab7e4e0120a041dbe6528b050c04269e0" target="_parent">none</a>
+  <span class="SRScope">spp_ai.h</span>
  </div>
 </div>
 <div class="SRStatus" id="Searching">Searching...</div>
diff --git a/doc/html/search/all_6f.html b/doc/html/search/all_6f.html
new file mode 100644
index 0000000..16cdef2
--- /dev/null
+++ b/doc/html/search/all_6f.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html><head><title></title>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<link rel="stylesheet" type="text/css" href="search.css"/>
+<script type="text/javascript" src="search.js"></script>
+</head>
+<body class="SRPage">
+<div id="SRIndex">
+<div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_observed">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structpkt__info.html#ac7ff78ea5faf333fc91f92e3085ea7c9" target="_parent">observed</a>
+  <span class="SRScope">pkt_info</span>
+ </div>
+</div>
+<div class="SRStatus" id="Searching">Searching...</div>
+<div class="SRStatus" id="NoMatches">No Matches</div>
+<script type="text/javascript"><!--
+document.getElementById("Loading").style.display="none";
+document.getElementById("NoMatches").style.display="none";
+var searchResults = new SearchResults("searchResults");
+searchResults.Search();
+--></script>
+</div>
+</body>
+</html>
diff --git a/doc/html/search/all_70.html b/doc/html/search/all_70.html
index 9688127..f5e7c02 100644
--- a/doc/html/search/all_70.html
+++ b/doc/html/search/all_70.html
@@ -7,40 +7,61 @@
 <body class="SRPage">
 <div id="SRIndex">
 <div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_parent">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__hierarchy__node.html#a5c94c89d7e2aea393f1c550afb766bbe" target="_parent">parent</a>
+  <span class="SRScope">_hierarchy_node</span>
+ </div>
+</div>
 <div class="SRResult" id="SR_parserpolicyid">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../sfPolicyUserData_8c.html#a0a415b8e70250b11e64a463134d00b4f" target="_parent">parserPolicyId</a>
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../sfPolicyUserData_8c.html#a0a415b8e70250b11e64a463134d00b4f" target="_parent">parserPolicyId</a>
   <span class="SRScope">sfPolicyUserData.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR_pkt">
  <div class="SREntry">
-  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../structpkt__info.html#a8d5ebd04a32067b05387e5c5056fe168" target="_parent">pkt</a>
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../structpkt__info.html#a8d5ebd04a32067b05387e5c5056fe168" target="_parent">pkt</a>
   <span class="SRScope">pkt_info</span>
  </div>
 </div>
 <div class="SRResult" id="SR_pkt_5finfo">
  <div class="SREntry">
-  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../structpkt__info.html" target="_parent">pkt_info</a>
+  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../structpkt__info.html" target="_parent">pkt_info</a>
  </div>
 </div>
 <div class="SRResult" id="SR_pkt_5fkey">
  <div class="SREntry">
-  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../structpkt__key.html" target="_parent">pkt_key</a>
+  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../structpkt__key.html" target="_parent">pkt_key</a>
  </div>
 </div>
-<div class="SRResult" id="SR_porttocheck">
+<div class="SRResult" id="SR_preg_5fmatch">
  <div class="SREntry">
-  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../struct__AI__config.html#ab22e082ad6637f6280134e882bf53b0d" target="_parent">portToCheck</a>
-  <span class="SRScope">_AI_config</span>
+  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_preg_5fmatch')">preg_match</a>
+  <div class="SRChildren">
+    <a id="Item5_c0" onkeydown="return searchResults.NavChild(event,5,0)" onkeypress="return searchResults.NavChild(event,5,0)" onkeyup="return searchResults.NavChild(event,5,0)" class="SRScope" href="../regex_8c.html#a35f57c052a7de1ded54b67a1f7819791" target="_parent">preg_match(const char *expr, char *str, char ***matches, int *nmatches):&nbsp;regex.c</a>
+    <a id="Item5_c1" onkeydown="return searchResults.NavChild(event,5,1)" onkeypress="return searchResults.NavChild(event,5,1)" onkeyup="return searchResults.NavChild(event,5,1)" class="SRScope" href="../spp__ai_8h.html#a85c0852b05b60cbfe0130534160c9876" target="_parent">preg_match(const char *, char *, char ***, int *):&nbsp;regex.c</a>
+  </div>
  </div>
 </div>
 <div class="SRResult" id="SR_preproc_5fname">
  <div class="SREntry">
-  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../sf__preproc__info_8h.html#af5d5329206253ca0c1a3b8d4a43195af" target="_parent">PREPROC_NAME</a>
+  <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../sf__preproc__info_8h.html#af5d5329206253ca0c1a3b8d4a43195af" target="_parent">PREPROC_NAME</a>
   <span class="SRScope">sf_preproc_info.h</span>
  </div>
 </div>
+<div class="SRResult" id="SR_priority">
+ <div class="SREntry">
+  <a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9" target="_parent">priority</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_private">
+ <div class="SREntry">
+  <a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../spp__ai_8h.html#a5e151c615eda34903514212f05a5ccf8" target="_parent">PRIVATE</a>
+  <span class="SRScope">spp_ai.h</span>
+ </div>
+</div>
 <div class="SRStatus" id="Searching">Searching...</div>
 <div class="SRStatus" id="NoMatches">No Matches</div>
 <script type="text/javascript"><!--
diff --git a/doc/html/search/all_72.html b/doc/html/search/all_72.html
index 02e5703..79ddb16 100644
--- a/doc/html/search/all_72.html
+++ b/doc/html/search/all_72.html
@@ -7,9 +7,20 @@
 <body class="SRPage">
 <div id="SRIndex">
 <div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_regex_2ec">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../regex_8c.html" target="_parent">regex.c</a>
+ </div>
+</div>
+<div class="SRResult" id="SR_rev">
+ <div class="SREntry">
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../struct__AI__snort__alert.html#a864d3baa48586d6a31639f4cd27d9d37" target="_parent">rev</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
 <div class="SRResult" id="SR_runtimepolicyid">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../sfPolicyUserData_8c.html#a281b418c0dc978a74cd7ab5e46ee0fa4" target="_parent">runtimePolicyId</a>
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../sfPolicyUserData_8c.html#a281b418c0dc978a74cd7ab5e46ee0fa4" target="_parent">runtimePolicyId</a>
   <span class="SRScope">sfPolicyUserData.c</span>
  </div>
 </div>
diff --git a/doc/html/search/all_73.html b/doc/html/search/all_73.html
index e55c20a..c07ede8 100644
--- a/doc/html/search/all_73.html
+++ b/doc/html/search/all_73.html
@@ -7,88 +7,118 @@
 <body class="SRPage">
 <div id="SRIndex">
 <div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_sequence">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__AI__snort__alert.html#acb20c4c55149d5806d7523720786ab77" target="_parent">sequence</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
 <div class="SRResult" id="SR_sf_5fdynamic_5fpreproc_5flib_2ec">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../sf__dynamic__preproc__lib_8c.html" target="_parent">sf_dynamic_preproc_lib.c</a>
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../sf__dynamic__preproc__lib_8c.html" target="_parent">sf_dynamic_preproc_lib.c</a>
  </div>
 </div>
 <div class="SRResult" id="SR_sf_5fpreproc_5finfo_2eh">
  <div class="SREntry">
-  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../sf__preproc__info_8h.html" target="_parent">sf_preproc_info.h</a>
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../sf__preproc__info_8h.html" target="_parent">sf_preproc_info.h</a>
  </div>
 </div>
 <div class="SRResult" id="SR_sfpolicyconfigcreate">
  <div class="SREntry">
-  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../group__sfPolicyConfig.html#gac62cd5838bee4a9d3f40561eae920cdd" target="_parent">sfPolicyConfigCreate</a>
+  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../group__sfPolicyConfig.html#gac62cd5838bee4a9d3f40561eae920cdd" target="_parent">sfPolicyConfigCreate</a>
   <span class="SRScope">sfPolicyUserData.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR_sfpolicyconfigdelete">
  <div class="SREntry">
-  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../group__sfPolicyConfig.html#ga189d09ed6d1203ebace6ea2c2aafc1b8" target="_parent">sfPolicyConfigDelete</a>
+  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../group__sfPolicyConfig.html#ga189d09ed6d1203ebace6ea2c2aafc1b8" target="_parent">sfPolicyConfigDelete</a>
   <span class="SRScope">sfPolicyUserData.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR_sfpolicyuserdata_2ec">
  <div class="SREntry">
-  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../sfPolicyUserData_8c.html" target="_parent">sfPolicyUserData.c</a>
+  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../sfPolicyUserData_8c.html" target="_parent">sfPolicyUserData.c</a>
  </div>
 </div>
 <div class="SRResult" id="SR_sfpolicyuserdataclear">
  <div class="SREntry">
-  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../group__sfPolicyConfig.html#gae8f2ae426b1f1a50eabfade6d22c2c85" target="_parent">sfPolicyUserDataClear</a>
+  <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../group__sfPolicyConfig.html#gae8f2ae426b1f1a50eabfade6d22c2c85" target="_parent">sfPolicyUserDataClear</a>
   <span class="SRScope">sfPolicyUserData.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR_sfpolicyuserdataiterate">
  <div class="SREntry">
-  <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../group__sfPolicyConfig.html#ga3f3ab9314d29d2ee2a8285289b388f17" target="_parent">sfPolicyUserDataIterate</a>
+  <a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../group__sfPolicyConfig.html#ga3f3ab9314d29d2ee2a8285289b388f17" target="_parent">sfPolicyUserDataIterate</a>
   <span class="SRScope">sfPolicyUserData.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR_sfpolicyuserdataset">
  <div class="SREntry">
-  <a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../group__sfPolicyConfig.html#ga8e14fd83397b9bbb14568070183db80b" target="_parent">sfPolicyUserDataSet</a>
+  <a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../group__sfPolicyConfig.html#ga8e14fd83397b9bbb14568070183db80b" target="_parent">sfPolicyUserDataSet</a>
   <span class="SRScope">sfPolicyUserData.c</span>
  </div>
 </div>
+<div class="SRResult" id="SR_sid">
+ <div class="SREntry">
+  <a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="../struct__AI__snort__alert.html#a3349aa68d2234f8ffd897367c3a8a137" target="_parent">sid</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
 <div class="SRResult" id="SR_spp_5fai_2ec">
  <div class="SREntry">
-  <a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../spp__ai_8c.html" target="_parent">spp_ai.c</a>
+  <a id="Item10" onkeydown="return searchResults.Nav(event,10)" onkeypress="return searchResults.Nav(event,10)" onkeyup="return searchResults.Nav(event,10)" class="SRSymbol" href="../spp__ai_8c.html" target="_parent">spp_ai.c</a>
  </div>
 </div>
 <div class="SRResult" id="SR_spp_5fai_2eh">
  <div class="SREntry">
-  <a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="../spp__ai_8h.html" target="_parent">spp_ai.h</a>
+  <a id="Item11" onkeydown="return searchResults.Nav(event,11)" onkeypress="return searchResults.Nav(event,11)" onkeyup="return searchResults.Nav(event,11)" class="SRSymbol" href="../spp__ai_8h.html" target="_parent">spp_ai.h</a>
+ </div>
+</div>
+<div class="SRResult" id="SR_src_5faddr">
+ <div class="SREntry">
+  <a id="Item12" onkeydown="return searchResults.Nav(event,12)" onkeypress="return searchResults.Nav(event,12)" onkeyup="return searchResults.Nav(event,12)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_src_5faddr')">src_addr</a>
+  <div class="SRChildren">
+    <a id="Item12_c0" onkeydown="return searchResults.NavChild(event,12,0)" onkeypress="return searchResults.NavChild(event,12,0)" onkeyup="return searchResults.NavChild(event,12,0)" class="SRScope" href="../struct__AI__snort__alert.html#ab16a24f368020e4b40e65b53cae33b48" target="_parent">_AI_snort_alert::src_addr()</a>
+    <a id="Item12_c1" onkeydown="return searchResults.NavChild(event,12,1)" onkeypress="return searchResults.NavChild(event,12,1)" onkeyup="return searchResults.NavChild(event,12,1)" class="SRScope" href="../spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640abc900639df18f0f5f2f63a1f033fe42f" target="_parent">src_addr():&nbsp;spp_ai.h</a>
+  </div>
  </div>
 </div>
 <div class="SRResult" id="SR_src_5fip">
  <div class="SREntry">
-  <a id="Item10" onkeydown="return searchResults.Nav(event,10)" onkeypress="return searchResults.Nav(event,10)" onkeyup="return searchResults.Nav(event,10)" class="SRSymbol" href="../structpkt__key.html#a3a091c20dafb8b3f689db00c5b2f8ddb" target="_parent">src_ip</a>
+  <a id="Item13" onkeydown="return searchResults.Nav(event,13)" onkeypress="return searchResults.Nav(event,13)" onkeyup="return searchResults.Nav(event,13)" class="SRSymbol" href="../structpkt__key.html#a3a091c20dafb8b3f689db00c5b2f8ddb" target="_parent">src_ip</a>
   <span class="SRScope">pkt_key</span>
  </div>
 </div>
-<div class="SRResult" id="SR_src_5fport_5fmatch">
+<div class="SRResult" id="SR_src_5fport">
  <div class="SREntry">
-  <a id="Item11" onkeydown="return searchResults.Nav(event,11)" onkeypress="return searchResults.Nav(event,11)" onkeyup="return searchResults.Nav(event,11)" class="SRSymbol" href="../spp__ai_8c.html#af4c767ae0346026264c851108f42be63" target="_parent">SRC_PORT_MATCH</a>
-  <span class="SRScope">spp_ai.c</span>
+  <a id="Item14" onkeydown="return searchResults.Nav(event,14)" onkeypress="return searchResults.Nav(event,14)" onkeyup="return searchResults.Nav(event,14)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_src_5fport')">src_port</a>
+  <div class="SRChildren">
+    <a id="Item14_c0" onkeydown="return searchResults.NavChild(event,14,0)" onkeypress="return searchResults.NavChild(event,14,0)" onkeyup="return searchResults.NavChild(event,14,0)" class="SRScope" href="../struct__AI__snort__alert.html#a856cccd3eaabd38aa9974f26d3edc5e3" target="_parent">_AI_snort_alert::src_port()</a>
+    <a id="Item14_c1" onkeydown="return searchResults.NavChild(event,14,1)" onkeypress="return searchResults.NavChild(event,14,1)" onkeyup="return searchResults.NavChild(event,14,1)" class="SRScope" href="../spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ac1335c508143eb06843af2ce5ff3027b" target="_parent">src_port():&nbsp;spp_ai.h</a>
+  </div>
  </div>
 </div>
-<div class="SRResult" id="SR_src_5fport_5fmatch_5fstr">
+<div class="SRResult" id="SR_start_5ftime">
  <div class="SREntry">
-  <a id="Item12" onkeydown="return searchResults.Nav(event,12)" onkeypress="return searchResults.Nav(event,12)" onkeyup="return searchResults.Nav(event,12)" class="SRSymbol" href="../spp__ai_8c.html#a3ec4dd8f1ebed73c13175d9b9c820e2e" target="_parent">SRC_PORT_MATCH_STR</a>
-  <span class="SRScope">spp_ai.c</span>
+  <a id="Item15" onkeydown="return searchResults.Nav(event,15)" onkeypress="return searchResults.Nav(event,15)" onkeyup="return searchResults.Nav(event,15)" class="SRSymbol" href="../stream_8c.html#a0597864b078ff448f28432db86950309" target="_parent">start_time</a>
+  <span class="SRScope">stream.c</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_stream">
+ <div class="SREntry">
+  <a id="Item16" onkeydown="return searchResults.Nav(event,16)" onkeypress="return searchResults.Nav(event,16)" onkeyup="return searchResults.Nav(event,16)" class="SRSymbol" href="../struct__AI__snort__alert.html#a09dfe0a841fd3912ec78060d4547cb31" target="_parent">stream</a>
+  <span class="SRScope">_AI_snort_alert</span>
  </div>
 </div>
 <div class="SRResult" id="SR_stream_2ec">
  <div class="SREntry">
-  <a id="Item13" onkeydown="return searchResults.Nav(event,13)" onkeypress="return searchResults.Nav(event,13)" onkeyup="return searchResults.Nav(event,13)" class="SRSymbol" href="../stream_8c.html" target="_parent">stream.c</a>
+  <a id="Item17" onkeydown="return searchResults.Nav(event,17)" onkeypress="return searchResults.Nav(event,17)" onkeyup="return searchResults.Nav(event,17)" class="SRSymbol" href="../stream_8c.html" target="_parent">stream.c</a>
  </div>
 </div>
 <div class="SRResult" id="SR_streamexpireinterval">
  <div class="SREntry">
-  <a id="Item14" onkeydown="return searchResults.Nav(event,14)" onkeypress="return searchResults.Nav(event,14)" onkeyup="return searchResults.Nav(event,14)" class="SRSymbol" href="../struct__AI__config.html#a338358f23bf15f567a015a99d892c8e7" target="_parent">streamExpireInterval</a>
-  <span class="SRScope">_AI_config</span>
+  <a id="Item18" onkeydown="return searchResults.Nav(event,18)" onkeypress="return searchResults.Nav(event,18)" onkeyup="return searchResults.Nav(event,18)" class="SRSymbol" href="../structAI__config.html#abbe77d5f94b8c5164bea47acba09c98b" target="_parent">streamExpireInterval</a>
+  <span class="SRScope">AI_config</span>
  </div>
 </div>
 <div class="SRStatus" id="Searching">Searching...</div>
diff --git a/doc/html/search/all_74.html b/doc/html/search/all_74.html
index d9a5a00..107f23d 100644
--- a/doc/html/search/all_74.html
+++ b/doc/html/search/all_74.html
@@ -7,18 +7,54 @@
 <body class="SRPage">
 <div id="SRIndex">
 <div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_tcp_5fflags">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__AI__snort__alert.html#aa643f11db93b70242b57f0a04775e507" target="_parent">tcp_flags</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_tcplen">
+ <div class="SREntry">
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../struct__AI__snort__alert.html#a519a103f5e8f1cb006c0c137b7c6a1c0" target="_parent">tcplen</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
 <div class="SRResult" id="SR_timestamp">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structpkt__info.html#a7f5090443f21e6290f0439f1bb872e92" target="_parent">timestamp</a>
-  <span class="SRScope">pkt_info</span>
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_timestamp')">timestamp</a>
+  <div class="SRChildren">
+    <a id="Item2_c0" onkeydown="return searchResults.NavChild(event,2,0)" onkeypress="return searchResults.NavChild(event,2,0)" onkeyup="return searchResults.NavChild(event,2,0)" class="SRScope" href="../structpkt__info.html#a7f5090443f21e6290f0439f1bb872e92" target="_parent">pkt_info::timestamp()</a>
+    <a id="Item2_c1" onkeydown="return searchResults.NavChild(event,2,1)" onkeypress="return searchResults.NavChild(event,2,1)" onkeyup="return searchResults.NavChild(event,2,1)" class="SRScope" href="../struct__AI__snort__alert.html#a10a67f60ca3da339a2104849a0b2ac19" target="_parent">_AI_snort_alert::timestamp()</a>
+  </div>
+ </div>
+</div>
+<div class="SRResult" id="SR_tos">
+ <div class="SREntry">
+  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../struct__AI__snort__alert.html#a882ae6db43dc0fe08071947ccb044b93" target="_parent">tos</a>
+  <span class="SRScope">_AI_snort_alert</span>
  </div>
 </div>
 <div class="SRResult" id="SR_true">
  <div class="SREntry">
-  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18dda08f175a5505a10b9ed657defeb050e4b" target="_parent">true</a>
+  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18dda08f175a5505a10b9ed657defeb050e4b" target="_parent">true</a>
   <span class="SRScope">spp_ai.h</span>
  </div>
 </div>
+<div class="SRResult" id="SR_ttl">
+ <div class="SREntry">
+  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../struct__AI__snort__alert.html#ab9b1ce8ee440a324af116403ac9c51a2" target="_parent">ttl</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_type">
+ <div class="SREntry">
+  <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_type')">type</a>
+  <div class="SRChildren">
+    <a id="Item6_c0" onkeydown="return searchResults.NavChild(event,6,0)" onkeypress="return searchResults.NavChild(event,6,0)" onkeyup="return searchResults.NavChild(event,6,0)" class="SRScope" href="../structattribute__value.html#a5322c4edde771a7ee0d9fc5f5e45484c" target="_parent">attribute_value::type()</a>
+    <a id="Item6_c1" onkeydown="return searchResults.NavChild(event,6,1)" onkeypress="return searchResults.NavChild(event,6,1)" onkeyup="return searchResults.NavChild(event,6,1)" class="SRScope" href="../struct__hierarchy__node.html#a3b18e3ddfa2212c5e4ff9c0b4bde4296" target="_parent">_hierarchy_node::type()</a>
+  </div>
+ </div>
+</div>
 <div class="SRStatus" id="Searching">Searching...</div>
 <div class="SRStatus" id="NoMatches">No Matches</div>
 <script type="text/javascript"><!--
diff --git a/doc/html/search/all_75.html b/doc/html/search/all_75.html
index aa48425..f53a1f4 100644
--- a/doc/html/search/all_75.html
+++ b/doc/html/search/all_75.html
@@ -19,6 +19,12 @@
   <span class="SRScope">spp_ai.h</span>
  </div>
 </div>
+<div class="SRResult" id="SR_uint8_5ft">
+ <div class="SREntry">
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5" target="_parent">uint8_t</a>
+  <span class="SRScope">spp_ai.h</span>
+ </div>
+</div>
 <div class="SRStatus" id="Searching">Searching...</div>
 <div class="SRStatus" id="NoMatches">No Matches</div>
 <script type="text/javascript"><!--
diff --git a/doc/html/search/all_77.html b/doc/html/search/all_77.html
new file mode 100644
index 0000000..4410960
--- /dev/null
+++ b/doc/html/search/all_77.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html><head><title></title>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<link rel="stylesheet" type="text/css" href="search.css"/>
+<script type="text/javascript" src="search.js"></script>
+</head>
+<body class="SRPage">
+<div id="SRIndex">
+<div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_window">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__AI__snort__alert.html#a63e94be3d248cf4beb0d4d5ab75331b1" target="_parent">window</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
+<div class="SRStatus" id="Searching">Searching...</div>
+<div class="SRStatus" id="NoMatches">No Matches</div>
+<script type="text/javascript"><!--
+document.getElementById("Loading").style.display="none";
+document.getElementById("NoMatches").style.display="none";
+var searchResults = new SearchResults("searchResults");
+searchResults.Search();
+--></script>
+</div>
+</body>
+</html>
diff --git a/doc/html/search/classes_5f.html b/doc/html/search/classes_5f.html
index e707a94..7f9da45 100644
--- a/doc/html/search/classes_5f.html
+++ b/doc/html/search/classes_5f.html
@@ -7,9 +7,14 @@
 <body class="SRPage">
 <div id="SRIndex">
 <div class="SRStatus" id="Loading">Loading...</div>
-<div class="SRResult" id="SR__5fai_5fconfig">
+<div class="SRResult" id="SR__5fai_5fsnort_5falert">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__AI__config.html" target="_parent">_AI_config</a>
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__AI__snort__alert.html" target="_parent">_AI_snort_alert</a>
+ </div>
+</div>
+<div class="SRResult" id="SR__5fhierarchy_5fnode">
+ <div class="SREntry">
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../struct__hierarchy__node.html" target="_parent">_hierarchy_node</a>
  </div>
 </div>
 <div class="SRStatus" id="Searching">Searching...</div>
diff --git a/doc/html/search/classes_61.html b/doc/html/search/classes_61.html
new file mode 100644
index 0000000..0dbeae5
--- /dev/null
+++ b/doc/html/search/classes_61.html
@@ -0,0 +1,35 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html><head><title></title>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<link rel="stylesheet" type="text/css" href="search.css"/>
+<script type="text/javascript" src="search.js"></script>
+</head>
+<body class="SRPage">
+<div id="SRIndex">
+<div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_ai_5fconfig">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structAI__config.html" target="_parent">AI_config</a>
+ </div>
+</div>
+<div class="SRResult" id="SR_attribute_5fkey">
+ <div class="SREntry">
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../structattribute__key.html" target="_parent">attribute_key</a>
+ </div>
+</div>
+<div class="SRResult" id="SR_attribute_5fvalue">
+ <div class="SREntry">
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../structattribute__value.html" target="_parent">attribute_value</a>
+ </div>
+</div>
+<div class="SRStatus" id="Searching">Searching...</div>
+<div class="SRStatus" id="NoMatches">No Matches</div>
+<script type="text/javascript"><!--
+document.getElementById("Loading").style.display="none";
+document.getElementById("NoMatches").style.display="none";
+var searchResults = new SearchResults("searchResults");
+searchResults.Search();
+--></script>
+</div>
+</body>
+</html>
diff --git a/doc/html/search/defines_64.html b/doc/html/search/defines_64.html
index 79d2e40..830b87e 100644
--- a/doc/html/search/defines_64.html
+++ b/doc/html/search/defines_64.html
@@ -7,21 +7,39 @@
 <body class="SRPage">
 <div id="SRIndex">
 <div class="SRStatus" id="Loading">Loading...</div>
-<div class="SRResult" id="SR_dst_5fport_5fmatch">
+<div class="SRResult" id="SR_default_5falert_5fclustering_5finterval">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../spp__ai_8c.html#a8ab13e8ad1dfd19b9237a99ae6130146" target="_parent">DST_PORT_MATCH</a>
-  <span class="SRScope">spp_ai.c</span>
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../spp__ai_8h.html#a0c4b6fce670e46083e33b9f53b78f39e" target="_parent">DEFAULT_ALERT_CLUSTERING_INTERVAL</a>
+  <span class="SRScope">spp_ai.h</span>
  </div>
 </div>
-<div class="SRResult" id="SR_dst_5fport_5fmatch_5fstr">
+<div class="SRResult" id="SR_default_5falert_5flog_5ffile">
  <div class="SREntry">
-  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../spp__ai_8c.html#a1f3521b9bcf5daf99190be58473a4110" target="_parent">DST_PORT_MATCH_STR</a>
-  <span class="SRScope">spp_ai.c</span>
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../spp__ai_8h.html#a6d9bf552c32371e0144dc6a6209c7e4a" target="_parent">DEFAULT_ALERT_LOG_FILE</a>
+  <span class="SRScope">spp_ai.h</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_default_5fcluster_5flog_5ffile">
+ <div class="SREntry">
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../spp__ai_8h.html#a803dc913297ccdace9e604dbfecda97d" target="_parent">DEFAULT_CLUSTER_LOG_FILE</a>
+  <span class="SRScope">spp_ai.h</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_default_5fhash_5fcleanup_5finterval">
+ <div class="SREntry">
+  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../spp__ai_8h.html#a5f555c0ebd29ce2771a3e2dd4f526746" target="_parent">DEFAULT_HASH_CLEANUP_INTERVAL</a>
+  <span class="SRScope">spp_ai.h</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_default_5fstream_5fexpire_5finterval">
+ <div class="SREntry">
+  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../spp__ai_8h.html#a0f6a189af15ef783fb46ed37c144e031" target="_parent">DEFAULT_STREAM_EXPIRE_INTERVAL</a>
+  <span class="SRScope">spp_ai.h</span>
  </div>
 </div>
 <div class="SRResult" id="SR_dynamic_5fpreproc_5fsetup">
  <div class="SREntry">
-  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../sf__preproc__info_8h.html#aba4c0d0af324a3861e662ed4650aae44" target="_parent">DYNAMIC_PREPROC_SETUP</a>
+  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../sf__preproc__info_8h.html#aba4c0d0af324a3861e662ed4650aae44" target="_parent">DYNAMIC_PREPROC_SETUP</a>
   <span class="SRScope">sf_preproc_info.h</span>
  </div>
 </div>
diff --git a/doc/html/search/defines_70.html b/doc/html/search/defines_70.html
index 0e1d892..92aa16c 100644
--- a/doc/html/search/defines_70.html
+++ b/doc/html/search/defines_70.html
@@ -13,6 +13,12 @@
   <span class="SRScope">sf_preproc_info.h</span>
  </div>
 </div>
+<div class="SRResult" id="SR_private">
+ <div class="SREntry">
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../spp__ai_8h.html#a5e151c615eda34903514212f05a5ccf8" target="_parent">PRIVATE</a>
+  <span class="SRScope">spp_ai.h</span>
+ </div>
+</div>
 <div class="SRStatus" id="Searching">Searching...</div>
 <div class="SRStatus" id="NoMatches">No Matches</div>
 <script type="text/javascript"><!--
diff --git a/doc/html/search/enums_63.html b/doc/html/search/enums_63.html
new file mode 100644
index 0000000..22e95fd
--- /dev/null
+++ b/doc/html/search/enums_63.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html><head><title></title>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<link rel="stylesheet" type="text/css" href="search.css"/>
+<script type="text/javascript" src="search.js"></script>
+</head>
+<body class="SRPage">
+<div id="SRIndex">
+<div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_cluster_5ftype">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640" target="_parent">cluster_type</a>
+  <span class="SRScope">spp_ai.h</span>
+ </div>
+</div>
+<div class="SRStatus" id="Searching">Searching...</div>
+<div class="SRStatus" id="NoMatches">No Matches</div>
+<script type="text/javascript"><!--
+document.getElementById("Loading").style.display="none";
+document.getElementById("NoMatches").style.display="none";
+var searchResults = new SearchResults("searchResults");
+searchResults.Search();
+--></script>
+</div>
+</body>
+</html>
diff --git a/doc/html/search/enumvalues_63.html b/doc/html/search/enumvalues_63.html
new file mode 100644
index 0000000..d80b16c
--- /dev/null
+++ b/doc/html/search/enumvalues_63.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html><head><title></title>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<link rel="stylesheet" type="text/css" href="search.css"/>
+<script type="text/javascript" src="search.js"></script>
+</head>
+<body class="SRPage">
+<div id="SRIndex">
+<div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_cluster_5ftypes">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ab16bb5c4b330d5db02e2d852cd2ba451" target="_parent">CLUSTER_TYPES</a>
+  <span class="SRScope">spp_ai.h</span>
+ </div>
+</div>
+<div class="SRStatus" id="Searching">Searching...</div>
+<div class="SRStatus" id="NoMatches">No Matches</div>
+<script type="text/javascript"><!--
+document.getElementById("Loading").style.display="none";
+document.getElementById("NoMatches").style.display="none";
+var searchResults = new SearchResults("searchResults");
+searchResults.Search();
+--></script>
+</div>
+</body>
+</html>
diff --git a/doc/html/search/enumvalues_64.html b/doc/html/search/enumvalues_64.html
new file mode 100644
index 0000000..24209c6
--- /dev/null
+++ b/doc/html/search/enumvalues_64.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html><head><title></title>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<link rel="stylesheet" type="text/css" href="search.css"/>
+<script type="text/javascript" src="search.js"></script>
+</head>
+<body class="SRPage">
+<div id="SRIndex">
+<div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_dst_5faddr">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640aa000f955ef1374c60cdb16bf43a1593c" target="_parent">dst_addr</a>
+  <span class="SRScope">spp_ai.h</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_dst_5fport">
+ <div class="SREntry">
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640abc4f89a184ada44073bd6f54d7fc11c9" target="_parent">dst_port</a>
+  <span class="SRScope">spp_ai.h</span>
+ </div>
+</div>
+<div class="SRStatus" id="Searching">Searching...</div>
+<div class="SRStatus" id="NoMatches">No Matches</div>
+<script type="text/javascript"><!--
+document.getElementById("Loading").style.display="none";
+document.getElementById("NoMatches").style.display="none";
+var searchResults = new SearchResults("searchResults");
+searchResults.Search();
+--></script>
+</div>
+</body>
+</html>
diff --git a/doc/html/search/enumvalues_6e.html b/doc/html/search/enumvalues_6e.html
new file mode 100644
index 0000000..ad4bf43
--- /dev/null
+++ b/doc/html/search/enumvalues_6e.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html><head><title></title>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<link rel="stylesheet" type="text/css" href="search.css"/>
+<script type="text/javascript" src="search.js"></script>
+</head>
+<body class="SRPage">
+<div id="SRIndex">
+<div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_none">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ab7e4e0120a041dbe6528b050c04269e0" target="_parent">none</a>
+  <span class="SRScope">spp_ai.h</span>
+ </div>
+</div>
+<div class="SRStatus" id="Searching">Searching...</div>
+<div class="SRStatus" id="NoMatches">No Matches</div>
+<script type="text/javascript"><!--
+document.getElementById("Loading").style.display="none";
+document.getElementById("NoMatches").style.display="none";
+var searchResults = new SearchResults("searchResults");
+searchResults.Search();
+--></script>
+</div>
+</body>
+</html>
diff --git a/doc/html/search/enumvalues_73.html b/doc/html/search/enumvalues_73.html
new file mode 100644
index 0000000..e0535b0
--- /dev/null
+++ b/doc/html/search/enumvalues_73.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html><head><title></title>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<link rel="stylesheet" type="text/css" href="search.css"/>
+<script type="text/javascript" src="search.js"></script>
+</head>
+<body class="SRPage">
+<div id="SRIndex">
+<div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_src_5faddr">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640abc900639df18f0f5f2f63a1f033fe42f" target="_parent">src_addr</a>
+  <span class="SRScope">spp_ai.h</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_src_5fport">
+ <div class="SREntry">
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ac1335c508143eb06843af2ce5ff3027b" target="_parent">src_port</a>
+  <span class="SRScope">spp_ai.h</span>
+ </div>
+</div>
+<div class="SRStatus" id="Searching">Searching...</div>
+<div class="SRStatus" id="NoMatches">No Matches</div>
+<script type="text/javascript"><!--
+document.getElementById("Loading").style.display="none";
+document.getElementById("NoMatches").style.display="none";
+var searchResults = new SearchResults("searchResults");
+searchResults.Search();
+--></script>
+</div>
+</body>
+</html>
diff --git a/doc/html/search/files_61.html b/doc/html/search/files_61.html
new file mode 100644
index 0000000..fb5d262
--- /dev/null
+++ b/doc/html/search/files_61.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html><head><title></title>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<link rel="stylesheet" type="text/css" href="search.css"/>
+<script type="text/javascript" src="search.js"></script>
+</head>
+<body class="SRPage">
+<div id="SRIndex">
+<div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_alert_5fparser_2ec">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../alert__parser_8c.html" target="_parent">alert_parser.c</a>
+ </div>
+</div>
+<div class="SRStatus" id="Searching">Searching...</div>
+<div class="SRStatus" id="NoMatches">No Matches</div>
+<script type="text/javascript"><!--
+document.getElementById("Loading").style.display="none";
+document.getElementById("NoMatches").style.display="none";
+var searchResults = new SearchResults("searchResults");
+searchResults.Search();
+--></script>
+</div>
+</body>
+</html>
diff --git a/doc/html/search/files_63.html b/doc/html/search/files_63.html
new file mode 100644
index 0000000..5fa7a6c
--- /dev/null
+++ b/doc/html/search/files_63.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html><head><title></title>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<link rel="stylesheet" type="text/css" href="search.css"/>
+<script type="text/javascript" src="search.js"></script>
+</head>
+<body class="SRPage">
+<div id="SRIndex">
+<div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_cluster_2ec">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../cluster_8c.html" target="_parent">cluster.c</a>
+ </div>
+</div>
+<div class="SRStatus" id="Searching">Searching...</div>
+<div class="SRStatus" id="NoMatches">No Matches</div>
+<script type="text/javascript"><!--
+document.getElementById("Loading").style.display="none";
+document.getElementById("NoMatches").style.display="none";
+var searchResults = new SearchResults("searchResults");
+searchResults.Search();
+--></script>
+</div>
+</body>
+</html>
diff --git a/doc/html/search/files_72.html b/doc/html/search/files_72.html
new file mode 100644
index 0000000..820c4ff
--- /dev/null
+++ b/doc/html/search/files_72.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html><head><title></title>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<link rel="stylesheet" type="text/css" href="search.css"/>
+<script type="text/javascript" src="search.js"></script>
+</head>
+<body class="SRPage">
+<div id="SRIndex">
+<div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_regex_2ec">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../regex_8c.html" target="_parent">regex.c</a>
+ </div>
+</div>
+<div class="SRStatus" id="Searching">Searching...</div>
+<div class="SRStatus" id="NoMatches">No Matches</div>
+<script type="text/javascript"><!--
+document.getElementById("Loading").style.display="none";
+document.getElementById("NoMatches").style.display="none";
+var searchResults = new SearchResults("searchResults");
+searchResults.Search();
+--></script>
+</div>
+</body>
+</html>
diff --git a/doc/html/search/functions_5f.html b/doc/html/search/functions_5f.html
index 3071030..cb1c0b7 100644
--- a/doc/html/search/functions_5f.html
+++ b/doc/html/search/functions_5f.html
@@ -7,12 +7,72 @@
 <body class="SRPage">
 <div id="SRIndex">
 <div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR__5fai_5fcheck_5fduplicate">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../cluster_8c.html#a29c35cd6c56f54e27b5b190c6d6c487a" target="_parent">_AI_check_duplicate</a>
+  <span class="SRScope">cluster.c</span>
+ </div>
+</div>
+<div class="SRResult" id="SR__5fai_5fcluster_5fthread">
+ <div class="SREntry">
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../cluster_8c.html#a8a5eae61dc9fd0f13e0acdfa5f4478e2" target="_parent">_AI_cluster_thread</a>
+  <span class="SRScope">cluster.c</span>
+ </div>
+</div>
+<div class="SRResult" id="SR__5fai_5fcopy_5falerts">
+ <div class="SREntry">
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../alert__parser_8c.html#a6c5014cae9155379fdc4db649b2c862d" target="_parent">_AI_copy_alerts</a>
+  <span class="SRScope">alert_parser.c</span>
+ </div>
+</div>
+<div class="SRResult" id="SR__5fai_5fequal_5falarms">
+ <div class="SREntry">
+  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../cluster_8c.html#a0f91c8bfc37a3975f5c26b19fd6c5cba" target="_parent">_AI_equal_alarms</a>
+  <span class="SRScope">cluster.c</span>
+ </div>
+</div>
+<div class="SRResult" id="SR__5fai_5fget_5fmin_5fhierarchy_5fnode">
+ <div class="SREntry">
+  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../cluster_8c.html#a6ddddcd505b1f763c339e81fc143e079" target="_parent">_AI_get_min_hierarchy_node</a>
+  <span class="SRScope">cluster.c</span>
+ </div>
+</div>
+<div class="SRResult" id="SR__5fai_5fmerge_5falerts">
+ <div class="SREntry">
+  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../cluster_8c.html#a8ce8e5a5d8954672297fa2dedb380dcd" target="_parent">_AI_merge_alerts</a>
+  <span class="SRScope">cluster.c</span>
+ </div>
+</div>
+<div class="SRResult" id="SR__5fai_5fprint_5fclustered_5falerts">
+ <div class="SREntry">
+  <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../cluster_8c.html#a7d151880080470b542e99643dc0426a7" target="_parent">_AI_print_clustered_alerts</a>
+  <span class="SRScope">cluster.c</span>
+ </div>
+</div>
 <div class="SRResult" id="SR__5fai_5fstream_5ffree">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../stream_8c.html#a2a0c295a6828df716311977538cabd4a" target="_parent">_AI_stream_free</a>
+  <a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../stream_8c.html#a80016adf701c717a6ebfb5b15b8a5749" target="_parent">_AI_stream_free</a>
   <span class="SRScope">stream.c</span>
  </div>
 </div>
+<div class="SRResult" id="SR__5fheuristic_5ffunc">
+ <div class="SREntry">
+  <a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../cluster_8c.html#a81f5fa721719fdb281595a568eef2101" target="_parent">_heuristic_func</a>
+  <span class="SRScope">cluster.c</span>
+ </div>
+</div>
+<div class="SRResult" id="SR__5fhierarchy_5fnode_5fappend">
+ <div class="SREntry">
+  <a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="../cluster_8c.html#a5601a1f603d9c870ef6e2df192e30c30" target="_parent">_hierarchy_node_append</a>
+  <span class="SRScope">cluster.c</span>
+ </div>
+</div>
+<div class="SRResult" id="SR__5fhierarchy_5fnode_5fnew">
+ <div class="SREntry">
+  <a id="Item10" onkeydown="return searchResults.Nav(event,10)" onkeypress="return searchResults.Nav(event,10)" onkeyup="return searchResults.Nav(event,10)" class="SRSymbol" href="../cluster_8c.html#a2f1a22cfea64e4669da0467620c3e3b3" target="_parent">_hierarchy_node_new</a>
+  <span class="SRScope">cluster.c</span>
+ </div>
+</div>
 <div class="SRStatus" id="Searching">Searching...</div>
 <div class="SRStatus" id="NoMatches">No Matches</div>
 <script type="text/javascript"><!--
diff --git a/doc/html/search/functions_61.html b/doc/html/search/functions_61.html
index 41619e6..735218f 100644
--- a/doc/html/search/functions_61.html
+++ b/doc/html/search/functions_61.html
@@ -7,48 +7,102 @@
 <body class="SRPage">
 <div id="SRIndex">
 <div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_ai_5falertparser_5fthread">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5falertparser_5fthread')">AI_alertparser_thread</a>
+  <div class="SRChildren">
+    <a id="Item0_c0" onkeydown="return searchResults.NavChild(event,0,0)" onkeypress="return searchResults.NavChild(event,0,0)" onkeyup="return searchResults.NavChild(event,0,0)" class="SRScope" href="../alert__parser_8c.html#ad68c45b5846743a54ad3fa92c8e48f8a" target="_parent">AI_alertparser_thread(void *arg):&nbsp;alert_parser.c</a>
+    <a id="Item0_c1" onkeydown="return searchResults.NavChild(event,0,1)" onkeypress="return searchResults.NavChild(event,0,1)" onkeyup="return searchResults.NavChild(event,0,1)" class="SRScope" href="../spp__ai_8h.html#a842a3204c6e067a9920990b573757181" target="_parent">AI_alertparser_thread(void *):&nbsp;alert_parser.c</a>
+  </div>
+ </div>
+</div>
+<div class="SRResult" id="SR_ai_5ffree_5falerts">
+ <div class="SREntry">
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5ffree_5falerts')">AI_free_alerts</a>
+  <div class="SRChildren">
+    <a id="Item1_c0" onkeydown="return searchResults.NavChild(event,1,0)" onkeypress="return searchResults.NavChild(event,1,0)" onkeyup="return searchResults.NavChild(event,1,0)" class="SRScope" href="../alert__parser_8c.html#a270e86669a0aa64a8da37bc16cda645b" target="_parent">AI_free_alerts(AI_snort_alert *node):&nbsp;alert_parser.c</a>
+    <a id="Item1_c1" onkeydown="return searchResults.NavChild(event,1,1)" onkeypress="return searchResults.NavChild(event,1,1)" onkeyup="return searchResults.NavChild(event,1,1)" class="SRScope" href="../spp__ai_8h.html#a270e86669a0aa64a8da37bc16cda645b" target="_parent">AI_free_alerts(AI_snort_alert *node):&nbsp;alert_parser.c</a>
+  </div>
+ </div>
+</div>
+<div class="SRResult" id="SR_ai_5fget_5falerts">
+ <div class="SREntry">
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fget_5falerts')">AI_get_alerts</a>
+  <div class="SRChildren">
+    <a id="Item2_c0" onkeydown="return searchResults.NavChild(event,2,0)" onkeypress="return searchResults.NavChild(event,2,0)" onkeyup="return searchResults.NavChild(event,2,0)" class="SRScope" href="../alert__parser_8c.html#a99474495643197b3075ac22ec6f6c70f" target="_parent">AI_get_alerts():&nbsp;alert_parser.c</a>
+    <a id="Item2_c1" onkeydown="return searchResults.NavChild(event,2,1)" onkeypress="return searchResults.NavChild(event,2,1)" onkeyup="return searchResults.NavChild(event,2,1)" class="SRScope" href="../spp__ai_8h.html#af19a28f7cbcdfeb2b66fb3b625b75076" target="_parent">AI_get_alerts(void):&nbsp;alert_parser.c</a>
+  </div>
+ </div>
+</div>
+<div class="SRResult" id="SR_ai_5fget_5fstream_5fby_5fkey">
+ <div class="SREntry">
+  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fget_5fstream_5fby_5fkey')">AI_get_stream_by_key</a>
+  <div class="SRChildren">
+    <a id="Item3_c0" onkeydown="return searchResults.NavChild(event,3,0)" onkeypress="return searchResults.NavChild(event,3,0)" onkeyup="return searchResults.NavChild(event,3,0)" class="SRScope" href="../spp__ai_8h.html#a3054f06297a9caefd4d9b1283bb8b69a" target="_parent">AI_get_stream_by_key(struct pkt_key):&nbsp;stream.c</a>
+    <a id="Item3_c1" onkeydown="return searchResults.NavChild(event,3,1)" onkeypress="return searchResults.NavChild(event,3,1)" onkeyup="return searchResults.NavChild(event,3,1)" class="SRScope" href="../stream_8c.html#a2efedcabbfd12c5345f0c93a3dd4735c" target="_parent">AI_get_stream_by_key(struct pkt_key key):&nbsp;stream.c</a>
+  </div>
+ </div>
+</div>
 <div class="SRResult" id="SR_ai_5fhashcleanup_5fthread">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fhashcleanup_5fthread')">AI_hashcleanup_thread</a>
+  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fhashcleanup_5fthread')">AI_hashcleanup_thread</a>
   <div class="SRChildren">
-    <a id="Item0_c0" onkeydown="return searchResults.NavChild(event,0,0)" onkeypress="return searchResults.NavChild(event,0,0)" onkeyup="return searchResults.NavChild(event,0,0)" class="SRScope" href="../spp__ai_8h.html#ad56f71be823eead743972274b99c82ff" target="_parent">AI_hashcleanup_thread(void *):&nbsp;stream.c</a>
-    <a id="Item0_c1" onkeydown="return searchResults.NavChild(event,0,1)" onkeypress="return searchResults.NavChild(event,0,1)" onkeyup="return searchResults.NavChild(event,0,1)" class="SRScope" href="../stream_8c.html#a24b1131374e5059564b8a12380c4eb75" target="_parent">AI_hashcleanup_thread(void *arg):&nbsp;stream.c</a>
+    <a id="Item4_c0" onkeydown="return searchResults.NavChild(event,4,0)" onkeypress="return searchResults.NavChild(event,4,0)" onkeyup="return searchResults.NavChild(event,4,0)" class="SRScope" href="../spp__ai_8h.html#ad56f71be823eead743972274b99c82ff" target="_parent">AI_hashcleanup_thread(void *):&nbsp;stream.c</a>
+    <a id="Item4_c1" onkeydown="return searchResults.NavChild(event,4,1)" onkeypress="return searchResults.NavChild(event,4,1)" onkeyup="return searchResults.NavChild(event,4,1)" class="SRScope" href="../stream_8c.html#a24b1131374e5059564b8a12380c4eb75" target="_parent">AI_hashcleanup_thread(void *arg):&nbsp;stream.c</a>
+  </div>
+ </div>
+</div>
+<div class="SRResult" id="SR_ai_5fhierarchies_5fbuild">
+ <div class="SREntry">
+  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fhierarchies_5fbuild')">AI_hierarchies_build</a>
+  <div class="SRChildren">
+    <a id="Item5_c0" onkeydown="return searchResults.NavChild(event,5,0)" onkeypress="return searchResults.NavChild(event,5,0)" onkeyup="return searchResults.NavChild(event,5,0)" class="SRScope" href="../cluster_8c.html#a1445818b37483f78cc3fb2890155842c" target="_parent">AI_hierarchies_build(AI_config *conf, hierarchy_node **nodes, int n_nodes):&nbsp;cluster.c</a>
+    <a id="Item5_c1" onkeydown="return searchResults.NavChild(event,5,1)" onkeypress="return searchResults.NavChild(event,5,1)" onkeyup="return searchResults.NavChild(event,5,1)" class="SRScope" href="../spp__ai_8h.html#a857348424b9db45c90f95631eb96fd7c" target="_parent">AI_hierarchies_build(AI_config *, hierarchy_node **, int):&nbsp;cluster.c</a>
   </div>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5finit">
  <div class="SREntry">
-  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../spp__ai_8c.html#a3524cbdf8fddbcf38c4ed55241002242" target="_parent">AI_init</a>
+  <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../spp__ai_8c.html#a3524cbdf8fddbcf38c4ed55241002242" target="_parent">AI_init</a>
   <span class="SRScope">spp_ai.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5fparse">
  <div class="SREntry">
-  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../spp__ai_8c.html#ae1c5c4b38ee2819d427848eb3046373e" target="_parent">AI_parse</a>
+  <a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../spp__ai_8c.html#ae1c5c4b38ee2819d427848eb3046373e" target="_parent">AI_parse</a>
   <span class="SRScope">spp_ai.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5fpkt_5fenqueue">
  <div class="SREntry">
-  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fpkt_5fenqueue')">AI_pkt_enqueue</a>
+  <a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fpkt_5fenqueue')">AI_pkt_enqueue</a>
   <div class="SRChildren">
-    <a id="Item3_c0" onkeydown="return searchResults.NavChild(event,3,0)" onkeypress="return searchResults.NavChild(event,3,0)" onkeyup="return searchResults.NavChild(event,3,0)" class="SRScope" href="../spp__ai_8h.html#af6f7d167c3623bbc669e8d31c2719b29" target="_parent">AI_pkt_enqueue(SFSnortPacket *):&nbsp;stream.c</a>
-    <a id="Item3_c1" onkeydown="return searchResults.NavChild(event,3,1)" onkeypress="return searchResults.NavChild(event,3,1)" onkeyup="return searchResults.NavChild(event,3,1)" class="SRScope" href="../stream_8c.html#a7d71c5645b9baff7b6c4b9a181bf80c5" target="_parent">AI_pkt_enqueue(SFSnortPacket *pkt):&nbsp;stream.c</a>
+    <a id="Item8_c0" onkeydown="return searchResults.NavChild(event,8,0)" onkeypress="return searchResults.NavChild(event,8,0)" onkeyup="return searchResults.NavChild(event,8,0)" class="SRScope" href="../spp__ai_8h.html#af6f7d167c3623bbc669e8d31c2719b29" target="_parent">AI_pkt_enqueue(SFSnortPacket *):&nbsp;stream.c</a>
+    <a id="Item8_c1" onkeydown="return searchResults.NavChild(event,8,1)" onkeypress="return searchResults.NavChild(event,8,1)" onkeyup="return searchResults.NavChild(event,8,1)" class="SRScope" href="../stream_8c.html#a7d71c5645b9baff7b6c4b9a181bf80c5" target="_parent">AI_pkt_enqueue(SFSnortPacket *pkt):&nbsp;stream.c</a>
   </div>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5fprocess">
  <div class="SREntry">
-  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../spp__ai_8c.html#a57c05cda012c443cb4c358dc327cd3d1" target="_parent">AI_process</a>
+  <a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="../spp__ai_8c.html#a57c05cda012c443cb4c358dc327cd3d1" target="_parent">AI_process</a>
   <span class="SRScope">spp_ai.c</span>
  </div>
 </div>
+<div class="SRResult" id="SR_ai_5fset_5fstream_5fobserved">
+ <div class="SREntry">
+  <a id="Item10" onkeydown="return searchResults.Nav(event,10)" onkeypress="return searchResults.Nav(event,10)" onkeyup="return searchResults.Nav(event,10)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fset_5fstream_5fobserved')">AI_set_stream_observed</a>
+  <div class="SRChildren">
+    <a id="Item10_c0" onkeydown="return searchResults.NavChild(event,10,0)" onkeypress="return searchResults.NavChild(event,10,0)" onkeyup="return searchResults.NavChild(event,10,0)" class="SRScope" href="../spp__ai_8h.html#a8749989cee2ac05a7de058faac280c02" target="_parent">AI_set_stream_observed(struct pkt_key key):&nbsp;stream.c</a>
+    <a id="Item10_c1" onkeydown="return searchResults.NavChild(event,10,1)" onkeypress="return searchResults.NavChild(event,10,1)" onkeyup="return searchResults.NavChild(event,10,1)" class="SRScope" href="../stream_8c.html#a8749989cee2ac05a7de058faac280c02" target="_parent">AI_set_stream_observed(struct pkt_key key):&nbsp;stream.c</a>
+  </div>
+ </div>
+</div>
 <div class="SRResult" id="SR_ai_5fsetup">
  <div class="SREntry">
-  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fsetup')">AI_setup</a>
+  <a id="Item11" onkeydown="return searchResults.Nav(event,11)" onkeypress="return searchResults.Nav(event,11)" onkeyup="return searchResults.Nav(event,11)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fsetup')">AI_setup</a>
   <div class="SRChildren">
-    <a id="Item5_c0" onkeydown="return searchResults.NavChild(event,5,0)" onkeypress="return searchResults.NavChild(event,5,0)" onkeyup="return searchResults.NavChild(event,5,0)" class="SRScope" href="../sf__preproc__info_8h.html#ad81716bc3f0fec4df74198a7cbdbd43c" target="_parent">AI_setup():&nbsp;spp_ai.c</a>
-    <a id="Item5_c1" onkeydown="return searchResults.NavChild(event,5,1)" onkeypress="return searchResults.NavChild(event,5,1)" onkeyup="return searchResults.NavChild(event,5,1)" class="SRScope" href="../spp__ai_8c.html#a1b9ebb5c719c7d9426ddfc1f3da36570" target="_parent">AI_setup(void):&nbsp;spp_ai.c</a>
+    <a id="Item11_c0" onkeydown="return searchResults.NavChild(event,11,0)" onkeypress="return searchResults.NavChild(event,11,0)" onkeyup="return searchResults.NavChild(event,11,0)" class="SRScope" href="../sf__preproc__info_8h.html#ad81716bc3f0fec4df74198a7cbdbd43c" target="_parent">AI_setup():&nbsp;spp_ai.c</a>
+    <a id="Item11_c1" onkeydown="return searchResults.NavChild(event,11,1)" onkeypress="return searchResults.NavChild(event,11,1)" onkeyup="return searchResults.NavChild(event,11,1)" class="SRScope" href="../spp__ai_8c.html#a1b9ebb5c719c7d9426ddfc1f3da36570" target="_parent">AI_setup(void):&nbsp;spp_ai.c</a>
   </div>
  </div>
 </div>
diff --git a/doc/html/search/functions_70.html b/doc/html/search/functions_70.html
new file mode 100644
index 0000000..4877310
--- /dev/null
+++ b/doc/html/search/functions_70.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html><head><title></title>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<link rel="stylesheet" type="text/css" href="search.css"/>
+<script type="text/javascript" src="search.js"></script>
+</head>
+<body class="SRPage">
+<div id="SRIndex">
+<div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_preg_5fmatch">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_preg_5fmatch')">preg_match</a>
+  <div class="SRChildren">
+    <a id="Item0_c0" onkeydown="return searchResults.NavChild(event,0,0)" onkeypress="return searchResults.NavChild(event,0,0)" onkeyup="return searchResults.NavChild(event,0,0)" class="SRScope" href="../regex_8c.html#a35f57c052a7de1ded54b67a1f7819791" target="_parent">preg_match(const char *expr, char *str, char ***matches, int *nmatches):&nbsp;regex.c</a>
+    <a id="Item0_c1" onkeydown="return searchResults.NavChild(event,0,1)" onkeypress="return searchResults.NavChild(event,0,1)" onkeyup="return searchResults.NavChild(event,0,1)" class="SRScope" href="../spp__ai_8h.html#a85c0852b05b60cbfe0130534160c9876" target="_parent">preg_match(const char *, char *, char ***, int *):&nbsp;regex.c</a>
+  </div>
+ </div>
+</div>
+<div class="SRStatus" id="Searching">Searching...</div>
+<div class="SRStatus" id="NoMatches">No Matches</div>
+<script type="text/javascript"><!--
+document.getElementById("Loading").style.display="none";
+document.getElementById("NoMatches").style.display="none";
+var searchResults = new SearchResults("searchResults");
+searchResults.Search();
+--></script>
+</div>
+</body>
+</html>
diff --git a/doc/html/search/search.js b/doc/html/search/search.js
index 7d8a494..ccaefd5 100644
--- a/doc/html/search/search.js
+++ b/doc/html/search/search.js
@@ -7,15 +7,15 @@
 
 var indexSectionsWithContent =
 {
-  0: "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010110111111011110101111000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
-  1: "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
-  2: "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
-  3: "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010100100001001000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
-  4: "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000110010010010101110000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
-  5: "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
-  6: "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
-  7: "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
-  8: "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010100100000100100100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
+  0: "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010111111111011111101111010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+  1: "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010100000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+  2: "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000101000000000000001100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+  3: "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010100100001001000100100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+  4: "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010101110111011111101110010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+  5: "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000010000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+  6: "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+  7: "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001101000000010000110000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+  8: "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010100000000100100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
 };
 
 var indexSectionNames =
diff --git a/doc/html/search/typedefs_61.html b/doc/html/search/typedefs_61.html
index 8093bed..e2b3ced 100644
--- a/doc/html/search/typedefs_61.html
+++ b/doc/html/search/typedefs_61.html
@@ -7,9 +7,9 @@
 <body class="SRPage">
 <div id="SRIndex">
 <div class="SRStatus" id="Loading">Loading...</div>
-<div class="SRResult" id="SR_ai_5fconfig">
+<div class="SRResult" id="SR_ai_5fsnort_5falert">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../spp__ai_8h.html#a3fc526e5a55f5d137402b1bbd1b6072c" target="_parent">AI_config</a>
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../spp__ai_8h.html#a982be90e72362e88d09f28336c9a1897" target="_parent">AI_snort_alert</a>
   <span class="SRScope">spp_ai.h</span>
  </div>
 </div>
diff --git a/doc/html/search/typedefs_68.html b/doc/html/search/typedefs_68.html
new file mode 100644
index 0000000..738dd5f
--- /dev/null
+++ b/doc/html/search/typedefs_68.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html><head><title></title>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<link rel="stylesheet" type="text/css" href="search.css"/>
+<script type="text/javascript" src="search.js"></script>
+</head>
+<body class="SRPage">
+<div id="SRIndex">
+<div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_hierarchy_5fnode">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../spp__ai_8h.html#a466391129919ef12366d311d501552fa" target="_parent">hierarchy_node</a>
+  <span class="SRScope">spp_ai.h</span>
+ </div>
+</div>
+<div class="SRStatus" id="Searching">Searching...</div>
+<div class="SRStatus" id="NoMatches">No Matches</div>
+<script type="text/javascript"><!--
+document.getElementById("Loading").style.display="none";
+document.getElementById("NoMatches").style.display="none";
+var searchResults = new SearchResults("searchResults");
+searchResults.Search();
+--></script>
+</div>
+</body>
+</html>
diff --git a/doc/html/search/typedefs_75.html b/doc/html/search/typedefs_75.html
index aa48425..f53a1f4 100644
--- a/doc/html/search/typedefs_75.html
+++ b/doc/html/search/typedefs_75.html
@@ -19,6 +19,12 @@
   <span class="SRScope">spp_ai.h</span>
  </div>
 </div>
+<div class="SRResult" id="SR_uint8_5ft">
+ <div class="SREntry">
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5" target="_parent">uint8_t</a>
+  <span class="SRScope">spp_ai.h</span>
+ </div>
+</div>
 <div class="SRStatus" id="Searching">Searching...</div>
 <div class="SRStatus" id="NoMatches">No Matches</div>
 <script type="text/javascript"><!--
diff --git a/doc/html/search/variables_5f.html b/doc/html/search/variables_5f.html
index be8fa09..4b3297a 100644
--- a/doc/html/search/variables_5f.html
+++ b/doc/html/search/variables_5f.html
@@ -7,12 +7,18 @@
 <body class="SRPage">
 <div id="SRIndex">
 <div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR__5fconfig">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../cluster_8c.html#a91458e2d34595688e39fcb63ba418849" target="_parent">_config</a>
+  <span class="SRScope">cluster.c</span>
+ </div>
+</div>
 <div class="SRResult" id="SR__5fdpd">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="javascript:searchResults.Toggle('SR__5fdpd')">_dpd</a>
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="javascript:searchResults.Toggle('SR__5fdpd')">_dpd</a>
   <div class="SRChildren">
-    <a id="Item0_c0" onkeydown="return searchResults.NavChild(event,0,0)" onkeypress="return searchResults.NavChild(event,0,0)" onkeyup="return searchResults.NavChild(event,0,0)" class="SRScope" href="../sf__dynamic__preproc__lib_8c.html#ab46420126c43c1aac5eabc5db266a71c" target="_parent">_dpd():&nbsp;sf_dynamic_preproc_lib.c</a>
-    <a id="Item0_c1" onkeydown="return searchResults.NavChild(event,0,1)" onkeypress="return searchResults.NavChild(event,0,1)" onkeyup="return searchResults.NavChild(event,0,1)" class="SRScope" href="../spp__ai_8c.html#ab46420126c43c1aac5eabc5db266a71c" target="_parent">_dpd():&nbsp;sf_dynamic_preproc_lib.c</a>
+    <a id="Item1_c0" onkeydown="return searchResults.NavChild(event,1,0)" onkeypress="return searchResults.NavChild(event,1,0)" onkeyup="return searchResults.NavChild(event,1,0)" class="SRScope" href="../sf__dynamic__preproc__lib_8c.html#ab46420126c43c1aac5eabc5db266a71c" target="_parent">_dpd():&nbsp;sf_dynamic_preproc_lib.c</a>
+    <a id="Item1_c1" onkeydown="return searchResults.NavChild(event,1,1)" onkeypress="return searchResults.NavChild(event,1,1)" onkeyup="return searchResults.NavChild(event,1,1)" class="SRScope" href="../spp__ai_8h.html#ab46420126c43c1aac5eabc5db266a71c" target="_parent">_dpd():&nbsp;sf_dynamic_preproc_lib.c</a>
   </div>
  </div>
 </div>
diff --git a/doc/html/search/variables_61.html b/doc/html/search/variables_61.html
new file mode 100644
index 0000000..219ba80
--- /dev/null
+++ b/doc/html/search/variables_61.html
@@ -0,0 +1,56 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html><head><title></title>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<link rel="stylesheet" type="text/css" href="search.css"/>
+<script type="text/javascript" src="search.js"></script>
+</head>
+<body class="SRPage">
+<div id="SRIndex">
+<div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_ack">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__AI__snort__alert.html#a2b185c678d3a7f1207b2119b0b567c37" target="_parent">ack</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_alert_5ffp">
+ <div class="SREntry">
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../alert__parser_8c.html#abee2a33368912d9288c76b51160a9ed6" target="_parent">alert_fp</a>
+  <span class="SRScope">alert_parser.c</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_alert_5flog">
+ <div class="SREntry">
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../cluster_8c.html#aaf4c19f60f48741b0890c6114dcff7d9" target="_parent">alert_log</a>
+  <span class="SRScope">cluster.c</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_alertclusteringinterval">
+ <div class="SREntry">
+  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../structAI__config.html#a7d0d098b8263aa3d8415b11d1ec7f93d" target="_parent">alertClusteringInterval</a>
+  <span class="SRScope">AI_config</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_alertfile">
+ <div class="SREntry">
+  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../structAI__config.html#a2efa9590d7eea6dce8b5dd9aa76ed8ca" target="_parent">alertfile</a>
+  <span class="SRScope">AI_config</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_alerts">
+ <div class="SREntry">
+  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../alert__parser_8c.html#ae837fc04e61c0eb052f997c54b4fd9fe" target="_parent">alerts</a>
+  <span class="SRScope">alert_parser.c</span>
+ </div>
+</div>
+<div class="SRStatus" id="Searching">Searching...</div>
+<div class="SRStatus" id="NoMatches">No Matches</div>
+<script type="text/javascript"><!--
+document.getElementById("Loading").style.display="none";
+document.getElementById("NoMatches").style.display="none";
+var searchResults = new SearchResults("searchResults");
+searchResults.Search();
+--></script>
+</div>
+</body>
+</html>
diff --git a/doc/html/search/variables_63.html b/doc/html/search/variables_63.html
new file mode 100644
index 0000000..4fa83be
--- /dev/null
+++ b/doc/html/search/variables_63.html
@@ -0,0 +1,44 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html><head><title></title>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<link rel="stylesheet" type="text/css" href="search.css"/>
+<script type="text/javascript" src="search.js"></script>
+</head>
+<body class="SRPage">
+<div id="SRIndex">
+<div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_children">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__hierarchy__node.html#afc23d4fe6426873164cdaab2f3d4f0cd" target="_parent">children</a>
+  <span class="SRScope">_hierarchy_node</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_classification">
+ <div class="SREntry">
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../struct__AI__snort__alert.html#aa89585e14acb2c4e684a1552d322632f" target="_parent">classification</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_clusterfile">
+ <div class="SREntry">
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../structAI__config.html#a6da02a3f7116fd3810a41b738e8883a3" target="_parent">clusterfile</a>
+  <span class="SRScope">AI_config</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_count">
+ <div class="SREntry">
+  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../structattribute__value.html#a5579c0304c2e9ab488ac94905b385045" target="_parent">count</a>
+  <span class="SRScope">attribute_value</span>
+ </div>
+</div>
+<div class="SRStatus" id="Searching">Searching...</div>
+<div class="SRStatus" id="NoMatches">No Matches</div>
+<script type="text/javascript"><!--
+document.getElementById("Loading").style.display="none";
+document.getElementById("NoMatches").style.display="none";
+var searchResults = new SearchResults("searchResults");
+searchResults.Search();
+--></script>
+</div>
+</body>
+</html>
diff --git a/doc/html/search/variables_64.html b/doc/html/search/variables_64.html
index 9b77f00..91d2f90 100644
--- a/doc/html/search/variables_64.html
+++ b/doc/html/search/variables_64.html
@@ -7,10 +7,25 @@
 <body class="SRPage">
 <div id="SRIndex">
 <div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_desc">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135" target="_parent">desc</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_dst_5faddr">
+ <div class="SREntry">
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../struct__AI__snort__alert.html#a69cc2ba171c8c808a0b45caa9426cd8c" target="_parent">dst_addr</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
 <div class="SRResult" id="SR_dst_5fport">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structpkt__key.html#af77f5eb1f4cd88b43fe99fd73553351d" target="_parent">dst_port</a>
-  <span class="SRScope">pkt_key</span>
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_dst_5fport')">dst_port</a>
+  <div class="SRChildren">
+    <a id="Item2_c0" onkeydown="return searchResults.NavChild(event,2,0)" onkeypress="return searchResults.NavChild(event,2,0)" onkeyup="return searchResults.NavChild(event,2,0)" class="SRScope" href="../structpkt__key.html#af77f5eb1f4cd88b43fe99fd73553351d" target="_parent">pkt_key::dst_port()</a>
+    <a id="Item2_c1" onkeydown="return searchResults.NavChild(event,2,1)" onkeypress="return searchResults.NavChild(event,2,1)" onkeyup="return searchResults.NavChild(event,2,1)" class="SRScope" href="../struct__AI__snort__alert.html#a6b323c07ae501d221e330e13646a96a3" target="_parent">_AI_snort_alert::dst_port()</a>
+  </div>
  </div>
 </div>
 <div class="SRStatus" id="Searching">Searching...</div>
diff --git a/doc/html/search/variables_67.html b/doc/html/search/variables_67.html
new file mode 100644
index 0000000..acc0a17
--- /dev/null
+++ b/doc/html/search/variables_67.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html><head><title></title>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<link rel="stylesheet" type="text/css" href="search.css"/>
+<script type="text/javascript" src="search.js"></script>
+</head>
+<body class="SRPage">
+<div id="SRIndex">
+<div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_gid">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__AI__snort__alert.html#af8408be5da59cda853442dd13465c0f6" target="_parent">gid</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_grouped_5falarms_5fcount">
+ <div class="SREntry">
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../struct__AI__snort__alert.html#a285aff12d6bac03c316ccc5305d28e53" target="_parent">grouped_alarms_count</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
+<div class="SRStatus" id="Searching">Searching...</div>
+<div class="SRStatus" id="NoMatches">No Matches</div>
+<script type="text/javascript"><!--
+document.getElementById("Loading").style.display="none";
+document.getElementById("NoMatches").style.display="none";
+var searchResults = new SearchResults("searchResults");
+searchResults.Search();
+--></script>
+</div>
+</body>
+</html>
diff --git a/doc/html/search/variables_68.html b/doc/html/search/variables_68.html
index 46500ff..61fd90a 100644
--- a/doc/html/search/variables_68.html
+++ b/doc/html/search/variables_68.html
@@ -7,22 +7,37 @@
 <body class="SRPage">
 <div id="SRIndex">
 <div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_h_5fnode">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__AI__snort__alert.html#ac53765584296ead1328eabfaba8a3aed" target="_parent">h_node</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_h_5froot">
+ <div class="SREntry">
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../cluster_8c.html#a97d35425cf5a0207fb50b64ee8cdda82" target="_parent">h_root</a>
+  <span class="SRScope">cluster.c</span>
+ </div>
+</div>
 <div class="SRResult" id="SR_hash">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../stream_8c.html#a96fbc549c67e0d852ced3cb72980e923" target="_parent">hash</a>
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../stream_8c.html#a57e23cda853e9d11c37723a962ef2f68" target="_parent">hash</a>
   <span class="SRScope">stream.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR_hashcleanupinterval">
  <div class="SREntry">
-  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../struct__AI__config.html#a890e6756dc637e9d41b7051a4d1ddc93" target="_parent">hashCleanupInterval</a>
-  <span class="SRScope">_AI_config</span>
+  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../structAI__config.html#a9f7680615027d4fb74b4aa144a7028a4" target="_parent">hashCleanupInterval</a>
+  <span class="SRScope">AI_config</span>
  </div>
 </div>
 <div class="SRResult" id="SR_hh">
  <div class="SREntry">
-  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../structpkt__info.html#a264e90d4b5d490de040f38c1072e142f" target="_parent">hh</a>
-  <span class="SRScope">pkt_info</span>
+  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_hh')">hh</a>
+  <div class="SRChildren">
+    <a id="Item4_c0" onkeydown="return searchResults.NavChild(event,4,0)" onkeypress="return searchResults.NavChild(event,4,0)" onkeyup="return searchResults.NavChild(event,4,0)" class="SRScope" href="../structattribute__value.html#a9abf5d1758ee0cc4803e3b40fc4481cc" target="_parent">attribute_value::hh()</a>
+    <a id="Item4_c1" onkeydown="return searchResults.NavChild(event,4,1)" onkeypress="return searchResults.NavChild(event,4,1)" onkeyup="return searchResults.NavChild(event,4,1)" class="SRScope" href="../structpkt__info.html#a264e90d4b5d490de040f38c1072e142f" target="_parent">pkt_info::hh()</a>
+  </div>
  </div>
 </div>
 <div class="SRStatus" id="Searching">Searching...</div>
diff --git a/doc/html/search/variables_69.html b/doc/html/search/variables_69.html
new file mode 100644
index 0000000..ec04f4b
--- /dev/null
+++ b/doc/html/search/variables_69.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html><head><title></title>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<link rel="stylesheet" type="text/css" href="search.css"/>
+<script type="text/javascript" src="search.js"></script>
+</head>
+<body class="SRPage">
+<div id="SRIndex">
+<div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_id">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__AI__snort__alert.html#a45e4acf90450a5f9efd4e0c290f84bcf" target="_parent">id</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_iplen">
+ <div class="SREntry">
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../struct__AI__snort__alert.html#a523ef8842d01a1bc4ea3c0bf27518e78" target="_parent">iplen</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_ipproto">
+ <div class="SREntry">
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../struct__AI__snort__alert.html#a2a5f2741918c3c13890f2b617a7f23a4" target="_parent">ipproto</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
+<div class="SRStatus" id="Searching">Searching...</div>
+<div class="SRStatus" id="NoMatches">No Matches</div>
+<script type="text/javascript"><!--
+document.getElementById("Loading").style.display="none";
+document.getElementById("NoMatches").style.display="none";
+var searchResults = new SearchResults("searchResults");
+searchResults.Search();
+--></script>
+</div>
+</body>
+</html>
diff --git a/doc/html/search/variables_6b.html b/doc/html/search/variables_6b.html
index 765184f..2fda50e 100644
--- a/doc/html/search/variables_6b.html
+++ b/doc/html/search/variables_6b.html
@@ -9,8 +9,11 @@
 <div class="SRStatus" id="Loading">Loading...</div>
 <div class="SRResult" id="SR_key">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339" target="_parent">key</a>
-  <span class="SRScope">pkt_info</span>
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_key')">key</a>
+  <div class="SRChildren">
+    <a id="Item0_c0" onkeydown="return searchResults.NavChild(event,0,0)" onkeypress="return searchResults.NavChild(event,0,0)" onkeyup="return searchResults.NavChild(event,0,0)" class="SRScope" href="../structattribute__value.html#aa8b5ae41c150e4fefb800d3b1924278d" target="_parent">attribute_value::key()</a>
+    <a id="Item0_c1" onkeydown="return searchResults.NavChild(event,0,1)" onkeypress="return searchResults.NavChild(event,0,1)" onkeyup="return searchResults.NavChild(event,0,1)" class="SRScope" href="../structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339" target="_parent">pkt_info::key()</a>
+  </div>
  </div>
 </div>
 <div class="SRStatus" id="Searching">Searching...</div>
diff --git a/doc/html/search/variables_6c.html b/doc/html/search/variables_6c.html
new file mode 100644
index 0000000..1eab44a
--- /dev/null
+++ b/doc/html/search/variables_6c.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html><head><title></title>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<link rel="stylesheet" type="text/css" href="search.css"/>
+<script type="text/javascript" src="search.js"></script>
+</head>
+<body class="SRPage">
+<div id="SRIndex">
+<div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_label">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__hierarchy__node.html#ae498f6fd14ca058a3ae0a95d5425451a" target="_parent">label</a>
+  <span class="SRScope">_hierarchy_node</span>
+ </div>
+</div>
+<div class="SRStatus" id="Searching">Searching...</div>
+<div class="SRStatus" id="NoMatches">No Matches</div>
+<script type="text/javascript"><!--
+document.getElementById("Loading").style.display="none";
+document.getElementById("NoMatches").style.display="none";
+var searchResults = new SearchResults("searchResults");
+searchResults.Search();
+--></script>
+</div>
+</body>
+</html>
diff --git a/doc/html/search/variables_6d.html b/doc/html/search/variables_6d.html
new file mode 100644
index 0000000..88c2635
--- /dev/null
+++ b/doc/html/search/variables_6d.html
@@ -0,0 +1,44 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html><head><title></title>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<link rel="stylesheet" type="text/css" href="search.css"/>
+<script type="text/javascript" src="search.js"></script>
+</head>
+<body class="SRPage">
+<div id="SRIndex">
+<div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_max">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structattribute__key.html#a82b7e5ac49820b816871a4ddf30c462d" target="_parent">max</a>
+  <span class="SRScope">attribute_key</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_max_5fval">
+ <div class="SREntry">
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../struct__hierarchy__node.html#a79ea88029938dc30ab8f159405d12c87" target="_parent">max_val</a>
+  <span class="SRScope">_hierarchy_node</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_min">
+ <div class="SREntry">
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../structattribute__key.html#a4fdb3d7aabeac6b1052b59e05e3d8842" target="_parent">min</a>
+  <span class="SRScope">attribute_key</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_min_5fval">
+ <div class="SREntry">
+  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../struct__hierarchy__node.html#a13ceebd7b435b9ef347fb90d9e6bbfe4" target="_parent">min_val</a>
+  <span class="SRScope">_hierarchy_node</span>
+ </div>
+</div>
+<div class="SRStatus" id="Searching">Searching...</div>
+<div class="SRStatus" id="NoMatches">No Matches</div>
+<script type="text/javascript"><!--
+document.getElementById("Loading").style.display="none";
+document.getElementById("NoMatches").style.display="none";
+var searchResults = new SearchResults("searchResults");
+searchResults.Search();
+--></script>
+</div>
+</body>
+</html>
diff --git a/doc/html/search/variables_6e.html b/doc/html/search/variables_6e.html
index 7db4670..8998883 100644
--- a/doc/html/search/variables_6e.html
+++ b/doc/html/search/variables_6e.html
@@ -7,10 +7,19 @@
 <body class="SRPage">
 <div id="SRIndex">
 <div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_nchildren">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__hierarchy__node.html#a849256ce1039e2cefaaf64d91171be0a" target="_parent">nchildren</a>
+  <span class="SRScope">_hierarchy_node</span>
+ </div>
+</div>
 <div class="SRResult" id="SR_next">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168" target="_parent">next</a>
-  <span class="SRScope">pkt_info</span>
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_next')">next</a>
+  <div class="SRChildren">
+    <a id="Item1_c0" onkeydown="return searchResults.NavChild(event,1,0)" onkeypress="return searchResults.NavChild(event,1,0)" onkeyup="return searchResults.NavChild(event,1,0)" class="SRScope" href="../structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168" target="_parent">pkt_info::next()</a>
+    <a id="Item1_c1" onkeydown="return searchResults.NavChild(event,1,1)" onkeypress="return searchResults.NavChild(event,1,1)" onkeyup="return searchResults.NavChild(event,1,1)" class="SRScope" href="../struct__AI__snort__alert.html#aa8336d4b3359015ed8ea312ca1fd1173" target="_parent">_AI_snort_alert::next()</a>
+  </div>
  </div>
 </div>
 <div class="SRStatus" id="Searching">Searching...</div>
diff --git a/doc/html/search/variables_6f.html b/doc/html/search/variables_6f.html
new file mode 100644
index 0000000..16cdef2
--- /dev/null
+++ b/doc/html/search/variables_6f.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html><head><title></title>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<link rel="stylesheet" type="text/css" href="search.css"/>
+<script type="text/javascript" src="search.js"></script>
+</head>
+<body class="SRPage">
+<div id="SRIndex">
+<div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_observed">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structpkt__info.html#ac7ff78ea5faf333fc91f92e3085ea7c9" target="_parent">observed</a>
+  <span class="SRScope">pkt_info</span>
+ </div>
+</div>
+<div class="SRStatus" id="Searching">Searching...</div>
+<div class="SRStatus" id="NoMatches">No Matches</div>
+<script type="text/javascript"><!--
+document.getElementById("Loading").style.display="none";
+document.getElementById("NoMatches").style.display="none";
+var searchResults = new SearchResults("searchResults");
+searchResults.Search();
+--></script>
+</div>
+</body>
+</html>
diff --git a/doc/html/search/variables_70.html b/doc/html/search/variables_70.html
index bffc90b..954887c 100644
--- a/doc/html/search/variables_70.html
+++ b/doc/html/search/variables_70.html
@@ -7,22 +7,28 @@
 <body class="SRPage">
 <div id="SRIndex">
 <div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_parent">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__hierarchy__node.html#a5c94c89d7e2aea393f1c550afb766bbe" target="_parent">parent</a>
+  <span class="SRScope">_hierarchy_node</span>
+ </div>
+</div>
 <div class="SRResult" id="SR_parserpolicyid">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../sfPolicyUserData_8c.html#a0a415b8e70250b11e64a463134d00b4f" target="_parent">parserPolicyId</a>
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../sfPolicyUserData_8c.html#a0a415b8e70250b11e64a463134d00b4f" target="_parent">parserPolicyId</a>
   <span class="SRScope">sfPolicyUserData.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR_pkt">
  <div class="SREntry">
-  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../structpkt__info.html#a8d5ebd04a32067b05387e5c5056fe168" target="_parent">pkt</a>
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../structpkt__info.html#a8d5ebd04a32067b05387e5c5056fe168" target="_parent">pkt</a>
   <span class="SRScope">pkt_info</span>
  </div>
 </div>
-<div class="SRResult" id="SR_porttocheck">
+<div class="SRResult" id="SR_priority">
  <div class="SREntry">
-  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../struct__AI__config.html#ab22e082ad6637f6280134e882bf53b0d" target="_parent">portToCheck</a>
-  <span class="SRScope">_AI_config</span>
+  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9" target="_parent">priority</a>
+  <span class="SRScope">_AI_snort_alert</span>
  </div>
 </div>
 <div class="SRStatus" id="Searching">Searching...</div>
diff --git a/doc/html/search/variables_72.html b/doc/html/search/variables_72.html
index 02e5703..6545c2c 100644
--- a/doc/html/search/variables_72.html
+++ b/doc/html/search/variables_72.html
@@ -7,9 +7,15 @@
 <body class="SRPage">
 <div id="SRIndex">
 <div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_rev">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__AI__snort__alert.html#a864d3baa48586d6a31639f4cd27d9d37" target="_parent">rev</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
 <div class="SRResult" id="SR_runtimepolicyid">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../sfPolicyUserData_8c.html#a281b418c0dc978a74cd7ab5e46ee0fa4" target="_parent">runtimePolicyId</a>
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../sfPolicyUserData_8c.html#a281b418c0dc978a74cd7ab5e46ee0fa4" target="_parent">runtimePolicyId</a>
   <span class="SRScope">sfPolicyUserData.c</span>
  </div>
 </div>
diff --git a/doc/html/search/variables_73.html b/doc/html/search/variables_73.html
index 6ce91b2..2b8daa9 100644
--- a/doc/html/search/variables_73.html
+++ b/doc/html/search/variables_73.html
@@ -7,16 +7,52 @@
 <body class="SRPage">
 <div id="SRIndex">
 <div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_sequence">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__AI__snort__alert.html#acb20c4c55149d5806d7523720786ab77" target="_parent">sequence</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_sid">
+ <div class="SREntry">
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../struct__AI__snort__alert.html#a3349aa68d2234f8ffd897367c3a8a137" target="_parent">sid</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_src_5faddr">
+ <div class="SREntry">
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../struct__AI__snort__alert.html#ab16a24f368020e4b40e65b53cae33b48" target="_parent">src_addr</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
 <div class="SRResult" id="SR_src_5fip">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structpkt__key.html#a3a091c20dafb8b3f689db00c5b2f8ddb" target="_parent">src_ip</a>
+  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../structpkt__key.html#a3a091c20dafb8b3f689db00c5b2f8ddb" target="_parent">src_ip</a>
   <span class="SRScope">pkt_key</span>
  </div>
 </div>
+<div class="SRResult" id="SR_src_5fport">
+ <div class="SREntry">
+  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../struct__AI__snort__alert.html#a856cccd3eaabd38aa9974f26d3edc5e3" target="_parent">src_port</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_start_5ftime">
+ <div class="SREntry">
+  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../stream_8c.html#a0597864b078ff448f28432db86950309" target="_parent">start_time</a>
+  <span class="SRScope">stream.c</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_stream">
+ <div class="SREntry">
+  <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../struct__AI__snort__alert.html#a09dfe0a841fd3912ec78060d4547cb31" target="_parent">stream</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
 <div class="SRResult" id="SR_streamexpireinterval">
  <div class="SREntry">
-  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../struct__AI__config.html#a338358f23bf15f567a015a99d892c8e7" target="_parent">streamExpireInterval</a>
-  <span class="SRScope">_AI_config</span>
+  <a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../structAI__config.html#abbe77d5f94b8c5164bea47acba09c98b" target="_parent">streamExpireInterval</a>
+  <span class="SRScope">AI_config</span>
  </div>
 </div>
 <div class="SRStatus" id="Searching">Searching...</div>
diff --git a/doc/html/search/variables_74.html b/doc/html/search/variables_74.html
index 08f5c5a..9c5fdbe 100644
--- a/doc/html/search/variables_74.html
+++ b/doc/html/search/variables_74.html
@@ -7,10 +7,46 @@
 <body class="SRPage">
 <div id="SRIndex">
 <div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_tcp_5fflags">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__AI__snort__alert.html#aa643f11db93b70242b57f0a04775e507" target="_parent">tcp_flags</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_tcplen">
+ <div class="SREntry">
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../struct__AI__snort__alert.html#a519a103f5e8f1cb006c0c137b7c6a1c0" target="_parent">tcplen</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
 <div class="SRResult" id="SR_timestamp">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structpkt__info.html#a7f5090443f21e6290f0439f1bb872e92" target="_parent">timestamp</a>
-  <span class="SRScope">pkt_info</span>
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_timestamp')">timestamp</a>
+  <div class="SRChildren">
+    <a id="Item2_c0" onkeydown="return searchResults.NavChild(event,2,0)" onkeypress="return searchResults.NavChild(event,2,0)" onkeyup="return searchResults.NavChild(event,2,0)" class="SRScope" href="../structpkt__info.html#a7f5090443f21e6290f0439f1bb872e92" target="_parent">pkt_info::timestamp()</a>
+    <a id="Item2_c1" onkeydown="return searchResults.NavChild(event,2,1)" onkeypress="return searchResults.NavChild(event,2,1)" onkeyup="return searchResults.NavChild(event,2,1)" class="SRScope" href="../struct__AI__snort__alert.html#a10a67f60ca3da339a2104849a0b2ac19" target="_parent">_AI_snort_alert::timestamp()</a>
+  </div>
+ </div>
+</div>
+<div class="SRResult" id="SR_tos">
+ <div class="SREntry">
+  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../struct__AI__snort__alert.html#a882ae6db43dc0fe08071947ccb044b93" target="_parent">tos</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_ttl">
+ <div class="SREntry">
+  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../struct__AI__snort__alert.html#ab9b1ce8ee440a324af116403ac9c51a2" target="_parent">ttl</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_type">
+ <div class="SREntry">
+  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_type')">type</a>
+  <div class="SRChildren">
+    <a id="Item5_c0" onkeydown="return searchResults.NavChild(event,5,0)" onkeypress="return searchResults.NavChild(event,5,0)" onkeyup="return searchResults.NavChild(event,5,0)" class="SRScope" href="../structattribute__value.html#a5322c4edde771a7ee0d9fc5f5e45484c" target="_parent">attribute_value::type()</a>
+    <a id="Item5_c1" onkeydown="return searchResults.NavChild(event,5,1)" onkeypress="return searchResults.NavChild(event,5,1)" onkeyup="return searchResults.NavChild(event,5,1)" class="SRScope" href="../struct__hierarchy__node.html#a3b18e3ddfa2212c5e4ff9c0b4bde4296" target="_parent">_hierarchy_node::type()</a>
+  </div>
  </div>
 </div>
 <div class="SRStatus" id="Searching">Searching...</div>
diff --git a/doc/html/search/variables_77.html b/doc/html/search/variables_77.html
new file mode 100644
index 0000000..4410960
--- /dev/null
+++ b/doc/html/search/variables_77.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html><head><title></title>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<link rel="stylesheet" type="text/css" href="search.css"/>
+<script type="text/javascript" src="search.js"></script>
+</head>
+<body class="SRPage">
+<div id="SRIndex">
+<div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_window">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__AI__snort__alert.html#a63e94be3d248cf4beb0d4d5ab75331b1" target="_parent">window</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
+<div class="SRStatus" id="Searching">Searching...</div>
+<div class="SRStatus" id="NoMatches">No Matches</div>
+<script type="text/javascript"><!--
+document.getElementById("Loading").style.display="none";
+document.getElementById("NoMatches").style.display="none";
+var searchResults = new SearchResults("searchResults");
+searchResults.Search();
+--></script>
+</div>
+</body>
+</html>
diff --git a/doc/html/sfPolicyUserData_8c.html b/doc/html/sfPolicyUserData_8c.html
index dcd82e5..2e2e07f 100644
--- a/doc/html/sfPolicyUserData_8c.html
+++ b/doc/html/sfPolicyUserData_8c.html
@@ -112,7 +112,7 @@ Variables</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Wed Aug 4 2010 11:30:57 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/sf__dynamic__preproc__lib_8c.html b/doc/html/sf__dynamic__preproc__lib_8c.html
index 70a8444..edcaac5 100644
--- a/doc/html/sf__dynamic__preproc__lib_8c.html
+++ b/doc/html/sf__dynamic__preproc__lib_8c.html
@@ -145,7 +145,7 @@ Variables</h2></td></tr>
 <div class="memproto">
       <table class="memname">
         <tr>
-          <td class="memname">DynamicPreprocessorData <a class="el" href="spp__ai_8c.html#ab46420126c43c1aac5eabc5db266a71c">_dpd</a></td>
+          <td class="memname">DynamicPreprocessorData <a class="el" href="spp__ai_8h.html#ab46420126c43c1aac5eabc5db266a71c">_dpd</a></td>
         </tr>
       </table>
 </div>
@@ -168,7 +168,7 @@ Variables</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Wed Aug 4 2010 11:30:57 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/sf__preproc__info_8h.html b/doc/html/sf__preproc__info_8h.html
index a9ccc96..6d147e2 100644
--- a/doc/html/sf__preproc__info_8h.html
+++ b/doc/html/sf__preproc__info_8h.html
@@ -171,7 +171,7 @@ Functions</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Wed Aug 4 2010 11:30:57 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/sf__preproc__info_8h_source.html b/doc/html/sf__preproc__info_8h_source.html
index f8ff46b..af69ed8 100644
--- a/doc/html/sf__preproc__info_8h_source.html
+++ b/doc/html/sf__preproc__info_8h_source.html
@@ -78,7 +78,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Wed Aug 4 2010 11:30:57 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/spp__ai_8c.html b/doc/html/spp__ai_8c.html
index d53f048..6c3e505 100644
--- a/doc/html/spp__ai_8c.html
+++ b/doc/html/spp__ai_8c.html
@@ -47,7 +47,6 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </div>
 <div class="header">
   <div class="summary">
-<a href="#define-members">Defines</a> &#124;
 <a href="#func-members">Functions</a> &#124;
 <a href="#var-members">Variables</a>  </div>
   <div class="headertitle">
@@ -55,106 +54,25 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </div>
 <div class="contents">
 <code>#include &quot;<a class="el" href="spp__ai_8h_source.html">spp_ai.h</a>&quot;</code><br/>
-<code>#include &quot;preprocids.h&quot;</code><br/>
-<code>#include &quot;sf_dynamic_preproc_lib.h&quot;</code><br/>
-<code>#include &quot;sf_dynamic_preprocessor.h&quot;</code><br/>
-<code>#include &quot;debug.h&quot;</code><br/>
-<code>#include &quot;sfPolicy.h&quot;</code><br/>
 <code>#include &quot;sfPolicyUserData.h&quot;</code><br/>
-<code>#include &lt;sys/types.h&gt;</code><br/>
 <code>#include &lt;stdlib.h&gt;</code><br/>
-<code>#include &lt;ctype.h&gt;</code><br/>
 <code>#include &lt;string.h&gt;</code><br/>
 <code>#include &lt;pthread.h&gt;</code><br/>
 <table class="memberdecls">
-<tr><td colspan="2"><h2><a name="define-members"></a>
-Defines</h2></td></tr>
-<tr><td class="memItemLeft" align="right" valign="top">#define&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8c.html#a9e7d446fc8b40be2cfbb5c69c3e132ca">GENERATOR_EXAMPLE</a>&nbsp;&nbsp;&nbsp;256</td></tr>
-<tr><td class="memItemLeft" align="right" valign="top">#define&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8c.html#af4c767ae0346026264c851108f42be63">SRC_PORT_MATCH</a>&nbsp;&nbsp;&nbsp;1</td></tr>
-<tr><td class="memItemLeft" align="right" valign="top">#define&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8c.html#a3ec4dd8f1ebed73c13175d9b9c820e2e">SRC_PORT_MATCH_STR</a>&nbsp;&nbsp;&nbsp;&quot;example_preprocessor: src port match&quot;</td></tr>
-<tr><td class="memItemLeft" align="right" valign="top">#define&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8c.html#a8ab13e8ad1dfd19b9237a99ae6130146">DST_PORT_MATCH</a>&nbsp;&nbsp;&nbsp;2</td></tr>
-<tr><td class="memItemLeft" align="right" valign="top">#define&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8c.html#a1f3521b9bcf5daf99190be58473a4110">DST_PORT_MATCH_STR</a>&nbsp;&nbsp;&nbsp;&quot;example_preprocessor: dest port match&quot;</td></tr>
 <tr><td colspan="2"><h2><a name="func-members"></a>
 Functions</h2></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">static void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8c.html#a3524cbdf8fddbcf38c4ed55241002242">AI_init</a> (char *args)</td></tr>
 <tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Initialize the preprocessor module.  <a href="#a3524cbdf8fddbcf38c4ed55241002242"></a><br/></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">static void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8c.html#a57c05cda012c443cb4c358dc327cd3d1">AI_process</a> (void *pkt, void *context)</td></tr>
 <tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Function executed every time the module receives a packet to be processed.  <a href="#a57c05cda012c443cb4c358dc327cd3d1"></a><br/></td></tr>
-<tr><td class="memItemLeft" align="right" valign="top">static <a class="el" href="struct__AI__config.html">AI_config</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8c.html#ae1c5c4b38ee2819d427848eb3046373e">AI_parse</a> (char *args)</td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">static <a class="el" href="structAI__config.html">AI_config</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8c.html#ae1c5c4b38ee2819d427848eb3046373e">AI_parse</a> (char *args)</td></tr>
 <tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Parse the arguments passed to the module saving them to a valid configuration struct.  <a href="#ae1c5c4b38ee2819d427848eb3046373e"></a><br/></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8c.html#a1b9ebb5c719c7d9426ddfc1f3da36570">AI_setup</a> (void)</td></tr>
 <tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Set up the preprocessor module.  <a href="#a1b9ebb5c719c7d9426ddfc1f3da36570"></a><br/></td></tr>
 <tr><td colspan="2"><h2><a name="var-members"></a>
 Variables</h2></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">tSfPolicyUserContextId&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8c.html#a3dd75596c540d148643fe6d1fdc02628">ex_config</a> = NULL</td></tr>
-<tr><td class="memItemLeft" align="right" valign="top">DynamicPreprocessorData&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8c.html#ab46420126c43c1aac5eabc5db266a71c">_dpd</a></td></tr>
 </table>
-<hr/><h2>Define Documentation</h2>
-<a class="anchor" id="a8ab13e8ad1dfd19b9237a99ae6130146"></a><!-- doxytag: member="spp_ai.c::DST_PORT_MATCH" ref="a8ab13e8ad1dfd19b9237a99ae6130146" args="" -->
-<div class="memitem">
-<div class="memproto">
-      <table class="memname">
-        <tr>
-          <td class="memname">#define DST_PORT_MATCH&nbsp;&nbsp;&nbsp;2</td>
-        </tr>
-      </table>
-</div>
-<div class="memdoc">
-
-</div>
-</div>
-<a class="anchor" id="a1f3521b9bcf5daf99190be58473a4110"></a><!-- doxytag: member="spp_ai.c::DST_PORT_MATCH_STR" ref="a1f3521b9bcf5daf99190be58473a4110" args="" -->
-<div class="memitem">
-<div class="memproto">
-      <table class="memname">
-        <tr>
-          <td class="memname">#define DST_PORT_MATCH_STR&nbsp;&nbsp;&nbsp;&quot;example_preprocessor: dest port match&quot;</td>
-        </tr>
-      </table>
-</div>
-<div class="memdoc">
-
-</div>
-</div>
-<a class="anchor" id="a9e7d446fc8b40be2cfbb5c69c3e132ca"></a><!-- doxytag: member="spp_ai.c::GENERATOR_EXAMPLE" ref="a9e7d446fc8b40be2cfbb5c69c3e132ca" args="" -->
-<div class="memitem">
-<div class="memproto">
-      <table class="memname">
-        <tr>
-          <td class="memname">#define GENERATOR_EXAMPLE&nbsp;&nbsp;&nbsp;256</td>
-        </tr>
-      </table>
-</div>
-<div class="memdoc">
-
-</div>
-</div>
-<a class="anchor" id="af4c767ae0346026264c851108f42be63"></a><!-- doxytag: member="spp_ai.c::SRC_PORT_MATCH" ref="af4c767ae0346026264c851108f42be63" args="" -->
-<div class="memitem">
-<div class="memproto">
-      <table class="memname">
-        <tr>
-          <td class="memname">#define SRC_PORT_MATCH&nbsp;&nbsp;&nbsp;1</td>
-        </tr>
-      </table>
-</div>
-<div class="memdoc">
-
-</div>
-</div>
-<a class="anchor" id="a3ec4dd8f1ebed73c13175d9b9c820e2e"></a><!-- doxytag: member="spp_ai.c::SRC_PORT_MATCH_STR" ref="a3ec4dd8f1ebed73c13175d9b9c820e2e" args="" -->
-<div class="memitem">
-<div class="memproto">
-      <table class="memname">
-        <tr>
-          <td class="memname">#define SRC_PORT_MATCH_STR&nbsp;&nbsp;&nbsp;&quot;example_preprocessor: src port match&quot;</td>
-        </tr>
-      </table>
-</div>
-<div class="memdoc">
-
-</div>
-</div>
 <hr/><h2>Function Documentation</h2>
 <a class="anchor" id="a3524cbdf8fddbcf38c4ed55241002242"></a><!-- doxytag: member="spp_ai.c::AI_init" ref="a3524cbdf8fddbcf38c4ed55241002242" args="(char *args)" -->
 <div class="memitem">
@@ -188,7 +106,7 @@ Variables</h2></td></tr>
 <div class="memproto">
       <table class="memname">
         <tr>
-          <td class="memname">static <a class="el" href="struct__AI__config.html">AI_config</a> * AI_parse </td>
+          <td class="memname">static <a class="el" href="structAI__config.html">AI_config</a> * AI_parse </td>
           <td>(</td>
           <td class="paramtype">char *&nbsp;</td>
           <td class="paramname"> <em>args</em></td>
@@ -200,14 +118,14 @@ Variables</h2></td></tr>
 <div class="memdoc">
 
 <p>Parse the arguments passed to the module saving them to a valid configuration struct. </p>
-<p>FUNCTION: AI_config </p>
+<p>FUNCTION: <a class="el" href="structAI__config.html">AI_config</a> </p>
 <dl><dt><b>Parameters:</b></dt><dd>
   <table border="0" cellspacing="2" cellpadding="0">
     <tr><td valign="top"></td><td valign="top"><em>args</em>&nbsp;</td><td>Arguments passed to the module </td></tr>
   </table>
   </dd>
 </dl>
-<dl class="return"><dt><b>Returns:</b></dt><dd>Pointer to AI_config keeping the configuration for the module </dd></dl>
+<dl class="return"><dt><b>Returns:</b></dt><dd>Pointer to <a class="el" href="structAI__config.html">AI_config</a> keeping the configuration for the module </dd></dl>
 
 </div>
 </div>
@@ -270,19 +188,6 @@ Variables</h2></td></tr>
 </div>
 </div>
 <hr/><h2>Variable Documentation</h2>
-<a class="anchor" id="ab46420126c43c1aac5eabc5db266a71c"></a><!-- doxytag: member="spp_ai.c::_dpd" ref="ab46420126c43c1aac5eabc5db266a71c" args="" -->
-<div class="memitem">
-<div class="memproto">
-      <table class="memname">
-        <tr>
-          <td class="memname">DynamicPreprocessorData <a class="el" href="spp__ai_8c.html#ab46420126c43c1aac5eabc5db266a71c">_dpd</a></td>
-        </tr>
-      </table>
-</div>
-<div class="memdoc">
-
-</div>
-</div>
 <a class="anchor" id="a3dd75596c540d148643fe6d1fdc02628"></a><!-- doxytag: member="spp_ai.c::ex_config" ref="a3dd75596c540d148643fe6d1fdc02628" args="" -->
 <div class="memitem">
 <div class="memproto">
@@ -311,7 +216,7 @@ Variables</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Wed Aug 4 2010 11:30:57 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/spp__ai_8h.html b/doc/html/spp__ai_8h.html
index ecbf4f0..edccb45 100644
--- a/doc/html/spp__ai_8h.html
+++ b/doc/html/spp__ai_8h.html
@@ -48,44 +48,181 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 <div class="header">
   <div class="summary">
 <a href="#nested-classes">Data Structures</a> &#124;
+<a href="#define-members">Defines</a> &#124;
 <a href="#typedef-members">Typedefs</a> &#124;
 <a href="#enum-members">Enumerations</a> &#124;
-<a href="#func-members">Functions</a>  </div>
+<a href="#func-members">Functions</a> &#124;
+<a href="#var-members">Variables</a>  </div>
   <div class="headertitle">
 <h1>spp_ai.h File Reference</h1>  </div>
 </div>
 <div class="contents">
 <code>#include &quot;sf_snort_packet.h&quot;</code><br/>
+<code>#include &quot;sf_dynamic_preprocessor.h&quot;</code><br/>
+<code>#include &quot;uthash.h&quot;</code><br/>
 
 <p><a href="spp__ai_8h_source.html">Go to the source code of this file.</a></p>
 <table class="memberdecls">
 <tr><td colspan="2"><h2><a name="nested-classes"></a>
 Data Structures</h2></td></tr>
-<tr><td class="memItemLeft" align="right" valign="top">struct &nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__config.html">_AI_config</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">struct &nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structpkt__key.html">pkt_key</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">struct &nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structpkt__info.html">pkt_info</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">struct &nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html">AI_config</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">struct &nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__hierarchy__node.html">_hierarchy_node</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">struct &nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html">_AI_snort_alert</a></td></tr>
+<tr><td colspan="2"><h2><a name="define-members"></a>
+Defines</h2></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">#define&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a5e151c615eda34903514212f05a5ccf8">PRIVATE</a>&nbsp;&nbsp;&nbsp;static</td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">#define&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a5f555c0ebd29ce2771a3e2dd4f526746">DEFAULT_HASH_CLEANUP_INTERVAL</a>&nbsp;&nbsp;&nbsp;300</td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">#define&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a0f6a189af15ef783fb46ed37c144e031">DEFAULT_STREAM_EXPIRE_INTERVAL</a>&nbsp;&nbsp;&nbsp;300</td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">#define&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a0c4b6fce670e46083e33b9f53b78f39e">DEFAULT_ALERT_CLUSTERING_INTERVAL</a>&nbsp;&nbsp;&nbsp;3600</td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">#define&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a6d9bf552c32371e0144dc6a6209c7e4a">DEFAULT_ALERT_LOG_FILE</a>&nbsp;&nbsp;&nbsp;&quot;/var/log/snort/alert&quot;</td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">#define&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a803dc913297ccdace9e604dbfecda97d">DEFAULT_CLUSTER_LOG_FILE</a>&nbsp;&nbsp;&nbsp;&quot;/var/log/snort/cluster_alert&quot;</td></tr>
 <tr><td colspan="2"><h2><a name="typedef-members"></a>
 Typedefs</h2></td></tr>
-<tr><td class="memItemLeft" align="right" valign="top">typedef unsigned int&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">typedef unsigned char&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">typedef unsigned short&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a></td></tr>
-<tr><td class="memItemLeft" align="right" valign="top">typedef struct <a class="el" href="struct__AI__config.html">_AI_config</a>&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a3fc526e5a55f5d137402b1bbd1b6072c">AI_config</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">typedef unsigned int&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">typedef struct <a class="el" href="struct__hierarchy__node.html">_hierarchy_node</a>&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a466391129919ef12366d311d501552fa">hierarchy_node</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">typedef struct <a class="el" href="struct__AI__snort__alert.html">_AI_snort_alert</a>&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a982be90e72362e88d09f28336c9a1897">AI_snort_alert</a></td></tr>
 <tr><td colspan="2"><h2><a name="enum-members"></a>
 Enumerations</h2></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">enum &nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18dd">BOOL</a> { <a class="el" href="spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18ddae9de385ef6fe9bf3360d1038396b884c">false</a>, 
 <a class="el" href="spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18dda08f175a5505a10b9ed657defeb050e4b">true</a>
  }</td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">enum &nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640">cluster_type</a> { <br/>
+&nbsp;&nbsp;<a class="el" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ab7e4e0120a041dbe6528b050c04269e0">none</a>, 
+<a class="el" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640abc900639df18f0f5f2f63a1f033fe42f">src_addr</a>, 
+<a class="el" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640aa000f955ef1374c60cdb16bf43a1593c">dst_addr</a>, 
+<a class="el" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ac1335c508143eb06843af2ce5ff3027b">src_port</a>, 
+<br/>
+&nbsp;&nbsp;<a class="el" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640abc4f89a184ada44073bd6f54d7fc11c9">dst_port</a>, 
+<a class="el" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ab16bb5c4b330d5db02e2d852cd2ba451">CLUSTER_TYPES</a>
+<br/>
+ }</td></tr>
 <tr><td colspan="2"><h2><a name="func-members"></a>
 Functions</h2></td></tr>
-<tr><td class="memItemLeft" align="right" valign="top">void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#af6f7d167c3623bbc669e8d31c2719b29">AI_pkt_enqueue</a> (SFSnortPacket *)</td></tr>
-<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Function called for appending a new packet to the hash table, creating a new stream or appending it to an existing stream.  <a href="#af6f7d167c3623bbc669e8d31c2719b29"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">int&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a85c0852b05b60cbfe0130534160c9876">preg_match</a> (const char *, char *, char ***, int *)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Check if a string matches a regular expression.  <a href="#a85c0852b05b60cbfe0130534160c9876"></a><br/></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">void *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#ad56f71be823eead743972274b99c82ff">AI_hashcleanup_thread</a> (void *)</td></tr>
 <tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Thread called for cleaning up the hash table from the traffic streams older than a certain threshold.  <a href="#ad56f71be823eead743972274b99c82ff"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">void *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a842a3204c6e067a9920990b573757181">AI_alertparser_thread</a> (void *)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Thread for parsing Snort's alert file.  <a href="#a842a3204c6e067a9920990b573757181"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#af6f7d167c3623bbc669e8d31c2719b29">AI_pkt_enqueue</a> (SFSnortPacket *)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Function called for appending a new packet to the hash table, creating a new stream or appending it to an existing stream.  <a href="#af6f7d167c3623bbc669e8d31c2719b29"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a8749989cee2ac05a7de058faac280c02">AI_set_stream_observed</a> (struct <a class="el" href="structpkt__key.html">pkt_key</a> key)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Set the flag "observed" on a stream associated to a security alert, so that it won't be removed from the hash table.  <a href="#a8749989cee2ac05a7de058faac280c02"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a857348424b9db45c90f95631eb96fd7c">AI_hierarchies_build</a> (<a class="el" href="structAI__config.html">AI_config</a> *, <a class="el" href="struct__hierarchy__node.html">hierarchy_node</a> **, int)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Build the clustering hierarchy trees.  <a href="#a857348424b9db45c90f95631eb96fd7c"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">struct <a class="el" href="structpkt__info.html">pkt_info</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a3054f06297a9caefd4d9b1283bb8b69a">AI_get_stream_by_key</a> (struct <a class="el" href="structpkt__key.html">pkt_key</a>)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Get a TCP stream by key.  <a href="#a3054f06297a9caefd4d9b1283bb8b69a"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#af19a28f7cbcdfeb2b66fb3b625b75076">AI_get_alerts</a> (void)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Return the alerts parsed so far as a linked list.  <a href="#af19a28f7cbcdfeb2b66fb3b625b75076"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a270e86669a0aa64a8da37bc16cda645b">AI_free_alerts</a> (<a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *node)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Deallocate the memory of a log alert linked list.  <a href="#a270e86669a0aa64a8da37bc16cda645b"></a><br/></td></tr>
+<tr><td colspan="2"><h2><a name="var-members"></a>
+Variables</h2></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">DynamicPreprocessorData&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#ab46420126c43c1aac5eabc5db266a71c">_dpd</a></td></tr>
 </table>
-<hr/><h2>Typedef Documentation</h2>
-<a class="anchor" id="a3fc526e5a55f5d137402b1bbd1b6072c"></a><!-- doxytag: member="spp_ai.h::AI_config" ref="a3fc526e5a55f5d137402b1bbd1b6072c" args="" -->
+<hr/><h2>Define Documentation</h2>
+<a class="anchor" id="a0c4b6fce670e46083e33b9f53b78f39e"></a><!-- doxytag: member="spp_ai.h::DEFAULT_ALERT_CLUSTERING_INTERVAL" ref="a0c4b6fce670e46083e33b9f53b78f39e" args="" -->
 <div class="memitem">
 <div class="memproto">
       <table class="memname">
         <tr>
-          <td class="memname">typedef struct <a class="el" href="struct__AI__config.html">_AI_config</a>  <a class="el" href="struct__AI__config.html">AI_config</a></td>
+          <td class="memname">#define DEFAULT_ALERT_CLUSTERING_INTERVAL&nbsp;&nbsp;&nbsp;3600</td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a6d9bf552c32371e0144dc6a6209c7e4a"></a><!-- doxytag: member="spp_ai.h::DEFAULT_ALERT_LOG_FILE" ref="a6d9bf552c32371e0144dc6a6209c7e4a" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">#define DEFAULT_ALERT_LOG_FILE&nbsp;&nbsp;&nbsp;&quot;/var/log/snort/alert&quot;</td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a803dc913297ccdace9e604dbfecda97d"></a><!-- doxytag: member="spp_ai.h::DEFAULT_CLUSTER_LOG_FILE" ref="a803dc913297ccdace9e604dbfecda97d" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">#define DEFAULT_CLUSTER_LOG_FILE&nbsp;&nbsp;&nbsp;&quot;/var/log/snort/cluster_alert&quot;</td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a5f555c0ebd29ce2771a3e2dd4f526746"></a><!-- doxytag: member="spp_ai.h::DEFAULT_HASH_CLEANUP_INTERVAL" ref="a5f555c0ebd29ce2771a3e2dd4f526746" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">#define DEFAULT_HASH_CLEANUP_INTERVAL&nbsp;&nbsp;&nbsp;300</td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a0f6a189af15ef783fb46ed37c144e031"></a><!-- doxytag: member="spp_ai.h::DEFAULT_STREAM_EXPIRE_INTERVAL" ref="a0f6a189af15ef783fb46ed37c144e031" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">#define DEFAULT_STREAM_EXPIRE_INTERVAL&nbsp;&nbsp;&nbsp;300</td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a5e151c615eda34903514212f05a5ccf8"></a><!-- doxytag: member="spp_ai.h::PRIVATE" ref="a5e151c615eda34903514212f05a5ccf8" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">#define PRIVATE&nbsp;&nbsp;&nbsp;static</td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<hr/><h2>Typedef Documentation</h2>
+<a class="anchor" id="a982be90e72362e88d09f28336c9a1897"></a><!-- doxytag: member="spp_ai.h::AI_snort_alert" ref="a982be90e72362e88d09f28336c9a1897" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">typedef struct <a class="el" href="struct__AI__snort__alert.html">_AI_snort_alert</a>  <a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a466391129919ef12366d311d501552fa"></a><!-- doxytag: member="spp_ai.h::hierarchy_node" ref="a466391129919ef12366d311d501552fa" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">typedef struct <a class="el" href="struct__hierarchy__node.html">_hierarchy_node</a>  <a class="el" href="struct__hierarchy__node.html">hierarchy_node</a></td>
         </tr>
       </table>
 </div>
@@ -117,6 +254,19 @@ Functions</h2></td></tr>
 </div>
 <div class="memdoc">
 
+</div>
+</div>
+<a class="anchor" id="aba7bc1797add20fe3efdf37ced1182c5"></a><!-- doxytag: member="spp_ai.h::uint8_t" ref="aba7bc1797add20fe3efdf37ced1182c5" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">typedef unsigned char <a class="el" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
 </div>
 </div>
 <hr/><h2>Enumeration Type Documentation</h2>
@@ -139,9 +289,142 @@ Functions</h2></td></tr>
 </dd>
 </dl>
 
+</div>
+</div>
+<a class="anchor" id="ae2ff3c6586aa2ab211a102abfde86640"></a><!-- doxytag: member="spp_ai.h::cluster_type" ref="ae2ff3c6586aa2ab211a102abfde86640" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">enum <a class="el" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640">cluster_type</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+<dl><dt><b>Enumerator: </b></dt><dd><table border="0" cellspacing="2" cellpadding="0">
+<tr><td valign="top"><em><a class="anchor" id="ae2ff3c6586aa2ab211a102abfde86640ab7e4e0120a041dbe6528b050c04269e0"></a><!-- doxytag: member="none" ref="ae2ff3c6586aa2ab211a102abfde86640ab7e4e0120a041dbe6528b050c04269e0" args="" -->none</em>&nbsp;</td><td>
+</td></tr>
+<tr><td valign="top"><em><a class="anchor" id="ae2ff3c6586aa2ab211a102abfde86640abc900639df18f0f5f2f63a1f033fe42f"></a><!-- doxytag: member="src_addr" ref="ae2ff3c6586aa2ab211a102abfde86640abc900639df18f0f5f2f63a1f033fe42f" args="" -->src_addr</em>&nbsp;</td><td>
+</td></tr>
+<tr><td valign="top"><em><a class="anchor" id="ae2ff3c6586aa2ab211a102abfde86640aa000f955ef1374c60cdb16bf43a1593c"></a><!-- doxytag: member="dst_addr" ref="ae2ff3c6586aa2ab211a102abfde86640aa000f955ef1374c60cdb16bf43a1593c" args="" -->dst_addr</em>&nbsp;</td><td>
+</td></tr>
+<tr><td valign="top"><em><a class="anchor" id="ae2ff3c6586aa2ab211a102abfde86640ac1335c508143eb06843af2ce5ff3027b"></a><!-- doxytag: member="src_port" ref="ae2ff3c6586aa2ab211a102abfde86640ac1335c508143eb06843af2ce5ff3027b" args="" -->src_port</em>&nbsp;</td><td>
+</td></tr>
+<tr><td valign="top"><em><a class="anchor" id="ae2ff3c6586aa2ab211a102abfde86640abc4f89a184ada44073bd6f54d7fc11c9"></a><!-- doxytag: member="dst_port" ref="ae2ff3c6586aa2ab211a102abfde86640abc4f89a184ada44073bd6f54d7fc11c9" args="" -->dst_port</em>&nbsp;</td><td>
+</td></tr>
+<tr><td valign="top"><em><a class="anchor" id="ae2ff3c6586aa2ab211a102abfde86640ab16bb5c4b330d5db02e2d852cd2ba451"></a><!-- doxytag: member="CLUSTER_TYPES" ref="ae2ff3c6586aa2ab211a102abfde86640ab16bb5c4b330d5db02e2d852cd2ba451" args="" -->CLUSTER_TYPES</em>&nbsp;</td><td>
+</td></tr>
+</table>
+</dd>
+</dl>
+
 </div>
 </div>
 <hr/><h2>Function Documentation</h2>
+<a class="anchor" id="a842a3204c6e067a9920990b573757181"></a><!-- doxytag: member="spp_ai.h::AI_alertparser_thread" ref="a842a3204c6e067a9920990b573757181" args="(void *)" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">void* AI_alertparser_thread </td>
+          <td>(</td>
+          <td class="paramtype">void *&nbsp;</td>
+          <td class="paramname"> <em>arg</em></td>
+          <td>&nbsp;)&nbsp;</td>
+          <td></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+<p>Thread for parsing Snort's alert file. </p>
+<p>FUNCTION: AI_alertparser_thread </p>
+<dl><dt><b>Parameters:</b></dt><dd>
+  <table border="0" cellspacing="2" cellpadding="0">
+    <tr><td valign="top"></td><td valign="top"><em>arg</em>&nbsp;</td><td>void* pointer to module's configuration </td></tr>
+  </table>
+  </dd>
+</dl>
+
+</div>
+</div>
+<a class="anchor" id="a270e86669a0aa64a8da37bc16cda645b"></a><!-- doxytag: member="spp_ai.h::AI_free_alerts" ref="a270e86669a0aa64a8da37bc16cda645b" args="(AI_snort_alert *node)" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">void AI_free_alerts </td>
+          <td>(</td>
+          <td class="paramtype"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *&nbsp;</td>
+          <td class="paramname"> <em>node</em></td>
+          <td>&nbsp;)&nbsp;</td>
+          <td></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+<p>Deallocate the memory of a log alert linked list. </p>
+<p>FUNCTION: AI_free_alerts </p>
+<dl><dt><b>Parameters:</b></dt><dd>
+  <table border="0" cellspacing="2" cellpadding="0">
+    <tr><td valign="top"></td><td valign="top"><em>node</em>&nbsp;</td><td>Linked list to be freed </td></tr>
+  </table>
+  </dd>
+</dl>
+
+</div>
+</div>
+<a class="anchor" id="af19a28f7cbcdfeb2b66fb3b625b75076"></a><!-- doxytag: member="spp_ai.h::AI_get_alerts" ref="af19a28f7cbcdfeb2b66fb3b625b75076" args="(void)" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a>* AI_get_alerts </td>
+          <td>(</td>
+          <td class="paramtype">void&nbsp;</td>
+          <td class="paramname"></td>
+          <td>&nbsp;)&nbsp;</td>
+          <td></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+<p>Return the alerts parsed so far as a linked list. </p>
+<p>FUNCTION: AI_get_alerts </p>
+<dl class="return"><dt><b>Returns:</b></dt><dd>An AI_snort_alert pointer identifying the list of alerts </dd></dl>
+
+</div>
+</div>
+<a class="anchor" id="a3054f06297a9caefd4d9b1283bb8b69a"></a><!-- doxytag: member="spp_ai.h::AI_get_stream_by_key" ref="a3054f06297a9caefd4d9b1283bb8b69a" args="(struct pkt_key)" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">struct <a class="el" href="structpkt__info.html">pkt_info</a>* AI_get_stream_by_key </td>
+          <td>(</td>
+          <td class="paramtype">struct <a class="el" href="structpkt__key.html">pkt_key</a>&nbsp;</td>
+          <td class="paramname"> <em>key</em></td>
+          <td>&nbsp;)&nbsp;</td>
+          <td><code> [read]</code></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+<p>Get a TCP stream by key. </p>
+<p>FUNCTION: AI_get_stream_by_key </p>
+<dl><dt><b>Parameters:</b></dt><dd>
+  <table border="0" cellspacing="2" cellpadding="0">
+    <tr><td valign="top"></td><td valign="top"><em>key</em>&nbsp;</td><td>Key of the stream to be picked up (struct <a class="el" href="structpkt__key.html">pkt_key</a>) </td></tr>
+  </table>
+  </dd>
+</dl>
+<dl class="return"><dt><b>Returns:</b></dt><dd>A <a class="el" href="structpkt__info.html">pkt_info</a> pointer to the stream if found, NULL otherwise </dd></dl>
+
+</div>
+</div>
 <a class="anchor" id="ad56f71be823eead743972274b99c82ff"></a><!-- doxytag: member="spp_ai.h::AI_hashcleanup_thread" ref="ad56f71be823eead743972274b99c82ff" args="(void *)" -->
 <div class="memitem">
 <div class="memproto">
@@ -162,7 +445,51 @@ Functions</h2></td></tr>
 <p>FUNCTION: AI_hashcleanup_thread </p>
 <dl><dt><b>Parameters:</b></dt><dd>
   <table border="0" cellspacing="2" cellpadding="0">
-    <tr><td valign="top"></td><td valign="top"><em>arg</em>&nbsp;</td><td>Pointer to the AI_config struct </td></tr>
+    <tr><td valign="top"></td><td valign="top"><em>arg</em>&nbsp;</td><td>Pointer to the <a class="el" href="structAI__config.html">AI_config</a> struct </td></tr>
+  </table>
+  </dd>
+</dl>
+
+</div>
+</div>
+<a class="anchor" id="a857348424b9db45c90f95631eb96fd7c"></a><!-- doxytag: member="spp_ai.h::AI_hierarchies_build" ref="a857348424b9db45c90f95631eb96fd7c" args="(AI_config *, hierarchy_node **, int)" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">void AI_hierarchies_build </td>
+          <td>(</td>
+          <td class="paramtype"><a class="el" href="structAI__config.html">AI_config</a> *&nbsp;</td>
+          <td class="paramname"> <em>conf</em>, </td>
+        </tr>
+        <tr>
+          <td class="paramkey"></td>
+          <td></td>
+          <td class="paramtype"><a class="el" href="struct__hierarchy__node.html">hierarchy_node</a> **&nbsp;</td>
+          <td class="paramname"> <em>nodes</em>, </td>
+        </tr>
+        <tr>
+          <td class="paramkey"></td>
+          <td></td>
+          <td class="paramtype">int&nbsp;</td>
+          <td class="paramname"> <em>n_nodes</em></td><td>&nbsp;</td>
+        </tr>
+        <tr>
+          <td></td>
+          <td>)</td>
+          <td></td><td></td><td></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+<p>Build the clustering hierarchy trees. </p>
+<p>FUNCTION: AI_hierarchies_build </p>
+<dl><dt><b>Parameters:</b></dt><dd>
+  <table border="0" cellspacing="2" cellpadding="0">
+    <tr><td valign="top"></td><td valign="top"><em>conf</em>&nbsp;</td><td>Reference to the configuration of the module </td></tr>
+    <tr><td valign="top"></td><td valign="top"><em>nodes</em>&nbsp;</td><td>Nodes containing the information about the clustering ranges </td></tr>
+    <tr><td valign="top"></td><td valign="top"><em>n_nodes</em>&nbsp;</td><td>Number of nodes </td></tr>
   </table>
   </dd>
 </dl>
@@ -194,6 +521,99 @@ Functions</h2></td></tr>
   </dd>
 </dl>
 
+</div>
+</div>
+<a class="anchor" id="a8749989cee2ac05a7de058faac280c02"></a><!-- doxytag: member="spp_ai.h::AI_set_stream_observed" ref="a8749989cee2ac05a7de058faac280c02" args="(struct pkt_key key)" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">void AI_set_stream_observed </td>
+          <td>(</td>
+          <td class="paramtype">struct <a class="el" href="structpkt__key.html">pkt_key</a>&nbsp;</td>
+          <td class="paramname"> <em>key</em></td>
+          <td>&nbsp;)&nbsp;</td>
+          <td></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+<p>Set the flag "observed" on a stream associated to a security alert, so that it won't be removed from the hash table. </p>
+<p>FUNCTION: AI_set_stream_observed </p>
+<dl><dt><b>Parameters:</b></dt><dd>
+  <table border="0" cellspacing="2" cellpadding="0">
+    <tr><td valign="top"></td><td valign="top"><em>key</em>&nbsp;</td><td>Key of the stream to be set as "observed" </td></tr>
+  </table>
+  </dd>
+</dl>
+
+</div>
+</div>
+<a class="anchor" id="a85c0852b05b60cbfe0130534160c9876"></a><!-- doxytag: member="spp_ai.h::preg_match" ref="a85c0852b05b60cbfe0130534160c9876" args="(const char *, char *, char ***, int *)" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">int preg_match </td>
+          <td>(</td>
+          <td class="paramtype">const char *&nbsp;</td>
+          <td class="paramname"> <em>expr</em>, </td>
+        </tr>
+        <tr>
+          <td class="paramkey"></td>
+          <td></td>
+          <td class="paramtype">char *&nbsp;</td>
+          <td class="paramname"> <em>str</em>, </td>
+        </tr>
+        <tr>
+          <td class="paramkey"></td>
+          <td></td>
+          <td class="paramtype">char ***&nbsp;</td>
+          <td class="paramname"> <em>matches</em>, </td>
+        </tr>
+        <tr>
+          <td class="paramkey"></td>
+          <td></td>
+          <td class="paramtype">int *&nbsp;</td>
+          <td class="paramname"> <em>nmatches</em></td><td>&nbsp;</td>
+        </tr>
+        <tr>
+          <td></td>
+          <td>)</td>
+          <td></td><td></td><td></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+<p>Check if a string matches a regular expression. </p>
+<p>FUNCTION: preg_match </p>
+<dl><dt><b>Parameters:</b></dt><dd>
+  <table border="0" cellspacing="2" cellpadding="0">
+    <tr><td valign="top"></td><td valign="top"><em>expr</em>&nbsp;</td><td>Regular expression to be matched </td></tr>
+    <tr><td valign="top"></td><td valign="top"><em>str</em>&nbsp;</td><td>String to be checked </td></tr>
+    <tr><td valign="top"></td><td valign="top"><em>matches</em>&nbsp;</td><td>Reference to a char** that will contain the submatches (NULL if you don't need it) </td></tr>
+    <tr><td valign="top"></td><td valign="top"><em>nmatches</em>&nbsp;</td><td>Reference to a int containing the number of submatches found (NULL if you don't need it) </td></tr>
+  </table>
+  </dd>
+</dl>
+<dl class="return"><dt><b>Returns:</b></dt><dd>-1 if the regex is wrong, 0 if no match was found, 1 otherwise </dd></dl>
+
+</div>
+</div>
+<hr/><h2>Variable Documentation</h2>
+<a class="anchor" id="ab46420126c43c1aac5eabc5db266a71c"></a><!-- doxytag: member="spp_ai.h::_dpd" ref="ab46420126c43c1aac5eabc5db266a71c" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">DynamicPreprocessorData <a class="el" href="spp__ai_8h.html#ab46420126c43c1aac5eabc5db266a71c">_dpd</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
 </div>
 </div>
 </div>
@@ -211,7 +631,7 @@ Functions</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Wed Aug 4 2010 11:30:57 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/spp__ai_8h_source.html b/doc/html/spp__ai_8h_source.html
index ba2d92c..339d40d 100644
--- a/doc/html/spp__ai_8h_source.html
+++ b/doc/html/spp__ai_8h_source.html
@@ -71,26 +71,135 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 <a name="l00020"></a>00020 <span class="preprocessor">#ifndef _SPP_AI_H</span>
 <a name="l00021"></a>00021 <span class="preprocessor"></span><span class="preprocessor">#define _SPP_AI_H</span>
 <a name="l00022"></a>00022 <span class="preprocessor"></span>
-<a name="l00023"></a>00023 <span class="preprocessor">#include &quot;sf_snort_packet.h&quot;</span>
-<a name="l00024"></a>00024 
-<a name="l00025"></a><a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">00025</a> <span class="keyword">typedef</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> uint32_t;
-<a name="l00026"></a><a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">00026</a> <span class="keyword">typedef</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">short</span> uint16_t;
-<a name="l00027"></a>00027 
-<a name="l00028"></a><a class="code" href="spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18dda08f175a5505a10b9ed657defeb050e4b">00028</a> <span class="keyword">typedef</span> <span class="keyword">enum</span> { <span class="keyword">false</span>, <span class="keyword">true</span> } BOOL;
-<a name="l00029"></a>00029 
-<a name="l00030"></a><a class="code" href="struct__AI__config.html">00030</a> <span class="keyword">typedef</span> <span class="keyword">struct </span><a class="code" href="struct__AI__config.html">_AI_config</a>
-<a name="l00031"></a>00031 {
-<a name="l00032"></a><a class="code" href="struct__AI__config.html#ab22e082ad6637f6280134e882bf53b0d">00032</a>         <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="struct__AI__config.html#ab22e082ad6637f6280134e882bf53b0d">portToCheck</a>;
-<a name="l00033"></a><a class="code" href="struct__AI__config.html#a890e6756dc637e9d41b7051a4d1ddc93">00033</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> <a class="code" href="struct__AI__config.html#a890e6756dc637e9d41b7051a4d1ddc93">hashCleanupInterval</a>;
-<a name="l00034"></a><a class="code" href="struct__AI__config.html#a338358f23bf15f567a015a99d892c8e7">00034</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> <a class="code" href="struct__AI__config.html#a338358f23bf15f567a015a99d892c8e7">streamExpireInterval</a>;
-<a name="l00035"></a>00035 
-<a name="l00036"></a>00036 } <a class="code" href="struct__AI__config.html">AI_config</a>;
-<a name="l00037"></a>00037 
-<a name="l00038"></a>00038 <span class="keywordtype">void</span>  <a class="code" href="spp__ai_8h.html#af6f7d167c3623bbc669e8d31c2719b29" title="Function called for appending a new packet to the hash table, creating a new stream or appending it t...">AI_pkt_enqueue</a> ( SFSnortPacket* );
-<a name="l00039"></a>00039 <span class="keywordtype">void</span>* <a class="code" href="spp__ai_8h.html#ad56f71be823eead743972274b99c82ff" title="Thread called for cleaning up the hash table from the traffic streams older than a certain threshold...">AI_hashcleanup_thread</a> ( <span class="keywordtype">void</span>* );
-<a name="l00040"></a>00040 
-<a name="l00041"></a>00041 <span class="preprocessor">#endif  </span><span class="comment">/* _SPP_AI_H */</span>
-<a name="l00042"></a>00042 
+<a name="l00023"></a>00023 <span class="preprocessor">#include        &quot;sf_snort_packet.h&quot;</span>
+<a name="l00024"></a>00024 <span class="preprocessor">#include        &quot;sf_dynamic_preprocessor.h&quot;</span>
+<a name="l00025"></a>00025 <span class="preprocessor">#include        &quot;uthash.h&quot;</span>
+<a name="l00026"></a>00026 
+<a name="l00027"></a><a class="code" href="spp__ai_8h.html#a5e151c615eda34903514212f05a5ccf8">00027</a> <span class="preprocessor">#define         PRIVATE                 static</span>
+<a name="l00028"></a>00028 <span class="preprocessor"></span>
+<a name="l00029"></a><a class="code" href="spp__ai_8h.html#a5f555c0ebd29ce2771a3e2dd4f526746">00029</a> <span class="preprocessor">#define         DEFAULT_HASH_CLEANUP_INTERVAL           300</span>
+<a name="l00030"></a><a class="code" href="spp__ai_8h.html#a0f6a189af15ef783fb46ed37c144e031">00030</a> <span class="preprocessor"></span><span class="preprocessor">#define         DEFAULT_STREAM_EXPIRE_INTERVAL          300</span>
+<a name="l00031"></a><a class="code" href="spp__ai_8h.html#a0c4b6fce670e46083e33b9f53b78f39e">00031</a> <span class="preprocessor"></span><span class="preprocessor">#define         DEFAULT_ALERT_CLUSTERING_INTERVAL               3600</span>
+<a name="l00032"></a><a class="code" href="spp__ai_8h.html#a6d9bf552c32371e0144dc6a6209c7e4a">00032</a> <span class="preprocessor"></span><span class="preprocessor">#define         DEFAULT_ALERT_LOG_FILE                          &quot;/var/log/snort/alert&quot;</span>
+<a name="l00033"></a><a class="code" href="spp__ai_8h.html#a803dc913297ccdace9e604dbfecda97d">00033</a> <span class="preprocessor"></span><span class="preprocessor">#define         DEFAULT_CLUSTER_LOG_FILE                        &quot;/var/log/snort/cluster_alert&quot;</span>
+<a name="l00034"></a>00034 <span class="preprocessor"></span>
+<a name="l00035"></a>00035 <span class="keyword">extern</span> DynamicPreprocessorData <a class="code" href="sf__dynamic__preproc__lib_8c.html#ab46420126c43c1aac5eabc5db266a71c">_dpd</a>;
+<a name="l00036"></a><a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">00036</a> <span class="keyword">typedef</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span>   uint8_t;
+<a name="l00037"></a><a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">00037</a> <span class="keyword">typedef</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">short</span>  uint16_t;
+<a name="l00038"></a><a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">00038</a> <span class="keyword">typedef</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span>    uint32_t;
+<a name="l00039"></a>00039 
+<a name="l00040"></a><a class="code" href="spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18dda08f175a5505a10b9ed657defeb050e4b">00040</a> <span class="keyword">typedef</span> <span class="keyword">enum</span> { <span class="keyword">false</span>, <span class="keyword">true</span> } BOOL;
+<a name="l00041"></a>00041 
+<a name="l00042"></a><a class="code" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640">00042</a> <span class="keyword">typedef</span> <span class="keyword">enum</span> {
+<a name="l00043"></a><a class="code" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ac1335c508143eb06843af2ce5ff3027b">00043</a>         none, src_addr, dst_addr, src_port, dst_port, <a class="code" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ab16bb5c4b330d5db02e2d852cd2ba451">CLUSTER_TYPES</a>
+<a name="l00044"></a>00044 } cluster_type;
+<a name="l00045"></a>00045 
+<a name="l00046"></a>00046 <span class="comment">/* Each stream in the hash table is identified by the couple (src_ip, dst_port) */</span>
+<a name="l00047"></a><a class="code" href="structpkt__key.html">00047</a> <span class="keyword">struct </span><a class="code" href="structpkt__key.html">pkt_key</a>
+<a name="l00048"></a>00048 {
+<a name="l00049"></a><a class="code" href="structpkt__key.html#a3a091c20dafb8b3f689db00c5b2f8ddb">00049</a>         <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a> <a class="code" href="structpkt__key.html#a3a091c20dafb8b3f689db00c5b2f8ddb">src_ip</a>;
+<a name="l00050"></a><a class="code" href="structpkt__key.html#af77f5eb1f4cd88b43fe99fd73553351d">00050</a>         <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="structpkt__key.html#af77f5eb1f4cd88b43fe99fd73553351d">dst_port</a>;
+<a name="l00051"></a>00051 };
+<a name="l00052"></a>00052 
+<a name="l00053"></a>00053 <span class="comment">/* Identifier of a packet in a stream */</span>
+<a name="l00054"></a><a class="code" href="structpkt__info.html">00054</a> <span class="keyword">struct </span><a class="code" href="structpkt__info.html">pkt_info</a>
+<a name="l00055"></a>00055 {
+<a name="l00056"></a><a class="code" href="structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339">00056</a>         <span class="keyword">struct </span><a class="code" href="structpkt__key.html">pkt_key</a>    <a class="code" href="structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339">key</a>;             <span class="comment">/* Key of the packet (src_ip, dst_port) */</span>
+<a name="l00057"></a><a class="code" href="structpkt__info.html#a7f5090443f21e6290f0439f1bb872e92">00057</a>         time_t            <a class="code" href="structpkt__info.html#a7f5090443f21e6290f0439f1bb872e92">timestamp</a>;        <span class="comment">/* Timestamp */</span>
+<a name="l00058"></a><a class="code" href="structpkt__info.html#a8d5ebd04a32067b05387e5c5056fe168">00058</a>         SFSnortPacket*    <a class="code" href="structpkt__info.html#a8d5ebd04a32067b05387e5c5056fe168">pkt</a>;             <span class="comment">/* Reference to SFSnortPacket containing packet&#39;s information */</span>
+<a name="l00059"></a><a class="code" href="structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168">00059</a>         <span class="keyword">struct </span><a class="code" href="structpkt__info.html">pkt_info</a>*  <a class="code" href="structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168">next</a>;                    <span class="comment">/* Pointer to the next packet in the stream */</span>
+<a name="l00060"></a><a class="code" href="structpkt__info.html#ac7ff78ea5faf333fc91f92e3085ea7c9">00060</a>         <a class="code" href="spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18dd">BOOL</a>              <a class="code" href="structpkt__info.html#ac7ff78ea5faf333fc91f92e3085ea7c9">observed</a>;         <span class="comment">/* Flag set if the packet is observed, i.e. associated to a security alert */</span>
+<a name="l00061"></a><a class="code" href="structpkt__info.html#a264e90d4b5d490de040f38c1072e142f">00061</a>         UT_hash_handle    <a class="code" href="structpkt__info.html#a264e90d4b5d490de040f38c1072e142f">hh</a>;                 <span class="comment">/* Make the struct &#39;hashable&#39; */</span>
+<a name="l00062"></a>00062 };
+<a name="l00063"></a>00063 
+<a name="l00064"></a>00064 <span class="comment">/* Data type containing the configuration of the module */</span>
+<a name="l00065"></a><a class="code" href="structAI__config.html">00065</a> <span class="keyword">typedef</span> <span class="keyword">struct</span>
+<a name="l00066"></a>00066 {
+<a name="l00067"></a><a class="code" href="structAI__config.html#a9f7680615027d4fb74b4aa144a7028a4">00067</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> hashCleanupInterval;
+<a name="l00068"></a><a class="code" href="structAI__config.html#abbe77d5f94b8c5164bea47acba09c98b">00068</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> streamExpireInterval;
+<a name="l00069"></a><a class="code" href="structAI__config.html#a7d0d098b8263aa3d8415b11d1ec7f93d">00069</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> alertClusteringInterval;
+<a name="l00070"></a><a class="code" href="structAI__config.html#a2efa9590d7eea6dce8b5dd9aa76ed8ca">00070</a>         <span class="keywordtype">char</span>          alertfile[1024];
+<a name="l00071"></a><a class="code" href="structAI__config.html#a6da02a3f7116fd3810a41b738e8883a3">00071</a>         <span class="keywordtype">char</span>          clusterfile[1024];
+<a name="l00072"></a>00072 } <a class="code" href="structAI__config.html">AI_config</a>;
+<a name="l00073"></a>00073 
+<a name="l00074"></a>00074 <span class="comment">/* Data type for hierarchies used for clustering */</span>
+<a name="l00075"></a><a class="code" href="struct__hierarchy__node.html">00075</a> <span class="keyword">typedef</span> <span class="keyword">struct </span><a class="code" href="struct__hierarchy__node.html">_hierarchy_node</a>
+<a name="l00076"></a>00076 {
+<a name="l00077"></a><a class="code" href="struct__hierarchy__node.html#a3b18e3ddfa2212c5e4ff9c0b4bde4296">00077</a>         <a class="code" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640">cluster_type</a>            <a class="code" href="struct__hierarchy__node.html#a3b18e3ddfa2212c5e4ff9c0b4bde4296">type</a>;
+<a name="l00078"></a><a class="code" href="struct__hierarchy__node.html#ae498f6fd14ca058a3ae0a95d5425451a">00078</a>         <span class="keywordtype">char</span>                    <a class="code" href="struct__hierarchy__node.html#ae498f6fd14ca058a3ae0a95d5425451a">label</a>[256];
+<a name="l00079"></a><a class="code" href="struct__hierarchy__node.html#a13ceebd7b435b9ef347fb90d9e6bbfe4">00079</a>         <span class="keywordtype">int</span>                     <a class="code" href="struct__hierarchy__node.html#a13ceebd7b435b9ef347fb90d9e6bbfe4">min_val</a>;
+<a name="l00080"></a><a class="code" href="struct__hierarchy__node.html#a79ea88029938dc30ab8f159405d12c87">00080</a>         <span class="keywordtype">int</span>                     <a class="code" href="struct__hierarchy__node.html#a79ea88029938dc30ab8f159405d12c87">max_val</a>;
+<a name="l00081"></a><a class="code" href="struct__hierarchy__node.html#a849256ce1039e2cefaaf64d91171be0a">00081</a>         <span class="keywordtype">int</span>                     <a class="code" href="struct__hierarchy__node.html#a849256ce1039e2cefaaf64d91171be0a">nchildren</a>;
+<a name="l00082"></a><a class="code" href="struct__hierarchy__node.html#a5c94c89d7e2aea393f1c550afb766bbe">00082</a>         <span class="keyword">struct </span><a class="code" href="struct__hierarchy__node.html">_hierarchy_node</a>  *<a class="code" href="struct__hierarchy__node.html#a5c94c89d7e2aea393f1c550afb766bbe">parent</a>;
+<a name="l00083"></a><a class="code" href="struct__hierarchy__node.html#afc23d4fe6426873164cdaab2f3d4f0cd">00083</a>         <span class="keyword">struct </span><a class="code" href="struct__hierarchy__node.html">_hierarchy_node</a>  **<a class="code" href="struct__hierarchy__node.html#afc23d4fe6426873164cdaab2f3d4f0cd">children</a>;
+<a name="l00084"></a>00084 } <a class="code" href="struct__hierarchy__node.html">hierarchy_node</a>;
+<a name="l00085"></a>00085 
+<a name="l00086"></a>00086 <span class="comment">/* Data type for Snort alerts */</span>
+<a name="l00087"></a><a class="code" href="struct__AI__snort__alert.html">00087</a> <span class="keyword">typedef</span> <span class="keyword">struct </span><a class="code" href="struct__AI__snort__alert.html">_AI_snort_alert</a>  {
+<a name="l00088"></a>00088         <span class="comment">/* Identifiers of the alert */</span>
+<a name="l00089"></a><a class="code" href="struct__AI__snort__alert.html#af8408be5da59cda853442dd13465c0f6">00089</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span>    <a class="code" href="struct__AI__snort__alert.html#af8408be5da59cda853442dd13465c0f6">gid</a>;
+<a name="l00090"></a><a class="code" href="struct__AI__snort__alert.html#a3349aa68d2234f8ffd897367c3a8a137">00090</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span>    <a class="code" href="struct__AI__snort__alert.html#a3349aa68d2234f8ffd897367c3a8a137">sid</a>;
+<a name="l00091"></a><a class="code" href="struct__AI__snort__alert.html#a864d3baa48586d6a31639f4cd27d9d37">00091</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span>    <a class="code" href="struct__AI__snort__alert.html#a864d3baa48586d6a31639f4cd27d9d37">rev</a>;
+<a name="l00092"></a>00092 
+<a name="l00093"></a>00093         <span class="comment">/* Snort priority, description,</span>
+<a name="l00094"></a>00094 <span class="comment">         * classification and timestamp</span>
+<a name="l00095"></a>00095 <span class="comment">         * of the alert */</span>
+<a name="l00096"></a><a class="code" href="struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9">00096</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">short</span>  <a class="code" href="struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9">priority</a>;
+<a name="l00097"></a><a class="code" href="struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135">00097</a>         <span class="keywordtype">char</span>            *<a class="code" href="struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135">desc</a>;
+<a name="l00098"></a><a class="code" href="struct__AI__snort__alert.html#aa89585e14acb2c4e684a1552d322632f">00098</a>         <span class="keywordtype">char</span>            *<a class="code" href="struct__AI__snort__alert.html#aa89585e14acb2c4e684a1552d322632f">classification</a>;
+<a name="l00099"></a><a class="code" href="struct__AI__snort__alert.html#a10a67f60ca3da339a2104849a0b2ac19">00099</a>         time_t          <a class="code" href="struct__AI__snort__alert.html#a10a67f60ca3da339a2104849a0b2ac19">timestamp</a>;
+<a name="l00100"></a>00100 
+<a name="l00101"></a>00101         <span class="comment">/* IP header information */</span>
+<a name="l00102"></a><a class="code" href="struct__AI__snort__alert.html#a882ae6db43dc0fe08071947ccb044b93">00102</a>         <a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a>         <a class="code" href="struct__AI__snort__alert.html#a882ae6db43dc0fe08071947ccb044b93">tos</a>;
+<a name="l00103"></a><a class="code" href="struct__AI__snort__alert.html#a523ef8842d01a1bc4ea3c0bf27518e78">00103</a>         <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a>        <a class="code" href="struct__AI__snort__alert.html#a523ef8842d01a1bc4ea3c0bf27518e78">iplen</a>;
+<a name="l00104"></a><a class="code" href="struct__AI__snort__alert.html#a45e4acf90450a5f9efd4e0c290f84bcf">00104</a>         <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a>        <a class="code" href="struct__AI__snort__alert.html#a45e4acf90450a5f9efd4e0c290f84bcf">id</a>;
+<a name="l00105"></a><a class="code" href="struct__AI__snort__alert.html#ab9b1ce8ee440a324af116403ac9c51a2">00105</a>         <a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a>         <a class="code" href="struct__AI__snort__alert.html#ab9b1ce8ee440a324af116403ac9c51a2">ttl</a>;
+<a name="l00106"></a><a class="code" href="struct__AI__snort__alert.html#a2a5f2741918c3c13890f2b617a7f23a4">00106</a>         <a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a>         <a class="code" href="struct__AI__snort__alert.html#a2a5f2741918c3c13890f2b617a7f23a4">ipproto</a>;
+<a name="l00107"></a><a class="code" href="struct__AI__snort__alert.html#ab16a24f368020e4b40e65b53cae33b48">00107</a>         <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a>        <a class="code" href="struct__AI__snort__alert.html#ab16a24f368020e4b40e65b53cae33b48">src_addr</a>;
+<a name="l00108"></a><a class="code" href="struct__AI__snort__alert.html#a69cc2ba171c8c808a0b45caa9426cd8c">00108</a>         <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a>        <a class="code" href="struct__AI__snort__alert.html#a69cc2ba171c8c808a0b45caa9426cd8c">dst_addr</a>;
+<a name="l00109"></a>00109 
+<a name="l00110"></a>00110         <span class="comment">/* TCP header information */</span>
+<a name="l00111"></a><a class="code" href="struct__AI__snort__alert.html#a856cccd3eaabd38aa9974f26d3edc5e3">00111</a>         <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a>        <a class="code" href="struct__AI__snort__alert.html#a856cccd3eaabd38aa9974f26d3edc5e3">src_port</a>;
+<a name="l00112"></a><a class="code" href="struct__AI__snort__alert.html#a6b323c07ae501d221e330e13646a96a3">00112</a>         <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a>        <a class="code" href="struct__AI__snort__alert.html#a6b323c07ae501d221e330e13646a96a3">dst_port</a>;
+<a name="l00113"></a><a class="code" href="struct__AI__snort__alert.html#acb20c4c55149d5806d7523720786ab77">00113</a>         <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a>        <a class="code" href="struct__AI__snort__alert.html#acb20c4c55149d5806d7523720786ab77">sequence</a>;
+<a name="l00114"></a><a class="code" href="struct__AI__snort__alert.html#a2b185c678d3a7f1207b2119b0b567c37">00114</a>         <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a>        <a class="code" href="struct__AI__snort__alert.html#a2b185c678d3a7f1207b2119b0b567c37">ack</a>;
+<a name="l00115"></a><a class="code" href="struct__AI__snort__alert.html#aa643f11db93b70242b57f0a04775e507">00115</a>         <a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a>         <a class="code" href="struct__AI__snort__alert.html#aa643f11db93b70242b57f0a04775e507">tcp_flags</a>;
+<a name="l00116"></a><a class="code" href="struct__AI__snort__alert.html#a63e94be3d248cf4beb0d4d5ab75331b1">00116</a>         <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a>        <a class="code" href="struct__AI__snort__alert.html#a63e94be3d248cf4beb0d4d5ab75331b1">window</a>;
+<a name="l00117"></a><a class="code" href="struct__AI__snort__alert.html#a519a103f5e8f1cb006c0c137b7c6a1c0">00117</a>         <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a>        <a class="code" href="struct__AI__snort__alert.html#a519a103f5e8f1cb006c0c137b7c6a1c0">tcplen</a>;
+<a name="l00118"></a>00118 
+<a name="l00119"></a>00119         <span class="comment">/* Reference to the TCP stream</span>
+<a name="l00120"></a>00120 <span class="comment">         * associated to the alert, if any */</span>
+<a name="l00121"></a><a class="code" href="struct__AI__snort__alert.html#a09dfe0a841fd3912ec78060d4547cb31">00121</a>         <span class="keyword">struct </span><a class="code" href="structpkt__info.html">pkt_info</a> *<a class="code" href="struct__AI__snort__alert.html#a09dfe0a841fd3912ec78060d4547cb31">stream</a>;
+<a name="l00122"></a>00122 
+<a name="l00123"></a>00123         <span class="comment">/* Pointer to the next alert in</span>
+<a name="l00124"></a>00124 <span class="comment">         * the log, if any*/</span>
+<a name="l00125"></a><a class="code" href="struct__AI__snort__alert.html#aa8336d4b3359015ed8ea312ca1fd1173">00125</a>         <span class="keyword">struct </span><a class="code" href="struct__AI__snort__alert.html">_AI_snort_alert</a> *<a class="code" href="struct__AI__snort__alert.html#aa8336d4b3359015ed8ea312ca1fd1173">next</a>;
+<a name="l00126"></a>00126 
+<a name="l00127"></a>00127         <span class="comment">/* Hierarchies for addresses and ports,</span>
+<a name="l00128"></a>00128 <span class="comment">         * if the clustering algorithm is used */</span>
+<a name="l00129"></a><a class="code" href="struct__AI__snort__alert.html#ac53765584296ead1328eabfaba8a3aed">00129</a>         <a class="code" href="struct__hierarchy__node.html">hierarchy_node</a>  *<a class="code" href="struct__AI__snort__alert.html#ac53765584296ead1328eabfaba8a3aed">h_node</a>[CLUSTER_TYPES];
+<a name="l00130"></a>00130 
+<a name="l00131"></a>00131         <span class="comment">/* If the clustering algorithm is used,</span>
+<a name="l00132"></a>00132 <span class="comment">         * we also count how many alerts this</span>
+<a name="l00133"></a>00133 <span class="comment">         * single alert groups */</span>
+<a name="l00134"></a><a class="code" href="struct__AI__snort__alert.html#a285aff12d6bac03c316ccc5305d28e53">00134</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span>    <a class="code" href="struct__AI__snort__alert.html#a285aff12d6bac03c316ccc5305d28e53">grouped_alarms_count</a>;
+<a name="l00135"></a>00135 } <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a>;
+<a name="l00136"></a>00136 
+<a name="l00137"></a>00137 <span class="keywordtype">int</span>                <a class="code" href="regex_8c.html#a35f57c052a7de1ded54b67a1f7819791" title="Check if a string matches a regular expression.">preg_match</a> ( <span class="keyword">const</span> <span class="keywordtype">char</span>*, <span class="keywordtype">char</span>*, <span class="keywordtype">char</span>***, <span class="keywordtype">int</span>* );
+<a name="l00138"></a>00138 
+<a name="l00139"></a>00139 <span class="keywordtype">void</span>*              <a class="code" href="spp__ai_8h.html#ad56f71be823eead743972274b99c82ff" title="Thread called for cleaning up the hash table from the traffic streams older than a certain threshold...">AI_hashcleanup_thread</a> ( <span class="keywordtype">void</span>* );
+<a name="l00140"></a>00140 <span class="keywordtype">void</span>*              <a class="code" href="alert__parser_8c.html#ad68c45b5846743a54ad3fa92c8e48f8a" title="Thread for parsing Snort&amp;#39;s alert file.">AI_alertparser_thread</a> ( <span class="keywordtype">void</span>* );
+<a name="l00141"></a>00141 
+<a name="l00142"></a>00142 <span class="keywordtype">void</span>               <a class="code" href="spp__ai_8h.html#af6f7d167c3623bbc669e8d31c2719b29" title="Function called for appending a new packet to the hash table, creating a new stream or appending it t...">AI_pkt_enqueue</a> ( SFSnortPacket* );
+<a name="l00143"></a>00143 <span class="keywordtype">void</span>               <a class="code" href="spp__ai_8h.html#a8749989cee2ac05a7de058faac280c02" title="Set the flag &amp;quot;observed&amp;quot; on a stream associated to a security alert, so that it won&amp;#39;t be...">AI_set_stream_observed</a> ( <span class="keyword">struct</span> <a class="code" href="structpkt__key.html">pkt_key</a> key );
+<a name="l00144"></a>00144 <span class="keywordtype">void</span>               <a class="code" href="cluster_8c.html#a1445818b37483f78cc3fb2890155842c" title="Build the clustering hierarchy trees.">AI_hierarchies_build</a> ( <a class="code" href="structAI__config.html">AI_config</a>*, <a class="code" href="struct__hierarchy__node.html">hierarchy_node</a>**, <span class="keywordtype">int</span> );
+<a name="l00145"></a>00145 
+<a name="l00146"></a>00146 <span class="keyword">struct </span><a class="code" href="structpkt__info.html">pkt_info</a>*   <a class="code" href="spp__ai_8h.html#a3054f06297a9caefd4d9b1283bb8b69a" title="Get a TCP stream by key.">AI_get_stream_by_key</a> ( <span class="keyword">struct</span> <a class="code" href="structpkt__key.html">pkt_key</a> );
+<a name="l00147"></a>00147 <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a>*    <a class="code" href="alert__parser_8c.html#a99474495643197b3075ac22ec6f6c70f" title="Return the alerts parsed so far as a linked list.">AI_get_alerts</a> ( <span class="keywordtype">void</span> );
+<a name="l00148"></a>00148 <span class="keywordtype">void</span>               <a class="code" href="alert__parser_8c.html#a270e86669a0aa64a8da37bc16cda645b" title="Deallocate the memory of a log alert linked list.">AI_free_alerts</a> ( <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a> *node );
+<a name="l00149"></a>00149 
+<a name="l00150"></a>00150 <span class="preprocessor">#endif  </span><span class="comment">/* _SPP_AI_H */</span>
+<a name="l00151"></a>00151 
 </pre></div></div>
 </div>
 <!--- window showing the filter options -->
@@ -107,7 +216,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Wed Aug 4 2010 11:30:57 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/stream_8c.html b/doc/html/stream_8c.html
index ad4c66a..7330351 100644
--- a/doc/html/stream_8c.html
+++ b/doc/html/stream_8c.html
@@ -47,7 +47,6 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </div>
 <div class="header">
   <div class="summary">
-<a href="#nested-classes">Data Structures</a> &#124;
 <a href="#func-members">Functions</a> &#124;
 <a href="#var-members">Variables</a>  </div>
   <div class="headertitle">
@@ -55,42 +54,40 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </div>
 <div class="contents">
 <code>#include &quot;<a class="el" href="spp__ai_8h_source.html">spp_ai.h</a>&quot;</code><br/>
-<code>#include &quot;uthash.h&quot;</code><br/>
 <code>#include &lt;stdio.h&gt;</code><br/>
 <code>#include &lt;stdlib.h&gt;</code><br/>
-<code>#include &lt;string.h&gt;</code><br/>
 <code>#include &lt;time.h&gt;</code><br/>
 <code>#include &lt;unistd.h&gt;</code><br/>
-<code>#include &lt;arpa/inet.h&gt;</code><br/>
 <table class="memberdecls">
-<tr><td colspan="2"><h2><a name="nested-classes"></a>
-Data Structures</h2></td></tr>
-<tr><td class="memItemLeft" align="right" valign="top">struct &nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structpkt__key.html">pkt_key</a></td></tr>
-<tr><td class="memItemLeft" align="right" valign="top">struct &nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structpkt__info.html">pkt_info</a></td></tr>
 <tr><td colspan="2"><h2><a name="func-members"></a>
 Functions</h2></td></tr>
-<tr><td class="memItemLeft" align="right" valign="top">static void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="stream_8c.html#a2a0c295a6828df716311977538cabd4a">_AI_stream_free</a> (struct <a class="el" href="structpkt__info.html">pkt_info</a> *stream)</td></tr>
-<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Remove a stream from the hash table (private function).  <a href="#a2a0c295a6828df716311977538cabd4a"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="stream_8c.html#a80016adf701c717a6ebfb5b15b8a5749">_AI_stream_free</a> (struct <a class="el" href="structpkt__info.html">pkt_info</a> *stream)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Remove a stream from the hash table (private function).  <a href="#a80016adf701c717a6ebfb5b15b8a5749"></a><br/></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">void *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="stream_8c.html#a24b1131374e5059564b8a12380c4eb75">AI_hashcleanup_thread</a> (void *arg)</td></tr>
 <tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Thread called for cleaning up the hash table from the traffic streams older than a certain threshold.  <a href="#a24b1131374e5059564b8a12380c4eb75"></a><br/></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="stream_8c.html#a7d71c5645b9baff7b6c4b9a181bf80c5">AI_pkt_enqueue</a> (SFSnortPacket *pkt)</td></tr>
 <tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Function called for appending a new packet to the hash table, creating a new stream or appending it to an existing stream.  <a href="#a7d71c5645b9baff7b6c4b9a181bf80c5"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">struct <a class="el" href="structpkt__info.html">pkt_info</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="stream_8c.html#a2efedcabbfd12c5345f0c93a3dd4735c">AI_get_stream_by_key</a> (struct <a class="el" href="structpkt__key.html">pkt_key</a> key)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Get a TCP stream by key.  <a href="#a2efedcabbfd12c5345f0c93a3dd4735c"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="stream_8c.html#a8749989cee2ac05a7de058faac280c02">AI_set_stream_observed</a> (struct <a class="el" href="structpkt__key.html">pkt_key</a> key)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Set the flag "observed" on a stream associated to a security alert, so that it won't be removed from the hash table.  <a href="#a8749989cee2ac05a7de058faac280c02"></a><br/></td></tr>
 <tr><td colspan="2"><h2><a name="var-members"></a>
 Variables</h2></td></tr>
-<tr><td class="memItemLeft" align="right" valign="top">static struct <a class="el" href="structpkt__info.html">pkt_info</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="stream_8c.html#a96fbc549c67e0d852ced3cb72980e923">hash</a> = NULL</td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE struct <a class="el" href="structpkt__info.html">pkt_info</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="stream_8c.html#a57e23cda853e9d11c37723a962ef2f68">hash</a> = NULL</td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE time_t&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="stream_8c.html#a0597864b078ff448f28432db86950309">start_time</a> = 0</td></tr>
 </table>
 <hr/><h2>Function Documentation</h2>
-<a class="anchor" id="a2a0c295a6828df716311977538cabd4a"></a><!-- doxytag: member="stream.c::_AI_stream_free" ref="a2a0c295a6828df716311977538cabd4a" args="(struct pkt_info *stream)" -->
+<a class="anchor" id="a80016adf701c717a6ebfb5b15b8a5749"></a><!-- doxytag: member="stream.c::_AI_stream_free" ref="a80016adf701c717a6ebfb5b15b8a5749" args="(struct pkt_info *stream)" -->
 <div class="memitem">
 <div class="memproto">
       <table class="memname">
         <tr>
-          <td class="memname">static void _AI_stream_free </td>
+          <td class="memname">PRIVATE void _AI_stream_free </td>
           <td>(</td>
           <td class="paramtype">struct <a class="el" href="structpkt__info.html">pkt_info</a> *&nbsp;</td>
           <td class="paramname"> <em>stream</em></td>
           <td>&nbsp;)&nbsp;</td>
-          <td><code> [static]</code></td>
+          <td></td>
         </tr>
       </table>
 </div>
@@ -105,6 +102,34 @@ Variables</h2></td></tr>
   </dd>
 </dl>
 
+</div>
+</div>
+<a class="anchor" id="a2efedcabbfd12c5345f0c93a3dd4735c"></a><!-- doxytag: member="stream.c::AI_get_stream_by_key" ref="a2efedcabbfd12c5345f0c93a3dd4735c" args="(struct pkt_key key)" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">struct <a class="el" href="structpkt__info.html">pkt_info</a>* AI_get_stream_by_key </td>
+          <td>(</td>
+          <td class="paramtype">struct <a class="el" href="structpkt__key.html">pkt_key</a>&nbsp;</td>
+          <td class="paramname"> <em>key</em></td>
+          <td>&nbsp;)&nbsp;</td>
+          <td><code> [read]</code></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+<p>Get a TCP stream by key. </p>
+<p>FUNCTION: AI_get_stream_by_key </p>
+<dl><dt><b>Parameters:</b></dt><dd>
+  <table border="0" cellspacing="2" cellpadding="0">
+    <tr><td valign="top"></td><td valign="top"><em>key</em>&nbsp;</td><td>Key of the stream to be picked up (struct <a class="el" href="structpkt__key.html">pkt_key</a>) </td></tr>
+  </table>
+  </dd>
+</dl>
+<dl class="return"><dt><b>Returns:</b></dt><dd>A <a class="el" href="structpkt__info.html">pkt_info</a> pointer to the stream if found, NULL otherwise </dd></dl>
+
 </div>
 </div>
 <a class="anchor" id="a24b1131374e5059564b8a12380c4eb75"></a><!-- doxytag: member="stream.c::AI_hashcleanup_thread" ref="a24b1131374e5059564b8a12380c4eb75" args="(void *arg)" -->
@@ -127,7 +152,7 @@ Variables</h2></td></tr>
 <p>FUNCTION: AI_hashcleanup_thread </p>
 <dl><dt><b>Parameters:</b></dt><dd>
   <table border="0" cellspacing="2" cellpadding="0">
-    <tr><td valign="top"></td><td valign="top"><em>arg</em>&nbsp;</td><td>Pointer to the AI_config struct </td></tr>
+    <tr><td valign="top"></td><td valign="top"><em>arg</em>&nbsp;</td><td>Pointer to the <a class="el" href="structAI__config.html">AI_config</a> struct </td></tr>
   </table>
   </dd>
 </dl>
@@ -161,13 +186,53 @@ Variables</h2></td></tr>
 
 </div>
 </div>
-<hr/><h2>Variable Documentation</h2>
-<a class="anchor" id="a96fbc549c67e0d852ced3cb72980e923"></a><!-- doxytag: member="stream.c::hash" ref="a96fbc549c67e0d852ced3cb72980e923" args="" -->
+<a class="anchor" id="a8749989cee2ac05a7de058faac280c02"></a><!-- doxytag: member="stream.c::AI_set_stream_observed" ref="a8749989cee2ac05a7de058faac280c02" args="(struct pkt_key key)" -->
 <div class="memitem">
 <div class="memproto">
       <table class="memname">
         <tr>
-          <td class="memname">struct <a class="el" href="structpkt__info.html">pkt_info</a>* <a class="el" href="stream_8c.html#a96fbc549c67e0d852ced3cb72980e923">hash</a> = NULL<code> [static]</code></td>
+          <td class="memname">void AI_set_stream_observed </td>
+          <td>(</td>
+          <td class="paramtype">struct <a class="el" href="structpkt__key.html">pkt_key</a>&nbsp;</td>
+          <td class="paramname"> <em>key</em></td>
+          <td>&nbsp;)&nbsp;</td>
+          <td></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+<p>Set the flag "observed" on a stream associated to a security alert, so that it won't be removed from the hash table. </p>
+<p>FUNCTION: AI_set_stream_observed </p>
+<dl><dt><b>Parameters:</b></dt><dd>
+  <table border="0" cellspacing="2" cellpadding="0">
+    <tr><td valign="top"></td><td valign="top"><em>key</em>&nbsp;</td><td>Key of the stream to be set as "observed" </td></tr>
+  </table>
+  </dd>
+</dl>
+
+</div>
+</div>
+<hr/><h2>Variable Documentation</h2>
+<a class="anchor" id="a57e23cda853e9d11c37723a962ef2f68"></a><!-- doxytag: member="stream.c::hash" ref="a57e23cda853e9d11c37723a962ef2f68" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">PRIVATE struct <a class="el" href="structpkt__info.html">pkt_info</a>* <a class="el" href="stream_8c.html#a57e23cda853e9d11c37723a962ef2f68">hash</a> = NULL</td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a0597864b078ff448f28432db86950309"></a><!-- doxytag: member="stream.c::start_time" ref="a0597864b078ff448f28432db86950309" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">PRIVATE time_t <a class="el" href="stream_8c.html#a0597864b078ff448f28432db86950309">start_time</a> = 0</td>
         </tr>
       </table>
 </div>
@@ -190,7 +255,7 @@ Variables</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Wed Aug 4 2010 11:30:57 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/structAI__config.html b/doc/html/structAI__config.html
new file mode 100644
index 0000000..5eff9d3
--- /dev/null
+++ b/doc/html/structAI__config.html
@@ -0,0 +1,155 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<title>Snort AI preprocessor module: AI_config Struct Reference</title>
+<link href="tabs.css" rel="stylesheet" type="text/css"/>
+<link href="search/search.css" rel="stylesheet" type="text/css"/>
+<script type="text/javaScript" src="search/search.js"></script>
+<link href="doxygen.css" rel="stylesheet" type="text/css"/>
+</head>
+<body onload='searchBox.OnSelectItem(0);'>
+<!-- Generated by Doxygen 1.7.1 -->
+<script type="text/javascript"><!--
+var searchBox = new SearchBox("searchBox", "search",false,'Search');
+--></script>
+<div class="navigation" id="top">
+  <div class="tabs">
+    <ul class="tablist">
+      <li><a href="index.html"><span>Main&nbsp;Page</span></a></li>
+      <li><a href="modules.html"><span>Modules</span></a></li>
+      <li class="current"><a href="annotated.html"><span>Data&nbsp;Structures</span></a></li>
+      <li><a href="files.html"><span>Files</span></a></li>
+      <li id="searchli">
+        <div id="MSearchBox" class="MSearchBoxInactive">
+        <span class="left">
+          <img id="MSearchSelect" src="search/mag_sel.png"
+               onmouseover="return searchBox.OnSearchSelectShow()"
+               onmouseout="return searchBox.OnSearchSelectHide()"
+               alt=""/>
+          <input type="text" id="MSearchField" value="Search" accesskey="S"
+               onfocus="searchBox.OnSearchFieldFocus(true)" 
+               onblur="searchBox.OnSearchFieldFocus(false)" 
+               onkeyup="searchBox.OnSearchFieldChange(event)"/>
+          </span><span class="right">
+            <a id="MSearchClose" href="javascript:searchBox.CloseResultsWindow()"><img id="MSearchCloseImg" border="0" src="search/close.png" alt=""/></a>
+          </span>
+        </div>
+      </li>
+    </ul>
+  </div>
+  <div class="tabs2">
+    <ul class="tablist">
+      <li><a href="annotated.html"><span>Data&nbsp;Structures</span></a></li>
+      <li><a href="classes.html"><span>Data&nbsp;Structure&nbsp;Index</span></a></li>
+      <li><a href="functions.html"><span>Data&nbsp;Fields</span></a></li>
+    </ul>
+  </div>
+</div>
+<div class="header">
+  <div class="summary">
+<a href="#pub-attribs">Data Fields</a>  </div>
+  <div class="headertitle">
+<h1>AI_config Struct Reference</h1>  </div>
+</div>
+<div class="contents">
+<!-- doxytag: class="AI_config" -->
+<p><code>#include &lt;<a class="el" href="spp__ai_8h_source.html">spp_ai.h</a>&gt;</code></p>
+<table class="memberdecls">
+<tr><td colspan="2"><h2><a name="pub-attribs"></a>
+Data Fields</h2></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">unsigned long&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#a9f7680615027d4fb74b4aa144a7028a4">hashCleanupInterval</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">unsigned long&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#abbe77d5f94b8c5164bea47acba09c98b">streamExpireInterval</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">unsigned long&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#a7d0d098b8263aa3d8415b11d1ec7f93d">alertClusteringInterval</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">char&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#a2efa9590d7eea6dce8b5dd9aa76ed8ca">alertfile</a> [1024]</td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">char&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#a6da02a3f7116fd3810a41b738e8883a3">clusterfile</a> [1024]</td></tr>
+</table>
+<hr/><h2>Field Documentation</h2>
+<a class="anchor" id="a7d0d098b8263aa3d8415b11d1ec7f93d"></a><!-- doxytag: member="AI_config::alertClusteringInterval" ref="a7d0d098b8263aa3d8415b11d1ec7f93d" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">unsigned long <a class="el" href="structAI__config.html#a7d0d098b8263aa3d8415b11d1ec7f93d">AI_config::alertClusteringInterval</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a2efa9590d7eea6dce8b5dd9aa76ed8ca"></a><!-- doxytag: member="AI_config::alertfile" ref="a2efa9590d7eea6dce8b5dd9aa76ed8ca" args="[1024]" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">char <a class="el" href="structAI__config.html#a2efa9590d7eea6dce8b5dd9aa76ed8ca">AI_config::alertfile</a>[1024]</td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a6da02a3f7116fd3810a41b738e8883a3"></a><!-- doxytag: member="AI_config::clusterfile" ref="a6da02a3f7116fd3810a41b738e8883a3" args="[1024]" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">char <a class="el" href="structAI__config.html#a6da02a3f7116fd3810a41b738e8883a3">AI_config::clusterfile</a>[1024]</td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a9f7680615027d4fb74b4aa144a7028a4"></a><!-- doxytag: member="AI_config::hashCleanupInterval" ref="a9f7680615027d4fb74b4aa144a7028a4" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">unsigned long <a class="el" href="structAI__config.html#a9f7680615027d4fb74b4aa144a7028a4">AI_config::hashCleanupInterval</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="abbe77d5f94b8c5164bea47acba09c98b"></a><!-- doxytag: member="AI_config::streamExpireInterval" ref="abbe77d5f94b8c5164bea47acba09c98b" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">unsigned long <a class="el" href="structAI__config.html#abbe77d5f94b8c5164bea47acba09c98b">AI_config::streamExpireInterval</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<hr/>The documentation for this struct was generated from the following file:<ul>
+<li><a class="el" href="spp__ai_8h_source.html">spp_ai.h</a></li>
+</ul>
+</div>
+<!--- window showing the filter options -->
+<div id="MSearchSelectWindow"
+     onmouseover="return searchBox.OnSearchSelectShow()"
+     onmouseout="return searchBox.OnSearchSelectHide()"
+     onkeydown="return searchBox.OnSearchSelectKey(event)">
+<a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(0)"><span class="SelectionMark">&nbsp;</span>All</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(1)"><span class="SelectionMark">&nbsp;</span>Data Structures</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(2)"><span class="SelectionMark">&nbsp;</span>Files</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(3)"><span class="SelectionMark">&nbsp;</span>Functions</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(4)"><span class="SelectionMark">&nbsp;</span>Variables</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(5)"><span class="SelectionMark">&nbsp;</span>Typedefs</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(6)"><span class="SelectionMark">&nbsp;</span>Enumerations</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(7)"><span class="SelectionMark">&nbsp;</span>Enumerator</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(8)"><span class="SelectionMark">&nbsp;</span>Defines</a></div>
+
+<!-- iframe showing the search results (closed by default) -->
+<div id="MSearchResultsWindow">
+<iframe src="" frameborder="0" 
+        name="MSearchResults" id="MSearchResults">
+</iframe>
+</div>
+
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
+<a href="http://www.doxygen.org/index.html">
+<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
+</body>
+</html>
diff --git a/doc/html/struct__AI__snort__alert.html b/doc/html/struct__AI__snort__alert.html
new file mode 100644
index 0000000..e8d179e
--- /dev/null
+++ b/doc/html/struct__AI__snort__alert.html
@@ -0,0 +1,435 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<title>Snort AI preprocessor module: _AI_snort_alert Struct Reference</title>
+<link href="tabs.css" rel="stylesheet" type="text/css"/>
+<link href="search/search.css" rel="stylesheet" type="text/css"/>
+<script type="text/javaScript" src="search/search.js"></script>
+<link href="doxygen.css" rel="stylesheet" type="text/css"/>
+</head>
+<body onload='searchBox.OnSelectItem(0);'>
+<!-- Generated by Doxygen 1.7.1 -->
+<script type="text/javascript"><!--
+var searchBox = new SearchBox("searchBox", "search",false,'Search');
+--></script>
+<div class="navigation" id="top">
+  <div class="tabs">
+    <ul class="tablist">
+      <li><a href="index.html"><span>Main&nbsp;Page</span></a></li>
+      <li><a href="modules.html"><span>Modules</span></a></li>
+      <li class="current"><a href="annotated.html"><span>Data&nbsp;Structures</span></a></li>
+      <li><a href="files.html"><span>Files</span></a></li>
+      <li id="searchli">
+        <div id="MSearchBox" class="MSearchBoxInactive">
+        <span class="left">
+          <img id="MSearchSelect" src="search/mag_sel.png"
+               onmouseover="return searchBox.OnSearchSelectShow()"
+               onmouseout="return searchBox.OnSearchSelectHide()"
+               alt=""/>
+          <input type="text" id="MSearchField" value="Search" accesskey="S"
+               onfocus="searchBox.OnSearchFieldFocus(true)" 
+               onblur="searchBox.OnSearchFieldFocus(false)" 
+               onkeyup="searchBox.OnSearchFieldChange(event)"/>
+          </span><span class="right">
+            <a id="MSearchClose" href="javascript:searchBox.CloseResultsWindow()"><img id="MSearchCloseImg" border="0" src="search/close.png" alt=""/></a>
+          </span>
+        </div>
+      </li>
+    </ul>
+  </div>
+  <div class="tabs2">
+    <ul class="tablist">
+      <li><a href="annotated.html"><span>Data&nbsp;Structures</span></a></li>
+      <li><a href="classes.html"><span>Data&nbsp;Structure&nbsp;Index</span></a></li>
+      <li><a href="functions.html"><span>Data&nbsp;Fields</span></a></li>
+    </ul>
+  </div>
+</div>
+<div class="header">
+  <div class="summary">
+<a href="#pub-attribs">Data Fields</a>  </div>
+  <div class="headertitle">
+<h1>_AI_snort_alert Struct Reference</h1>  </div>
+</div>
+<div class="contents">
+<!-- doxytag: class="_AI_snort_alert" -->
+<p><code>#include &lt;<a class="el" href="spp__ai_8h_source.html">spp_ai.h</a>&gt;</code></p>
+<table class="memberdecls">
+<tr><td colspan="2"><h2><a name="pub-attribs"></a>
+Data Fields</h2></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">unsigned int&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#af8408be5da59cda853442dd13465c0f6">gid</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">unsigned int&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#a3349aa68d2234f8ffd897367c3a8a137">sid</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">unsigned int&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#a864d3baa48586d6a31639f4cd27d9d37">rev</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">unsigned short&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9">priority</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">char *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135">desc</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">char *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#aa89585e14acb2c4e684a1552d322632f">classification</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">time_t&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#a10a67f60ca3da339a2104849a0b2ac19">timestamp</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a>&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#a882ae6db43dc0fe08071947ccb044b93">tos</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a>&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#a523ef8842d01a1bc4ea3c0bf27518e78">iplen</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a>&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#a45e4acf90450a5f9efd4e0c290f84bcf">id</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a>&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#ab9b1ce8ee440a324af116403ac9c51a2">ttl</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a>&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#a2a5f2741918c3c13890f2b617a7f23a4">ipproto</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a>&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#ab16a24f368020e4b40e65b53cae33b48">src_addr</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a>&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#a69cc2ba171c8c808a0b45caa9426cd8c">dst_addr</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a>&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#a856cccd3eaabd38aa9974f26d3edc5e3">src_port</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a>&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#a6b323c07ae501d221e330e13646a96a3">dst_port</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a>&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#acb20c4c55149d5806d7523720786ab77">sequence</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a>&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#a2b185c678d3a7f1207b2119b0b567c37">ack</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a>&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#aa643f11db93b70242b57f0a04775e507">tcp_flags</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a>&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#a63e94be3d248cf4beb0d4d5ab75331b1">window</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a>&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#a519a103f5e8f1cb006c0c137b7c6a1c0">tcplen</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">struct <a class="el" href="structpkt__info.html">pkt_info</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#a09dfe0a841fd3912ec78060d4547cb31">stream</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">struct <a class="el" href="struct__AI__snort__alert.html">_AI_snort_alert</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#aa8336d4b3359015ed8ea312ca1fd1173">next</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="struct__hierarchy__node.html">hierarchy_node</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#ac53765584296ead1328eabfaba8a3aed">h_node</a> [CLUSTER_TYPES]</td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">unsigned int&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#a285aff12d6bac03c316ccc5305d28e53">grouped_alarms_count</a></td></tr>
+</table>
+<hr/><h2>Field Documentation</h2>
+<a class="anchor" id="a2b185c678d3a7f1207b2119b0b567c37"></a><!-- doxytag: member="_AI_snort_alert::ack" ref="a2b185c678d3a7f1207b2119b0b567c37" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname"><a class="el" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a> <a class="el" href="struct__AI__snort__alert.html#a2b185c678d3a7f1207b2119b0b567c37">_AI_snort_alert::ack</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="aa89585e14acb2c4e684a1552d322632f"></a><!-- doxytag: member="_AI_snort_alert::classification" ref="aa89585e14acb2c4e684a1552d322632f" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">char* <a class="el" href="struct__AI__snort__alert.html#aa89585e14acb2c4e684a1552d322632f">_AI_snort_alert::classification</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="ac0902d7c756ec675fb06347ce4706135"></a><!-- doxytag: member="_AI_snort_alert::desc" ref="ac0902d7c756ec675fb06347ce4706135" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">char* <a class="el" href="struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135">_AI_snort_alert::desc</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a69cc2ba171c8c808a0b45caa9426cd8c"></a><!-- doxytag: member="_AI_snort_alert::dst_addr" ref="a69cc2ba171c8c808a0b45caa9426cd8c" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname"><a class="el" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a> <a class="el" href="struct__AI__snort__alert.html#a69cc2ba171c8c808a0b45caa9426cd8c">_AI_snort_alert::dst_addr</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a6b323c07ae501d221e330e13646a96a3"></a><!-- doxytag: member="_AI_snort_alert::dst_port" ref="a6b323c07ae501d221e330e13646a96a3" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname"><a class="el" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="el" href="struct__AI__snort__alert.html#a6b323c07ae501d221e330e13646a96a3">_AI_snort_alert::dst_port</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="af8408be5da59cda853442dd13465c0f6"></a><!-- doxytag: member="_AI_snort_alert::gid" ref="af8408be5da59cda853442dd13465c0f6" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">unsigned int <a class="el" href="struct__AI__snort__alert.html#af8408be5da59cda853442dd13465c0f6">_AI_snort_alert::gid</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a285aff12d6bac03c316ccc5305d28e53"></a><!-- doxytag: member="_AI_snort_alert::grouped_alarms_count" ref="a285aff12d6bac03c316ccc5305d28e53" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">unsigned int <a class="el" href="struct__AI__snort__alert.html#a285aff12d6bac03c316ccc5305d28e53">_AI_snort_alert::grouped_alarms_count</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="ac53765584296ead1328eabfaba8a3aed"></a><!-- doxytag: member="_AI_snort_alert::h_node" ref="ac53765584296ead1328eabfaba8a3aed" args="[CLUSTER_TYPES]" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname"><a class="el" href="struct__hierarchy__node.html">hierarchy_node</a>* <a class="el" href="struct__AI__snort__alert.html#ac53765584296ead1328eabfaba8a3aed">_AI_snort_alert::h_node</a>[CLUSTER_TYPES]</td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a45e4acf90450a5f9efd4e0c290f84bcf"></a><!-- doxytag: member="_AI_snort_alert::id" ref="a45e4acf90450a5f9efd4e0c290f84bcf" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname"><a class="el" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="el" href="struct__AI__snort__alert.html#a45e4acf90450a5f9efd4e0c290f84bcf">_AI_snort_alert::id</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a523ef8842d01a1bc4ea3c0bf27518e78"></a><!-- doxytag: member="_AI_snort_alert::iplen" ref="a523ef8842d01a1bc4ea3c0bf27518e78" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname"><a class="el" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="el" href="struct__AI__snort__alert.html#a523ef8842d01a1bc4ea3c0bf27518e78">_AI_snort_alert::iplen</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a2a5f2741918c3c13890f2b617a7f23a4"></a><!-- doxytag: member="_AI_snort_alert::ipproto" ref="a2a5f2741918c3c13890f2b617a7f23a4" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname"><a class="el" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a> <a class="el" href="struct__AI__snort__alert.html#a2a5f2741918c3c13890f2b617a7f23a4">_AI_snort_alert::ipproto</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="aa8336d4b3359015ed8ea312ca1fd1173"></a><!-- doxytag: member="_AI_snort_alert::next" ref="aa8336d4b3359015ed8ea312ca1fd1173" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">struct <a class="el" href="struct__AI__snort__alert.html">_AI_snort_alert</a>* <a class="el" href="struct__AI__snort__alert.html#aa8336d4b3359015ed8ea312ca1fd1173">_AI_snort_alert::next</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a25661fa4e212c5e30af5e6a892985ec9"></a><!-- doxytag: member="_AI_snort_alert::priority" ref="a25661fa4e212c5e30af5e6a892985ec9" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">unsigned short <a class="el" href="struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9">_AI_snort_alert::priority</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a864d3baa48586d6a31639f4cd27d9d37"></a><!-- doxytag: member="_AI_snort_alert::rev" ref="a864d3baa48586d6a31639f4cd27d9d37" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">unsigned int <a class="el" href="struct__AI__snort__alert.html#a864d3baa48586d6a31639f4cd27d9d37">_AI_snort_alert::rev</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="acb20c4c55149d5806d7523720786ab77"></a><!-- doxytag: member="_AI_snort_alert::sequence" ref="acb20c4c55149d5806d7523720786ab77" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname"><a class="el" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a> <a class="el" href="struct__AI__snort__alert.html#acb20c4c55149d5806d7523720786ab77">_AI_snort_alert::sequence</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a3349aa68d2234f8ffd897367c3a8a137"></a><!-- doxytag: member="_AI_snort_alert::sid" ref="a3349aa68d2234f8ffd897367c3a8a137" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">unsigned int <a class="el" href="struct__AI__snort__alert.html#a3349aa68d2234f8ffd897367c3a8a137">_AI_snort_alert::sid</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="ab16a24f368020e4b40e65b53cae33b48"></a><!-- doxytag: member="_AI_snort_alert::src_addr" ref="ab16a24f368020e4b40e65b53cae33b48" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname"><a class="el" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a> <a class="el" href="struct__AI__snort__alert.html#ab16a24f368020e4b40e65b53cae33b48">_AI_snort_alert::src_addr</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a856cccd3eaabd38aa9974f26d3edc5e3"></a><!-- doxytag: member="_AI_snort_alert::src_port" ref="a856cccd3eaabd38aa9974f26d3edc5e3" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname"><a class="el" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="el" href="struct__AI__snort__alert.html#a856cccd3eaabd38aa9974f26d3edc5e3">_AI_snort_alert::src_port</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a09dfe0a841fd3912ec78060d4547cb31"></a><!-- doxytag: member="_AI_snort_alert::stream" ref="a09dfe0a841fd3912ec78060d4547cb31" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">struct <a class="el" href="structpkt__info.html">pkt_info</a>* <a class="el" href="struct__AI__snort__alert.html#a09dfe0a841fd3912ec78060d4547cb31">_AI_snort_alert::stream</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="aa643f11db93b70242b57f0a04775e507"></a><!-- doxytag: member="_AI_snort_alert::tcp_flags" ref="aa643f11db93b70242b57f0a04775e507" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname"><a class="el" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a> <a class="el" href="struct__AI__snort__alert.html#aa643f11db93b70242b57f0a04775e507">_AI_snort_alert::tcp_flags</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a519a103f5e8f1cb006c0c137b7c6a1c0"></a><!-- doxytag: member="_AI_snort_alert::tcplen" ref="a519a103f5e8f1cb006c0c137b7c6a1c0" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname"><a class="el" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="el" href="struct__AI__snort__alert.html#a519a103f5e8f1cb006c0c137b7c6a1c0">_AI_snort_alert::tcplen</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a10a67f60ca3da339a2104849a0b2ac19"></a><!-- doxytag: member="_AI_snort_alert::timestamp" ref="a10a67f60ca3da339a2104849a0b2ac19" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">time_t <a class="el" href="struct__AI__snort__alert.html#a10a67f60ca3da339a2104849a0b2ac19">_AI_snort_alert::timestamp</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a882ae6db43dc0fe08071947ccb044b93"></a><!-- doxytag: member="_AI_snort_alert::tos" ref="a882ae6db43dc0fe08071947ccb044b93" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname"><a class="el" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a> <a class="el" href="struct__AI__snort__alert.html#a882ae6db43dc0fe08071947ccb044b93">_AI_snort_alert::tos</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="ab9b1ce8ee440a324af116403ac9c51a2"></a><!-- doxytag: member="_AI_snort_alert::ttl" ref="ab9b1ce8ee440a324af116403ac9c51a2" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname"><a class="el" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a> <a class="el" href="struct__AI__snort__alert.html#ab9b1ce8ee440a324af116403ac9c51a2">_AI_snort_alert::ttl</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a63e94be3d248cf4beb0d4d5ab75331b1"></a><!-- doxytag: member="_AI_snort_alert::window" ref="a63e94be3d248cf4beb0d4d5ab75331b1" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname"><a class="el" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="el" href="struct__AI__snort__alert.html#a63e94be3d248cf4beb0d4d5ab75331b1">_AI_snort_alert::window</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<hr/>The documentation for this struct was generated from the following file:<ul>
+<li><a class="el" href="spp__ai_8h_source.html">spp_ai.h</a></li>
+</ul>
+</div>
+<!--- window showing the filter options -->
+<div id="MSearchSelectWindow"
+     onmouseover="return searchBox.OnSearchSelectShow()"
+     onmouseout="return searchBox.OnSearchSelectHide()"
+     onkeydown="return searchBox.OnSearchSelectKey(event)">
+<a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(0)"><span class="SelectionMark">&nbsp;</span>All</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(1)"><span class="SelectionMark">&nbsp;</span>Data Structures</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(2)"><span class="SelectionMark">&nbsp;</span>Files</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(3)"><span class="SelectionMark">&nbsp;</span>Functions</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(4)"><span class="SelectionMark">&nbsp;</span>Variables</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(5)"><span class="SelectionMark">&nbsp;</span>Typedefs</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(6)"><span class="SelectionMark">&nbsp;</span>Enumerations</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(7)"><span class="SelectionMark">&nbsp;</span>Enumerator</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(8)"><span class="SelectionMark">&nbsp;</span>Defines</a></div>
+
+<!-- iframe showing the search results (closed by default) -->
+<div id="MSearchResultsWindow">
+<iframe src="" frameborder="0" 
+        name="MSearchResults" id="MSearchResults">
+</iframe>
+</div>
+
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
+<a href="http://www.doxygen.org/index.html">
+<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
+</body>
+</html>
diff --git a/doc/html/struct__hierarchy__node.html b/doc/html/struct__hierarchy__node.html
new file mode 100644
index 0000000..12a2179
--- /dev/null
+++ b/doc/html/struct__hierarchy__node.html
@@ -0,0 +1,183 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<title>Snort AI preprocessor module: _hierarchy_node Struct Reference</title>
+<link href="tabs.css" rel="stylesheet" type="text/css"/>
+<link href="search/search.css" rel="stylesheet" type="text/css"/>
+<script type="text/javaScript" src="search/search.js"></script>
+<link href="doxygen.css" rel="stylesheet" type="text/css"/>
+</head>
+<body onload='searchBox.OnSelectItem(0);'>
+<!-- Generated by Doxygen 1.7.1 -->
+<script type="text/javascript"><!--
+var searchBox = new SearchBox("searchBox", "search",false,'Search');
+--></script>
+<div class="navigation" id="top">
+  <div class="tabs">
+    <ul class="tablist">
+      <li><a href="index.html"><span>Main&nbsp;Page</span></a></li>
+      <li><a href="modules.html"><span>Modules</span></a></li>
+      <li class="current"><a href="annotated.html"><span>Data&nbsp;Structures</span></a></li>
+      <li><a href="files.html"><span>Files</span></a></li>
+      <li id="searchli">
+        <div id="MSearchBox" class="MSearchBoxInactive">
+        <span class="left">
+          <img id="MSearchSelect" src="search/mag_sel.png"
+               onmouseover="return searchBox.OnSearchSelectShow()"
+               onmouseout="return searchBox.OnSearchSelectHide()"
+               alt=""/>
+          <input type="text" id="MSearchField" value="Search" accesskey="S"
+               onfocus="searchBox.OnSearchFieldFocus(true)" 
+               onblur="searchBox.OnSearchFieldFocus(false)" 
+               onkeyup="searchBox.OnSearchFieldChange(event)"/>
+          </span><span class="right">
+            <a id="MSearchClose" href="javascript:searchBox.CloseResultsWindow()"><img id="MSearchCloseImg" border="0" src="search/close.png" alt=""/></a>
+          </span>
+        </div>
+      </li>
+    </ul>
+  </div>
+  <div class="tabs2">
+    <ul class="tablist">
+      <li><a href="annotated.html"><span>Data&nbsp;Structures</span></a></li>
+      <li><a href="classes.html"><span>Data&nbsp;Structure&nbsp;Index</span></a></li>
+      <li><a href="functions.html"><span>Data&nbsp;Fields</span></a></li>
+    </ul>
+  </div>
+</div>
+<div class="header">
+  <div class="summary">
+<a href="#pub-attribs">Data Fields</a>  </div>
+  <div class="headertitle">
+<h1>_hierarchy_node Struct Reference</h1>  </div>
+</div>
+<div class="contents">
+<!-- doxytag: class="_hierarchy_node" -->
+<p><code>#include &lt;<a class="el" href="spp__ai_8h_source.html">spp_ai.h</a>&gt;</code></p>
+<table class="memberdecls">
+<tr><td colspan="2"><h2><a name="pub-attribs"></a>
+Data Fields</h2></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640">cluster_type</a>&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__hierarchy__node.html#a3b18e3ddfa2212c5e4ff9c0b4bde4296">type</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">char&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__hierarchy__node.html#ae498f6fd14ca058a3ae0a95d5425451a">label</a> [256]</td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">int&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__hierarchy__node.html#a13ceebd7b435b9ef347fb90d9e6bbfe4">min_val</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">int&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__hierarchy__node.html#a79ea88029938dc30ab8f159405d12c87">max_val</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">int&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__hierarchy__node.html#a849256ce1039e2cefaaf64d91171be0a">nchildren</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">struct <a class="el" href="struct__hierarchy__node.html">_hierarchy_node</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__hierarchy__node.html#a5c94c89d7e2aea393f1c550afb766bbe">parent</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">struct <a class="el" href="struct__hierarchy__node.html">_hierarchy_node</a> **&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__hierarchy__node.html#afc23d4fe6426873164cdaab2f3d4f0cd">children</a></td></tr>
+</table>
+<hr/><h2>Field Documentation</h2>
+<a class="anchor" id="afc23d4fe6426873164cdaab2f3d4f0cd"></a><!-- doxytag: member="_hierarchy_node::children" ref="afc23d4fe6426873164cdaab2f3d4f0cd" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">struct <a class="el" href="struct__hierarchy__node.html">_hierarchy_node</a>** <a class="el" href="struct__hierarchy__node.html#afc23d4fe6426873164cdaab2f3d4f0cd">_hierarchy_node::children</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="ae498f6fd14ca058a3ae0a95d5425451a"></a><!-- doxytag: member="_hierarchy_node::label" ref="ae498f6fd14ca058a3ae0a95d5425451a" args="[256]" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">char <a class="el" href="struct__hierarchy__node.html#ae498f6fd14ca058a3ae0a95d5425451a">_hierarchy_node::label</a>[256]</td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a79ea88029938dc30ab8f159405d12c87"></a><!-- doxytag: member="_hierarchy_node::max_val" ref="a79ea88029938dc30ab8f159405d12c87" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">int <a class="el" href="struct__hierarchy__node.html#a79ea88029938dc30ab8f159405d12c87">_hierarchy_node::max_val</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a13ceebd7b435b9ef347fb90d9e6bbfe4"></a><!-- doxytag: member="_hierarchy_node::min_val" ref="a13ceebd7b435b9ef347fb90d9e6bbfe4" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">int <a class="el" href="struct__hierarchy__node.html#a13ceebd7b435b9ef347fb90d9e6bbfe4">_hierarchy_node::min_val</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a849256ce1039e2cefaaf64d91171be0a"></a><!-- doxytag: member="_hierarchy_node::nchildren" ref="a849256ce1039e2cefaaf64d91171be0a" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">int <a class="el" href="struct__hierarchy__node.html#a849256ce1039e2cefaaf64d91171be0a">_hierarchy_node::nchildren</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a5c94c89d7e2aea393f1c550afb766bbe"></a><!-- doxytag: member="_hierarchy_node::parent" ref="a5c94c89d7e2aea393f1c550afb766bbe" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">struct <a class="el" href="struct__hierarchy__node.html">_hierarchy_node</a>* <a class="el" href="struct__hierarchy__node.html#a5c94c89d7e2aea393f1c550afb766bbe">_hierarchy_node::parent</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a3b18e3ddfa2212c5e4ff9c0b4bde4296"></a><!-- doxytag: member="_hierarchy_node::type" ref="a3b18e3ddfa2212c5e4ff9c0b4bde4296" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname"><a class="el" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640">cluster_type</a> <a class="el" href="struct__hierarchy__node.html#a3b18e3ddfa2212c5e4ff9c0b4bde4296">_hierarchy_node::type</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<hr/>The documentation for this struct was generated from the following file:<ul>
+<li><a class="el" href="spp__ai_8h_source.html">spp_ai.h</a></li>
+</ul>
+</div>
+<!--- window showing the filter options -->
+<div id="MSearchSelectWindow"
+     onmouseover="return searchBox.OnSearchSelectShow()"
+     onmouseout="return searchBox.OnSearchSelectHide()"
+     onkeydown="return searchBox.OnSearchSelectKey(event)">
+<a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(0)"><span class="SelectionMark">&nbsp;</span>All</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(1)"><span class="SelectionMark">&nbsp;</span>Data Structures</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(2)"><span class="SelectionMark">&nbsp;</span>Files</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(3)"><span class="SelectionMark">&nbsp;</span>Functions</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(4)"><span class="SelectionMark">&nbsp;</span>Variables</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(5)"><span class="SelectionMark">&nbsp;</span>Typedefs</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(6)"><span class="SelectionMark">&nbsp;</span>Enumerations</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(7)"><span class="SelectionMark">&nbsp;</span>Enumerator</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(8)"><span class="SelectionMark">&nbsp;</span>Defines</a></div>
+
+<!-- iframe showing the search results (closed by default) -->
+<div id="MSearchResultsWindow">
+<iframe src="" frameborder="0" 
+        name="MSearchResults" id="MSearchResults">
+</iframe>
+</div>
+
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
+<a href="http://www.doxygen.org/index.html">
+<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
+</body>
+</html>
diff --git a/doc/html/structattribute__key.html b/doc/html/structattribute__key.html
new file mode 100644
index 0000000..bcc2315
--- /dev/null
+++ b/doc/html/structattribute__key.html
@@ -0,0 +1,111 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<title>Snort AI preprocessor module: attribute_key Struct Reference</title>
+<link href="tabs.css" rel="stylesheet" type="text/css"/>
+<link href="search/search.css" rel="stylesheet" type="text/css"/>
+<script type="text/javaScript" src="search/search.js"></script>
+<link href="doxygen.css" rel="stylesheet" type="text/css"/>
+</head>
+<body onload='searchBox.OnSelectItem(0);'>
+<!-- Generated by Doxygen 1.7.1 -->
+<script type="text/javascript"><!--
+var searchBox = new SearchBox("searchBox", "search",false,'Search');
+--></script>
+<div class="navigation" id="top">
+  <div class="tabs">
+    <ul class="tablist">
+      <li><a href="index.html"><span>Main&nbsp;Page</span></a></li>
+      <li><a href="modules.html"><span>Modules</span></a></li>
+      <li class="current"><a href="annotated.html"><span>Data&nbsp;Structures</span></a></li>
+      <li><a href="files.html"><span>Files</span></a></li>
+      <li id="searchli">
+        <div id="MSearchBox" class="MSearchBoxInactive">
+        <span class="left">
+          <img id="MSearchSelect" src="search/mag_sel.png"
+               onmouseover="return searchBox.OnSearchSelectShow()"
+               onmouseout="return searchBox.OnSearchSelectHide()"
+               alt=""/>
+          <input type="text" id="MSearchField" value="Search" accesskey="S"
+               onfocus="searchBox.OnSearchFieldFocus(true)" 
+               onblur="searchBox.OnSearchFieldFocus(false)" 
+               onkeyup="searchBox.OnSearchFieldChange(event)"/>
+          </span><span class="right">
+            <a id="MSearchClose" href="javascript:searchBox.CloseResultsWindow()"><img id="MSearchCloseImg" border="0" src="search/close.png" alt=""/></a>
+          </span>
+        </div>
+      </li>
+    </ul>
+  </div>
+  <div class="tabs2">
+    <ul class="tablist">
+      <li><a href="annotated.html"><span>Data&nbsp;Structures</span></a></li>
+      <li><a href="classes.html"><span>Data&nbsp;Structure&nbsp;Index</span></a></li>
+      <li><a href="functions.html"><span>Data&nbsp;Fields</span></a></li>
+    </ul>
+  </div>
+</div>
+<div class="header">
+  <div class="summary">
+<a href="#pub-attribs">Data Fields</a>  </div>
+  <div class="headertitle">
+<h1>attribute_key Struct Reference</h1>  </div>
+</div>
+<div class="contents">
+<!-- doxytag: class="attribute_key" --><table class="memberdecls">
+<tr><td colspan="2"><h2><a name="pub-attribs"></a>
+Data Fields</h2></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">int&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structattribute__key.html#a4fdb3d7aabeac6b1052b59e05e3d8842">min</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">int&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structattribute__key.html#a82b7e5ac49820b816871a4ddf30c462d">max</a></td></tr>
+</table>
+<hr/><h2>Field Documentation</h2>
+<a class="anchor" id="a82b7e5ac49820b816871a4ddf30c462d"></a><!-- doxytag: member="attribute_key::max" ref="a82b7e5ac49820b816871a4ddf30c462d" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">int <a class="el" href="structattribute__key.html#a82b7e5ac49820b816871a4ddf30c462d">attribute_key::max</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a4fdb3d7aabeac6b1052b59e05e3d8842"></a><!-- doxytag: member="attribute_key::min" ref="a4fdb3d7aabeac6b1052b59e05e3d8842" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">int <a class="el" href="structattribute__key.html#a4fdb3d7aabeac6b1052b59e05e3d8842">attribute_key::min</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<hr/>The documentation for this struct was generated from the following file:<ul>
+<li><a class="el" href="cluster_8c.html">cluster.c</a></li>
+</ul>
+</div>
+<!--- window showing the filter options -->
+<div id="MSearchSelectWindow"
+     onmouseover="return searchBox.OnSearchSelectShow()"
+     onmouseout="return searchBox.OnSearchSelectHide()"
+     onkeydown="return searchBox.OnSearchSelectKey(event)">
+<a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(0)"><span class="SelectionMark">&nbsp;</span>All</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(1)"><span class="SelectionMark">&nbsp;</span>Data Structures</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(2)"><span class="SelectionMark">&nbsp;</span>Files</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(3)"><span class="SelectionMark">&nbsp;</span>Functions</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(4)"><span class="SelectionMark">&nbsp;</span>Variables</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(5)"><span class="SelectionMark">&nbsp;</span>Typedefs</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(6)"><span class="SelectionMark">&nbsp;</span>Enumerations</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(7)"><span class="SelectionMark">&nbsp;</span>Enumerator</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(8)"><span class="SelectionMark">&nbsp;</span>Defines</a></div>
+
+<!-- iframe showing the search results (closed by default) -->
+<div id="MSearchResultsWindow">
+<iframe src="" frameborder="0" 
+        name="MSearchResults" id="MSearchResults">
+</iframe>
+</div>
+
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
+<a href="http://www.doxygen.org/index.html">
+<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
+</body>
+</html>
diff --git a/doc/html/structattribute__value.html b/doc/html/structattribute__value.html
new file mode 100644
index 0000000..b773606
--- /dev/null
+++ b/doc/html/structattribute__value.html
@@ -0,0 +1,139 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<title>Snort AI preprocessor module: attribute_value Struct Reference</title>
+<link href="tabs.css" rel="stylesheet" type="text/css"/>
+<link href="search/search.css" rel="stylesheet" type="text/css"/>
+<script type="text/javaScript" src="search/search.js"></script>
+<link href="doxygen.css" rel="stylesheet" type="text/css"/>
+</head>
+<body onload='searchBox.OnSelectItem(0);'>
+<!-- Generated by Doxygen 1.7.1 -->
+<script type="text/javascript"><!--
+var searchBox = new SearchBox("searchBox", "search",false,'Search');
+--></script>
+<div class="navigation" id="top">
+  <div class="tabs">
+    <ul class="tablist">
+      <li><a href="index.html"><span>Main&nbsp;Page</span></a></li>
+      <li><a href="modules.html"><span>Modules</span></a></li>
+      <li class="current"><a href="annotated.html"><span>Data&nbsp;Structures</span></a></li>
+      <li><a href="files.html"><span>Files</span></a></li>
+      <li id="searchli">
+        <div id="MSearchBox" class="MSearchBoxInactive">
+        <span class="left">
+          <img id="MSearchSelect" src="search/mag_sel.png"
+               onmouseover="return searchBox.OnSearchSelectShow()"
+               onmouseout="return searchBox.OnSearchSelectHide()"
+               alt=""/>
+          <input type="text" id="MSearchField" value="Search" accesskey="S"
+               onfocus="searchBox.OnSearchFieldFocus(true)" 
+               onblur="searchBox.OnSearchFieldFocus(false)" 
+               onkeyup="searchBox.OnSearchFieldChange(event)"/>
+          </span><span class="right">
+            <a id="MSearchClose" href="javascript:searchBox.CloseResultsWindow()"><img id="MSearchCloseImg" border="0" src="search/close.png" alt=""/></a>
+          </span>
+        </div>
+      </li>
+    </ul>
+  </div>
+  <div class="tabs2">
+    <ul class="tablist">
+      <li><a href="annotated.html"><span>Data&nbsp;Structures</span></a></li>
+      <li><a href="classes.html"><span>Data&nbsp;Structure&nbsp;Index</span></a></li>
+      <li><a href="functions.html"><span>Data&nbsp;Fields</span></a></li>
+    </ul>
+  </div>
+</div>
+<div class="header">
+  <div class="summary">
+<a href="#pub-attribs">Data Fields</a>  </div>
+  <div class="headertitle">
+<h1>attribute_value Struct Reference</h1>  </div>
+</div>
+<div class="contents">
+<!-- doxytag: class="attribute_value" --><table class="memberdecls">
+<tr><td colspan="2"><h2><a name="pub-attribs"></a>
+Data Fields</h2></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="structattribute__key.html">attribute_key</a>&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structattribute__value.html#aa8b5ae41c150e4fefb800d3b1924278d">key</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640">cluster_type</a>&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structattribute__value.html#a5322c4edde771a7ee0d9fc5f5e45484c">type</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">unsigned int&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structattribute__value.html#a5579c0304c2e9ab488ac94905b385045">count</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">UT_hash_handle&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structattribute__value.html#a9abf5d1758ee0cc4803e3b40fc4481cc">hh</a></td></tr>
+</table>
+<hr/><h2>Field Documentation</h2>
+<a class="anchor" id="a5579c0304c2e9ab488ac94905b385045"></a><!-- doxytag: member="attribute_value::count" ref="a5579c0304c2e9ab488ac94905b385045" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">unsigned int <a class="el" href="structattribute__value.html#a5579c0304c2e9ab488ac94905b385045">attribute_value::count</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a9abf5d1758ee0cc4803e3b40fc4481cc"></a><!-- doxytag: member="attribute_value::hh" ref="a9abf5d1758ee0cc4803e3b40fc4481cc" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">UT_hash_handle <a class="el" href="structattribute__value.html#a9abf5d1758ee0cc4803e3b40fc4481cc">attribute_value::hh</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="aa8b5ae41c150e4fefb800d3b1924278d"></a><!-- doxytag: member="attribute_value::key" ref="aa8b5ae41c150e4fefb800d3b1924278d" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname"><a class="el" href="structattribute__key.html">attribute_key</a> <a class="el" href="structattribute__value.html#aa8b5ae41c150e4fefb800d3b1924278d">attribute_value::key</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<a class="anchor" id="a5322c4edde771a7ee0d9fc5f5e45484c"></a><!-- doxytag: member="attribute_value::type" ref="a5322c4edde771a7ee0d9fc5f5e45484c" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname"><a class="el" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640">cluster_type</a> <a class="el" href="structattribute__value.html#a5322c4edde771a7ee0d9fc5f5e45484c">attribute_value::type</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+</div>
+</div>
+<hr/>The documentation for this struct was generated from the following file:<ul>
+<li><a class="el" href="cluster_8c.html">cluster.c</a></li>
+</ul>
+</div>
+<!--- window showing the filter options -->
+<div id="MSearchSelectWindow"
+     onmouseover="return searchBox.OnSearchSelectShow()"
+     onmouseout="return searchBox.OnSearchSelectHide()"
+     onkeydown="return searchBox.OnSearchSelectKey(event)">
+<a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(0)"><span class="SelectionMark">&nbsp;</span>All</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(1)"><span class="SelectionMark">&nbsp;</span>Data Structures</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(2)"><span class="SelectionMark">&nbsp;</span>Files</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(3)"><span class="SelectionMark">&nbsp;</span>Functions</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(4)"><span class="SelectionMark">&nbsp;</span>Variables</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(5)"><span class="SelectionMark">&nbsp;</span>Typedefs</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(6)"><span class="SelectionMark">&nbsp;</span>Enumerations</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(7)"><span class="SelectionMark">&nbsp;</span>Enumerator</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(8)"><span class="SelectionMark">&nbsp;</span>Defines</a></div>
+
+<!-- iframe showing the search results (closed by default) -->
+<div id="MSearchResultsWindow">
+<iframe src="" frameborder="0" 
+        name="MSearchResults" id="MSearchResults">
+</iframe>
+</div>
+
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
+<a href="http://www.doxygen.org/index.html">
+<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
+</body>
+</html>
diff --git a/doc/html/structpkt__info.html b/doc/html/structpkt__info.html
index 5ff74e3..ba6f4d0 100644
--- a/doc/html/structpkt__info.html
+++ b/doc/html/structpkt__info.html
@@ -53,13 +53,16 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 <h1>pkt_info Struct Reference</h1>  </div>
 </div>
 <div class="contents">
-<!-- doxytag: class="pkt_info" --><table class="memberdecls">
+<!-- doxytag: class="pkt_info" -->
+<p><code>#include &lt;<a class="el" href="spp__ai_8h_source.html">spp_ai.h</a>&gt;</code></p>
+<table class="memberdecls">
 <tr><td colspan="2"><h2><a name="pub-attribs"></a>
 Data Fields</h2></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">struct <a class="el" href="structpkt__key.html">pkt_key</a>&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339">key</a></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">time_t&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structpkt__info.html#a7f5090443f21e6290f0439f1bb872e92">timestamp</a></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">SFSnortPacket *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structpkt__info.html#a8d5ebd04a32067b05387e5c5056fe168">pkt</a></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">struct <a class="el" href="structpkt__info.html">pkt_info</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168">next</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18dd">BOOL</a>&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structpkt__info.html#ac7ff78ea5faf333fc91f92e3085ea7c9">observed</a></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">UT_hash_handle&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structpkt__info.html#a264e90d4b5d490de040f38c1072e142f">hh</a></td></tr>
 </table>
 <hr/><h2>Field Documentation</h2>
@@ -100,6 +103,19 @@ Data Fields</h2></td></tr>
 </div>
 <div class="memdoc">
 
+</div>
+</div>
+<a class="anchor" id="ac7ff78ea5faf333fc91f92e3085ea7c9"></a><!-- doxytag: member="pkt_info::observed" ref="ac7ff78ea5faf333fc91f92e3085ea7c9" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname"><a class="el" href="spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18dd">BOOL</a> <a class="el" href="structpkt__info.html#ac7ff78ea5faf333fc91f92e3085ea7c9">pkt_info::observed</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
 </div>
 </div>
 <a class="anchor" id="a8d5ebd04a32067b05387e5c5056fe168"></a><!-- doxytag: member="pkt_info::pkt" ref="a8d5ebd04a32067b05387e5c5056fe168" args="" -->
@@ -129,7 +145,7 @@ Data Fields</h2></td></tr>
 </div>
 </div>
 <hr/>The documentation for this struct was generated from the following file:<ul>
-<li><a class="el" href="stream_8c.html">stream.c</a></li>
+<li><a class="el" href="spp__ai_8h_source.html">spp_ai.h</a></li>
 </ul>
 </div>
 <!--- window showing the filter options -->
@@ -146,7 +162,7 @@ Data Fields</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Wed Aug 4 2010 11:30:57 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/structpkt__key.html b/doc/html/structpkt__key.html
index c785c5c..37cf8e5 100644
--- a/doc/html/structpkt__key.html
+++ b/doc/html/structpkt__key.html
@@ -53,7 +53,9 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 <h1>pkt_key Struct Reference</h1>  </div>
 </div>
 <div class="contents">
-<!-- doxytag: class="pkt_key" --><table class="memberdecls">
+<!-- doxytag: class="pkt_key" -->
+<p><code>#include &lt;<a class="el" href="spp__ai_8h_source.html">spp_ai.h</a>&gt;</code></p>
+<table class="memberdecls">
 <tr><td colspan="2"><h2><a name="pub-attribs"></a>
 Data Fields</h2></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a>&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structpkt__key.html#a3a091c20dafb8b3f689db00c5b2f8ddb">src_ip</a></td></tr>
@@ -87,7 +89,7 @@ Data Fields</h2></td></tr>
 </div>
 </div>
 <hr/>The documentation for this struct was generated from the following file:<ul>
-<li><a class="el" href="stream_8c.html">stream.c</a></li>
+<li><a class="el" href="spp__ai_8h_source.html">spp_ai.h</a></li>
 </ul>
 </div>
 <!--- window showing the filter options -->
@@ -104,7 +106,7 @@ Data Fields</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Wed Aug 4 2010 11:30:57 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/latex/alert__parser_8c.tex b/doc/latex/alert__parser_8c.tex
new file mode 100644
index 0000000..cef2ab4
--- /dev/null
+++ b/doc/latex/alert__parser_8c.tex
@@ -0,0 +1,111 @@
+\hypertarget{alert__parser_8c}{
+\section{alert\_\-parser.c File Reference}
+\label{alert__parser_8c}\index{alert\_\-parser.c@{alert\_\-parser.c}}
+}
+{\ttfamily \#include \char`\"{}spp\_\-ai.h\char`\"{}}\par
+{\ttfamily \#include $<$stdio.h$>$}\par
+{\ttfamily \#include $<$unistd.h$>$}\par
+{\ttfamily \#include $<$time.h$>$}\par
+{\ttfamily \#include $<$sys/inotify.h$>$}\par
+{\ttfamily \#include $<$sys/stat.h$>$}\par
+\subsection*{Functions}
+\begin{DoxyCompactItemize}
+\item 
+void $\ast$ \hyperlink{alert__parser_8c_ad68c45b5846743a54ad3fa92c8e48f8a}{AI\_\-alertparser\_\-thread} (void $\ast$arg)
+\begin{DoxyCompactList}\small\item\em Thread for parsing Snort's alert file. \item\end{DoxyCompactList}\item 
+PRIVATE \hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$ \hyperlink{alert__parser_8c_a6c5014cae9155379fdc4db649b2c862d}{\_\-AI\_\-copy\_\-alerts} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$node)
+\begin{DoxyCompactList}\small\item\em Create a copy of the alert log struct (this is done for leaving the alert log structure in this file as read-\/only). \item\end{DoxyCompactList}\item 
+\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$ \hyperlink{alert__parser_8c_a99474495643197b3075ac22ec6f6c70f}{AI\_\-get\_\-alerts} ()
+\begin{DoxyCompactList}\small\item\em Return the alerts parsed so far as a linked list. \item\end{DoxyCompactList}\item 
+void \hyperlink{alert__parser_8c_a270e86669a0aa64a8da37bc16cda645b}{AI\_\-free\_\-alerts} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$node)
+\begin{DoxyCompactList}\small\item\em Deallocate the memory of a log alert linked list. \item\end{DoxyCompactList}\end{DoxyCompactItemize}
+\subsection*{Variables}
+\begin{DoxyCompactItemize}
+\item 
+PRIVATE \hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$ \hyperlink{alert__parser_8c_ae837fc04e61c0eb052f997c54b4fd9fe}{alerts} = NULL
+\item 
+PRIVATE FILE $\ast$ \hyperlink{alert__parser_8c_abee2a33368912d9288c76b51160a9ed6}{alert\_\-fp} = NULL
+\end{DoxyCompactItemize}
+
+
+\subsection{Function Documentation}
+\hypertarget{alert__parser_8c_a6c5014cae9155379fdc4db649b2c862d}{
+\index{alert\_\-parser.c@{alert\_\-parser.c}!\_\-AI\_\-copy\_\-alerts@{\_\-AI\_\-copy\_\-alerts}}
+\index{\_\-AI\_\-copy\_\-alerts@{\_\-AI\_\-copy\_\-alerts}!alert_parser.c@{alert\_\-parser.c}}
+\subsubsection[{\_\-AI\_\-copy\_\-alerts}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf AI\_\-snort\_\-alert}$\ast$ \_\-AI\_\-copy\_\-alerts (
+\begin{DoxyParamCaption}
+\item[{{\bf AI\_\-snort\_\-alert} $\ast$}]{ node}
+\end{DoxyParamCaption}
+)}}
+\label{alert__parser_8c_a6c5014cae9155379fdc4db649b2c862d}
+
+
+Create a copy of the alert log struct (this is done for leaving the alert log structure in this file as read-\/only). 
+
+FUNCTION: \_\-AI\_\-copy\_\-alerts 
+\begin{DoxyParams}{Parameters}
+\item[{\em node}]Starting node (used for the recursion) \end{DoxyParams}
+\begin{DoxyReturn}{Returns}
+A copy of the alert log linked list 
+\end{DoxyReturn}
+\hypertarget{alert__parser_8c_ad68c45b5846743a54ad3fa92c8e48f8a}{
+\index{alert\_\-parser.c@{alert\_\-parser.c}!AI\_\-alertparser\_\-thread@{AI\_\-alertparser\_\-thread}}
+\index{AI\_\-alertparser\_\-thread@{AI\_\-alertparser\_\-thread}!alert_parser.c@{alert\_\-parser.c}}
+\subsubsection[{AI\_\-alertparser\_\-thread}]{\setlength{\rightskip}{0pt plus 5cm}void$\ast$ AI\_\-alertparser\_\-thread (
+\begin{DoxyParamCaption}
+\item[{void $\ast$}]{ arg}
+\end{DoxyParamCaption}
+)}}
+\label{alert__parser_8c_ad68c45b5846743a54ad3fa92c8e48f8a}
+
+
+Thread for parsing Snort's alert file. 
+
+FUNCTION: AI\_\-alertparser\_\-thread 
+\begin{DoxyParams}{Parameters}
+\item[{\em arg}]void$\ast$ pointer to module's configuration \end{DoxyParams}
+\hypertarget{alert__parser_8c_a270e86669a0aa64a8da37bc16cda645b}{
+\index{alert\_\-parser.c@{alert\_\-parser.c}!AI\_\-free\_\-alerts@{AI\_\-free\_\-alerts}}
+\index{AI\_\-free\_\-alerts@{AI\_\-free\_\-alerts}!alert_parser.c@{alert\_\-parser.c}}
+\subsubsection[{AI\_\-free\_\-alerts}]{\setlength{\rightskip}{0pt plus 5cm}void AI\_\-free\_\-alerts (
+\begin{DoxyParamCaption}
+\item[{{\bf AI\_\-snort\_\-alert} $\ast$}]{ node}
+\end{DoxyParamCaption}
+)}}
+\label{alert__parser_8c_a270e86669a0aa64a8da37bc16cda645b}
+
+
+Deallocate the memory of a log alert linked list. 
+
+FUNCTION: AI\_\-free\_\-alerts 
+\begin{DoxyParams}{Parameters}
+\item[{\em node}]Linked list to be freed \end{DoxyParams}
+\hypertarget{alert__parser_8c_a99474495643197b3075ac22ec6f6c70f}{
+\index{alert\_\-parser.c@{alert\_\-parser.c}!AI\_\-get\_\-alerts@{AI\_\-get\_\-alerts}}
+\index{AI\_\-get\_\-alerts@{AI\_\-get\_\-alerts}!alert_parser.c@{alert\_\-parser.c}}
+\subsubsection[{AI\_\-get\_\-alerts}]{\setlength{\rightskip}{0pt plus 5cm}{\bf AI\_\-snort\_\-alert}$\ast$ AI\_\-get\_\-alerts (
+\begin{DoxyParamCaption}
+\item[{void}]{}
+\end{DoxyParamCaption}
+)}}
+\label{alert__parser_8c_a99474495643197b3075ac22ec6f6c70f}
+
+
+Return the alerts parsed so far as a linked list. 
+
+FUNCTION: AI\_\-get\_\-alerts \begin{DoxyReturn}{Returns}
+An AI\_\-snort\_\-alert pointer identifying the list of alerts 
+\end{DoxyReturn}
+
+
+\subsection{Variable Documentation}
+\hypertarget{alert__parser_8c_abee2a33368912d9288c76b51160a9ed6}{
+\index{alert\_\-parser.c@{alert\_\-parser.c}!alert\_\-fp@{alert\_\-fp}}
+\index{alert\_\-fp@{alert\_\-fp}!alert_parser.c@{alert\_\-parser.c}}
+\subsubsection[{alert\_\-fp}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE FILE$\ast$ {\bf alert\_\-fp} = NULL}}
+\label{alert__parser_8c_abee2a33368912d9288c76b51160a9ed6}
+\hypertarget{alert__parser_8c_ae837fc04e61c0eb052f997c54b4fd9fe}{
+\index{alert\_\-parser.c@{alert\_\-parser.c}!alerts@{alerts}}
+\index{alerts@{alerts}!alert_parser.c@{alert\_\-parser.c}}
+\subsubsection[{alerts}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf AI\_\-snort\_\-alert}$\ast$ {\bf alerts} = NULL}}
+\label{alert__parser_8c_ae837fc04e61c0eb052f997c54b4fd9fe}
diff --git a/doc/latex/annotated.tex b/doc/latex/annotated.tex
index a4eb945..a6b0571 100644
--- a/doc/latex/annotated.tex
+++ b/doc/latex/annotated.tex
@@ -1,6 +1,10 @@
 \section{Data Structures}
 Here are the data structures with brief descriptions:\begin{DoxyCompactList}
-\item\contentsline{section}{\hyperlink{struct__AI__config}{\_\-AI\_\-config} }{\pageref{struct__AI__config}}{}
+\item\contentsline{section}{\hyperlink{struct__AI__snort__alert}{\_\-AI\_\-snort\_\-alert} }{\pageref{struct__AI__snort__alert}}{}
+\item\contentsline{section}{\hyperlink{struct__hierarchy__node}{\_\-hierarchy\_\-node} }{\pageref{struct__hierarchy__node}}{}
+\item\contentsline{section}{\hyperlink{structAI__config}{AI\_\-config} }{\pageref{structAI__config}}{}
+\item\contentsline{section}{\hyperlink{structattribute__key}{attribute\_\-key} }{\pageref{structattribute__key}}{}
+\item\contentsline{section}{\hyperlink{structattribute__value}{attribute\_\-value} }{\pageref{structattribute__value}}{}
 \item\contentsline{section}{\hyperlink{structpkt__info}{pkt\_\-info} }{\pageref{structpkt__info}}{}
 \item\contentsline{section}{\hyperlink{structpkt__key}{pkt\_\-key} }{\pageref{structpkt__key}}{}
 \end{DoxyCompactList}
diff --git a/doc/latex/cluster_8c.tex b/doc/latex/cluster_8c.tex
new file mode 100644
index 0000000..b545c8e
--- /dev/null
+++ b/doc/latex/cluster_8c.tex
@@ -0,0 +1,253 @@
+\hypertarget{cluster_8c}{
+\section{cluster.c File Reference}
+\label{cluster_8c}\index{cluster.c@{cluster.c}}
+}
+{\ttfamily \#include \char`\"{}spp\_\-ai.h\char`\"{}}\par
+{\ttfamily \#include $<$stdio.h$>$}\par
+{\ttfamily \#include $<$unistd.h$>$}\par
+{\ttfamily \#include $<$limits.h$>$}\par
+{\ttfamily \#include $<$pthread.h$>$}\par
+\subsection*{Data Structures}
+\begin{DoxyCompactItemize}
+\item 
+struct \hyperlink{structattribute__key}{attribute\_\-key}
+\item 
+struct \hyperlink{structattribute__value}{attribute\_\-value}
+\end{DoxyCompactItemize}
+\subsection*{Functions}
+\begin{DoxyCompactItemize}
+\item 
+PRIVATE int \hyperlink{cluster_8c_a81f5fa721719fdb281595a568eef2101}{\_\-heuristic\_\-func} (\hyperlink{spp__ai_8h_ae2ff3c6586aa2ab211a102abfde86640}{cluster\_\-type} type)
+\begin{DoxyCompactList}\small\item\em Function that picks up the heuristic value for a clustering attribute in according to Julisch's heuristic (ACM, Vol.2, No.3, 09 2002, pag.124). \item\end{DoxyCompactList}\item 
+PRIVATE \hyperlink{struct__hierarchy__node}{hierarchy\_\-node} $\ast$ \hyperlink{cluster_8c_a2f1a22cfea64e4669da0467620c3e3b3}{\_\-hierarchy\_\-node\_\-new} (char $\ast$label, int min\_\-val, int max\_\-val)
+\begin{DoxyCompactList}\small\item\em Create a new clustering hierarchy node. \item\end{DoxyCompactList}\item 
+PRIVATE void \hyperlink{cluster_8c_a5601a1f603d9c870ef6e2df192e30c30}{\_\-hierarchy\_\-node\_\-append} (\hyperlink{struct__hierarchy__node}{hierarchy\_\-node} $\ast$parent, \hyperlink{struct__hierarchy__node}{hierarchy\_\-node} $\ast$child)
+\begin{DoxyCompactList}\small\item\em Append a node to a clustering hierarchy node. \item\end{DoxyCompactList}\item 
+PRIVATE \hyperlink{struct__hierarchy__node}{hierarchy\_\-node} $\ast$ \hyperlink{cluster_8c_a6ddddcd505b1f763c339e81fc143e079}{\_\-AI\_\-get\_\-min\_\-hierarchy\_\-node} (int val, \hyperlink{struct__hierarchy__node}{hierarchy\_\-node} $\ast$root)
+\begin{DoxyCompactList}\small\item\em Get the minimum node in a hierarchy tree that matches a certain value. \item\end{DoxyCompactList}\item 
+PRIVATE \hyperlink{spp__ai_8h_a3e5b8192e7d9ffaf3542f1210aec18dd}{BOOL} \hyperlink{cluster_8c_a0f91c8bfc37a3975f5c26b19fd6c5cba}{\_\-AI\_\-equal\_\-alarms} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$a1, \hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$a2)
+\begin{DoxyCompactList}\small\item\em Check if two alerts are semantically equal. \item\end{DoxyCompactList}\item 
+PRIVATE int \hyperlink{cluster_8c_a8ce8e5a5d8954672297fa2dedb380dcd}{\_\-AI\_\-merge\_\-alerts} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$$\ast$log)
+\begin{DoxyCompactList}\small\item\em Merge the alerts marked as equal in the log. \item\end{DoxyCompactList}\item 
+PRIVATE void \hyperlink{cluster_8c_a7d151880080470b542e99643dc0426a7}{\_\-AI\_\-print\_\-clustered\_\-alerts} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$log, FILE $\ast$fp)
+\begin{DoxyCompactList}\small\item\em Print the clustered alerts to a log file. \item\end{DoxyCompactList}\item 
+PRIVATE void $\ast$ \hyperlink{cluster_8c_a8a5eae61dc9fd0f13e0acdfa5f4478e2}{\_\-AI\_\-cluster\_\-thread} (void $\ast$arg)
+\begin{DoxyCompactList}\small\item\em Thread for periodically clustering the log information. \item\end{DoxyCompactList}\item 
+PRIVATE \hyperlink{spp__ai_8h_a3e5b8192e7d9ffaf3542f1210aec18dd}{BOOL} \hyperlink{cluster_8c_a29c35cd6c56f54e27b5b190c6d6c487a}{\_\-AI\_\-check\_\-duplicate} (\hyperlink{struct__hierarchy__node}{hierarchy\_\-node} $\ast$node, \hyperlink{struct__hierarchy__node}{hierarchy\_\-node} $\ast$root)
+\begin{DoxyCompactList}\small\item\em Check if a certain node's range (minimum and maximum value) are already present in a clustering hierarchy. \item\end{DoxyCompactList}\item 
+void \hyperlink{cluster_8c_a1445818b37483f78cc3fb2890155842c}{AI\_\-hierarchies\_\-build} (\hyperlink{structAI__config}{AI\_\-config} $\ast$conf, \hyperlink{struct__hierarchy__node}{hierarchy\_\-node} $\ast$$\ast$nodes, int n\_\-nodes)
+\begin{DoxyCompactList}\small\item\em Build the clustering hierarchy trees. \item\end{DoxyCompactList}\end{DoxyCompactItemize}
+\subsection*{Variables}
+\begin{DoxyCompactItemize}
+\item 
+PRIVATE \hyperlink{struct__hierarchy__node}{hierarchy\_\-node} $\ast$ \hyperlink{cluster_8c_a97d35425cf5a0207fb50b64ee8cdda82}{h\_\-root} \mbox{[}CLUSTER\_\-TYPES\mbox{]} = \{ NULL \}
+\item 
+PRIVATE \hyperlink{structAI__config}{AI\_\-config} $\ast$ \hyperlink{cluster_8c_a91458e2d34595688e39fcb63ba418849}{\_\-config} = NULL
+\item 
+PRIVATE \hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$ \hyperlink{cluster_8c_aaf4c19f60f48741b0890c6114dcff7d9}{alert\_\-log} = NULL
+\end{DoxyCompactItemize}
+
+
+\subsection{Function Documentation}
+\hypertarget{cluster_8c_a29c35cd6c56f54e27b5b190c6d6c487a}{
+\index{cluster.c@{cluster.c}!\_\-AI\_\-check\_\-duplicate@{\_\-AI\_\-check\_\-duplicate}}
+\index{\_\-AI\_\-check\_\-duplicate@{\_\-AI\_\-check\_\-duplicate}!cluster.c@{cluster.c}}
+\subsubsection[{\_\-AI\_\-check\_\-duplicate}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf BOOL} \_\-AI\_\-check\_\-duplicate (
+\begin{DoxyParamCaption}
+\item[{{\bf hierarchy\_\-node} $\ast$}]{ node, }
+\item[{{\bf hierarchy\_\-node} $\ast$}]{ root}
+\end{DoxyParamCaption}
+)}}
+\label{cluster_8c_a29c35cd6c56f54e27b5b190c6d6c487a}
+
+
+Check if a certain node's range (minimum and maximum value) are already present in a clustering hierarchy. 
+
+FUNCTION: \_\-AI\_\-check\_\-duplicate 
+\begin{DoxyParams}{Parameters}
+\item[{\em node}]Node to be checked \item[{\em root}]Clustering hierarchy \end{DoxyParams}
+\begin{DoxyReturn}{Returns}
+True if 'node' is already in 'root', false otherwise 
+\end{DoxyReturn}
+\hypertarget{cluster_8c_a8a5eae61dc9fd0f13e0acdfa5f4478e2}{
+\index{cluster.c@{cluster.c}!\_\-AI\_\-cluster\_\-thread@{\_\-AI\_\-cluster\_\-thread}}
+\index{\_\-AI\_\-cluster\_\-thread@{\_\-AI\_\-cluster\_\-thread}!cluster.c@{cluster.c}}
+\subsubsection[{\_\-AI\_\-cluster\_\-thread}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE void$\ast$ \_\-AI\_\-cluster\_\-thread (
+\begin{DoxyParamCaption}
+\item[{void $\ast$}]{ arg}
+\end{DoxyParamCaption}
+)}}
+\label{cluster_8c_a8a5eae61dc9fd0f13e0acdfa5f4478e2}
+
+
+Thread for periodically clustering the log information. 
+
+FUNCTION: \_\-AI\_\-cluster\_\-thread \hypertarget{cluster_8c_a0f91c8bfc37a3975f5c26b19fd6c5cba}{
+\index{cluster.c@{cluster.c}!\_\-AI\_\-equal\_\-alarms@{\_\-AI\_\-equal\_\-alarms}}
+\index{\_\-AI\_\-equal\_\-alarms@{\_\-AI\_\-equal\_\-alarms}!cluster.c@{cluster.c}}
+\subsubsection[{\_\-AI\_\-equal\_\-alarms}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf BOOL} \_\-AI\_\-equal\_\-alarms (
+\begin{DoxyParamCaption}
+\item[{{\bf AI\_\-snort\_\-alert} $\ast$}]{ a1, }
+\item[{{\bf AI\_\-snort\_\-alert} $\ast$}]{ a2}
+\end{DoxyParamCaption}
+)}}
+\label{cluster_8c_a0f91c8bfc37a3975f5c26b19fd6c5cba}
+
+
+Check if two alerts are semantically equal. 
+
+FUNCTION: \_\-AI\_\-equal\_\-alarms 
+\begin{DoxyParams}{Parameters}
+\item[{\em a1}]First alert \item[{\em a2}]Second alert \end{DoxyParams}
+\begin{DoxyReturn}{Returns}
+True if they are equal, false otherwise 
+\end{DoxyReturn}
+\hypertarget{cluster_8c_a6ddddcd505b1f763c339e81fc143e079}{
+\index{cluster.c@{cluster.c}!\_\-AI\_\-get\_\-min\_\-hierarchy\_\-node@{\_\-AI\_\-get\_\-min\_\-hierarchy\_\-node}}
+\index{\_\-AI\_\-get\_\-min\_\-hierarchy\_\-node@{\_\-AI\_\-get\_\-min\_\-hierarchy\_\-node}!cluster.c@{cluster.c}}
+\subsubsection[{\_\-AI\_\-get\_\-min\_\-hierarchy\_\-node}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf hierarchy\_\-node}$\ast$ \_\-AI\_\-get\_\-min\_\-hierarchy\_\-node (
+\begin{DoxyParamCaption}
+\item[{int}]{ val, }
+\item[{{\bf hierarchy\_\-node} $\ast$}]{ root}
+\end{DoxyParamCaption}
+)}}
+\label{cluster_8c_a6ddddcd505b1f763c339e81fc143e079}
+
+
+Get the minimum node in a hierarchy tree that matches a certain value. 
+
+FUNCTION: \_\-AI\_\-get\_\-min\_\-hierarchy\_\-node 
+\begin{DoxyParams}{Parameters}
+\item[{\em val}]Value to be matched in the range \item[{\em root}]Root of the hierarchy \end{DoxyParams}
+\begin{DoxyReturn}{Returns}
+The minimum node that matches the value if any, NULL otherwise 
+\end{DoxyReturn}
+\hypertarget{cluster_8c_a8ce8e5a5d8954672297fa2dedb380dcd}{
+\index{cluster.c@{cluster.c}!\_\-AI\_\-merge\_\-alerts@{\_\-AI\_\-merge\_\-alerts}}
+\index{\_\-AI\_\-merge\_\-alerts@{\_\-AI\_\-merge\_\-alerts}!cluster.c@{cluster.c}}
+\subsubsection[{\_\-AI\_\-merge\_\-alerts}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE int \_\-AI\_\-merge\_\-alerts (
+\begin{DoxyParamCaption}
+\item[{{\bf AI\_\-snort\_\-alert} $\ast$$\ast$}]{ log}
+\end{DoxyParamCaption}
+)}}
+\label{cluster_8c_a8ce8e5a5d8954672297fa2dedb380dcd}
+
+
+Merge the alerts marked as equal in the log. 
+
+FUNCTION: \_\-AI\_\-merge\_\-alerts 
+\begin{DoxyParams}{Parameters}
+\item[{\em log}]Alert log reference \end{DoxyParams}
+\begin{DoxyReturn}{Returns}
+The number of merged couples 
+\end{DoxyReturn}
+\hypertarget{cluster_8c_a7d151880080470b542e99643dc0426a7}{
+\index{cluster.c@{cluster.c}!\_\-AI\_\-print\_\-clustered\_\-alerts@{\_\-AI\_\-print\_\-clustered\_\-alerts}}
+\index{\_\-AI\_\-print\_\-clustered\_\-alerts@{\_\-AI\_\-print\_\-clustered\_\-alerts}!cluster.c@{cluster.c}}
+\subsubsection[{\_\-AI\_\-print\_\-clustered\_\-alerts}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE void \_\-AI\_\-print\_\-clustered\_\-alerts (
+\begin{DoxyParamCaption}
+\item[{{\bf AI\_\-snort\_\-alert} $\ast$}]{ log, }
+\item[{FILE $\ast$}]{ fp}
+\end{DoxyParamCaption}
+)}}
+\label{cluster_8c_a7d151880080470b542e99643dc0426a7}
+
+
+Print the clustered alerts to a log file. 
+
+FUNCTION: \_\-AI\_\-print\_\-clustered\_\-alerts 
+\begin{DoxyParams}{Parameters}
+\item[{\em log}]Log containing the alerts \item[{\em fp}]File pointer where the alerts will be printed \end{DoxyParams}
+\hypertarget{cluster_8c_a81f5fa721719fdb281595a568eef2101}{
+\index{cluster.c@{cluster.c}!\_\-heuristic\_\-func@{\_\-heuristic\_\-func}}
+\index{\_\-heuristic\_\-func@{\_\-heuristic\_\-func}!cluster.c@{cluster.c}}
+\subsubsection[{\_\-heuristic\_\-func}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE int \_\-heuristic\_\-func (
+\begin{DoxyParamCaption}
+\item[{{\bf cluster\_\-type}}]{ type}
+\end{DoxyParamCaption}
+)}}
+\label{cluster_8c_a81f5fa721719fdb281595a568eef2101}
+
+
+Function that picks up the heuristic value for a clustering attribute in according to Julisch's heuristic (ACM, Vol.2, No.3, 09 2002, pag.124). 
+
+FUNCTION: \_\-heuristic\_\-func 
+\begin{DoxyParams}{Parameters}
+\item[{\em type}]Attribute type \end{DoxyParams}
+\begin{DoxyReturn}{Returns}
+The heuristic coefficient for that attribute, -\/1 if no clustering information is available for that attribute 
+\end{DoxyReturn}
+\hypertarget{cluster_8c_a5601a1f603d9c870ef6e2df192e30c30}{
+\index{cluster.c@{cluster.c}!\_\-hierarchy\_\-node\_\-append@{\_\-hierarchy\_\-node\_\-append}}
+\index{\_\-hierarchy\_\-node\_\-append@{\_\-hierarchy\_\-node\_\-append}!cluster.c@{cluster.c}}
+\subsubsection[{\_\-hierarchy\_\-node\_\-append}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE void \_\-hierarchy\_\-node\_\-append (
+\begin{DoxyParamCaption}
+\item[{{\bf hierarchy\_\-node} $\ast$}]{ parent, }
+\item[{{\bf hierarchy\_\-node} $\ast$}]{ child}
+\end{DoxyParamCaption}
+)}}
+\label{cluster_8c_a5601a1f603d9c870ef6e2df192e30c30}
+
+
+Append a node to a clustering hierarchy node. 
+
+FUNCTION: \_\-hierarchy\_\-node\_\-append 
+\begin{DoxyParams}{Parameters}
+\item[{\em parent}]Parent node \item[{\em child}]Child node \end{DoxyParams}
+\hypertarget{cluster_8c_a2f1a22cfea64e4669da0467620c3e3b3}{
+\index{cluster.c@{cluster.c}!\_\-hierarchy\_\-node\_\-new@{\_\-hierarchy\_\-node\_\-new}}
+\index{\_\-hierarchy\_\-node\_\-new@{\_\-hierarchy\_\-node\_\-new}!cluster.c@{cluster.c}}
+\subsubsection[{\_\-hierarchy\_\-node\_\-new}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf hierarchy\_\-node}$\ast$ \_\-hierarchy\_\-node\_\-new (
+\begin{DoxyParamCaption}
+\item[{char $\ast$}]{ label, }
+\item[{int}]{ min\_\-val, }
+\item[{int}]{ max\_\-val}
+\end{DoxyParamCaption}
+)}}
+\label{cluster_8c_a2f1a22cfea64e4669da0467620c3e3b3}
+
+
+Create a new clustering hierarchy node. 
+
+FUNCTION: \_\-hierarchy\_\-node\_\-new 
+\begin{DoxyParams}{Parameters}
+\item[{\em label}]Label for the node \item[{\em min\_\-val}]Minimum value for the range represented by the node \item[{\em max\_\-val}]Maximum value for the range represented by the node \end{DoxyParams}
+\begin{DoxyReturn}{Returns}
+The brand new node if the allocation was ok, otherwise abort the application 
+\end{DoxyReturn}
+\hypertarget{cluster_8c_a1445818b37483f78cc3fb2890155842c}{
+\index{cluster.c@{cluster.c}!AI\_\-hierarchies\_\-build@{AI\_\-hierarchies\_\-build}}
+\index{AI\_\-hierarchies\_\-build@{AI\_\-hierarchies\_\-build}!cluster.c@{cluster.c}}
+\subsubsection[{AI\_\-hierarchies\_\-build}]{\setlength{\rightskip}{0pt plus 5cm}void AI\_\-hierarchies\_\-build (
+\begin{DoxyParamCaption}
+\item[{{\bf AI\_\-config} $\ast$}]{ conf, }
+\item[{{\bf hierarchy\_\-node} $\ast$$\ast$}]{ nodes, }
+\item[{int}]{ n\_\-nodes}
+\end{DoxyParamCaption}
+)}}
+\label{cluster_8c_a1445818b37483f78cc3fb2890155842c}
+
+
+Build the clustering hierarchy trees. 
+
+FUNCTION: AI\_\-hierarchies\_\-build 
+\begin{DoxyParams}{Parameters}
+\item[{\em conf}]Reference to the configuration of the module \item[{\em nodes}]Nodes containing the information about the clustering ranges \item[{\em n\_\-nodes}]Number of nodes \end{DoxyParams}
+
+
+\subsection{Variable Documentation}
+\hypertarget{cluster_8c_a91458e2d34595688e39fcb63ba418849}{
+\index{cluster.c@{cluster.c}!\_\-config@{\_\-config}}
+\index{\_\-config@{\_\-config}!cluster.c@{cluster.c}}
+\subsubsection[{\_\-config}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf AI\_\-config}$\ast$ {\bf \_\-config} = NULL}}
+\label{cluster_8c_a91458e2d34595688e39fcb63ba418849}
+\hypertarget{cluster_8c_aaf4c19f60f48741b0890c6114dcff7d9}{
+\index{cluster.c@{cluster.c}!alert\_\-log@{alert\_\-log}}
+\index{alert\_\-log@{alert\_\-log}!cluster.c@{cluster.c}}
+\subsubsection[{alert\_\-log}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf AI\_\-snort\_\-alert}$\ast$ {\bf alert\_\-log} = NULL}}
+\label{cluster_8c_aaf4c19f60f48741b0890c6114dcff7d9}
+\hypertarget{cluster_8c_a97d35425cf5a0207fb50b64ee8cdda82}{
+\index{cluster.c@{cluster.c}!h\_\-root@{h\_\-root}}
+\index{h\_\-root@{h\_\-root}!cluster.c@{cluster.c}}
+\subsubsection[{h\_\-root}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf hierarchy\_\-node}$\ast$ {\bf h\_\-root}\mbox{[}CLUSTER\_\-TYPES\mbox{]} = \{ NULL \}}}
+\label{cluster_8c_a97d35425cf5a0207fb50b64ee8cdda82}
diff --git a/doc/latex/doxygen.sty b/doc/latex/doxygen.sty
index e048d39..6b2aae6 100644
--- a/doc/latex/doxygen.sty
+++ b/doc/latex/doxygen.sty
@@ -27,9 +27,9 @@
   \fancyplain{}{\bfseries\thepage}%
 }
 \rfoot[\fancyplain{}{\bfseries\scriptsize%
-  Generated on Wed Aug 4 2010 11:30:57 for Snort AI preprocessor module by Doxygen }]{}
+  Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by Doxygen }]{}
 \lfoot[]{\fancyplain{}{\bfseries\scriptsize%
-  Generated on Wed Aug 4 2010 11:30:57 for Snort AI preprocessor module by Doxygen }}
+  Generated on Mon Aug 16 2010 22:05:38 for Snort AI preprocessor module by Doxygen }}
 \cfoot{}
 
 %---------- Internal commands used in this style file ----------------
diff --git a/doc/latex/files.tex b/doc/latex/files.tex
index 704242b..1801958 100644
--- a/doc/latex/files.tex
+++ b/doc/latex/files.tex
@@ -1,5 +1,8 @@
 \section{File List}
 Here is a list of all files with brief descriptions:\begin{DoxyCompactList}
+\item\contentsline{section}{\hyperlink{alert__parser_8c}{alert\_\-parser.c} }{\pageref{alert__parser_8c}}{}
+\item\contentsline{section}{\hyperlink{cluster_8c}{cluster.c} }{\pageref{cluster_8c}}{}
+\item\contentsline{section}{\hyperlink{regex_8c}{regex.c} }{\pageref{regex_8c}}{}
 \item\contentsline{section}{\hyperlink{sf__dynamic__preproc__lib_8c}{sf\_\-dynamic\_\-preproc\_\-lib.c} }{\pageref{sf__dynamic__preproc__lib_8c}}{}
 \item\contentsline{section}{\hyperlink{sf__preproc__info_8h}{sf\_\-preproc\_\-info.h} }{\pageref{sf__preproc__info_8h}}{}
 \item\contentsline{section}{\hyperlink{sfPolicyUserData_8c}{sfPolicyUserData.c} }{\pageref{sfPolicyUserData_8c}}{}
diff --git a/doc/latex/refman.tex b/doc/latex/refman.tex
index 51d4829..d84eff3 100644
--- a/doc/latex/refman.tex
+++ b/doc/latex/refman.tex
@@ -41,7 +41,7 @@
 \vspace*{1cm}
 {\large Generated by Doxygen 1.7.1}\\
 \vspace*{0.5cm}
-{\small Wed Aug 4 2010 11:30:57}\\
+{\small Mon Aug 16 2010 22:05:38}\\
 \end{center}
 \end{titlepage}
 \clearemptydoublepage
@@ -59,10 +59,17 @@
 \chapter{Module Documentation}
 \input{group__sfPolicyConfig}
 \chapter{Data Structure Documentation}
-\input{struct__AI__config}
+\input{struct__AI__snort__alert}
+\input{struct__hierarchy__node}
+\input{structAI__config}
+\input{structattribute__key}
+\input{structattribute__value}
 \input{structpkt__info}
 \input{structpkt__key}
 \chapter{File Documentation}
+\input{alert__parser_8c}
+\input{cluster_8c}
+\input{regex_8c}
 \input{sf__dynamic__preproc__lib_8c}
 \input{sf__preproc__info_8h}
 \input{sfPolicyUserData_8c}
diff --git a/doc/latex/regex_8c.tex b/doc/latex/regex_8c.tex
new file mode 100644
index 0000000..3fe7d92
--- /dev/null
+++ b/doc/latex/regex_8c.tex
@@ -0,0 +1,38 @@
+\hypertarget{regex_8c}{
+\section{regex.c File Reference}
+\label{regex_8c}\index{regex.c@{regex.c}}
+}
+{\ttfamily \#include $<$stdio.h$>$}\par
+{\ttfamily \#include $<$stdlib.h$>$}\par
+{\ttfamily \#include $<$string.h$>$}\par
+{\ttfamily \#include $<$regex.h$>$}\par
+\subsection*{Functions}
+\begin{DoxyCompactItemize}
+\item 
+int \hyperlink{regex_8c_a35f57c052a7de1ded54b67a1f7819791}{preg\_\-match} (const char $\ast$expr, char $\ast$str, char $\ast$$\ast$$\ast$matches, int $\ast$nmatches)
+\begin{DoxyCompactList}\small\item\em Check if a string matches a regular expression. \item\end{DoxyCompactList}\end{DoxyCompactItemize}
+
+
+\subsection{Function Documentation}
+\hypertarget{regex_8c_a35f57c052a7de1ded54b67a1f7819791}{
+\index{regex.c@{regex.c}!preg\_\-match@{preg\_\-match}}
+\index{preg\_\-match@{preg\_\-match}!regex.c@{regex.c}}
+\subsubsection[{preg\_\-match}]{\setlength{\rightskip}{0pt plus 5cm}int preg\_\-match (
+\begin{DoxyParamCaption}
+\item[{const char $\ast$}]{ expr, }
+\item[{char $\ast$}]{ str, }
+\item[{char $\ast$$\ast$$\ast$}]{ matches, }
+\item[{int $\ast$}]{ nmatches}
+\end{DoxyParamCaption}
+)}}
+\label{regex_8c_a35f57c052a7de1ded54b67a1f7819791}
+
+
+Check if a string matches a regular expression. 
+
+FUNCTION: preg\_\-match 
+\begin{DoxyParams}{Parameters}
+\item[{\em expr}]Regular expression to be matched \item[{\em str}]String to be checked \item[{\em matches}]Reference to a char$\ast$$\ast$ that will contain the submatches (NULL if you don't need it) \item[{\em nmatches}]Reference to a int containing the number of submatches found (NULL if you don't need it) \end{DoxyParams}
+\begin{DoxyReturn}{Returns}
+-\/1 if the regex is wrong, 0 if no match was found, 1 otherwise 
+\end{DoxyReturn}
diff --git a/doc/latex/spp__ai_8c.tex b/doc/latex/spp__ai_8c.tex
index 21baed3..8d64916 100644
--- a/doc/latex/spp__ai_8c.tex
+++ b/doc/latex/spp__ai_8c.tex
@@ -3,30 +3,10 @@
 \label{spp__ai_8c}\index{spp\_\-ai.c@{spp\_\-ai.c}}
 }
 {\ttfamily \#include \char`\"{}spp\_\-ai.h\char`\"{}}\par
-{\ttfamily \#include \char`\"{}preprocids.h\char`\"{}}\par
-{\ttfamily \#include \char`\"{}sf\_\-dynamic\_\-preproc\_\-lib.h\char`\"{}}\par
-{\ttfamily \#include \char`\"{}sf\_\-dynamic\_\-preprocessor.h\char`\"{}}\par
-{\ttfamily \#include \char`\"{}debug.h\char`\"{}}\par
-{\ttfamily \#include \char`\"{}sfPolicy.h\char`\"{}}\par
 {\ttfamily \#include \char`\"{}sfPolicyUserData.h\char`\"{}}\par
-{\ttfamily \#include $<$sys/types.h$>$}\par
 {\ttfamily \#include $<$stdlib.h$>$}\par
-{\ttfamily \#include $<$ctype.h$>$}\par
 {\ttfamily \#include $<$string.h$>$}\par
 {\ttfamily \#include $<$pthread.h$>$}\par
-\subsection*{Defines}
-\begin{DoxyCompactItemize}
-\item 
-\#define \hyperlink{spp__ai_8c_a9e7d446fc8b40be2cfbb5c69c3e132ca}{GENERATOR\_\-EXAMPLE}~256
-\item 
-\#define \hyperlink{spp__ai_8c_af4c767ae0346026264c851108f42be63}{SRC\_\-PORT\_\-MATCH}~1
-\item 
-\#define \hyperlink{spp__ai_8c_a3ec4dd8f1ebed73c13175d9b9c820e2e}{SRC\_\-PORT\_\-MATCH\_\-STR}~\char`\"{}example\_\-preprocessor: src port match\char`\"{}
-\item 
-\#define \hyperlink{spp__ai_8c_a8ab13e8ad1dfd19b9237a99ae6130146}{DST\_\-PORT\_\-MATCH}~2
-\item 
-\#define \hyperlink{spp__ai_8c_a1f3521b9bcf5daf99190be58473a4110}{DST\_\-PORT\_\-MATCH\_\-STR}~\char`\"{}example\_\-preprocessor: dest port match\char`\"{}
-\end{DoxyCompactItemize}
 \subsection*{Functions}
 \begin{DoxyCompactItemize}
 \item 
@@ -34,7 +14,7 @@ static void \hyperlink{spp__ai_8c_a3524cbdf8fddbcf38c4ed55241002242}{AI\_\-init}
 \begin{DoxyCompactList}\small\item\em Initialize the preprocessor module. \item\end{DoxyCompactList}\item 
 static void \hyperlink{spp__ai_8c_a57c05cda012c443cb4c358dc327cd3d1}{AI\_\-process} (void $\ast$pkt, void $\ast$context)
 \begin{DoxyCompactList}\small\item\em Function executed every time the module receives a packet to be processed. \item\end{DoxyCompactList}\item 
-static \hyperlink{struct__AI__config}{AI\_\-config} $\ast$ \hyperlink{spp__ai_8c_ae1c5c4b38ee2819d427848eb3046373e}{AI\_\-parse} (char $\ast$args)
+static \hyperlink{structAI__config}{AI\_\-config} $\ast$ \hyperlink{spp__ai_8c_ae1c5c4b38ee2819d427848eb3046373e}{AI\_\-parse} (char $\ast$args)
 \begin{DoxyCompactList}\small\item\em Parse the arguments passed to the module saving them to a valid configuration struct. \item\end{DoxyCompactList}\item 
 void \hyperlink{spp__ai_8c_a1b9ebb5c719c7d9426ddfc1f3da36570}{AI\_\-setup} (void)
 \begin{DoxyCompactList}\small\item\em Set up the preprocessor module. \item\end{DoxyCompactList}\end{DoxyCompactItemize}
@@ -42,39 +22,9 @@ void \hyperlink{spp__ai_8c_a1b9ebb5c719c7d9426ddfc1f3da36570}{AI\_\-setup} (void
 \begin{DoxyCompactItemize}
 \item 
 tSfPolicyUserContextId \hyperlink{spp__ai_8c_a3dd75596c540d148643fe6d1fdc02628}{ex\_\-config} = NULL
-\item 
-DynamicPreprocessorData \hyperlink{spp__ai_8c_ab46420126c43c1aac5eabc5db266a71c}{\_\-dpd}
 \end{DoxyCompactItemize}
 
 
-\subsection{Define Documentation}
-\hypertarget{spp__ai_8c_a8ab13e8ad1dfd19b9237a99ae6130146}{
-\index{spp\_\-ai.c@{spp\_\-ai.c}!DST\_\-PORT\_\-MATCH@{DST\_\-PORT\_\-MATCH}}
-\index{DST\_\-PORT\_\-MATCH@{DST\_\-PORT\_\-MATCH}!spp_ai.c@{spp\_\-ai.c}}
-\subsubsection[{DST\_\-PORT\_\-MATCH}]{\setlength{\rightskip}{0pt plus 5cm}\#define DST\_\-PORT\_\-MATCH~2}}
-\label{spp__ai_8c_a8ab13e8ad1dfd19b9237a99ae6130146}
-\hypertarget{spp__ai_8c_a1f3521b9bcf5daf99190be58473a4110}{
-\index{spp\_\-ai.c@{spp\_\-ai.c}!DST\_\-PORT\_\-MATCH\_\-STR@{DST\_\-PORT\_\-MATCH\_\-STR}}
-\index{DST\_\-PORT\_\-MATCH\_\-STR@{DST\_\-PORT\_\-MATCH\_\-STR}!spp_ai.c@{spp\_\-ai.c}}
-\subsubsection[{DST\_\-PORT\_\-MATCH\_\-STR}]{\setlength{\rightskip}{0pt plus 5cm}\#define DST\_\-PORT\_\-MATCH\_\-STR~\char`\"{}example\_\-preprocessor: dest port match\char`\"{}}}
-\label{spp__ai_8c_a1f3521b9bcf5daf99190be58473a4110}
-\hypertarget{spp__ai_8c_a9e7d446fc8b40be2cfbb5c69c3e132ca}{
-\index{spp\_\-ai.c@{spp\_\-ai.c}!GENERATOR\_\-EXAMPLE@{GENERATOR\_\-EXAMPLE}}
-\index{GENERATOR\_\-EXAMPLE@{GENERATOR\_\-EXAMPLE}!spp_ai.c@{spp\_\-ai.c}}
-\subsubsection[{GENERATOR\_\-EXAMPLE}]{\setlength{\rightskip}{0pt plus 5cm}\#define GENERATOR\_\-EXAMPLE~256}}
-\label{spp__ai_8c_a9e7d446fc8b40be2cfbb5c69c3e132ca}
-\hypertarget{spp__ai_8c_af4c767ae0346026264c851108f42be63}{
-\index{spp\_\-ai.c@{spp\_\-ai.c}!SRC\_\-PORT\_\-MATCH@{SRC\_\-PORT\_\-MATCH}}
-\index{SRC\_\-PORT\_\-MATCH@{SRC\_\-PORT\_\-MATCH}!spp_ai.c@{spp\_\-ai.c}}
-\subsubsection[{SRC\_\-PORT\_\-MATCH}]{\setlength{\rightskip}{0pt plus 5cm}\#define SRC\_\-PORT\_\-MATCH~1}}
-\label{spp__ai_8c_af4c767ae0346026264c851108f42be63}
-\hypertarget{spp__ai_8c_a3ec4dd8f1ebed73c13175d9b9c820e2e}{
-\index{spp\_\-ai.c@{spp\_\-ai.c}!SRC\_\-PORT\_\-MATCH\_\-STR@{SRC\_\-PORT\_\-MATCH\_\-STR}}
-\index{SRC\_\-PORT\_\-MATCH\_\-STR@{SRC\_\-PORT\_\-MATCH\_\-STR}!spp_ai.c@{spp\_\-ai.c}}
-\subsubsection[{SRC\_\-PORT\_\-MATCH\_\-STR}]{\setlength{\rightskip}{0pt plus 5cm}\#define SRC\_\-PORT\_\-MATCH\_\-STR~\char`\"{}example\_\-preprocessor: src port match\char`\"{}}}
-\label{spp__ai_8c_a3ec4dd8f1ebed73c13175d9b9c820e2e}
-
-
 \subsection{Function Documentation}
 \hypertarget{spp__ai_8c_a3524cbdf8fddbcf38c4ed55241002242}{
 \index{spp\_\-ai.c@{spp\_\-ai.c}!AI\_\-init@{AI\_\-init}}
@@ -105,11 +55,11 @@ FUNCTION: AI\_\-init
 
 Parse the arguments passed to the module saving them to a valid configuration struct. 
 
-FUNCTION: AI\_\-config 
+FUNCTION: \hyperlink{structAI__config}{AI\_\-config} 
 \begin{DoxyParams}{Parameters}
 \item[{\em args}]Arguments passed to the module \end{DoxyParams}
 \begin{DoxyReturn}{Returns}
-Pointer to AI\_\-config keeping the configuration for the module 
+Pointer to \hyperlink{structAI__config}{AI\_\-config} keeping the configuration for the module 
 \end{DoxyReturn}
 \hypertarget{spp__ai_8c_a57c05cda012c443cb4c358dc327cd3d1}{
 \index{spp\_\-ai.c@{spp\_\-ai.c}!AI\_\-process@{AI\_\-process}}
@@ -144,11 +94,6 @@ Set up the preprocessor module.
 FUNCTION: AI\_\-setup 
 
 \subsection{Variable Documentation}
-\hypertarget{spp__ai_8c_ab46420126c43c1aac5eabc5db266a71c}{
-\index{spp\_\-ai.c@{spp\_\-ai.c}!\_\-dpd@{\_\-dpd}}
-\index{\_\-dpd@{\_\-dpd}!spp_ai.c@{spp\_\-ai.c}}
-\subsubsection[{\_\-dpd}]{\setlength{\rightskip}{0pt plus 5cm}DynamicPreprocessorData {\bf \_\-dpd}}}
-\label{spp__ai_8c_ab46420126c43c1aac5eabc5db266a71c}
 \hypertarget{spp__ai_8c_a3dd75596c540d148643fe6d1fdc02628}{
 \index{spp\_\-ai.c@{spp\_\-ai.c}!ex\_\-config@{ex\_\-config}}
 \index{ex\_\-config@{ex\_\-config}!spp_ai.c@{spp\_\-ai.c}}
diff --git a/doc/latex/spp__ai_8h.tex b/doc/latex/spp__ai_8h.tex
index 0430843..3cf1235 100644
--- a/doc/latex/spp__ai_8h.tex
+++ b/doc/latex/spp__ai_8h.tex
@@ -3,19 +3,48 @@
 \label{spp__ai_8h}\index{spp\_\-ai.h@{spp\_\-ai.h}}
 }
 {\ttfamily \#include \char`\"{}sf\_\-snort\_\-packet.h\char`\"{}}\par
+{\ttfamily \#include \char`\"{}sf\_\-dynamic\_\-preprocessor.h\char`\"{}}\par
+{\ttfamily \#include \char`\"{}uthash.h\char`\"{}}\par
 \subsection*{Data Structures}
 \begin{DoxyCompactItemize}
 \item 
-struct \hyperlink{struct__AI__config}{\_\-AI\_\-config}
+struct \hyperlink{structpkt__key}{pkt\_\-key}
+\item 
+struct \hyperlink{structpkt__info}{pkt\_\-info}
+\item 
+struct \hyperlink{structAI__config}{AI\_\-config}
+\item 
+struct \hyperlink{struct__hierarchy__node}{\_\-hierarchy\_\-node}
+\item 
+struct \hyperlink{struct__AI__snort__alert}{\_\-AI\_\-snort\_\-alert}
+\end{DoxyCompactItemize}
+\subsection*{Defines}
+\begin{DoxyCompactItemize}
+\item 
+\#define \hyperlink{spp__ai_8h_a5e151c615eda34903514212f05a5ccf8}{PRIVATE}~static
+\item 
+\#define \hyperlink{spp__ai_8h_a5f555c0ebd29ce2771a3e2dd4f526746}{DEFAULT\_\-HASH\_\-CLEANUP\_\-INTERVAL}~300
+\item 
+\#define \hyperlink{spp__ai_8h_a0f6a189af15ef783fb46ed37c144e031}{DEFAULT\_\-STREAM\_\-EXPIRE\_\-INTERVAL}~300
+\item 
+\#define \hyperlink{spp__ai_8h_a0c4b6fce670e46083e33b9f53b78f39e}{DEFAULT\_\-ALERT\_\-CLUSTERING\_\-INTERVAL}~3600
+\item 
+\#define \hyperlink{spp__ai_8h_a6d9bf552c32371e0144dc6a6209c7e4a}{DEFAULT\_\-ALERT\_\-LOG\_\-FILE}~\char`\"{}/var/log/snort/alert\char`\"{}
+\item 
+\#define \hyperlink{spp__ai_8h_a803dc913297ccdace9e604dbfecda97d}{DEFAULT\_\-CLUSTER\_\-LOG\_\-FILE}~\char`\"{}/var/log/snort/cluster\_\-alert\char`\"{}
 \end{DoxyCompactItemize}
 \subsection*{Typedefs}
 \begin{DoxyCompactItemize}
 \item 
-typedef unsigned int \hyperlink{spp__ai_8h_a435d1572bf3f880d55459d9805097f62}{uint32\_\-t}
+typedef unsigned char \hyperlink{spp__ai_8h_aba7bc1797add20fe3efdf37ced1182c5}{uint8\_\-t}
 \item 
 typedef unsigned short \hyperlink{spp__ai_8h_a273cf69d639a59973b6019625df33e30}{uint16\_\-t}
 \item 
-typedef struct \hyperlink{struct__AI__config}{\_\-AI\_\-config} \hyperlink{spp__ai_8h_a3fc526e5a55f5d137402b1bbd1b6072c}{AI\_\-config}
+typedef unsigned int \hyperlink{spp__ai_8h_a435d1572bf3f880d55459d9805097f62}{uint32\_\-t}
+\item 
+typedef struct \hyperlink{struct__hierarchy__node}{\_\-hierarchy\_\-node} \hyperlink{spp__ai_8h_a466391129919ef12366d311d501552fa}{hierarchy\_\-node}
+\item 
+typedef struct \hyperlink{struct__AI__snort__alert}{\_\-AI\_\-snort\_\-alert} \hyperlink{spp__ai_8h_a982be90e72362e88d09f28336c9a1897}{AI\_\-snort\_\-alert}
 \end{DoxyCompactItemize}
 \subsection*{Enumerations}
 \begin{DoxyCompactItemize}
@@ -23,22 +52,89 @@ typedef struct \hyperlink{struct__AI__config}{\_\-AI\_\-config} \hyperlink{spp__
 enum \hyperlink{spp__ai_8h_a3e5b8192e7d9ffaf3542f1210aec18dd}{BOOL} \{ \hyperlink{spp__ai_8h_a3e5b8192e7d9ffaf3542f1210aec18ddae9de385ef6fe9bf3360d1038396b884c}{false}, 
 \hyperlink{spp__ai_8h_a3e5b8192e7d9ffaf3542f1210aec18dda08f175a5505a10b9ed657defeb050e4b}{true}
  \}
+\item 
+enum \hyperlink{spp__ai_8h_ae2ff3c6586aa2ab211a102abfde86640}{cluster\_\-type} \{ \par
+\hyperlink{spp__ai_8h_ae2ff3c6586aa2ab211a102abfde86640ab7e4e0120a041dbe6528b050c04269e0}{none}, 
+\hyperlink{spp__ai_8h_ae2ff3c6586aa2ab211a102abfde86640abc900639df18f0f5f2f63a1f033fe42f}{src\_\-addr}, 
+\hyperlink{spp__ai_8h_ae2ff3c6586aa2ab211a102abfde86640aa000f955ef1374c60cdb16bf43a1593c}{dst\_\-addr}, 
+\hyperlink{spp__ai_8h_ae2ff3c6586aa2ab211a102abfde86640ac1335c508143eb06843af2ce5ff3027b}{src\_\-port}, 
+\par
+\hyperlink{spp__ai_8h_ae2ff3c6586aa2ab211a102abfde86640abc4f89a184ada44073bd6f54d7fc11c9}{dst\_\-port}, 
+\hyperlink{spp__ai_8h_ae2ff3c6586aa2ab211a102abfde86640ab16bb5c4b330d5db02e2d852cd2ba451}{CLUSTER\_\-TYPES}
+ \}
 \end{DoxyCompactItemize}
 \subsection*{Functions}
 \begin{DoxyCompactItemize}
 \item 
+int \hyperlink{spp__ai_8h_a85c0852b05b60cbfe0130534160c9876}{preg\_\-match} (const char $\ast$, char $\ast$, char $\ast$$\ast$$\ast$, int $\ast$)
+\begin{DoxyCompactList}\small\item\em Check if a string matches a regular expression. \item\end{DoxyCompactList}\item 
+void $\ast$ \hyperlink{spp__ai_8h_ad56f71be823eead743972274b99c82ff}{AI\_\-hashcleanup\_\-thread} (void $\ast$)
+\begin{DoxyCompactList}\small\item\em Thread called for cleaning up the hash table from the traffic streams older than a certain threshold. \item\end{DoxyCompactList}\item 
+void $\ast$ \hyperlink{spp__ai_8h_a842a3204c6e067a9920990b573757181}{AI\_\-alertparser\_\-thread} (void $\ast$)
+\begin{DoxyCompactList}\small\item\em Thread for parsing Snort's alert file. \item\end{DoxyCompactList}\item 
 void \hyperlink{spp__ai_8h_af6f7d167c3623bbc669e8d31c2719b29}{AI\_\-pkt\_\-enqueue} (SFSnortPacket $\ast$)
 \begin{DoxyCompactList}\small\item\em Function called for appending a new packet to the hash table, creating a new stream or appending it to an existing stream. \item\end{DoxyCompactList}\item 
-void $\ast$ \hyperlink{spp__ai_8h_ad56f71be823eead743972274b99c82ff}{AI\_\-hashcleanup\_\-thread} (void $\ast$)
-\begin{DoxyCompactList}\small\item\em Thread called for cleaning up the hash table from the traffic streams older than a certain threshold. \item\end{DoxyCompactList}\end{DoxyCompactItemize}
+void \hyperlink{spp__ai_8h_a8749989cee2ac05a7de058faac280c02}{AI\_\-set\_\-stream\_\-observed} (struct \hyperlink{structpkt__key}{pkt\_\-key} key)
+\begin{DoxyCompactList}\small\item\em Set the flag \char`\"{}observed\char`\"{} on a stream associated to a security alert, so that it won't be removed from the hash table. \item\end{DoxyCompactList}\item 
+void \hyperlink{spp__ai_8h_a857348424b9db45c90f95631eb96fd7c}{AI\_\-hierarchies\_\-build} (\hyperlink{structAI__config}{AI\_\-config} $\ast$, \hyperlink{struct__hierarchy__node}{hierarchy\_\-node} $\ast$$\ast$, int)
+\begin{DoxyCompactList}\small\item\em Build the clustering hierarchy trees. \item\end{DoxyCompactList}\item 
+struct \hyperlink{structpkt__info}{pkt\_\-info} $\ast$ \hyperlink{spp__ai_8h_a3054f06297a9caefd4d9b1283bb8b69a}{AI\_\-get\_\-stream\_\-by\_\-key} (struct \hyperlink{structpkt__key}{pkt\_\-key})
+\begin{DoxyCompactList}\small\item\em Get a TCP stream by key. \item\end{DoxyCompactList}\item 
+\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$ \hyperlink{spp__ai_8h_af19a28f7cbcdfeb2b66fb3b625b75076}{AI\_\-get\_\-alerts} (void)
+\begin{DoxyCompactList}\small\item\em Return the alerts parsed so far as a linked list. \item\end{DoxyCompactList}\item 
+void \hyperlink{spp__ai_8h_a270e86669a0aa64a8da37bc16cda645b}{AI\_\-free\_\-alerts} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$node)
+\begin{DoxyCompactList}\small\item\em Deallocate the memory of a log alert linked list. \item\end{DoxyCompactList}\end{DoxyCompactItemize}
+\subsection*{Variables}
+\begin{DoxyCompactItemize}
+\item 
+DynamicPreprocessorData \hyperlink{spp__ai_8h_ab46420126c43c1aac5eabc5db266a71c}{\_\-dpd}
+\end{DoxyCompactItemize}
+
+
+\subsection{Define Documentation}
+\hypertarget{spp__ai_8h_a0c4b6fce670e46083e33b9f53b78f39e}{
+\index{spp\_\-ai.h@{spp\_\-ai.h}!DEFAULT\_\-ALERT\_\-CLUSTERING\_\-INTERVAL@{DEFAULT\_\-ALERT\_\-CLUSTERING\_\-INTERVAL}}
+\index{DEFAULT\_\-ALERT\_\-CLUSTERING\_\-INTERVAL@{DEFAULT\_\-ALERT\_\-CLUSTERING\_\-INTERVAL}!spp_ai.h@{spp\_\-ai.h}}
+\subsubsection[{DEFAULT\_\-ALERT\_\-CLUSTERING\_\-INTERVAL}]{\setlength{\rightskip}{0pt plus 5cm}\#define DEFAULT\_\-ALERT\_\-CLUSTERING\_\-INTERVAL~3600}}
+\label{spp__ai_8h_a0c4b6fce670e46083e33b9f53b78f39e}
+\hypertarget{spp__ai_8h_a6d9bf552c32371e0144dc6a6209c7e4a}{
+\index{spp\_\-ai.h@{spp\_\-ai.h}!DEFAULT\_\-ALERT\_\-LOG\_\-FILE@{DEFAULT\_\-ALERT\_\-LOG\_\-FILE}}
+\index{DEFAULT\_\-ALERT\_\-LOG\_\-FILE@{DEFAULT\_\-ALERT\_\-LOG\_\-FILE}!spp_ai.h@{spp\_\-ai.h}}
+\subsubsection[{DEFAULT\_\-ALERT\_\-LOG\_\-FILE}]{\setlength{\rightskip}{0pt plus 5cm}\#define DEFAULT\_\-ALERT\_\-LOG\_\-FILE~\char`\"{}/var/log/snort/alert\char`\"{}}}
+\label{spp__ai_8h_a6d9bf552c32371e0144dc6a6209c7e4a}
+\hypertarget{spp__ai_8h_a803dc913297ccdace9e604dbfecda97d}{
+\index{spp\_\-ai.h@{spp\_\-ai.h}!DEFAULT\_\-CLUSTER\_\-LOG\_\-FILE@{DEFAULT\_\-CLUSTER\_\-LOG\_\-FILE}}
+\index{DEFAULT\_\-CLUSTER\_\-LOG\_\-FILE@{DEFAULT\_\-CLUSTER\_\-LOG\_\-FILE}!spp_ai.h@{spp\_\-ai.h}}
+\subsubsection[{DEFAULT\_\-CLUSTER\_\-LOG\_\-FILE}]{\setlength{\rightskip}{0pt plus 5cm}\#define DEFAULT\_\-CLUSTER\_\-LOG\_\-FILE~\char`\"{}/var/log/snort/cluster\_\-alert\char`\"{}}}
+\label{spp__ai_8h_a803dc913297ccdace9e604dbfecda97d}
+\hypertarget{spp__ai_8h_a5f555c0ebd29ce2771a3e2dd4f526746}{
+\index{spp\_\-ai.h@{spp\_\-ai.h}!DEFAULT\_\-HASH\_\-CLEANUP\_\-INTERVAL@{DEFAULT\_\-HASH\_\-CLEANUP\_\-INTERVAL}}
+\index{DEFAULT\_\-HASH\_\-CLEANUP\_\-INTERVAL@{DEFAULT\_\-HASH\_\-CLEANUP\_\-INTERVAL}!spp_ai.h@{spp\_\-ai.h}}
+\subsubsection[{DEFAULT\_\-HASH\_\-CLEANUP\_\-INTERVAL}]{\setlength{\rightskip}{0pt plus 5cm}\#define DEFAULT\_\-HASH\_\-CLEANUP\_\-INTERVAL~300}}
+\label{spp__ai_8h_a5f555c0ebd29ce2771a3e2dd4f526746}
+\hypertarget{spp__ai_8h_a0f6a189af15ef783fb46ed37c144e031}{
+\index{spp\_\-ai.h@{spp\_\-ai.h}!DEFAULT\_\-STREAM\_\-EXPIRE\_\-INTERVAL@{DEFAULT\_\-STREAM\_\-EXPIRE\_\-INTERVAL}}
+\index{DEFAULT\_\-STREAM\_\-EXPIRE\_\-INTERVAL@{DEFAULT\_\-STREAM\_\-EXPIRE\_\-INTERVAL}!spp_ai.h@{spp\_\-ai.h}}
+\subsubsection[{DEFAULT\_\-STREAM\_\-EXPIRE\_\-INTERVAL}]{\setlength{\rightskip}{0pt plus 5cm}\#define DEFAULT\_\-STREAM\_\-EXPIRE\_\-INTERVAL~300}}
+\label{spp__ai_8h_a0f6a189af15ef783fb46ed37c144e031}
+\hypertarget{spp__ai_8h_a5e151c615eda34903514212f05a5ccf8}{
+\index{spp\_\-ai.h@{spp\_\-ai.h}!PRIVATE@{PRIVATE}}
+\index{PRIVATE@{PRIVATE}!spp_ai.h@{spp\_\-ai.h}}
+\subsubsection[{PRIVATE}]{\setlength{\rightskip}{0pt plus 5cm}\#define PRIVATE~static}}
+\label{spp__ai_8h_a5e151c615eda34903514212f05a5ccf8}
 
 
 \subsection{Typedef Documentation}
-\hypertarget{spp__ai_8h_a3fc526e5a55f5d137402b1bbd1b6072c}{
-\index{spp\_\-ai.h@{spp\_\-ai.h}!AI\_\-config@{AI\_\-config}}
-\index{AI\_\-config@{AI\_\-config}!spp_ai.h@{spp\_\-ai.h}}
-\subsubsection[{AI\_\-config}]{\setlength{\rightskip}{0pt plus 5cm}typedef struct {\bf \_\-AI\_\-config}  {\bf AI\_\-config}}}
-\label{spp__ai_8h_a3fc526e5a55f5d137402b1bbd1b6072c}
+\hypertarget{spp__ai_8h_a982be90e72362e88d09f28336c9a1897}{
+\index{spp\_\-ai.h@{spp\_\-ai.h}!AI\_\-snort\_\-alert@{AI\_\-snort\_\-alert}}
+\index{AI\_\-snort\_\-alert@{AI\_\-snort\_\-alert}!spp_ai.h@{spp\_\-ai.h}}
+\subsubsection[{AI\_\-snort\_\-alert}]{\setlength{\rightskip}{0pt plus 5cm}typedef struct {\bf \_\-AI\_\-snort\_\-alert}  {\bf AI\_\-snort\_\-alert}}}
+\label{spp__ai_8h_a982be90e72362e88d09f28336c9a1897}
+\hypertarget{spp__ai_8h_a466391129919ef12366d311d501552fa}{
+\index{spp\_\-ai.h@{spp\_\-ai.h}!hierarchy\_\-node@{hierarchy\_\-node}}
+\index{hierarchy\_\-node@{hierarchy\_\-node}!spp_ai.h@{spp\_\-ai.h}}
+\subsubsection[{hierarchy\_\-node}]{\setlength{\rightskip}{0pt plus 5cm}typedef struct {\bf \_\-hierarchy\_\-node}  {\bf hierarchy\_\-node}}}
+\label{spp__ai_8h_a466391129919ef12366d311d501552fa}
 \hypertarget{spp__ai_8h_a273cf69d639a59973b6019625df33e30}{
 \index{spp\_\-ai.h@{spp\_\-ai.h}!uint16\_\-t@{uint16\_\-t}}
 \index{uint16\_\-t@{uint16\_\-t}!spp_ai.h@{spp\_\-ai.h}}
@@ -49,6 +145,11 @@ void $\ast$ \hyperlink{spp__ai_8h_ad56f71be823eead743972274b99c82ff}{AI\_\-hashc
 \index{uint32\_\-t@{uint32\_\-t}!spp_ai.h@{spp\_\-ai.h}}
 \subsubsection[{uint32\_\-t}]{\setlength{\rightskip}{0pt plus 5cm}typedef unsigned int {\bf uint32\_\-t}}}
 \label{spp__ai_8h_a435d1572bf3f880d55459d9805097f62}
+\hypertarget{spp__ai_8h_aba7bc1797add20fe3efdf37ced1182c5}{
+\index{spp\_\-ai.h@{spp\_\-ai.h}!uint8\_\-t@{uint8\_\-t}}
+\index{uint8\_\-t@{uint8\_\-t}!spp_ai.h@{spp\_\-ai.h}}
+\subsubsection[{uint8\_\-t}]{\setlength{\rightskip}{0pt plus 5cm}typedef unsigned char {\bf uint8\_\-t}}}
+\label{spp__ai_8h_aba7bc1797add20fe3efdf37ced1182c5}
 
 
 \subsection{Enumeration Type Documentation}
@@ -71,9 +172,111 @@ true}
 }]\end{description}
 \end{Desc}
 
+\hypertarget{spp__ai_8h_ae2ff3c6586aa2ab211a102abfde86640}{
+\index{spp\_\-ai.h@{spp\_\-ai.h}!cluster\_\-type@{cluster\_\-type}}
+\index{cluster\_\-type@{cluster\_\-type}!spp_ai.h@{spp\_\-ai.h}}
+\subsubsection[{cluster\_\-type}]{\setlength{\rightskip}{0pt plus 5cm}enum {\bf cluster\_\-type}}}
+\label{spp__ai_8h_ae2ff3c6586aa2ab211a102abfde86640}
+\begin{Desc}
+\item[Enumerator: ]\par
+\begin{description}
+\index{none@{none}!spp\_\-ai.h@{spp\_\-ai.h}}\index{spp\_\-ai.h@{spp\_\-ai.h}!none@{none}}\item[{\em 
+\hypertarget{spp__ai_8h_ae2ff3c6586aa2ab211a102abfde86640ab7e4e0120a041dbe6528b050c04269e0}{
+none}
+\label{spp__ai_8h_ae2ff3c6586aa2ab211a102abfde86640ab7e4e0120a041dbe6528b050c04269e0}
+}]\index{src\_\-addr@{src\_\-addr}!spp\_\-ai.h@{spp\_\-ai.h}}\index{spp\_\-ai.h@{spp\_\-ai.h}!src\_\-addr@{src\_\-addr}}\item[{\em 
+\hypertarget{spp__ai_8h_ae2ff3c6586aa2ab211a102abfde86640abc900639df18f0f5f2f63a1f033fe42f}{
+src\_\-addr}
+\label{spp__ai_8h_ae2ff3c6586aa2ab211a102abfde86640abc900639df18f0f5f2f63a1f033fe42f}
+}]\index{dst\_\-addr@{dst\_\-addr}!spp\_\-ai.h@{spp\_\-ai.h}}\index{spp\_\-ai.h@{spp\_\-ai.h}!dst\_\-addr@{dst\_\-addr}}\item[{\em 
+\hypertarget{spp__ai_8h_ae2ff3c6586aa2ab211a102abfde86640aa000f955ef1374c60cdb16bf43a1593c}{
+dst\_\-addr}
+\label{spp__ai_8h_ae2ff3c6586aa2ab211a102abfde86640aa000f955ef1374c60cdb16bf43a1593c}
+}]\index{src\_\-port@{src\_\-port}!spp\_\-ai.h@{spp\_\-ai.h}}\index{spp\_\-ai.h@{spp\_\-ai.h}!src\_\-port@{src\_\-port}}\item[{\em 
+\hypertarget{spp__ai_8h_ae2ff3c6586aa2ab211a102abfde86640ac1335c508143eb06843af2ce5ff3027b}{
+src\_\-port}
+\label{spp__ai_8h_ae2ff3c6586aa2ab211a102abfde86640ac1335c508143eb06843af2ce5ff3027b}
+}]\index{dst\_\-port@{dst\_\-port}!spp\_\-ai.h@{spp\_\-ai.h}}\index{spp\_\-ai.h@{spp\_\-ai.h}!dst\_\-port@{dst\_\-port}}\item[{\em 
+\hypertarget{spp__ai_8h_ae2ff3c6586aa2ab211a102abfde86640abc4f89a184ada44073bd6f54d7fc11c9}{
+dst\_\-port}
+\label{spp__ai_8h_ae2ff3c6586aa2ab211a102abfde86640abc4f89a184ada44073bd6f54d7fc11c9}
+}]\index{CLUSTER\_\-TYPES@{CLUSTER\_\-TYPES}!spp\_\-ai.h@{spp\_\-ai.h}}\index{spp\_\-ai.h@{spp\_\-ai.h}!CLUSTER\_\-TYPES@{CLUSTER\_\-TYPES}}\item[{\em 
+\hypertarget{spp__ai_8h_ae2ff3c6586aa2ab211a102abfde86640ab16bb5c4b330d5db02e2d852cd2ba451}{
+CLUSTER\_\-TYPES}
+\label{spp__ai_8h_ae2ff3c6586aa2ab211a102abfde86640ab16bb5c4b330d5db02e2d852cd2ba451}
+}]\end{description}
+\end{Desc}
+
 
 
 \subsection{Function Documentation}
+\hypertarget{spp__ai_8h_a842a3204c6e067a9920990b573757181}{
+\index{spp\_\-ai.h@{spp\_\-ai.h}!AI\_\-alertparser\_\-thread@{AI\_\-alertparser\_\-thread}}
+\index{AI\_\-alertparser\_\-thread@{AI\_\-alertparser\_\-thread}!spp_ai.h@{spp\_\-ai.h}}
+\subsubsection[{AI\_\-alertparser\_\-thread}]{\setlength{\rightskip}{0pt plus 5cm}void$\ast$ AI\_\-alertparser\_\-thread (
+\begin{DoxyParamCaption}
+\item[{void $\ast$}]{ arg}
+\end{DoxyParamCaption}
+)}}
+\label{spp__ai_8h_a842a3204c6e067a9920990b573757181}
+
+
+Thread for parsing Snort's alert file. 
+
+FUNCTION: AI\_\-alertparser\_\-thread 
+\begin{DoxyParams}{Parameters}
+\item[{\em arg}]void$\ast$ pointer to module's configuration \end{DoxyParams}
+\hypertarget{spp__ai_8h_a270e86669a0aa64a8da37bc16cda645b}{
+\index{spp\_\-ai.h@{spp\_\-ai.h}!AI\_\-free\_\-alerts@{AI\_\-free\_\-alerts}}
+\index{AI\_\-free\_\-alerts@{AI\_\-free\_\-alerts}!spp_ai.h@{spp\_\-ai.h}}
+\subsubsection[{AI\_\-free\_\-alerts}]{\setlength{\rightskip}{0pt plus 5cm}void AI\_\-free\_\-alerts (
+\begin{DoxyParamCaption}
+\item[{{\bf AI\_\-snort\_\-alert} $\ast$}]{ node}
+\end{DoxyParamCaption}
+)}}
+\label{spp__ai_8h_a270e86669a0aa64a8da37bc16cda645b}
+
+
+Deallocate the memory of a log alert linked list. 
+
+FUNCTION: AI\_\-free\_\-alerts 
+\begin{DoxyParams}{Parameters}
+\item[{\em node}]Linked list to be freed \end{DoxyParams}
+\hypertarget{spp__ai_8h_af19a28f7cbcdfeb2b66fb3b625b75076}{
+\index{spp\_\-ai.h@{spp\_\-ai.h}!AI\_\-get\_\-alerts@{AI\_\-get\_\-alerts}}
+\index{AI\_\-get\_\-alerts@{AI\_\-get\_\-alerts}!spp_ai.h@{spp\_\-ai.h}}
+\subsubsection[{AI\_\-get\_\-alerts}]{\setlength{\rightskip}{0pt plus 5cm}{\bf AI\_\-snort\_\-alert}$\ast$ AI\_\-get\_\-alerts (
+\begin{DoxyParamCaption}
+\item[{void}]{}
+\end{DoxyParamCaption}
+)}}
+\label{spp__ai_8h_af19a28f7cbcdfeb2b66fb3b625b75076}
+
+
+Return the alerts parsed so far as a linked list. 
+
+FUNCTION: AI\_\-get\_\-alerts \begin{DoxyReturn}{Returns}
+An AI\_\-snort\_\-alert pointer identifying the list of alerts 
+\end{DoxyReturn}
+\hypertarget{spp__ai_8h_a3054f06297a9caefd4d9b1283bb8b69a}{
+\index{spp\_\-ai.h@{spp\_\-ai.h}!AI\_\-get\_\-stream\_\-by\_\-key@{AI\_\-get\_\-stream\_\-by\_\-key}}
+\index{AI\_\-get\_\-stream\_\-by\_\-key@{AI\_\-get\_\-stream\_\-by\_\-key}!spp_ai.h@{spp\_\-ai.h}}
+\subsubsection[{AI\_\-get\_\-stream\_\-by\_\-key}]{\setlength{\rightskip}{0pt plus 5cm}struct {\bf pkt\_\-info}$\ast$ AI\_\-get\_\-stream\_\-by\_\-key (
+\begin{DoxyParamCaption}
+\item[{struct {\bf pkt\_\-key}}]{ key}
+\end{DoxyParamCaption}
+)\hspace{0.3cm}{\ttfamily  \mbox{[}read\mbox{]}}}}
+\label{spp__ai_8h_a3054f06297a9caefd4d9b1283bb8b69a}
+
+
+Get a TCP stream by key. 
+
+FUNCTION: AI\_\-get\_\-stream\_\-by\_\-key 
+\begin{DoxyParams}{Parameters}
+\item[{\em key}]Key of the stream to be picked up (struct \hyperlink{structpkt__key}{pkt\_\-key}) \end{DoxyParams}
+\begin{DoxyReturn}{Returns}
+A \hyperlink{structpkt__info}{pkt\_\-info} pointer to the stream if found, NULL otherwise 
+\end{DoxyReturn}
 \hypertarget{spp__ai_8h_ad56f71be823eead743972274b99c82ff}{
 \index{spp\_\-ai.h@{spp\_\-ai.h}!AI\_\-hashcleanup\_\-thread@{AI\_\-hashcleanup\_\-thread}}
 \index{AI\_\-hashcleanup\_\-thread@{AI\_\-hashcleanup\_\-thread}!spp_ai.h@{spp\_\-ai.h}}
@@ -89,7 +292,25 @@ Thread called for cleaning up the hash table from the traffic streams older than
 
 FUNCTION: AI\_\-hashcleanup\_\-thread 
 \begin{DoxyParams}{Parameters}
-\item[{\em arg}]Pointer to the AI\_\-config struct \end{DoxyParams}
+\item[{\em arg}]Pointer to the \hyperlink{structAI__config}{AI\_\-config} struct \end{DoxyParams}
+\hypertarget{spp__ai_8h_a857348424b9db45c90f95631eb96fd7c}{
+\index{spp\_\-ai.h@{spp\_\-ai.h}!AI\_\-hierarchies\_\-build@{AI\_\-hierarchies\_\-build}}
+\index{AI\_\-hierarchies\_\-build@{AI\_\-hierarchies\_\-build}!spp_ai.h@{spp\_\-ai.h}}
+\subsubsection[{AI\_\-hierarchies\_\-build}]{\setlength{\rightskip}{0pt plus 5cm}void AI\_\-hierarchies\_\-build (
+\begin{DoxyParamCaption}
+\item[{{\bf AI\_\-config} $\ast$}]{ conf, }
+\item[{{\bf hierarchy\_\-node} $\ast$$\ast$}]{ nodes, }
+\item[{int}]{ n\_\-nodes}
+\end{DoxyParamCaption}
+)}}
+\label{spp__ai_8h_a857348424b9db45c90f95631eb96fd7c}
+
+
+Build the clustering hierarchy trees. 
+
+FUNCTION: AI\_\-hierarchies\_\-build 
+\begin{DoxyParams}{Parameters}
+\item[{\em conf}]Reference to the configuration of the module \item[{\em nodes}]Nodes containing the information about the clustering ranges \item[{\em n\_\-nodes}]Number of nodes \end{DoxyParams}
 \hypertarget{spp__ai_8h_af6f7d167c3623bbc669e8d31c2719b29}{
 \index{spp\_\-ai.h@{spp\_\-ai.h}!AI\_\-pkt\_\-enqueue@{AI\_\-pkt\_\-enqueue}}
 \index{AI\_\-pkt\_\-enqueue@{AI\_\-pkt\_\-enqueue}!spp_ai.h@{spp\_\-ai.h}}
@@ -106,3 +327,49 @@ Function called for appending a new packet to the hash table, creating a new str
 FUNCTION: AI\_\-pkt\_\-enqueue 
 \begin{DoxyParams}{Parameters}
 \item[{\em pkt}]Packet to be appended \end{DoxyParams}
+\hypertarget{spp__ai_8h_a8749989cee2ac05a7de058faac280c02}{
+\index{spp\_\-ai.h@{spp\_\-ai.h}!AI\_\-set\_\-stream\_\-observed@{AI\_\-set\_\-stream\_\-observed}}
+\index{AI\_\-set\_\-stream\_\-observed@{AI\_\-set\_\-stream\_\-observed}!spp_ai.h@{spp\_\-ai.h}}
+\subsubsection[{AI\_\-set\_\-stream\_\-observed}]{\setlength{\rightskip}{0pt plus 5cm}void AI\_\-set\_\-stream\_\-observed (
+\begin{DoxyParamCaption}
+\item[{struct {\bf pkt\_\-key}}]{ key}
+\end{DoxyParamCaption}
+)}}
+\label{spp__ai_8h_a8749989cee2ac05a7de058faac280c02}
+
+
+Set the flag \char`\"{}observed\char`\"{} on a stream associated to a security alert, so that it won't be removed from the hash table. 
+
+FUNCTION: AI\_\-set\_\-stream\_\-observed 
+\begin{DoxyParams}{Parameters}
+\item[{\em key}]Key of the stream to be set as \char`\"{}observed\char`\"{} \end{DoxyParams}
+\hypertarget{spp__ai_8h_a85c0852b05b60cbfe0130534160c9876}{
+\index{spp\_\-ai.h@{spp\_\-ai.h}!preg\_\-match@{preg\_\-match}}
+\index{preg\_\-match@{preg\_\-match}!spp_ai.h@{spp\_\-ai.h}}
+\subsubsection[{preg\_\-match}]{\setlength{\rightskip}{0pt plus 5cm}int preg\_\-match (
+\begin{DoxyParamCaption}
+\item[{const char $\ast$}]{ expr, }
+\item[{char $\ast$}]{ str, }
+\item[{char $\ast$$\ast$$\ast$}]{ matches, }
+\item[{int $\ast$}]{ nmatches}
+\end{DoxyParamCaption}
+)}}
+\label{spp__ai_8h_a85c0852b05b60cbfe0130534160c9876}
+
+
+Check if a string matches a regular expression. 
+
+FUNCTION: preg\_\-match 
+\begin{DoxyParams}{Parameters}
+\item[{\em expr}]Regular expression to be matched \item[{\em str}]String to be checked \item[{\em matches}]Reference to a char$\ast$$\ast$ that will contain the submatches (NULL if you don't need it) \item[{\em nmatches}]Reference to a int containing the number of submatches found (NULL if you don't need it) \end{DoxyParams}
+\begin{DoxyReturn}{Returns}
+-\/1 if the regex is wrong, 0 if no match was found, 1 otherwise 
+\end{DoxyReturn}
+
+
+\subsection{Variable Documentation}
+\hypertarget{spp__ai_8h_ab46420126c43c1aac5eabc5db266a71c}{
+\index{spp\_\-ai.h@{spp\_\-ai.h}!\_\-dpd@{\_\-dpd}}
+\index{\_\-dpd@{\_\-dpd}!spp_ai.h@{spp\_\-ai.h}}
+\subsubsection[{\_\-dpd}]{\setlength{\rightskip}{0pt plus 5cm}DynamicPreprocessorData {\bf \_\-dpd}}}
+\label{spp__ai_8h_ab46420126c43c1aac5eabc5db266a71c}
diff --git a/doc/latex/stream_8c.tex b/doc/latex/stream_8c.tex
index eeb2e72..d2d4947 100644
--- a/doc/latex/stream_8c.tex
+++ b/doc/latex/stream_8c.tex
@@ -3,46 +3,42 @@
 \label{stream_8c}\index{stream.c@{stream.c}}
 }
 {\ttfamily \#include \char`\"{}spp\_\-ai.h\char`\"{}}\par
-{\ttfamily \#include \char`\"{}uthash.h\char`\"{}}\par
 {\ttfamily \#include $<$stdio.h$>$}\par
 {\ttfamily \#include $<$stdlib.h$>$}\par
-{\ttfamily \#include $<$string.h$>$}\par
 {\ttfamily \#include $<$time.h$>$}\par
 {\ttfamily \#include $<$unistd.h$>$}\par
-{\ttfamily \#include $<$arpa/inet.h$>$}\par
-\subsection*{Data Structures}
-\begin{DoxyCompactItemize}
-\item 
-struct \hyperlink{structpkt__key}{pkt\_\-key}
-\item 
-struct \hyperlink{structpkt__info}{pkt\_\-info}
-\end{DoxyCompactItemize}
 \subsection*{Functions}
 \begin{DoxyCompactItemize}
 \item 
-static void \hyperlink{stream_8c_a2a0c295a6828df716311977538cabd4a}{\_\-AI\_\-stream\_\-free} (struct \hyperlink{structpkt__info}{pkt\_\-info} $\ast$stream)
+PRIVATE void \hyperlink{stream_8c_a80016adf701c717a6ebfb5b15b8a5749}{\_\-AI\_\-stream\_\-free} (struct \hyperlink{structpkt__info}{pkt\_\-info} $\ast$stream)
 \begin{DoxyCompactList}\small\item\em Remove a stream from the hash table (private function). \item\end{DoxyCompactList}\item 
 void $\ast$ \hyperlink{stream_8c_a24b1131374e5059564b8a12380c4eb75}{AI\_\-hashcleanup\_\-thread} (void $\ast$arg)
 \begin{DoxyCompactList}\small\item\em Thread called for cleaning up the hash table from the traffic streams older than a certain threshold. \item\end{DoxyCompactList}\item 
 void \hyperlink{stream_8c_a7d71c5645b9baff7b6c4b9a181bf80c5}{AI\_\-pkt\_\-enqueue} (SFSnortPacket $\ast$pkt)
-\begin{DoxyCompactList}\small\item\em Function called for appending a new packet to the hash table, creating a new stream or appending it to an existing stream. \item\end{DoxyCompactList}\end{DoxyCompactItemize}
+\begin{DoxyCompactList}\small\item\em Function called for appending a new packet to the hash table, creating a new stream or appending it to an existing stream. \item\end{DoxyCompactList}\item 
+struct \hyperlink{structpkt__info}{pkt\_\-info} $\ast$ \hyperlink{stream_8c_a2efedcabbfd12c5345f0c93a3dd4735c}{AI\_\-get\_\-stream\_\-by\_\-key} (struct \hyperlink{structpkt__key}{pkt\_\-key} key)
+\begin{DoxyCompactList}\small\item\em Get a TCP stream by key. \item\end{DoxyCompactList}\item 
+void \hyperlink{stream_8c_a8749989cee2ac05a7de058faac280c02}{AI\_\-set\_\-stream\_\-observed} (struct \hyperlink{structpkt__key}{pkt\_\-key} key)
+\begin{DoxyCompactList}\small\item\em Set the flag \char`\"{}observed\char`\"{} on a stream associated to a security alert, so that it won't be removed from the hash table. \item\end{DoxyCompactList}\end{DoxyCompactItemize}
 \subsection*{Variables}
 \begin{DoxyCompactItemize}
 \item 
-static struct \hyperlink{structpkt__info}{pkt\_\-info} $\ast$ \hyperlink{stream_8c_a96fbc549c67e0d852ced3cb72980e923}{hash} = NULL
+PRIVATE struct \hyperlink{structpkt__info}{pkt\_\-info} $\ast$ \hyperlink{stream_8c_a57e23cda853e9d11c37723a962ef2f68}{hash} = NULL
+\item 
+PRIVATE time\_\-t \hyperlink{stream_8c_a0597864b078ff448f28432db86950309}{start\_\-time} = 0
 \end{DoxyCompactItemize}
 
 
 \subsection{Function Documentation}
-\hypertarget{stream_8c_a2a0c295a6828df716311977538cabd4a}{
+\hypertarget{stream_8c_a80016adf701c717a6ebfb5b15b8a5749}{
 \index{stream.c@{stream.c}!\_\-AI\_\-stream\_\-free@{\_\-AI\_\-stream\_\-free}}
 \index{\_\-AI\_\-stream\_\-free@{\_\-AI\_\-stream\_\-free}!stream.c@{stream.c}}
-\subsubsection[{\_\-AI\_\-stream\_\-free}]{\setlength{\rightskip}{0pt plus 5cm}static void \_\-AI\_\-stream\_\-free (
+\subsubsection[{\_\-AI\_\-stream\_\-free}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE void \_\-AI\_\-stream\_\-free (
 \begin{DoxyParamCaption}
 \item[{struct {\bf pkt\_\-info} $\ast$}]{ stream}
 \end{DoxyParamCaption}
-)\hspace{0.3cm}{\ttfamily  \mbox{[}static\mbox{]}}}}
-\label{stream_8c_a2a0c295a6828df716311977538cabd4a}
+)}}
+\label{stream_8c_a80016adf701c717a6ebfb5b15b8a5749}
 
 
 Remove a stream from the hash table (private function). 
@@ -50,6 +46,25 @@ Remove a stream from the hash table (private function).
 FUNCTION: \_\-AI\_\-stream\_\-free 
 \begin{DoxyParams}{Parameters}
 \item[{\em stream}]Stream to be removed \end{DoxyParams}
+\hypertarget{stream_8c_a2efedcabbfd12c5345f0c93a3dd4735c}{
+\index{stream.c@{stream.c}!AI\_\-get\_\-stream\_\-by\_\-key@{AI\_\-get\_\-stream\_\-by\_\-key}}
+\index{AI\_\-get\_\-stream\_\-by\_\-key@{AI\_\-get\_\-stream\_\-by\_\-key}!stream.c@{stream.c}}
+\subsubsection[{AI\_\-get\_\-stream\_\-by\_\-key}]{\setlength{\rightskip}{0pt plus 5cm}struct {\bf pkt\_\-info}$\ast$ AI\_\-get\_\-stream\_\-by\_\-key (
+\begin{DoxyParamCaption}
+\item[{struct {\bf pkt\_\-key}}]{ key}
+\end{DoxyParamCaption}
+)\hspace{0.3cm}{\ttfamily  \mbox{[}read\mbox{]}}}}
+\label{stream_8c_a2efedcabbfd12c5345f0c93a3dd4735c}
+
+
+Get a TCP stream by key. 
+
+FUNCTION: AI\_\-get\_\-stream\_\-by\_\-key 
+\begin{DoxyParams}{Parameters}
+\item[{\em key}]Key of the stream to be picked up (struct \hyperlink{structpkt__key}{pkt\_\-key}) \end{DoxyParams}
+\begin{DoxyReturn}{Returns}
+A \hyperlink{structpkt__info}{pkt\_\-info} pointer to the stream if found, NULL otherwise 
+\end{DoxyReturn}
 \hypertarget{stream_8c_a24b1131374e5059564b8a12380c4eb75}{
 \index{stream.c@{stream.c}!AI\_\-hashcleanup\_\-thread@{AI\_\-hashcleanup\_\-thread}}
 \index{AI\_\-hashcleanup\_\-thread@{AI\_\-hashcleanup\_\-thread}!stream.c@{stream.c}}
@@ -65,7 +80,7 @@ Thread called for cleaning up the hash table from the traffic streams older than
 
 FUNCTION: AI\_\-hashcleanup\_\-thread 
 \begin{DoxyParams}{Parameters}
-\item[{\em arg}]Pointer to the AI\_\-config struct \end{DoxyParams}
+\item[{\em arg}]Pointer to the \hyperlink{structAI__config}{AI\_\-config} struct \end{DoxyParams}
 \hypertarget{stream_8c_a7d71c5645b9baff7b6c4b9a181bf80c5}{
 \index{stream.c@{stream.c}!AI\_\-pkt\_\-enqueue@{AI\_\-pkt\_\-enqueue}}
 \index{AI\_\-pkt\_\-enqueue@{AI\_\-pkt\_\-enqueue}!stream.c@{stream.c}}
@@ -82,11 +97,32 @@ Function called for appending a new packet to the hash table, creating a new str
 FUNCTION: AI\_\-pkt\_\-enqueue 
 \begin{DoxyParams}{Parameters}
 \item[{\em pkt}]Packet to be appended \end{DoxyParams}
+\hypertarget{stream_8c_a8749989cee2ac05a7de058faac280c02}{
+\index{stream.c@{stream.c}!AI\_\-set\_\-stream\_\-observed@{AI\_\-set\_\-stream\_\-observed}}
+\index{AI\_\-set\_\-stream\_\-observed@{AI\_\-set\_\-stream\_\-observed}!stream.c@{stream.c}}
+\subsubsection[{AI\_\-set\_\-stream\_\-observed}]{\setlength{\rightskip}{0pt plus 5cm}void AI\_\-set\_\-stream\_\-observed (
+\begin{DoxyParamCaption}
+\item[{struct {\bf pkt\_\-key}}]{ key}
+\end{DoxyParamCaption}
+)}}
+\label{stream_8c_a8749989cee2ac05a7de058faac280c02}
+
+
+Set the flag \char`\"{}observed\char`\"{} on a stream associated to a security alert, so that it won't be removed from the hash table. 
+
+FUNCTION: AI\_\-set\_\-stream\_\-observed 
+\begin{DoxyParams}{Parameters}
+\item[{\em key}]Key of the stream to be set as \char`\"{}observed\char`\"{} \end{DoxyParams}
 
 
 \subsection{Variable Documentation}
-\hypertarget{stream_8c_a96fbc549c67e0d852ced3cb72980e923}{
+\hypertarget{stream_8c_a57e23cda853e9d11c37723a962ef2f68}{
 \index{stream.c@{stream.c}!hash@{hash}}
 \index{hash@{hash}!stream.c@{stream.c}}
-\subsubsection[{hash}]{\setlength{\rightskip}{0pt plus 5cm}struct {\bf pkt\_\-info}$\ast$ {\bf hash} = NULL\hspace{0.3cm}{\ttfamily  \mbox{[}static\mbox{]}}}}
-\label{stream_8c_a96fbc549c67e0d852ced3cb72980e923}
+\subsubsection[{hash}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE struct {\bf pkt\_\-info}$\ast$ {\bf hash} = NULL}}
+\label{stream_8c_a57e23cda853e9d11c37723a962ef2f68}
+\hypertarget{stream_8c_a0597864b078ff448f28432db86950309}{
+\index{stream.c@{stream.c}!start\_\-time@{start\_\-time}}
+\index{start\_\-time@{start\_\-time}!stream.c@{stream.c}}
+\subsubsection[{start\_\-time}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE time\_\-t {\bf start\_\-time} = 0}}
+\label{stream_8c_a0597864b078ff448f28432db86950309}
diff --git a/doc/latex/structAI__config.tex b/doc/latex/structAI__config.tex
new file mode 100644
index 0000000..d7dead8
--- /dev/null
+++ b/doc/latex/structAI__config.tex
@@ -0,0 +1,54 @@
+\hypertarget{structAI__config}{
+\section{AI\_\-config Struct Reference}
+\label{structAI__config}\index{AI\_\-config@{AI\_\-config}}
+}
+
+
+{\ttfamily \#include $<$spp\_\-ai.h$>$}
+
+\subsection*{Data Fields}
+\begin{DoxyCompactItemize}
+\item 
+unsigned long \hyperlink{structAI__config_a9f7680615027d4fb74b4aa144a7028a4}{hashCleanupInterval}
+\item 
+unsigned long \hyperlink{structAI__config_abbe77d5f94b8c5164bea47acba09c98b}{streamExpireInterval}
+\item 
+unsigned long \hyperlink{structAI__config_a7d0d098b8263aa3d8415b11d1ec7f93d}{alertClusteringInterval}
+\item 
+char \hyperlink{structAI__config_a2efa9590d7eea6dce8b5dd9aa76ed8ca}{alertfile} \mbox{[}1024\mbox{]}
+\item 
+char \hyperlink{structAI__config_a6da02a3f7116fd3810a41b738e8883a3}{clusterfile} \mbox{[}1024\mbox{]}
+\end{DoxyCompactItemize}
+
+
+\subsection{Field Documentation}
+\hypertarget{structAI__config_a7d0d098b8263aa3d8415b11d1ec7f93d}{
+\index{AI\_\-config@{AI\_\-config}!alertClusteringInterval@{alertClusteringInterval}}
+\index{alertClusteringInterval@{alertClusteringInterval}!AI_config@{AI\_\-config}}
+\subsubsection[{alertClusteringInterval}]{\setlength{\rightskip}{0pt plus 5cm}unsigned long {\bf AI\_\-config::alertClusteringInterval}}}
+\label{structAI__config_a7d0d098b8263aa3d8415b11d1ec7f93d}
+\hypertarget{structAI__config_a2efa9590d7eea6dce8b5dd9aa76ed8ca}{
+\index{AI\_\-config@{AI\_\-config}!alertfile@{alertfile}}
+\index{alertfile@{alertfile}!AI_config@{AI\_\-config}}
+\subsubsection[{alertfile}]{\setlength{\rightskip}{0pt plus 5cm}char {\bf AI\_\-config::alertfile}\mbox{[}1024\mbox{]}}}
+\label{structAI__config_a2efa9590d7eea6dce8b5dd9aa76ed8ca}
+\hypertarget{structAI__config_a6da02a3f7116fd3810a41b738e8883a3}{
+\index{AI\_\-config@{AI\_\-config}!clusterfile@{clusterfile}}
+\index{clusterfile@{clusterfile}!AI_config@{AI\_\-config}}
+\subsubsection[{clusterfile}]{\setlength{\rightskip}{0pt plus 5cm}char {\bf AI\_\-config::clusterfile}\mbox{[}1024\mbox{]}}}
+\label{structAI__config_a6da02a3f7116fd3810a41b738e8883a3}
+\hypertarget{structAI__config_a9f7680615027d4fb74b4aa144a7028a4}{
+\index{AI\_\-config@{AI\_\-config}!hashCleanupInterval@{hashCleanupInterval}}
+\index{hashCleanupInterval@{hashCleanupInterval}!AI_config@{AI\_\-config}}
+\subsubsection[{hashCleanupInterval}]{\setlength{\rightskip}{0pt plus 5cm}unsigned long {\bf AI\_\-config::hashCleanupInterval}}}
+\label{structAI__config_a9f7680615027d4fb74b4aa144a7028a4}
+\hypertarget{structAI__config_abbe77d5f94b8c5164bea47acba09c98b}{
+\index{AI\_\-config@{AI\_\-config}!streamExpireInterval@{streamExpireInterval}}
+\index{streamExpireInterval@{streamExpireInterval}!AI_config@{AI\_\-config}}
+\subsubsection[{streamExpireInterval}]{\setlength{\rightskip}{0pt plus 5cm}unsigned long {\bf AI\_\-config::streamExpireInterval}}}
+\label{structAI__config_abbe77d5f94b8c5164bea47acba09c98b}
+
+
+The documentation for this struct was generated from the following file:\begin{DoxyCompactItemize}
+\item 
+\hyperlink{spp__ai_8h}{spp\_\-ai.h}\end{DoxyCompactItemize}
diff --git a/doc/latex/struct__AI__snort__alert.tex b/doc/latex/struct__AI__snort__alert.tex
new file mode 100644
index 0000000..9aba4dc
--- /dev/null
+++ b/doc/latex/struct__AI__snort__alert.tex
@@ -0,0 +1,194 @@
+\hypertarget{struct__AI__snort__alert}{
+\section{\_\-AI\_\-snort\_\-alert Struct Reference}
+\label{struct__AI__snort__alert}\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}}
+}
+
+
+{\ttfamily \#include $<$spp\_\-ai.h$>$}
+
+\subsection*{Data Fields}
+\begin{DoxyCompactItemize}
+\item 
+unsigned int \hyperlink{struct__AI__snort__alert_af8408be5da59cda853442dd13465c0f6}{gid}
+\item 
+unsigned int \hyperlink{struct__AI__snort__alert_a3349aa68d2234f8ffd897367c3a8a137}{sid}
+\item 
+unsigned int \hyperlink{struct__AI__snort__alert_a864d3baa48586d6a31639f4cd27d9d37}{rev}
+\item 
+unsigned short \hyperlink{struct__AI__snort__alert_a25661fa4e212c5e30af5e6a892985ec9}{priority}
+\item 
+char $\ast$ \hyperlink{struct__AI__snort__alert_ac0902d7c756ec675fb06347ce4706135}{desc}
+\item 
+char $\ast$ \hyperlink{struct__AI__snort__alert_aa89585e14acb2c4e684a1552d322632f}{classification}
+\item 
+time\_\-t \hyperlink{struct__AI__snort__alert_a10a67f60ca3da339a2104849a0b2ac19}{timestamp}
+\item 
+\hyperlink{spp__ai_8h_aba7bc1797add20fe3efdf37ced1182c5}{uint8\_\-t} \hyperlink{struct__AI__snort__alert_a882ae6db43dc0fe08071947ccb044b93}{tos}
+\item 
+\hyperlink{spp__ai_8h_a273cf69d639a59973b6019625df33e30}{uint16\_\-t} \hyperlink{struct__AI__snort__alert_a523ef8842d01a1bc4ea3c0bf27518e78}{iplen}
+\item 
+\hyperlink{spp__ai_8h_a273cf69d639a59973b6019625df33e30}{uint16\_\-t} \hyperlink{struct__AI__snort__alert_a45e4acf90450a5f9efd4e0c290f84bcf}{id}
+\item 
+\hyperlink{spp__ai_8h_aba7bc1797add20fe3efdf37ced1182c5}{uint8\_\-t} \hyperlink{struct__AI__snort__alert_ab9b1ce8ee440a324af116403ac9c51a2}{ttl}
+\item 
+\hyperlink{spp__ai_8h_aba7bc1797add20fe3efdf37ced1182c5}{uint8\_\-t} \hyperlink{struct__AI__snort__alert_a2a5f2741918c3c13890f2b617a7f23a4}{ipproto}
+\item 
+\hyperlink{spp__ai_8h_a435d1572bf3f880d55459d9805097f62}{uint32\_\-t} \hyperlink{struct__AI__snort__alert_ab16a24f368020e4b40e65b53cae33b48}{src\_\-addr}
+\item 
+\hyperlink{spp__ai_8h_a435d1572bf3f880d55459d9805097f62}{uint32\_\-t} \hyperlink{struct__AI__snort__alert_a69cc2ba171c8c808a0b45caa9426cd8c}{dst\_\-addr}
+\item 
+\hyperlink{spp__ai_8h_a273cf69d639a59973b6019625df33e30}{uint16\_\-t} \hyperlink{struct__AI__snort__alert_a856cccd3eaabd38aa9974f26d3edc5e3}{src\_\-port}
+\item 
+\hyperlink{spp__ai_8h_a273cf69d639a59973b6019625df33e30}{uint16\_\-t} \hyperlink{struct__AI__snort__alert_a6b323c07ae501d221e330e13646a96a3}{dst\_\-port}
+\item 
+\hyperlink{spp__ai_8h_a435d1572bf3f880d55459d9805097f62}{uint32\_\-t} \hyperlink{struct__AI__snort__alert_acb20c4c55149d5806d7523720786ab77}{sequence}
+\item 
+\hyperlink{spp__ai_8h_a435d1572bf3f880d55459d9805097f62}{uint32\_\-t} \hyperlink{struct__AI__snort__alert_a2b185c678d3a7f1207b2119b0b567c37}{ack}
+\item 
+\hyperlink{spp__ai_8h_aba7bc1797add20fe3efdf37ced1182c5}{uint8\_\-t} \hyperlink{struct__AI__snort__alert_aa643f11db93b70242b57f0a04775e507}{tcp\_\-flags}
+\item 
+\hyperlink{spp__ai_8h_a273cf69d639a59973b6019625df33e30}{uint16\_\-t} \hyperlink{struct__AI__snort__alert_a63e94be3d248cf4beb0d4d5ab75331b1}{window}
+\item 
+\hyperlink{spp__ai_8h_a273cf69d639a59973b6019625df33e30}{uint16\_\-t} \hyperlink{struct__AI__snort__alert_a519a103f5e8f1cb006c0c137b7c6a1c0}{tcplen}
+\item 
+struct \hyperlink{structpkt__info}{pkt\_\-info} $\ast$ \hyperlink{struct__AI__snort__alert_a09dfe0a841fd3912ec78060d4547cb31}{stream}
+\item 
+struct \hyperlink{struct__AI__snort__alert}{\_\-AI\_\-snort\_\-alert} $\ast$ \hyperlink{struct__AI__snort__alert_aa8336d4b3359015ed8ea312ca1fd1173}{next}
+\item 
+\hyperlink{struct__hierarchy__node}{hierarchy\_\-node} $\ast$ \hyperlink{struct__AI__snort__alert_ac53765584296ead1328eabfaba8a3aed}{h\_\-node} \mbox{[}CLUSTER\_\-TYPES\mbox{]}
+\item 
+unsigned int \hyperlink{struct__AI__snort__alert_a285aff12d6bac03c316ccc5305d28e53}{grouped\_\-alarms\_\-count}
+\end{DoxyCompactItemize}
+
+
+\subsection{Field Documentation}
+\hypertarget{struct__AI__snort__alert_a2b185c678d3a7f1207b2119b0b567c37}{
+\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!ack@{ack}}
+\index{ack@{ack}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
+\subsubsection[{ack}]{\setlength{\rightskip}{0pt plus 5cm}{\bf uint32\_\-t} {\bf \_\-AI\_\-snort\_\-alert::ack}}}
+\label{struct__AI__snort__alert_a2b185c678d3a7f1207b2119b0b567c37}
+\hypertarget{struct__AI__snort__alert_aa89585e14acb2c4e684a1552d322632f}{
+\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!classification@{classification}}
+\index{classification@{classification}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
+\subsubsection[{classification}]{\setlength{\rightskip}{0pt plus 5cm}char$\ast$ {\bf \_\-AI\_\-snort\_\-alert::classification}}}
+\label{struct__AI__snort__alert_aa89585e14acb2c4e684a1552d322632f}
+\hypertarget{struct__AI__snort__alert_ac0902d7c756ec675fb06347ce4706135}{
+\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!desc@{desc}}
+\index{desc@{desc}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
+\subsubsection[{desc}]{\setlength{\rightskip}{0pt plus 5cm}char$\ast$ {\bf \_\-AI\_\-snort\_\-alert::desc}}}
+\label{struct__AI__snort__alert_ac0902d7c756ec675fb06347ce4706135}
+\hypertarget{struct__AI__snort__alert_a69cc2ba171c8c808a0b45caa9426cd8c}{
+\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!dst\_\-addr@{dst\_\-addr}}
+\index{dst\_\-addr@{dst\_\-addr}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
+\subsubsection[{dst\_\-addr}]{\setlength{\rightskip}{0pt plus 5cm}{\bf uint32\_\-t} {\bf \_\-AI\_\-snort\_\-alert::dst\_\-addr}}}
+\label{struct__AI__snort__alert_a69cc2ba171c8c808a0b45caa9426cd8c}
+\hypertarget{struct__AI__snort__alert_a6b323c07ae501d221e330e13646a96a3}{
+\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!dst\_\-port@{dst\_\-port}}
+\index{dst\_\-port@{dst\_\-port}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
+\subsubsection[{dst\_\-port}]{\setlength{\rightskip}{0pt plus 5cm}{\bf uint16\_\-t} {\bf \_\-AI\_\-snort\_\-alert::dst\_\-port}}}
+\label{struct__AI__snort__alert_a6b323c07ae501d221e330e13646a96a3}
+\hypertarget{struct__AI__snort__alert_af8408be5da59cda853442dd13465c0f6}{
+\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!gid@{gid}}
+\index{gid@{gid}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
+\subsubsection[{gid}]{\setlength{\rightskip}{0pt plus 5cm}unsigned int {\bf \_\-AI\_\-snort\_\-alert::gid}}}
+\label{struct__AI__snort__alert_af8408be5da59cda853442dd13465c0f6}
+\hypertarget{struct__AI__snort__alert_a285aff12d6bac03c316ccc5305d28e53}{
+\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!grouped\_\-alarms\_\-count@{grouped\_\-alarms\_\-count}}
+\index{grouped\_\-alarms\_\-count@{grouped\_\-alarms\_\-count}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
+\subsubsection[{grouped\_\-alarms\_\-count}]{\setlength{\rightskip}{0pt plus 5cm}unsigned int {\bf \_\-AI\_\-snort\_\-alert::grouped\_\-alarms\_\-count}}}
+\label{struct__AI__snort__alert_a285aff12d6bac03c316ccc5305d28e53}
+\hypertarget{struct__AI__snort__alert_ac53765584296ead1328eabfaba8a3aed}{
+\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!h\_\-node@{h\_\-node}}
+\index{h\_\-node@{h\_\-node}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
+\subsubsection[{h\_\-node}]{\setlength{\rightskip}{0pt plus 5cm}{\bf hierarchy\_\-node}$\ast$ {\bf \_\-AI\_\-snort\_\-alert::h\_\-node}\mbox{[}CLUSTER\_\-TYPES\mbox{]}}}
+\label{struct__AI__snort__alert_ac53765584296ead1328eabfaba8a3aed}
+\hypertarget{struct__AI__snort__alert_a45e4acf90450a5f9efd4e0c290f84bcf}{
+\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!id@{id}}
+\index{id@{id}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
+\subsubsection[{id}]{\setlength{\rightskip}{0pt plus 5cm}{\bf uint16\_\-t} {\bf \_\-AI\_\-snort\_\-alert::id}}}
+\label{struct__AI__snort__alert_a45e4acf90450a5f9efd4e0c290f84bcf}
+\hypertarget{struct__AI__snort__alert_a523ef8842d01a1bc4ea3c0bf27518e78}{
+\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!iplen@{iplen}}
+\index{iplen@{iplen}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
+\subsubsection[{iplen}]{\setlength{\rightskip}{0pt plus 5cm}{\bf uint16\_\-t} {\bf \_\-AI\_\-snort\_\-alert::iplen}}}
+\label{struct__AI__snort__alert_a523ef8842d01a1bc4ea3c0bf27518e78}
+\hypertarget{struct__AI__snort__alert_a2a5f2741918c3c13890f2b617a7f23a4}{
+\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!ipproto@{ipproto}}
+\index{ipproto@{ipproto}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
+\subsubsection[{ipproto}]{\setlength{\rightskip}{0pt plus 5cm}{\bf uint8\_\-t} {\bf \_\-AI\_\-snort\_\-alert::ipproto}}}
+\label{struct__AI__snort__alert_a2a5f2741918c3c13890f2b617a7f23a4}
+\hypertarget{struct__AI__snort__alert_aa8336d4b3359015ed8ea312ca1fd1173}{
+\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!next@{next}}
+\index{next@{next}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
+\subsubsection[{next}]{\setlength{\rightskip}{0pt plus 5cm}struct {\bf \_\-AI\_\-snort\_\-alert}$\ast$ {\bf \_\-AI\_\-snort\_\-alert::next}}}
+\label{struct__AI__snort__alert_aa8336d4b3359015ed8ea312ca1fd1173}
+\hypertarget{struct__AI__snort__alert_a25661fa4e212c5e30af5e6a892985ec9}{
+\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!priority@{priority}}
+\index{priority@{priority}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
+\subsubsection[{priority}]{\setlength{\rightskip}{0pt plus 5cm}unsigned short {\bf \_\-AI\_\-snort\_\-alert::priority}}}
+\label{struct__AI__snort__alert_a25661fa4e212c5e30af5e6a892985ec9}
+\hypertarget{struct__AI__snort__alert_a864d3baa48586d6a31639f4cd27d9d37}{
+\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!rev@{rev}}
+\index{rev@{rev}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
+\subsubsection[{rev}]{\setlength{\rightskip}{0pt plus 5cm}unsigned int {\bf \_\-AI\_\-snort\_\-alert::rev}}}
+\label{struct__AI__snort__alert_a864d3baa48586d6a31639f4cd27d9d37}
+\hypertarget{struct__AI__snort__alert_acb20c4c55149d5806d7523720786ab77}{
+\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!sequence@{sequence}}
+\index{sequence@{sequence}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
+\subsubsection[{sequence}]{\setlength{\rightskip}{0pt plus 5cm}{\bf uint32\_\-t} {\bf \_\-AI\_\-snort\_\-alert::sequence}}}
+\label{struct__AI__snort__alert_acb20c4c55149d5806d7523720786ab77}
+\hypertarget{struct__AI__snort__alert_a3349aa68d2234f8ffd897367c3a8a137}{
+\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!sid@{sid}}
+\index{sid@{sid}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
+\subsubsection[{sid}]{\setlength{\rightskip}{0pt plus 5cm}unsigned int {\bf \_\-AI\_\-snort\_\-alert::sid}}}
+\label{struct__AI__snort__alert_a3349aa68d2234f8ffd897367c3a8a137}
+\hypertarget{struct__AI__snort__alert_ab16a24f368020e4b40e65b53cae33b48}{
+\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!src\_\-addr@{src\_\-addr}}
+\index{src\_\-addr@{src\_\-addr}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
+\subsubsection[{src\_\-addr}]{\setlength{\rightskip}{0pt plus 5cm}{\bf uint32\_\-t} {\bf \_\-AI\_\-snort\_\-alert::src\_\-addr}}}
+\label{struct__AI__snort__alert_ab16a24f368020e4b40e65b53cae33b48}
+\hypertarget{struct__AI__snort__alert_a856cccd3eaabd38aa9974f26d3edc5e3}{
+\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!src\_\-port@{src\_\-port}}
+\index{src\_\-port@{src\_\-port}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
+\subsubsection[{src\_\-port}]{\setlength{\rightskip}{0pt plus 5cm}{\bf uint16\_\-t} {\bf \_\-AI\_\-snort\_\-alert::src\_\-port}}}
+\label{struct__AI__snort__alert_a856cccd3eaabd38aa9974f26d3edc5e3}
+\hypertarget{struct__AI__snort__alert_a09dfe0a841fd3912ec78060d4547cb31}{
+\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!stream@{stream}}
+\index{stream@{stream}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
+\subsubsection[{stream}]{\setlength{\rightskip}{0pt plus 5cm}struct {\bf pkt\_\-info}$\ast$ {\bf \_\-AI\_\-snort\_\-alert::stream}}}
+\label{struct__AI__snort__alert_a09dfe0a841fd3912ec78060d4547cb31}
+\hypertarget{struct__AI__snort__alert_aa643f11db93b70242b57f0a04775e507}{
+\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!tcp\_\-flags@{tcp\_\-flags}}
+\index{tcp\_\-flags@{tcp\_\-flags}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
+\subsubsection[{tcp\_\-flags}]{\setlength{\rightskip}{0pt plus 5cm}{\bf uint8\_\-t} {\bf \_\-AI\_\-snort\_\-alert::tcp\_\-flags}}}
+\label{struct__AI__snort__alert_aa643f11db93b70242b57f0a04775e507}
+\hypertarget{struct__AI__snort__alert_a519a103f5e8f1cb006c0c137b7c6a1c0}{
+\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!tcplen@{tcplen}}
+\index{tcplen@{tcplen}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
+\subsubsection[{tcplen}]{\setlength{\rightskip}{0pt plus 5cm}{\bf uint16\_\-t} {\bf \_\-AI\_\-snort\_\-alert::tcplen}}}
+\label{struct__AI__snort__alert_a519a103f5e8f1cb006c0c137b7c6a1c0}
+\hypertarget{struct__AI__snort__alert_a10a67f60ca3da339a2104849a0b2ac19}{
+\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!timestamp@{timestamp}}
+\index{timestamp@{timestamp}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
+\subsubsection[{timestamp}]{\setlength{\rightskip}{0pt plus 5cm}time\_\-t {\bf \_\-AI\_\-snort\_\-alert::timestamp}}}
+\label{struct__AI__snort__alert_a10a67f60ca3da339a2104849a0b2ac19}
+\hypertarget{struct__AI__snort__alert_a882ae6db43dc0fe08071947ccb044b93}{
+\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!tos@{tos}}
+\index{tos@{tos}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
+\subsubsection[{tos}]{\setlength{\rightskip}{0pt plus 5cm}{\bf uint8\_\-t} {\bf \_\-AI\_\-snort\_\-alert::tos}}}
+\label{struct__AI__snort__alert_a882ae6db43dc0fe08071947ccb044b93}
+\hypertarget{struct__AI__snort__alert_ab9b1ce8ee440a324af116403ac9c51a2}{
+\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!ttl@{ttl}}
+\index{ttl@{ttl}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
+\subsubsection[{ttl}]{\setlength{\rightskip}{0pt plus 5cm}{\bf uint8\_\-t} {\bf \_\-AI\_\-snort\_\-alert::ttl}}}
+\label{struct__AI__snort__alert_ab9b1ce8ee440a324af116403ac9c51a2}
+\hypertarget{struct__AI__snort__alert_a63e94be3d248cf4beb0d4d5ab75331b1}{
+\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!window@{window}}
+\index{window@{window}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
+\subsubsection[{window}]{\setlength{\rightskip}{0pt plus 5cm}{\bf uint16\_\-t} {\bf \_\-AI\_\-snort\_\-alert::window}}}
+\label{struct__AI__snort__alert_a63e94be3d248cf4beb0d4d5ab75331b1}
+
+
+The documentation for this struct was generated from the following file:\begin{DoxyCompactItemize}
+\item 
+\hyperlink{spp__ai_8h}{spp\_\-ai.h}\end{DoxyCompactItemize}
diff --git a/doc/latex/struct__hierarchy__node.tex b/doc/latex/struct__hierarchy__node.tex
new file mode 100644
index 0000000..d49d5b3
--- /dev/null
+++ b/doc/latex/struct__hierarchy__node.tex
@@ -0,0 +1,68 @@
+\hypertarget{struct__hierarchy__node}{
+\section{\_\-hierarchy\_\-node Struct Reference}
+\label{struct__hierarchy__node}\index{\_\-hierarchy\_\-node@{\_\-hierarchy\_\-node}}
+}
+
+
+{\ttfamily \#include $<$spp\_\-ai.h$>$}
+
+\subsection*{Data Fields}
+\begin{DoxyCompactItemize}
+\item 
+\hyperlink{spp__ai_8h_ae2ff3c6586aa2ab211a102abfde86640}{cluster\_\-type} \hyperlink{struct__hierarchy__node_a3b18e3ddfa2212c5e4ff9c0b4bde4296}{type}
+\item 
+char \hyperlink{struct__hierarchy__node_ae498f6fd14ca058a3ae0a95d5425451a}{label} \mbox{[}256\mbox{]}
+\item 
+int \hyperlink{struct__hierarchy__node_a13ceebd7b435b9ef347fb90d9e6bbfe4}{min\_\-val}
+\item 
+int \hyperlink{struct__hierarchy__node_a79ea88029938dc30ab8f159405d12c87}{max\_\-val}
+\item 
+int \hyperlink{struct__hierarchy__node_a849256ce1039e2cefaaf64d91171be0a}{nchildren}
+\item 
+struct \hyperlink{struct__hierarchy__node}{\_\-hierarchy\_\-node} $\ast$ \hyperlink{struct__hierarchy__node_a5c94c89d7e2aea393f1c550afb766bbe}{parent}
+\item 
+struct \hyperlink{struct__hierarchy__node}{\_\-hierarchy\_\-node} $\ast$$\ast$ \hyperlink{struct__hierarchy__node_afc23d4fe6426873164cdaab2f3d4f0cd}{children}
+\end{DoxyCompactItemize}
+
+
+\subsection{Field Documentation}
+\hypertarget{struct__hierarchy__node_afc23d4fe6426873164cdaab2f3d4f0cd}{
+\index{\_\-hierarchy\_\-node@{\_\-hierarchy\_\-node}!children@{children}}
+\index{children@{children}!_hierarchy_node@{\_\-hierarchy\_\-node}}
+\subsubsection[{children}]{\setlength{\rightskip}{0pt plus 5cm}struct {\bf \_\-hierarchy\_\-node}$\ast$$\ast$ {\bf \_\-hierarchy\_\-node::children}}}
+\label{struct__hierarchy__node_afc23d4fe6426873164cdaab2f3d4f0cd}
+\hypertarget{struct__hierarchy__node_ae498f6fd14ca058a3ae0a95d5425451a}{
+\index{\_\-hierarchy\_\-node@{\_\-hierarchy\_\-node}!label@{label}}
+\index{label@{label}!_hierarchy_node@{\_\-hierarchy\_\-node}}
+\subsubsection[{label}]{\setlength{\rightskip}{0pt plus 5cm}char {\bf \_\-hierarchy\_\-node::label}\mbox{[}256\mbox{]}}}
+\label{struct__hierarchy__node_ae498f6fd14ca058a3ae0a95d5425451a}
+\hypertarget{struct__hierarchy__node_a79ea88029938dc30ab8f159405d12c87}{
+\index{\_\-hierarchy\_\-node@{\_\-hierarchy\_\-node}!max\_\-val@{max\_\-val}}
+\index{max\_\-val@{max\_\-val}!_hierarchy_node@{\_\-hierarchy\_\-node}}
+\subsubsection[{max\_\-val}]{\setlength{\rightskip}{0pt plus 5cm}int {\bf \_\-hierarchy\_\-node::max\_\-val}}}
+\label{struct__hierarchy__node_a79ea88029938dc30ab8f159405d12c87}
+\hypertarget{struct__hierarchy__node_a13ceebd7b435b9ef347fb90d9e6bbfe4}{
+\index{\_\-hierarchy\_\-node@{\_\-hierarchy\_\-node}!min\_\-val@{min\_\-val}}
+\index{min\_\-val@{min\_\-val}!_hierarchy_node@{\_\-hierarchy\_\-node}}
+\subsubsection[{min\_\-val}]{\setlength{\rightskip}{0pt plus 5cm}int {\bf \_\-hierarchy\_\-node::min\_\-val}}}
+\label{struct__hierarchy__node_a13ceebd7b435b9ef347fb90d9e6bbfe4}
+\hypertarget{struct__hierarchy__node_a849256ce1039e2cefaaf64d91171be0a}{
+\index{\_\-hierarchy\_\-node@{\_\-hierarchy\_\-node}!nchildren@{nchildren}}
+\index{nchildren@{nchildren}!_hierarchy_node@{\_\-hierarchy\_\-node}}
+\subsubsection[{nchildren}]{\setlength{\rightskip}{0pt plus 5cm}int {\bf \_\-hierarchy\_\-node::nchildren}}}
+\label{struct__hierarchy__node_a849256ce1039e2cefaaf64d91171be0a}
+\hypertarget{struct__hierarchy__node_a5c94c89d7e2aea393f1c550afb766bbe}{
+\index{\_\-hierarchy\_\-node@{\_\-hierarchy\_\-node}!parent@{parent}}
+\index{parent@{parent}!_hierarchy_node@{\_\-hierarchy\_\-node}}
+\subsubsection[{parent}]{\setlength{\rightskip}{0pt plus 5cm}struct {\bf \_\-hierarchy\_\-node}$\ast$ {\bf \_\-hierarchy\_\-node::parent}}}
+\label{struct__hierarchy__node_a5c94c89d7e2aea393f1c550afb766bbe}
+\hypertarget{struct__hierarchy__node_a3b18e3ddfa2212c5e4ff9c0b4bde4296}{
+\index{\_\-hierarchy\_\-node@{\_\-hierarchy\_\-node}!type@{type}}
+\index{type@{type}!_hierarchy_node@{\_\-hierarchy\_\-node}}
+\subsubsection[{type}]{\setlength{\rightskip}{0pt plus 5cm}{\bf cluster\_\-type} {\bf \_\-hierarchy\_\-node::type}}}
+\label{struct__hierarchy__node_a3b18e3ddfa2212c5e4ff9c0b4bde4296}
+
+
+The documentation for this struct was generated from the following file:\begin{DoxyCompactItemize}
+\item 
+\hyperlink{spp__ai_8h}{spp\_\-ai.h}\end{DoxyCompactItemize}
diff --git a/doc/latex/structattribute__key.tex b/doc/latex/structattribute__key.tex
new file mode 100644
index 0000000..94a2bac
--- /dev/null
+++ b/doc/latex/structattribute__key.tex
@@ -0,0 +1,29 @@
+\hypertarget{structattribute__key}{
+\section{attribute\_\-key Struct Reference}
+\label{structattribute__key}\index{attribute\_\-key@{attribute\_\-key}}
+}
+\subsection*{Data Fields}
+\begin{DoxyCompactItemize}
+\item 
+int \hyperlink{structattribute__key_a4fdb3d7aabeac6b1052b59e05e3d8842}{min}
+\item 
+int \hyperlink{structattribute__key_a82b7e5ac49820b816871a4ddf30c462d}{max}
+\end{DoxyCompactItemize}
+
+
+\subsection{Field Documentation}
+\hypertarget{structattribute__key_a82b7e5ac49820b816871a4ddf30c462d}{
+\index{attribute\_\-key@{attribute\_\-key}!max@{max}}
+\index{max@{max}!attribute_key@{attribute\_\-key}}
+\subsubsection[{max}]{\setlength{\rightskip}{0pt plus 5cm}int {\bf attribute\_\-key::max}}}
+\label{structattribute__key_a82b7e5ac49820b816871a4ddf30c462d}
+\hypertarget{structattribute__key_a4fdb3d7aabeac6b1052b59e05e3d8842}{
+\index{attribute\_\-key@{attribute\_\-key}!min@{min}}
+\index{min@{min}!attribute_key@{attribute\_\-key}}
+\subsubsection[{min}]{\setlength{\rightskip}{0pt plus 5cm}int {\bf attribute\_\-key::min}}}
+\label{structattribute__key_a4fdb3d7aabeac6b1052b59e05e3d8842}
+
+
+The documentation for this struct was generated from the following file:\begin{DoxyCompactItemize}
+\item 
+\hyperlink{cluster_8c}{cluster.c}\end{DoxyCompactItemize}
diff --git a/doc/latex/structattribute__value.tex b/doc/latex/structattribute__value.tex
new file mode 100644
index 0000000..35b6929
--- /dev/null
+++ b/doc/latex/structattribute__value.tex
@@ -0,0 +1,43 @@
+\hypertarget{structattribute__value}{
+\section{attribute\_\-value Struct Reference}
+\label{structattribute__value}\index{attribute\_\-value@{attribute\_\-value}}
+}
+\subsection*{Data Fields}
+\begin{DoxyCompactItemize}
+\item 
+\hyperlink{structattribute__key}{attribute\_\-key} \hyperlink{structattribute__value_aa8b5ae41c150e4fefb800d3b1924278d}{key}
+\item 
+\hyperlink{spp__ai_8h_ae2ff3c6586aa2ab211a102abfde86640}{cluster\_\-type} \hyperlink{structattribute__value_a5322c4edde771a7ee0d9fc5f5e45484c}{type}
+\item 
+unsigned int \hyperlink{structattribute__value_a5579c0304c2e9ab488ac94905b385045}{count}
+\item 
+UT\_\-hash\_\-handle \hyperlink{structattribute__value_a9abf5d1758ee0cc4803e3b40fc4481cc}{hh}
+\end{DoxyCompactItemize}
+
+
+\subsection{Field Documentation}
+\hypertarget{structattribute__value_a5579c0304c2e9ab488ac94905b385045}{
+\index{attribute\_\-value@{attribute\_\-value}!count@{count}}
+\index{count@{count}!attribute_value@{attribute\_\-value}}
+\subsubsection[{count}]{\setlength{\rightskip}{0pt plus 5cm}unsigned int {\bf attribute\_\-value::count}}}
+\label{structattribute__value_a5579c0304c2e9ab488ac94905b385045}
+\hypertarget{structattribute__value_a9abf5d1758ee0cc4803e3b40fc4481cc}{
+\index{attribute\_\-value@{attribute\_\-value}!hh@{hh}}
+\index{hh@{hh}!attribute_value@{attribute\_\-value}}
+\subsubsection[{hh}]{\setlength{\rightskip}{0pt plus 5cm}UT\_\-hash\_\-handle {\bf attribute\_\-value::hh}}}
+\label{structattribute__value_a9abf5d1758ee0cc4803e3b40fc4481cc}
+\hypertarget{structattribute__value_aa8b5ae41c150e4fefb800d3b1924278d}{
+\index{attribute\_\-value@{attribute\_\-value}!key@{key}}
+\index{key@{key}!attribute_value@{attribute\_\-value}}
+\subsubsection[{key}]{\setlength{\rightskip}{0pt plus 5cm}{\bf attribute\_\-key} {\bf attribute\_\-value::key}}}
+\label{structattribute__value_aa8b5ae41c150e4fefb800d3b1924278d}
+\hypertarget{structattribute__value_a5322c4edde771a7ee0d9fc5f5e45484c}{
+\index{attribute\_\-value@{attribute\_\-value}!type@{type}}
+\index{type@{type}!attribute_value@{attribute\_\-value}}
+\subsubsection[{type}]{\setlength{\rightskip}{0pt plus 5cm}{\bf cluster\_\-type} {\bf attribute\_\-value::type}}}
+\label{structattribute__value_a5322c4edde771a7ee0d9fc5f5e45484c}
+
+
+The documentation for this struct was generated from the following file:\begin{DoxyCompactItemize}
+\item 
+\hyperlink{cluster_8c}{cluster.c}\end{DoxyCompactItemize}
diff --git a/doc/latex/structpkt__info.tex b/doc/latex/structpkt__info.tex
index 668d3cb..ab65ae8 100644
--- a/doc/latex/structpkt__info.tex
+++ b/doc/latex/structpkt__info.tex
@@ -2,6 +2,10 @@
 \section{pkt\_\-info Struct Reference}
 \label{structpkt__info}\index{pkt\_\-info@{pkt\_\-info}}
 }
+
+
+{\ttfamily \#include $<$spp\_\-ai.h$>$}
+
 \subsection*{Data Fields}
 \begin{DoxyCompactItemize}
 \item 
@@ -13,6 +17,8 @@ SFSnortPacket $\ast$ \hyperlink{structpkt__info_a8d5ebd04a32067b05387e5c5056fe16
 \item 
 struct \hyperlink{structpkt__info}{pkt\_\-info} $\ast$ \hyperlink{structpkt__info_a5ee3c51f2ca5768b94819182641ef168}{next}
 \item 
+\hyperlink{spp__ai_8h_a3e5b8192e7d9ffaf3542f1210aec18dd}{BOOL} \hyperlink{structpkt__info_ac7ff78ea5faf333fc91f92e3085ea7c9}{observed}
+\item 
 UT\_\-hash\_\-handle \hyperlink{structpkt__info_a264e90d4b5d490de040f38c1072e142f}{hh}
 \end{DoxyCompactItemize}
 
@@ -33,6 +39,11 @@ UT\_\-hash\_\-handle \hyperlink{structpkt__info_a264e90d4b5d490de040f38c1072e142
 \index{next@{next}!pkt_info@{pkt\_\-info}}
 \subsubsection[{next}]{\setlength{\rightskip}{0pt plus 5cm}struct {\bf pkt\_\-info}$\ast$ {\bf pkt\_\-info::next}}}
 \label{structpkt__info_a5ee3c51f2ca5768b94819182641ef168}
+\hypertarget{structpkt__info_ac7ff78ea5faf333fc91f92e3085ea7c9}{
+\index{pkt\_\-info@{pkt\_\-info}!observed@{observed}}
+\index{observed@{observed}!pkt_info@{pkt\_\-info}}
+\subsubsection[{observed}]{\setlength{\rightskip}{0pt plus 5cm}{\bf BOOL} {\bf pkt\_\-info::observed}}}
+\label{structpkt__info_ac7ff78ea5faf333fc91f92e3085ea7c9}
 \hypertarget{structpkt__info_a8d5ebd04a32067b05387e5c5056fe168}{
 \index{pkt\_\-info@{pkt\_\-info}!pkt@{pkt}}
 \index{pkt@{pkt}!pkt_info@{pkt\_\-info}}
@@ -47,4 +58,4 @@ UT\_\-hash\_\-handle \hyperlink{structpkt__info_a264e90d4b5d490de040f38c1072e142
 
 The documentation for this struct was generated from the following file:\begin{DoxyCompactItemize}
 \item 
-\hyperlink{stream_8c}{stream.c}\end{DoxyCompactItemize}
+\hyperlink{spp__ai_8h}{spp\_\-ai.h}\end{DoxyCompactItemize}
diff --git a/doc/latex/structpkt__key.tex b/doc/latex/structpkt__key.tex
index c0db4da..53a7baf 100644
--- a/doc/latex/structpkt__key.tex
+++ b/doc/latex/structpkt__key.tex
@@ -2,6 +2,10 @@
 \section{pkt\_\-key Struct Reference}
 \label{structpkt__key}\index{pkt\_\-key@{pkt\_\-key}}
 }
+
+
+{\ttfamily \#include $<$spp\_\-ai.h$>$}
+
 \subsection*{Data Fields}
 \begin{DoxyCompactItemize}
 \item 
@@ -26,4 +30,4 @@
 
 The documentation for this struct was generated from the following file:\begin{DoxyCompactItemize}
 \item 
-\hyperlink{stream_8c}{stream.c}\end{DoxyCompactItemize}
+\hyperlink{spp__ai_8h}{spp\_\-ai.h}\end{DoxyCompactItemize}
diff --git a/spp_ai.c b/spp_ai.c
index 3a2cc5a..c712909 100644
--- a/spp_ai.c
+++ b/spp_ai.c
@@ -149,7 +149,8 @@ static AI_config * AI_parse(char *args)
 	BOOL has_cleanup_interval       = false,
 		has_stream_expire_interval = false,
 		has_alertfile              = false,
-		has_clusterfile            = false;
+		has_clusterfile            = false,
+		has_clustering             = false;
 
 	AI_config *config               = NULL;
 
@@ -282,10 +283,8 @@ static AI_config * AI_parse(char *args)
 	/* Parsing cluster options */
 	while ( preg_match ( "\\s*(cluster\\s*\\(\\s*)([^\\)]+)\\)", args, &matches, &nmatches ) > 0 )
 	{
-		if ( !has_clusterfile )
-		{
-			_dpd.fatalMsg ( "AIPreproc: cluster option specified in configuration: '%s'\nBut no 'clusterfile' option was specified", matches[1] );
-		}
+		if ( ! has_clustering )
+			has_clustering = true;
 
 		memset ( label, 0, sizeof(label) );
 		min_val = -1;
@@ -312,8 +311,6 @@ static AI_config * AI_parse(char *args)
 				type = src_addr;
 			else if ( !strcasecmp ( matches[0], "dst_addr" ))
 				type = dst_addr;
-			else if ( !strcasecmp ( matches[0], "time" ))
-				type = timestamp;
 			else
 				_dpd.fatalMsg ( "AIPreproc: Unknown class type in configuration: '%s'\n", matches[0] );
 
@@ -358,6 +355,11 @@ static AI_config * AI_parse(char *args)
 						min_val = strtoul ( matches[0], NULL, 10 );
 						max_val = strtoul ( matches[1], NULL, 10 );
 
+						if ( min_val > max_val )
+						{
+							_dpd.fatalMsg ( "AIPreproc: Parse error in configuration: '%s', minval > maxval\n", arg );
+						}
+
 						for ( i=0; i < nmatches; i++ )
 							free ( matches[i] );
 				
@@ -497,29 +499,34 @@ static AI_config * AI_parse(char *args)
 
 	if ( ! has_cleanup_interval )
 	{
-		config->hashCleanupInterval = 60;
+		config->hashCleanupInterval = DEFAULT_HASH_CLEANUP_INTERVAL;
 	}
 
 	if ( ! has_stream_expire_interval )
 	{
-		config->streamExpireInterval = 600;
+		config->streamExpireInterval = DEFAULT_STREAM_EXPIRE_INTERVAL;
 	}
 
 	if ( ! has_alertfile )
 	{
-		strcpy ( config->alertfile, "/var/log/snort/alert" );
+		strncpy ( config->alertfile, DEFAULT_ALERT_LOG_FILE, sizeof ( config->alertfile ));
 	}
 
-	if ( has_clusterfile )
+	if ( has_clustering )
 	{
 		if ( ! hierarchy_nodes )
 		{
 			_dpd.fatalMsg ( "AIPreproc: cluster file specified in the configuration but no clusters were specified\n" );
 		}
 
+		if ( ! has_clusterfile )
+		{
+			strncpy ( config->clusterfile, DEFAULT_CLUSTER_LOG_FILE, sizeof ( config->clusterfile ));
+		}
+
 		if ( ! alert_clustering_interval )
 		{
-			config->alertClusteringInterval = 600;
+			config->alertClusteringInterval = DEFAULT_ALERT_CLUSTERING_INTERVAL;
 		}
 
 		AI_hierarchies_build ( config, hierarchy_nodes, n_hierarchy_nodes );
diff --git a/spp_ai.h b/spp_ai.h
index 416451e..075e47e 100644
--- a/spp_ai.h
+++ b/spp_ai.h
@@ -26,6 +26,12 @@
 
 #define 	PRIVATE 		static
 
+#define 	DEFAULT_HASH_CLEANUP_INTERVAL 		300
+#define 	DEFAULT_STREAM_EXPIRE_INTERVAL 		300
+#define 	DEFAULT_ALERT_CLUSTERING_INTERVAL 		3600
+#define 	DEFAULT_ALERT_LOG_FILE 				"/var/log/snort/alert"
+#define 	DEFAULT_CLUSTER_LOG_FILE 			"/var/log/snort/cluster_alert"
+
 extern DynamicPreprocessorData _dpd;
 typedef unsigned char   uint8_t;
 typedef unsigned short  uint16_t;
@@ -34,7 +40,7 @@ typedef unsigned int    uint32_t;
 typedef enum { false, true } BOOL;
 
 typedef enum {
-	none, src_port, dst_port, src_addr, dst_addr, timestamp
+	none, src_addr, dst_addr, src_port, dst_port, CLUSTER_TYPES
 } cluster_type;
 
 /* Each stream in the hash table is identified by the couple (src_ip, dst_port) */
@@ -120,10 +126,7 @@ typedef struct _AI_snort_alert  {
 
 	/* Hierarchies for addresses and ports,
 	 * if the clustering algorithm is used */
-	hierarchy_node  *src_addr_node;
-	hierarchy_node  *dst_addr_node;
-	hierarchy_node  *src_port_node;
-	hierarchy_node  *dst_port_node;
+	hierarchy_node  *h_node[CLUSTER_TYPES];
 
 	/* If the clustering algorithm is used,
 	 * we also count how many alerts this
@@ -139,8 +142,10 @@ void*              AI_alertparser_thread ( void* );
 void               AI_pkt_enqueue ( SFSnortPacket* );
 void               AI_set_stream_observed ( struct pkt_key key );
 void               AI_hierarchies_build ( AI_config*, hierarchy_node**, int );
+
 struct pkt_info*   AI_get_stream_by_key ( struct pkt_key );
 AI_snort_alert*    AI_get_alerts ( void );
+void               AI_free_alerts ( AI_snort_alert *node );
 
 #endif  /* _SPP_AI_H */
 
diff --git a/tags b/tags
index b4461c4..9ee1a01 100644
--- a/tags
+++ b/tags
@@ -7,6 +7,8 @@
 AI_alertparser_thread	alert_parser.c	/^AI_alertparser_thread ( void* arg )$/;"	f	signature:( void* arg )
 AI_alertparser_thread	spp_ai.h	/^void*              AI_alertparser_thread ( void* );$/;"	p	signature:( void* )
 AI_config	spp_ai.h	/^} AI_config;$/;"	t	typeref:struct:__anon3
+AI_free_alerts	alert_parser.c	/^AI_free_alerts ( AI_snort_alert *node )$/;"	f	signature:( AI_snort_alert *node )
+AI_free_alerts	spp_ai.h	/^void               AI_free_alerts ( AI_snort_alert *node );$/;"	p	signature:( AI_snort_alert *node )
 AI_get_alerts	alert_parser.c	/^AI_get_alerts ()$/;"	f
 AI_get_alerts	spp_ai.h	/^AI_snort_alert*    AI_get_alerts ( void );$/;"	p	signature:( void )
 AI_get_stream_by_key	spp_ai.h	/^struct pkt_info*   AI_get_stream_by_key ( struct pkt_key );$/;"	p	signature:( struct pkt_key )
@@ -45,12 +47,18 @@ CDL_PREPEND	uthash/utlist.h	442;"	d
 CDL_SEARCH	uthash/utlist.h	482;"	d
 CDL_SEARCH_SCALAR	uthash/utlist.h	475;"	d
 CDL_SORT	uthash/utlist.h	214;"	d
+CLUSTER_TYPES	spp_ai.h	/^	none, src_addr, dst_addr, src_port, dst_port, CLUSTER_TYPES$/;"	e	enum:__anon2
 CMDLINE	Makefile	/^CMDLINE=-g -O2 -fvisibility=hidden -fno-strict-aliasing -Wall -fstack-protector$/;"	m
 DECLTYPE	uthash/uthash.h	36;"	d
 DECLTYPE	uthash/uthash.h	39;"	d
 DECLTYPE	uthash/uthash.h	42;"	d
 DECLTYPE_ASSIGN	uthash/uthash.h	46;"	d
 DECLTYPE_ASSIGN	uthash/uthash.h	52;"	d
+DEFAULT_ALERT_CLUSTERING_INTERVAL	spp_ai.h	31;"	d
+DEFAULT_ALERT_LOG_FILE	spp_ai.h	32;"	d
+DEFAULT_CLUSTER_LOG_FILE	spp_ai.h	33;"	d
+DEFAULT_HASH_CLEANUP_INTERVAL	spp_ai.h	29;"	d
+DEFAULT_STREAM_EXPIRE_INTERVAL	spp_ai.h	30;"	d
 DEFINES	Makefile	/^DEFINES=-D_GNU_SOURCE -D_XOPEN_SOURCE -DDYNAMIC_PLUGIN -DSUP_IP6 -DENABLE_MYSQL -DHAVE_CONFIG_H$/;"	m
 DL_APPEND	uthash/utlist.h	396;"	d
 DL_DELETE	uthash/utlist.h	410;"	d
@@ -213,7 +221,7 @@ UTLIST_H	uthash/utlist.h	25;"	d
 UTLIST_VERSION	uthash/utlist.h	27;"	d
 UTSTRING_H	uthash/utstring.h	28;"	d
 UTSTRING_VERSION	uthash/utstring.h	30;"	d
-UT_array	uthash/utarray.h	/^} UT_array;$/;"	t	typeref:struct:__anon6
+UT_array	uthash/utarray.h	/^} UT_array;$/;"	t	typeref:struct:__anon8
 UT_hash_bucket	uthash/uthash.h	/^typedef struct UT_hash_bucket {$/;"	s
 UT_hash_bucket	uthash/uthash.h	/^} UT_hash_bucket;$/;"	t	typeref:struct:UT_hash_bucket
 UT_hash_bucket::count	uthash/uthash.h	/^   unsigned count;$/;"	m	struct:UT_hash_bucket	access:public
@@ -245,20 +253,24 @@ UT_hash_table::num_buckets	uthash/uthash.h	/^   unsigned num_buckets, log2_num_b
 UT_hash_table::num_items	uthash/uthash.h	/^   unsigned num_items;$/;"	m	struct:UT_hash_table	access:public
 UT_hash_table::signature	uthash/uthash.h	/^   uint32_t signature; \/* used only to find hash tables in external analysis *\/$/;"	m	struct:UT_hash_table	access:public
 UT_hash_table::tail	uthash/uthash.h	/^   struct UT_hash_handle *tail; \/* tail hh in app order, for fast append    *\/$/;"	m	struct:UT_hash_table	typeref:struct:UT_hash_table::UT_hash_handle	access:public
-UT_icd	uthash/utarray.h	/^} UT_icd;$/;"	t	typeref:struct:__anon5
-UT_string	uthash/utstring.h	/^} UT_string;$/;"	t	typeref:struct:__anon4
+UT_icd	uthash/utarray.h	/^} UT_icd;$/;"	t	typeref:struct:__anon7
+UT_string	uthash/utstring.h	/^} UT_string;$/;"	t	typeref:struct:__anon6
 _ AI _ config Struct Reference	doc/latex/struct__AI__config.tex	/^\\section{\\_\\-AI\\_\\-config Struct Reference}$/;"	s
 _AI_cluster_thread	cluster.c	/^_AI_cluster_thread ( void* arg )$/;"	f	signature:( void* arg )
+_AI_copy_alerts	alert_parser.c	/^_AI_copy_alerts ( AI_snort_alert *node )$/;"	f	signature:( AI_snort_alert *node )
+_AI_equal_alarms	cluster.c	/^_AI_equal_alarms ( AI_snort_alert *a1, AI_snort_alert *a2 )$/;"	f	signature:( AI_snort_alert *a1, AI_snort_alert *a2 )
+_AI_get_min_hierarchy_node	cluster.c	/^_AI_get_min_hierarchy_node ( int val, hierarchy_node *root )$/;"	f	signature:( int val, hierarchy_node *root )
+_AI_merge_alerts	cluster.c	/^_AI_merge_alerts ( AI_snort_alert **log )$/;"	f	signature:( AI_snort_alert **log )
+_AI_print_clustered_alerts	cluster.c	/^_AI_print_clustered_alerts ( AI_snort_alert *log, FILE *fp )$/;"	f	signature:( AI_snort_alert *log, FILE *fp )
 _AI_snort_alert	spp_ai.h	/^typedef struct _AI_snort_alert  {$/;"	s
 _AI_snort_alert::ack	spp_ai.h	/^	uint32_t        ack;$/;"	m	struct:_AI_snort_alert	access:public
 _AI_snort_alert::classification	spp_ai.h	/^	char            *classification;$/;"	m	struct:_AI_snort_alert	access:public
 _AI_snort_alert::desc	spp_ai.h	/^	char            *desc;$/;"	m	struct:_AI_snort_alert	access:public
 _AI_snort_alert::dst_addr	spp_ai.h	/^	uint32_t        dst_addr;$/;"	m	struct:_AI_snort_alert	access:public
-_AI_snort_alert::dst_addr_node	spp_ai.h	/^	hierarchy_node  *dst_addr_node;$/;"	m	struct:_AI_snort_alert	access:public
 _AI_snort_alert::dst_port	spp_ai.h	/^	uint16_t        dst_port;$/;"	m	struct:_AI_snort_alert	access:public
-_AI_snort_alert::dst_port_node	spp_ai.h	/^	hierarchy_node  *dst_port_node;$/;"	m	struct:_AI_snort_alert	access:public
 _AI_snort_alert::gid	spp_ai.h	/^	unsigned int    gid;$/;"	m	struct:_AI_snort_alert	access:public
 _AI_snort_alert::grouped_alarms_count	spp_ai.h	/^	unsigned int    grouped_alarms_count;$/;"	m	struct:_AI_snort_alert	access:public
+_AI_snort_alert::h_node	spp_ai.h	/^	hierarchy_node  *h_node[CLUSTER_TYPES];$/;"	m	struct:_AI_snort_alert	access:public
 _AI_snort_alert::id	spp_ai.h	/^	uint16_t        id;$/;"	m	struct:_AI_snort_alert	access:public
 _AI_snort_alert::iplen	spp_ai.h	/^	uint16_t        iplen;$/;"	m	struct:_AI_snort_alert	access:public
 _AI_snort_alert::ipproto	spp_ai.h	/^	uint8_t         ipproto;$/;"	m	struct:_AI_snort_alert	access:public
@@ -268,9 +280,7 @@ _AI_snort_alert::rev	spp_ai.h	/^	unsigned int    rev;$/;"	m	struct:_AI_snort_ale
 _AI_snort_alert::sequence	spp_ai.h	/^	uint32_t        sequence;$/;"	m	struct:_AI_snort_alert	access:public
 _AI_snort_alert::sid	spp_ai.h	/^	unsigned int    sid;$/;"	m	struct:_AI_snort_alert	access:public
 _AI_snort_alert::src_addr	spp_ai.h	/^	uint32_t        src_addr;$/;"	m	struct:_AI_snort_alert	access:public
-_AI_snort_alert::src_addr_node	spp_ai.h	/^	hierarchy_node  *src_addr_node;$/;"	m	struct:_AI_snort_alert	access:public
 _AI_snort_alert::src_port	spp_ai.h	/^	uint16_t        src_port;$/;"	m	struct:_AI_snort_alert	access:public
-_AI_snort_alert::src_port_node	spp_ai.h	/^	hierarchy_node  *src_port_node;$/;"	m	struct:_AI_snort_alert	access:public
 _AI_snort_alert::stream	spp_ai.h	/^	struct pkt_info *stream;$/;"	m	struct:_AI_snort_alert	typeref:struct:_AI_snort_alert::pkt_info	access:public
 _AI_snort_alert::tcp_flags	spp_ai.h	/^	uint8_t         tcp_flags;$/;"	m	struct:_AI_snort_alert	access:public
 _AI_snort_alert::tcplen	spp_ai.h	/^	uint16_t        tcplen;$/;"	m	struct:_AI_snort_alert	access:public
@@ -305,20 +315,27 @@ __anon3::alertfile	spp_ai.h	/^	char          alertfile[1024];$/;"	m	struct:__ano
 __anon3::clusterfile	spp_ai.h	/^	char          clusterfile[1024];$/;"	m	struct:__anon3	access:public
 __anon3::hashCleanupInterval	spp_ai.h	/^	unsigned long hashCleanupInterval;$/;"	m	struct:__anon3	access:public
 __anon3::streamExpireInterval	spp_ai.h	/^	unsigned long streamExpireInterval;$/;"	m	struct:__anon3	access:public
-__anon4::d	uthash/utstring.h	/^    char *d;$/;"	m	struct:__anon4	access:public
-__anon4::i	uthash/utstring.h	/^    size_t i; \/* index of first unused byte *\/$/;"	m	struct:__anon4	access:public
-__anon4::n	uthash/utstring.h	/^    size_t n; \/* allocd size *\/$/;"	m	struct:__anon4	access:public
-__anon5::copy	uthash/utarray.h	/^    ctor_f *copy;$/;"	m	struct:__anon5	access:public
-__anon5::dtor	uthash/utarray.h	/^    dtor_f *dtor;$/;"	m	struct:__anon5	access:public
-__anon5::init	uthash/utarray.h	/^    init_f *init;$/;"	m	struct:__anon5	access:public
-__anon5::sz	uthash/utarray.h	/^    size_t sz;$/;"	m	struct:__anon5	access:public
-__anon6::d	uthash/utarray.h	/^    char *d;     \/* n slots of size icd->sz*\/$/;"	m	struct:__anon6	access:public
-__anon6::i	uthash/utarray.h	/^    unsigned i,n;\/* i: index of next available slot, n: num slots *\/$/;"	m	struct:__anon6	access:public
-__anon6::icd	uthash/utarray.h	/^    const UT_icd *icd; \/* initializer, copy and destructor functions *\/$/;"	m	struct:__anon6	access:public
-__anon6::n	uthash/utarray.h	/^    unsigned i,n;\/* i: index of next available slot, n: num slots *\/$/;"	m	struct:__anon6	access:public
-_config	cluster.c	/^PRIVATE AI_config      *_config       = NULL;$/;"	v
+__anon4::max	cluster.c	/^	int max;$/;"	m	struct:__anon4	file:	access:public
+__anon4::min	cluster.c	/^	int min;$/;"	m	struct:__anon4	file:	access:public
+__anon5::count	cluster.c	/^	unsigned int    count;$/;"	m	struct:__anon5	file:	access:public
+__anon5::hh	cluster.c	/^	UT_hash_handle  hh;$/;"	m	struct:__anon5	file:	access:public
+__anon5::key	cluster.c	/^	attribute_key   key;$/;"	m	struct:__anon5	file:	access:public
+__anon5::type	cluster.c	/^	cluster_type    type;$/;"	m	struct:__anon5	file:	access:public
+__anon6::d	uthash/utstring.h	/^    char *d;$/;"	m	struct:__anon6	access:public
+__anon6::i	uthash/utstring.h	/^    size_t i; \/* index of first unused byte *\/$/;"	m	struct:__anon6	access:public
+__anon6::n	uthash/utstring.h	/^    size_t n; \/* allocd size *\/$/;"	m	struct:__anon6	access:public
+__anon7::copy	uthash/utarray.h	/^    ctor_f *copy;$/;"	m	struct:__anon7	access:public
+__anon7::dtor	uthash/utarray.h	/^    dtor_f *dtor;$/;"	m	struct:__anon7	access:public
+__anon7::init	uthash/utarray.h	/^    init_f *init;$/;"	m	struct:__anon7	access:public
+__anon7::sz	uthash/utarray.h	/^    size_t sz;$/;"	m	struct:__anon7	access:public
+__anon8::d	uthash/utarray.h	/^    char *d;     \/* n slots of size icd->sz*\/$/;"	m	struct:__anon8	access:public
+__anon8::i	uthash/utarray.h	/^    unsigned i,n;\/* i: index of next available slot, n: num slots *\/$/;"	m	struct:__anon8	access:public
+__anon8::icd	uthash/utarray.h	/^    const UT_icd *icd; \/* initializer, copy and destructor functions *\/$/;"	m	struct:__anon8	access:public
+__anon8::n	uthash/utarray.h	/^    unsigned i,n;\/* i: index of next available slot, n: num slots *\/$/;"	m	struct:__anon8	access:public
+_config	cluster.c	/^PRIVATE AI_config      *_config               = NULL;$/;"	v
 _details	doc/html/group__sfPolicyConfig.html	/^<hr\/><a name="_details"><\/a><h2>Detailed Description<\/h2>$/;"	a
 _dpd	sf_dynamic_preproc_lib.c	/^DynamicPreprocessorData _dpd;$/;"	v
+_heuristic_func	cluster.c	/^_heuristic_func ( cluster_type type )$/;"	f	signature:( cluster_type type )
 _hierarchy_node	spp_ai.h	/^typedef struct _hierarchy_node$/;"	s
 _hierarchy_node::children	spp_ai.h	/^	struct _hierarchy_node  **children;$/;"	m	struct:_hierarchy_node	typeref:struct:_hierarchy_node::_hierarchy_node	access:public
 _hierarchy_node::label	spp_ai.h	/^	char                    label[256];$/;"	m	struct:_hierarchy_node	access:public
@@ -333,9 +350,11 @@ _utarray_eltptr	uthash/utarray.h	116;"	d
 ack	spp_ai.h	/^	uint32_t        ack;$/;"	m	struct:_AI_snort_alert	access:public
 alertClusteringInterval	spp_ai.h	/^	unsigned long alertClusteringInterval;$/;"	m	struct:__anon3	access:public
 alert_fp	alert_parser.c	/^PRIVATE FILE           *alert_fp = NULL;$/;"	v
-alert_log	cluster.c	/^PRIVATE AI_snort_alert *alert_log     = NULL;$/;"	v
+alert_log	cluster.c	/^PRIVATE AI_snort_alert *alert_log             = NULL;$/;"	v
 alertfile	spp_ai.h	/^	char          alertfile[1024];$/;"	m	struct:__anon3	access:public
 alerts	alert_parser.c	/^PRIVATE AI_snort_alert *alerts   = NULL;$/;"	v
+attribute_key	cluster.c	/^} attribute_key;$/;"	t	typeref:struct:__anon4	file:
+attribute_value	cluster.c	/^} attribute_value;$/;"	t	typeref:struct:__anon5	file:
 bloom_bv	uthash/uthash.h	/^   uint8_t *bloom_bv;$/;"	m	struct:UT_hash_table	access:public
 bloom_nbits	uthash/uthash.h	/^   char bloom_nbits;$/;"	m	struct:UT_hash_table	access:public
 bloom_sig	uthash/uthash.h	/^   uint32_t bloom_sig; \/* used only to test bloom exists in external analysis *\/$/;"	m	struct:UT_hash_table	access:public
@@ -345,25 +364,22 @@ classification	spp_ai.h	/^	char            *classification;$/;"	m	struct:_AI_sno
 cluster_type	spp_ai.h	/^} cluster_type;$/;"	t	typeref:enum:__anon2
 clusterfile	spp_ai.h	/^	char          clusterfile[1024];$/;"	m	struct:__anon3	access:public
 convertToId	doc/html/search/search.js	/^function convertToId(search)$/;"	f
-copy	uthash/utarray.h	/^    ctor_f *copy;$/;"	m	struct:__anon5	access:public
+copy	uthash/utarray.h	/^    ctor_f *copy;$/;"	m	struct:__anon7	access:public
+count	cluster.c	/^	unsigned int    count;$/;"	m	struct:__anon5	file:	access:public
 count	uthash/uthash.h	/^   unsigned count;$/;"	m	struct:UT_hash_bucket	access:public
 ctor_f	uthash/utarray.h	/^typedef void (ctor_f)(void *dst, const void *src);$/;"	t
-d	uthash/utarray.h	/^    char *d;     \/* n slots of size icd->sz*\/$/;"	m	struct:__anon6	access:public
-d	uthash/utstring.h	/^    char *d;$/;"	m	struct:__anon4	access:public
+d	uthash/utarray.h	/^    char *d;     \/* n slots of size icd->sz*\/$/;"	m	struct:__anon8	access:public
+d	uthash/utstring.h	/^    char *d;$/;"	m	struct:__anon6	access:public
 define-members	doc/html/sf__preproc__info_8h.html	/^<tr><td colspan="2"><h2><a name="define-members"><\/a>$/;"	a
 define-members	doc/html/spp__ai_8c.html	/^<tr><td colspan="2"><h2><a name="define-members"><\/a>$/;"	a
 desc	spp_ai.h	/^	char            *desc;$/;"	m	struct:_AI_snort_alert	access:public
 dst _ port	doc/latex/structpkt__key.tex	/^\\subsubsection[{dst\\_\\-port}]{\\setlength{\\rightskip}{0pt plus 5cm}{\\bf uint16\\_\\-t} {\\bf pkt\\_\\-key::dst\\_\\-port}}}$/;"	b
-dst_addr	spp_ai.h	/^	none, src_port, dst_port, src_addr, dst_addr, timestamp$/;"	e	enum:__anon2
+dst_addr	spp_ai.h	/^	none, src_addr, dst_addr, src_port, dst_port, CLUSTER_TYPES$/;"	e	enum:__anon2
 dst_addr	spp_ai.h	/^	uint32_t        dst_addr;$/;"	m	struct:_AI_snort_alert	access:public
-dst_addr_node	spp_ai.h	/^	hierarchy_node  *dst_addr_node;$/;"	m	struct:_AI_snort_alert	access:public
-dst_addr_root	cluster.c	/^PRIVATE hierarchy_node *dst_addr_root = NULL;$/;"	v
-dst_port	spp_ai.h	/^	none, src_port, dst_port, src_addr, dst_addr, timestamp$/;"	e	enum:__anon2
+dst_port	spp_ai.h	/^	none, src_addr, dst_addr, src_port, dst_port, CLUSTER_TYPES$/;"	e	enum:__anon2
 dst_port	spp_ai.h	/^	uint16_t        dst_port;$/;"	m	struct:_AI_snort_alert	access:public
 dst_port	spp_ai.h	/^	uint16_t dst_port;$/;"	m	struct:pkt_key	access:public
-dst_port_node	spp_ai.h	/^	hierarchy_node  *dst_port_node;$/;"	m	struct:_AI_snort_alert	access:public
-dst_port_root	cluster.c	/^PRIVATE hierarchy_node *dst_port_root = NULL;$/;"	v
-dtor	uthash/utarray.h	/^    dtor_f *dtor;$/;"	m	struct:__anon5	access:public
+dtor	uthash/utarray.h	/^    dtor_f *dtor;$/;"	m	struct:__anon7	access:public
 dtor_f	uthash/utarray.h	/^typedef void (dtor_f)(void *elt);$/;"	t
 enum-members	doc/html/spp__ai_8h.html	/^<tr><td colspan="2"><h2><a name="enum-members"><\/a>$/;"	a
 ex_config	spp_ai.c	/^tSfPolicyUserContextId ex_config = NULL;$/;"	v
@@ -443,10 +459,13 @@ getXPos	doc/html/search/search.js	/^function getXPos(item)$/;"	f
 getYPos	doc/html/search/search.js	/^function getYPos(item)$/;"	f
 gid	spp_ai.h	/^	unsigned int    gid;$/;"	m	struct:_AI_snort_alert	access:public
 grouped_alarms_count	spp_ai.h	/^	unsigned int    grouped_alarms_count;$/;"	m	struct:_AI_snort_alert	access:public
+h_node	spp_ai.h	/^	hierarchy_node  *h_node[CLUSTER_TYPES];$/;"	m	struct:_AI_snort_alert	access:public
+h_root	cluster.c	/^PRIVATE hierarchy_node *h_root[CLUSTER_TYPES] = { NULL };$/;"	v
 hash	stream.c	/^PRIVATE struct pkt_info *hash = NULL;$/;"	v	typeref:struct:pkt_info
 hashCleanupInterval	doc/latex/struct__AI__config.tex	/^\\subsubsection[{hashCleanupInterval}]{\\setlength{\\rightskip}{0pt plus 5cm}unsigned long {\\bf \\_\\-AI\\_\\-config::hashCleanupInterval}}}$/;"	b
 hashCleanupInterval	spp_ai.h	/^	unsigned long hashCleanupInterval;$/;"	m	struct:__anon3	access:public
 hashv	uthash/uthash.h	/^   unsigned hashv;                   \/* result of hash-fcn(key)        *\/$/;"	m	struct:UT_hash_handle	access:public
+hh	cluster.c	/^	UT_hash_handle  hh;$/;"	m	struct:__anon5	file:	access:public
 hh	doc/latex/structpkt__info.tex	/^\\subsubsection[{hh}]{\\setlength{\\rightskip}{0pt plus 5cm}UT\\_\\-hash\\_\\-handle {\\bf pkt\\_\\-info::hh}}}$/;"	b
 hh	spp_ai.h	/^	UT_hash_handle    hh; 		      \/* Make the struct 'hashable' *\/$/;"	m	struct:pkt_info	access:public
 hh_head	uthash/uthash.h	/^   struct UT_hash_handle *hh_head;$/;"	m	struct:UT_hash_bucket	typeref:struct:UT_hash_bucket::UT_hash_handle	access:public
@@ -454,9 +473,9 @@ hh_next	uthash/uthash.h	/^   struct UT_hash_handle *hh_next;   \/* next hh in bu
 hh_prev	uthash/uthash.h	/^   struct UT_hash_handle *hh_prev;   \/* previous hh in bucket order    *\/$/;"	m	struct:UT_hash_handle	typeref:struct:UT_hash_handle::UT_hash_handle	access:public
 hho	uthash/uthash.h	/^   ptrdiff_t hho; \/* hash handle offset (byte pos of hash handle in element *\/$/;"	m	struct:UT_hash_table	access:public
 hierarchy_node	spp_ai.h	/^} hierarchy_node;$/;"	t	typeref:struct:_hierarchy_node
-i	uthash/utarray.h	/^    unsigned i,n;\/* i: index of next available slot, n: num slots *\/$/;"	m	struct:__anon6	access:public
-i	uthash/utstring.h	/^    size_t i; \/* index of first unused byte *\/$/;"	m	struct:__anon4	access:public
-icd	uthash/utarray.h	/^    const UT_icd *icd; \/* initializer, copy and destructor functions *\/$/;"	m	struct:__anon6	access:public
+i	uthash/utarray.h	/^    unsigned i,n;\/* i: index of next available slot, n: num slots *\/$/;"	m	struct:__anon8	access:public
+i	uthash/utstring.h	/^    size_t i; \/* index of first unused byte *\/$/;"	m	struct:__anon6	access:public
+icd	uthash/utarray.h	/^    const UT_icd *icd; \/* initializer, copy and destructor functions *\/$/;"	m	struct:__anon8	access:public
 id	spp_ai.h	/^	uint16_t        id;$/;"	m	struct:_AI_snort_alert	access:public
 ideal_chain_maxlen	uthash/uthash.h	/^   unsigned ideal_chain_maxlen;$/;"	m	struct:UT_hash_table	access:public
 indexSectionNames.0	doc/html/search/search.js	/^  0: "all",$/;"	p
@@ -478,10 +497,11 @@ indexSectionsWithContent.6	doc/html/search/search.js	/^  6: "0000000000000000000
 indexSectionsWithContent.7	doc/html/search/search.js	/^  7: "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",$/;"	p
 indexSectionsWithContent.8	doc/html/search/search.js	/^  8: "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010100100000100100100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"$/;"	p
 ineff_expands	uthash/uthash.h	/^   unsigned ineff_expands, noexpand;$/;"	m	struct:UT_hash_table	access:public
-init	uthash/utarray.h	/^    init_f *init;$/;"	m	struct:__anon5	access:public
+init	uthash/utarray.h	/^    init_f *init;$/;"	m	struct:__anon7	access:public
 init_f	uthash/utarray.h	/^typedef void (init_f)(void *elt);$/;"	t
 iplen	spp_ai.h	/^	uint16_t        iplen;$/;"	m	struct:_AI_snort_alert	access:public
 ipproto	spp_ai.h	/^	uint8_t         ipproto;$/;"	m	struct:_AI_snort_alert	access:public
+key	cluster.c	/^	attribute_key   key;$/;"	m	struct:__anon5	file:	access:public
 key	doc/latex/structpkt__info.tex	/^\\subsubsection[{key}]{\\setlength{\\rightskip}{0pt plus 5cm}struct {\\bf pkt\\_\\-key} {\\bf pkt\\_\\-info::key}}}$/;"	b
 key	spp_ai.h	/^	struct pkt_key    key; 	           \/* Key of the packet (src_ip, dst_port) *\/$/;"	m	struct:pkt_info	typeref:struct:pkt_info::pkt_key	access:public
 key	uthash/uthash.h	/^   void *key;                        \/* ptr to enclosing struct's key  *\/$/;"	m	struct:UT_hash_handle	access:public
@@ -546,10 +566,12 @@ latex_count	doc/latex/Makefile	/^	latex_count=5 ; \\$/;"	m
 letter_P	doc/html/classes.html	/^<tr><td><a name="letter_P"><\/a><table border="0" cellspacing="0" cellpadding="0"><tr><td><div class="ah">&nbsp;&nbsp;P&nbsp;&nbsp;<\/div><\/td><\/tr><\/table>$/;"	a
 letter__	doc/html/classes.html	/^<\/td><td><a class="el" href="structpkt__info.html">pkt_info<\/a>&nbsp;&nbsp;&nbsp;<\/td><td><a class="el" href="structpkt__key.html">pkt_key<\/a>&nbsp;&nbsp;&nbsp;<\/td><td><a name="letter__"><\/a><table border="0" cellspacing="0" cellpadding="0"><tr><td><div class="ah">&nbsp;&nbsp;_&nbsp;&nbsp;<\/div><\/td><\/tr><\/table>$/;"	a
 log2_num_buckets	uthash/uthash.h	/^   unsigned num_buckets, log2_num_buckets;$/;"	m	struct:UT_hash_table	access:public
+max	cluster.c	/^	int max;$/;"	m	struct:__anon4	file:	access:public
 max_val	spp_ai.h	/^	int                     max_val;$/;"	m	struct:_hierarchy_node	access:public
+min	cluster.c	/^	int min;$/;"	m	struct:__anon4	file:	access:public
 min_val	spp_ai.h	/^	int                     min_val;$/;"	m	struct:_hierarchy_node	access:public
-n	uthash/utarray.h	/^    unsigned i,n;\/* i: index of next available slot, n: num slots *\/$/;"	m	struct:__anon6	access:public
-n	uthash/utstring.h	/^    size_t n; \/* allocd size *\/$/;"	m	struct:__anon4	access:public
+n	uthash/utarray.h	/^    unsigned i,n;\/* i: index of next available slot, n: num slots *\/$/;"	m	struct:__anon8	access:public
+n	uthash/utstring.h	/^    size_t n; \/* allocd size *\/$/;"	m	struct:__anon6	access:public
 nchildren	spp_ai.h	/^	int                     nchildren;$/;"	m	struct:_hierarchy_node	access:public
 nested-classes	doc/html/spp__ai_8h.html	/^<tr><td colspan="2"><h2><a name="nested-classes"><\/a>$/;"	a
 nested-classes	doc/html/stream_8c.html	/^<tr><td colspan="2"><h2><a name="nested-classes"><\/a>$/;"	a
@@ -558,7 +580,7 @@ next	spp_ai.h	/^	struct _AI_snort_alert *next;$/;"	m	struct:_AI_snort_alert	type
 next	spp_ai.h	/^	struct pkt_info*  next; 	           \/* Pointer to the next packet in the stream *\/$/;"	m	struct:pkt_info	typeref:struct:pkt_info::pkt_info	access:public
 next	uthash/uthash.h	/^   void *next;                       \/* next element in app order      *\/$/;"	m	struct:UT_hash_handle	access:public
 noexpand	uthash/uthash.h	/^   unsigned ineff_expands, noexpand;$/;"	m	struct:UT_hash_table	access:public
-none	spp_ai.h	/^	none, src_port, dst_port, src_addr, dst_addr, timestamp$/;"	e	enum:__anon2
+none	spp_ai.h	/^	none, src_addr, dst_addr, src_port, dst_port, CLUSTER_TYPES$/;"	e	enum:__anon2
 nonideal_items	uthash/uthash.h	/^   unsigned nonideal_items;$/;"	m	struct:UT_hash_table	access:public
 num_buckets	uthash/uthash.h	/^   unsigned num_buckets, log2_num_buckets;$/;"	m	struct:UT_hash_table	access:public
 num_items	uthash/uthash.h	/^   unsigned num_items;$/;"	m	struct:UT_hash_table	access:public
@@ -610,32 +632,28 @@ signature	uthash/uthash.h	/^   uint32_t signature; \/* used only to find hash ta
 spp _ ai c File Reference	doc/latex/spp__ai_8c.tex	/^\\section{spp\\_\\-ai.c File Reference}$/;"	s
 spp _ ai h File Reference	doc/latex/spp__ai_8h.tex	/^\\section{spp\\_\\-ai.h File Reference}$/;"	s
 src _ ip	doc/latex/structpkt__key.tex	/^\\subsubsection[{src\\_\\-ip}]{\\setlength{\\rightskip}{0pt plus 5cm}{\\bf uint32\\_\\-t} {\\bf pkt\\_\\-key::src\\_\\-ip}}}$/;"	b
-src_addr	spp_ai.h	/^	none, src_port, dst_port, src_addr, dst_addr, timestamp$/;"	e	enum:__anon2
+src_addr	spp_ai.h	/^	none, src_addr, dst_addr, src_port, dst_port, CLUSTER_TYPES$/;"	e	enum:__anon2
 src_addr	spp_ai.h	/^	uint32_t        src_addr;$/;"	m	struct:_AI_snort_alert	access:public
-src_addr_node	spp_ai.h	/^	hierarchy_node  *src_addr_node;$/;"	m	struct:_AI_snort_alert	access:public
-src_addr_root	cluster.c	/^PRIVATE hierarchy_node *src_addr_root = NULL;$/;"	v
 src_ip	spp_ai.h	/^	uint32_t src_ip;$/;"	m	struct:pkt_key	access:public
-src_port	spp_ai.h	/^	none, src_port, dst_port, src_addr, dst_addr, timestamp$/;"	e	enum:__anon2
+src_port	spp_ai.h	/^	none, src_addr, dst_addr, src_port, dst_port, CLUSTER_TYPES$/;"	e	enum:__anon2
 src_port	spp_ai.h	/^	uint16_t        src_port;$/;"	m	struct:_AI_snort_alert	access:public
-src_port_node	spp_ai.h	/^	hierarchy_node  *src_port_node;$/;"	m	struct:_AI_snort_alert	access:public
-src_port_root	cluster.c	/^PRIVATE hierarchy_node *src_port_root = NULL;$/;"	v
 start_time	stream.c	/^PRIVATE time_t start_time = 0;$/;"	v
 stream	spp_ai.h	/^	struct pkt_info *stream;$/;"	m	struct:_AI_snort_alert	typeref:struct:_AI_snort_alert::pkt_info	access:public
 stream c File Reference	doc/latex/stream_8c.tex	/^\\section{stream.c File Reference}$/;"	s
 streamExpireInterval	doc/latex/struct__AI__config.tex	/^\\subsubsection[{streamExpireInterval}]{\\setlength{\\rightskip}{0pt plus 5cm}unsigned long {\\bf \\_\\-AI\\_\\-config::streamExpireInterval}}}$/;"	b
 streamExpireInterval	spp_ai.h	/^	unsigned long streamExpireInterval;$/;"	m	struct:__anon3	access:public
-sz	uthash/utarray.h	/^    size_t sz;$/;"	m	struct:__anon5	access:public
+sz	uthash/utarray.h	/^    size_t sz;$/;"	m	struct:__anon7	access:public
 tail	uthash/uthash.h	/^   struct UT_hash_handle *tail; \/* tail hh in app order, for fast append    *\/$/;"	m	struct:UT_hash_table	typeref:struct:UT_hash_table::UT_hash_handle	access:public
 tbl	uthash/uthash.h	/^   struct UT_hash_table *tbl;$/;"	m	struct:UT_hash_handle	typeref:struct:UT_hash_handle::UT_hash_table	access:public
 tcp_flags	spp_ai.h	/^	uint8_t         tcp_flags;$/;"	m	struct:_AI_snort_alert	access:public
 tcplen	spp_ai.h	/^	uint16_t        tcplen;$/;"	m	struct:_AI_snort_alert	access:public
 timestamp	doc/latex/structpkt__info.tex	/^\\subsubsection[{timestamp}]{\\setlength{\\rightskip}{0pt plus 5cm}time\\_\\-t {\\bf pkt\\_\\-info::timestamp}}}$/;"	b
-timestamp	spp_ai.h	/^	none, src_port, dst_port, src_addr, dst_addr, timestamp$/;"	e	enum:__anon2
 timestamp	spp_ai.h	/^	time_t            timestamp;        \/* Timestamp *\/$/;"	m	struct:pkt_info	access:public
 timestamp	spp_ai.h	/^	time_t          timestamp;$/;"	m	struct:_AI_snort_alert	access:public
 tos	spp_ai.h	/^	uint8_t         tos;$/;"	m	struct:_AI_snort_alert	access:public
 true	spp_ai.h	/^typedef enum { false, true } BOOL;$/;"	e	enum:__anon1
 ttl	spp_ai.h	/^	uint8_t         ttl;$/;"	m	struct:_AI_snort_alert	access:public
+type	cluster.c	/^	cluster_type    type;$/;"	m	struct:__anon5	file:	access:public
 type	spp_ai.h	/^	cluster_type            type;$/;"	m	struct:_hierarchy_node	access:public
 typedef-members	doc/html/spp__ai_8h.html	/^<tr><td colspan="2"><h2><a name="typedef-members"><\/a>$/;"	a
 uint16_t	spp_ai.h	/^typedef unsigned short  uint16_t;$/;"	t