Fixing alert correlation logical condition
This commit is contained in:
parent
bd19aa77c7
commit
da77d08a25
1 changed files with 16 additions and 2 deletions
|
@ -1447,14 +1447,28 @@ AI_alert_correlation_thread ( void *arg )
|
|||
HASH_FIND ( hh, manual_correlations, &pair_key, sizeof ( pair_key ), pair );
|
||||
HASH_FIND ( hh, manual_uncorrelations, &pair_key, sizeof ( pair_key ), unpair );
|
||||
|
||||
/* Yes, BlackLight wrote this line of code in a pair of minutes and immediately
|
||||
* compiled it without a single error */
|
||||
if ( !unpair && ( pair || (
|
||||
corr->correlation >= corr_threshold &&
|
||||
corr_threshold != 0.0 &&
|
||||
corr->key.a->timestamp <= corr->key.b->timestamp && ! (
|
||||
corr->key.a->gid == corr->key.b->gid &&
|
||||
corr->key.a->sid == corr->key.b->sid &&
|
||||
corr->key.a->rev == corr->key.b->rev ))))
|
||||
{
|
||||
corr->key.a->rev == corr->key.b->rev ) && (
|
||||
corr->key.a->ip_src_addr == corr->key.b->ip_src_addr || (
|
||||
(corr->key.a->h_node[src_addr] && corr->key.b->h_node[src_addr]) ?
|
||||
( corr->key.a->h_node[src_addr]->max_val == corr->key.b->h_node[src_addr]->max_val &&
|
||||
corr->key.a->h_node[src_addr]->min_val == corr->key.b->h_node[src_addr]->min_val ) : 0
|
||||
)) && (
|
||||
corr->key.a->ip_dst_addr == corr->key.b->ip_dst_addr || (
|
||||
(corr->key.a->h_node[dst_addr] && corr->key.b->h_node[dst_addr]) ?
|
||||
( corr->key.a->h_node[dst_addr]->max_val == corr->key.b->h_node[dst_addr]->max_val &&
|
||||
corr->key.a->h_node[dst_addr]->min_val == corr->key.b->h_node[dst_addr]->min_val ) : 0
|
||||
))
|
||||
)
|
||||
)
|
||||
) {
|
||||
if ( !( corr->key.a->derived_alerts = ( AI_snort_alert** ) realloc ( corr->key.a->derived_alerts, (++corr->key.a->n_derived_alerts) * sizeof ( AI_snort_alert* ))))
|
||||
AI_fatal_err ( "Fatal dynamic memory allocation error", __FILE__, __LINE__ );
|
||||
|
||||
|
|
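Review bot: The new source/destination address test is spliced into a condition that is already five parentheses deep, and the joke comment above it is the only description of the rule — exactly the kind of expression where the logic slip this commit is fixing hides. The address match should be a named helper called twice, and the comment should state the rule, e.g. `/* Correlate a->b when manually paired, or when the score clears a non-zero threshold, a precedes b, the two alerts are not the same signature, and src and dst each match by exact IP or by the same hierarchy-node range */`. The helper below assumes `corr->key.a`/`corr->key.b` are `AI_snort_alert *` (as the `derived_alerts` cast suggests) and that `src_addr`/`dst_addr` are the integer indices already used into `h_node[]`; both need confirming against the header. `AI_alert_correlation_thread` begins and ends outside the hunk, and the `realloc` line at the bottom is pre-existing context.

```c
/* True when alerts a and b share the address selected by dir (src_addr or
 * dst_addr): either the IP is identical, or both alerts carry a hierarchy
 * node for that direction and the two nodes cover the same range. */
static int
AI_alert_addr_match ( const AI_snort_alert *a, const AI_snort_alert *b, int dir )
{
	if ( dir == src_addr && a->ip_src_addr == b->ip_src_addr )
		return 1;

	if ( dir == dst_addr && a->ip_dst_addr == b->ip_dst_addr )
		return 1;

	/* Without a node on both sides there is no range to compare */
	if ( !a->h_node[dir] || !b->h_node[dir] )
		return 0;

	return a->h_node[dir]->max_val == b->h_node[dir]->max_val &&
	       a->h_node[dir]->min_val == b->h_node[dir]->min_val;
}

/* … unchanged: HASH_FIND lookups, threshold/timestamp/signature tests … */
					corr->key.a->rev == corr->key.b->rev ) &&
				AI_alert_addr_match ( corr->key.a, corr->key.b, src_addr ) &&
				AI_alert_addr_match ( corr->key.a, corr->key.b, dst_addr ) ))) {
/* … unchanged: derived_alerts realloc and the rest of the body … */
```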