diff --git a/ChangeLog b/ChangeLog
index ac394d8..68aa2f7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,10 +5,10 @@
 2010-09-09  Fabio "BlackLight" Manganiello <blacklight@autistici.org>
 	* Makefile.am: Complete support for make dist
 
-2010-09-05  Fabio "BlackLight" Manganiello <blacklight@autistici.org>
+2010-05-09  Fabio "BlackLight" Manganiello <blacklight@autistici.org>
 	* all: Using autotools now
 
-2010-09-04  Fabio "BlackLight" Manganiello <blacklight@autistici.org>
+2010-04-04  Fabio "BlackLight" Manganiello <blacklight@autistici.org>
 	* mysql.c: This file now only contains the functions for managing MySQL
 	connections in the database wrapper
 	* db.c: Renamed from 'mysql.c' to 'db.c', now it should be abstract
diff --git a/Makefile.am b/Makefile.am
index 3b564d8..64e85c1 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4,7 +4,7 @@ AUTOMAKE_OPTIONS=foreign no-dependencies
 
 libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor
 lib_LTLIBRARIES = libsf_ai_preproc.la
-libsf_ai_preproc_la_CFLAGS   = -I./uthash -I./include ${LIBXML2_INCLUDES} -DDYNAMIC_PLUGIN -D_XOPEN_SOURCE -D_GNU_SOURCE -fvisibility=hidden -fno-strict-aliasing -Wall -pedantic -pedantic-errors -fstack-protector
+libsf_ai_preproc_la_CFLAGS   = -I./uthash -I./include ${LIBXML2_INCLUDES} ${LIBGRAPH_INCLUDES} -DDYNAMIC_PLUGIN -D_XOPEN_SOURCE -D_GNU_SOURCE -fvisibility=hidden -fno-strict-aliasing -Wall -pedantic -pedantic-errors -fstack-protector
 libsf_ai_preproc_la_LDFLAGS  = -module -export-dynamic
 
 BUILT_SOURCES = \
diff --git a/Makefile.in b/Makefile.in
index 8ff7363..9e0a08c 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -150,6 +150,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
+LIBGRAPH_INCLUDES = @LIBGRAPH_INCLUDES@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
@@ -159,7 +160,6 @@ LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
-MYSQL = @MYSQL@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
@@ -235,7 +235,7 @@ top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 AUTOMAKE_OPTIONS = foreign no-dependencies
 lib_LTLIBRARIES = libsf_ai_preproc.la
-libsf_ai_preproc_la_CFLAGS = -I./uthash -I./include ${LIBXML2_INCLUDES} -DDYNAMIC_PLUGIN -D_XOPEN_SOURCE -D_GNU_SOURCE -fvisibility=hidden -fno-strict-aliasing -Wall -pedantic -pedantic-errors -fstack-protector
+libsf_ai_preproc_la_CFLAGS = -I./uthash -I./include ${LIBXML2_INCLUDES} ${LIBGRAPH_INCLUDES} -DDYNAMIC_PLUGIN -D_XOPEN_SOURCE -D_GNU_SOURCE -fvisibility=hidden -fno-strict-aliasing -Wall -pedantic -pedantic-errors -fstack-protector
 libsf_ai_preproc_la_LDFLAGS = -module -export-dynamic
 BUILT_SOURCES = \
 include/sf_dynamic_preproc_lib.c \
diff --git a/TODO b/TODO
index 7703c4e..5b78910 100644
--- a/TODO
+++ b/TODO
@@ -1,5 +1,6 @@
 - Correlation macros valid also for hierarchies flags
 - Bayesian learning among alerts in alert log
+- libgc support
 
 - Managing clusters for addresses, timestamps (and more?)
 - Dynamic cluster_min_size algorithm
diff --git a/alert_parser.c b/alert_parser.c
index 1a93bb4..b93d0e2 100644
--- a/alert_parser.c
+++ b/alert_parser.c
@@ -385,6 +385,9 @@ AI_free_alerts ( AI_snort_alert *node )
 		node->hyperalert = NULL;
 	}
 
+	if ( node->derived_alerts )
+		free ( node->derived_alerts );
+
 	free ( node );
 	node = NULL;
 }		/* -----  end of function AI_free_alerts  ----- */
diff --git a/autom4te.cache/output.0 b/autom4te.cache/output.0
index d6b9e38..9a532ba 100644
--- a/autom4te.cache/output.0
+++ b/autom4te.cache/output.0
@@ -743,6 +743,7 @@ ac_includes_default="\
 # include <unistd.h>
 #endif"
 
+ac_default_prefix=/usr
 ac_header_list=
 ac_func_list=
 ac_subst_vars='am__EXEEXT_FALSE
@@ -750,7 +751,9 @@ am__EXEEXT_TRUE
 LTLIBOBJS
 LIB@&t@OBJS
 ALLOCA
-MYSQL
+LIBGRAPH_INCLUDES
+LIBXML2_INCLUDES
+CORR_RULES_PREFIX
 extra_incl
 CPP
 OTOOL64
@@ -868,6 +871,7 @@ enable_dependency_tracking
 with_gnu_ld
 enable_libtool_lock
 with_mysql
+with_graphviz
 '
       ac_precious_vars='build_alias
 host_alias
@@ -1514,6 +1518,8 @@ Optional Packages:
                           both@:>@
   --with-gnu-ld           assume the C compiler uses GNU ld @<:@default=no@:>@
   --with-mysql            Enable support for MySQL alert logs @<:@default=no@:>@
+  --without-graphviz      Disable Graphviz support for rendering correlated
+                          alerts as a PNG graph @<:@default=yes@:>@
 
 Some influential environment variables:
   CC          C compiler command
@@ -10527,6 +10533,9 @@ CC="$lt_save_CC"
 
 
 
+
+test "$prefix" = "NONE" && prefix=/usr
+
 case "$host" in
   *-openbsd2.6|*-openbsd2.5|*-openbsd2.4|*-openbsd2.3*)
     
@@ -11367,6 +11376,15 @@ else
 fi
 
 
+
+@%:@ Check whether --with-graphviz was given.
+if test "${with_graphviz+set}" = set; then :
+  withval=$with_graphviz; 
+else
+  with_graphviz=yes
+fi
+
+
 # Checks for libraries.
 if test "x$with_mysql" != xno; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for mysql_query in -lmysqlclient" >&5
@@ -11375,7 +11393,7 @@ if test "${ac_cv_lib_mysqlclient_mysql_query+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
-LIBS="-lmysqlclient -lmysqlclient $LIBS"
+LIBS="-lmysqlclient  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
@@ -11406,15 +11424,12 @@ fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_mysqlclient_mysql_query" >&5
 $as_echo "$ac_cv_lib_mysqlclient_mysql_query" >&6; }
 if test "x$ac_cv_lib_mysqlclient_mysql_query" = x""yes; then :
-  MYSQL="-lmysqlclient"
-
-		
+  
 $as_echo "@%:@define ENABLE_MYSQL 1" >>confdefs.h
 
 		
 $as_echo "@%:@define ENABLE_DB 1" >>confdefs.h
 
-	
 else
   if test "x$with_mysql" != xno; then
 		{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
@@ -11426,7 +11441,63 @@ fi
 
 fi
 
-#AC_CHECK_LIB([mysqlclient], [mysql_query])
+#AS_IF([test "x$with_graphviz" != xno],
+#	[AC_CHECK_LIB([gvc], [agread],
+#		[AC_DEFINE(ENABLE_GRAPHVIZ, 1, [Define if you want to use libgraphviz for rendering the correlated alerts graph as a PNG image])],
+#	[if test "x$with_graphviz" != xno; then
+#		AC_MSG_FAILURE([libgraphviz support required but the library was not found (use --without-graphviz if you do not want to enable the support for it)])
+#	fi])])
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for xmlReaderForFile in -lxml2" >&5
+$as_echo_n "checking for xmlReaderForFile in -lxml2... " >&6; }
+if test "${ac_cv_lib_xml2_xmlReaderForFile+set}" = set; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lxml2  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char xmlReaderForFile ();
+int
+main ()
+{
+return xmlReaderForFile ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_xml2_xmlReaderForFile=yes
+else
+  ac_cv_lib_xml2_xmlReaderForFile=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_xml2_xmlReaderForFile" >&5
+$as_echo "$ac_cv_lib_xml2_xmlReaderForFile" >&6; }
+if test "x$ac_cv_lib_xml2_xmlReaderForFile" = x""yes; then :
+  cat >>confdefs.h <<_ACEOF
+@%:@define HAVE_LIBXML2 1
+_ACEOF
+
+  LIBS="-lxml2 $LIBS"
+
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "libxml2 not found on the system
+See \`config.log' for more details" "$LINENO" 5 ; }
+fi
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lpthread" >&5
 $as_echo_n "checking for pthread_create in -lpthread... " >&6; }
 if test "${ac_cv_lib_pthread_pthread_create+set}" = set; then :
@@ -11470,10 +11541,151 @@ _ACEOF
 
   LIBS="-lpthread $LIBS"
 
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "libpthread not found on the system
+See \`config.log' for more details" "$LINENO" 5 ; }
 fi
 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for sqrt in -lm" >&5
+$as_echo_n "checking for sqrt in -lm... " >&6; }
+if test "${ac_cv_lib_m_sqrt+set}" = set; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lm  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char sqrt ();
+int
+main ()
+{
+return sqrt ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_m_sqrt=yes
+else
+  ac_cv_lib_m_sqrt=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_m_sqrt" >&5
+$as_echo "$ac_cv_lib_m_sqrt" >&6; }
+if test "x$ac_cv_lib_m_sqrt" = x""yes; then :
+  cat >>confdefs.h <<_ACEOF
+@%:@define HAVE_LIBM 1
+_ACEOF
+
+  LIBS="-lm $LIBS"
+
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "libm not found on the system
+See \`config.log' for more details" "$LINENO" 5 ; }
+fi
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for agread in -lgvc" >&5
+$as_echo_n "checking for agread in -lgvc... " >&6; }
+if test "${ac_cv_lib_gvc_agread+set}" = set; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lgvc  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char agread ();
+int
+main ()
+{
+return agread ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_gvc_agread=yes
+else
+  ac_cv_lib_gvc_agread=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gvc_agread" >&5
+$as_echo "$ac_cv_lib_gvc_agread" >&6; }
+if test "x$ac_cv_lib_gvc_agread" = x""yes; then :
+  cat >>confdefs.h <<_ACEOF
+@%:@define HAVE_LIBGVC 1
+_ACEOF
+
+  LIBS="-lgvc $LIBS"
+
+fi
+
+#AC_CHECK_LIB([gvc], [agread], [AC_DEFINE(ENABLE_GRAPHVIZ, 1, [Define if you want to use libgraphviz for rendering the correlated alerts graph as a PNG image])],[])
+	#[if test "x$with_graphviz" != xno; then
+	#	AC_MSG_FAILURE([libgraphviz support required but the library was not found (use --without-graphviz if you do not want to enable the support for it or, on a Debian-based system, install libgraphviz-dev)])
+	#fi])
+
+if test "x$prefix" == x/usr; then :
+  CORR_RULES_PREFIX="/etc/snort/corr_rules"
+
+else
+  CORR_RULES_PREFIX="${prefix}/etc/corr_rules"
+
+fi
 
 # Checks for header files.
+
+if test ! -z "`pkg-config --cflags libxml-2.0 2> /dev/null`"; then :
+  LIBXML2_INCLUDES="$(pkg-config --cflags libxml-2.0 2> /dev/null)"
+
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "libxml2 not found, okr pkg-config not working
+See \`config.log' for more details" "$LINENO" 5 ; }
+fi
+
+if test "x$with_graphviz" != xno; then :
+  if test ! -z "`pkg-config --cflags libgraph 2> /dev/null`"; then :
+  LIBGRAPH_INCLUDES="$(pkg-config --cflags libgraph 2> /dev/null)"
+
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "libgraphviz support enabled, but the library was not found or pkg-config is not working
+See \`config.log' for more details" "$LINENO" 5 ; }
+fi
+fi
+
+if test "x$with_graphviz" != xno; then :
+  
+$as_echo "@%:@define HAVE_BOOLEAN 1" >>confdefs.h
+
+fi
+
 # The Ultrix 4.2 mips builtin alloca declared by alloca.h only works
 # for constant arguments.  Useless!
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for working alloca.h" >&5
@@ -11663,7 +11875,7 @@ _ACEOF
 
 fi
 
-for ac_header in inttypes.h limits.h stddef.h stdlib.h string.h unistd.h wchar.h
+for ac_header in inttypes.h limits.h stddef.h stdlib.h string.h unistd.h wchar.h math.h
 do :
   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
 ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
@@ -11672,6 +11884,8 @@ if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
 @%:@define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
 _ACEOF
  
+else
+  as_fn_error $? "At least one of the required headers was not found" "$LINENO" 5 
 fi
 
 done
@@ -11786,6 +12000,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 
+fi
+ac_fn_c_check_type "$LINENO" "boolean" "ac_cv_type_boolean" "$ac_includes_default"
+if test "x$ac_cv_type_boolean" = x""yes; then :
+  
+cat >>confdefs.h <<_ACEOF
+@%:@define HAVE_BOOLEAN 1
+_ACEOF
+
+
 fi
 
 
@@ -12404,6 +12627,8 @@ if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
 @%:@define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
 _ACEOF
  
+else
+  as_fn_error $? "At least one of the required functions was not found" "$LINENO" 5 
 fi
 done
 
@@ -12424,7 +12649,7 @@ $as_echo "@%:@define PACKAGE_NAME \"sf_ai_preprocessor\"" >>confdefs.h
 $as_echo "@%:@define PACKAGE_STRING \"Snort AI preprocessor\"" >>confdefs.h
 
 
-$as_echo "@%:@define PACKAGE_TARNAME \"sf_ai_preprocessor\"" >>confdefs.h
+$as_echo "@%:@define PACKAGE_TARNAME \"snort_ai_preproc\"" >>confdefs.h
 
 
 $as_echo "@%:@define PACKAGE_VERSION \"0.1.0\"" >>confdefs.h
@@ -12437,6 +12662,11 @@ $as_echo "@%:@define SUP_IP6 /**/" >>confdefs.h
 $as_echo "@%:@define HAVE_VISIBILITY 1" >>confdefs.h
 
 
+cat >>confdefs.h <<_ACEOF
+@%:@define PREFIX "${prefix}"
+_ACEOF
+
+
 ac_config_files="$ac_config_files Makefile"
 
 cat >confcache <<\_ACEOF
diff --git a/autom4te.cache/output.1 b/autom4te.cache/output.1
index 14decfd..ba246c0 100644
--- a/autom4te.cache/output.1
+++ b/autom4te.cache/output.1
@@ -751,9 +751,9 @@ am__EXEEXT_TRUE
 LTLIBOBJS
 LIB@&t@OBJS
 ALLOCA
+LIBGRAPH_INCLUDES
 LIBXML2_INCLUDES
 CORR_RULES_PREFIX
-MYSQL
 extra_incl
 CPP
 OTOOL64
@@ -871,6 +871,7 @@ enable_dependency_tracking
 with_gnu_ld
 enable_libtool_lock
 with_mysql
+with_graphviz
 '
       ac_precious_vars='build_alias
 host_alias
@@ -1517,6 +1518,8 @@ Optional Packages:
                           both@:>@
   --with-gnu-ld           assume the C compiler uses GNU ld @<:@default=no@:>@
   --with-mysql            Enable support for MySQL alert logs @<:@default=no@:>@
+  --without-graphviz      Disable Graphviz support for rendering correlated
+                          alerts as a PNG graph @<:@default=yes@:>@
 
 Some influential environment variables:
   CC          C compiler command
@@ -11369,6 +11372,15 @@ else
 fi
 
 
+
+@%:@ Check whether --with-graphviz was given.
+if test "${with_graphviz+set}" = set; then :
+  withval=$with_graphviz; 
+else
+  with_graphviz=yes
+fi
+
+
 # Checks for libraries.
 if test "x$with_mysql" != xno; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for mysql_query in -lmysqlclient" >&5
@@ -11377,7 +11389,7 @@ if test "${ac_cv_lib_mysqlclient_mysql_query+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
-LIBS="-lmysqlclient -lmysqlclient $LIBS"
+LIBS="-lmysqlclient  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
@@ -11408,22 +11420,70 @@ fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_mysqlclient_mysql_query" >&5
 $as_echo "$ac_cv_lib_mysqlclient_mysql_query" >&6; }
 if test "x$ac_cv_lib_mysqlclient_mysql_query" = x""yes; then :
-  MYSQL="-lmysqlclient"
+  cat >>confdefs.h <<_ACEOF
+@%:@define HAVE_LIBMYSQLCLIENT 1
+_ACEOF
 
-		
-$as_echo "@%:@define ENABLE_MYSQL 1" >>confdefs.h
+  LIBS="-lmysqlclient $LIBS"
 
-		
-$as_echo "@%:@define ENABLE_DB 1" >>confdefs.h
-
-	
 else
-  if test "x$with_mysql" != xno; then
-		{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error $? "--with-mysql option used, but libmysqlclient was not found
+as_fn_error $? "--with-mysql option used, but libmysqlclient was not found - do not use --with-mysql, or, on a Debian-based system, install libmysqlclient-dev
+See \`config.log' for more details" "$LINENO" 5 ; }
+fi
+
+fi
+
+if test "x$with_graphviz" != xno; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for agread in -lgvc" >&5
+$as_echo_n "checking for agread in -lgvc... " >&6; }
+if test "${ac_cv_lib_gvc_agread+set}" = set; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lgvc  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char agread ();
+int
+main ()
+{
+return agread ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_gvc_agread=yes
+else
+  ac_cv_lib_gvc_agread=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gvc_agread" >&5
+$as_echo "$ac_cv_lib_gvc_agread" >&6; }
+if test "x$ac_cv_lib_gvc_agread" = x""yes; then :
+  cat >>confdefs.h <<_ACEOF
+@%:@define HAVE_LIBGVC 1
+_ACEOF
+
+  LIBS="-lgvc $LIBS"
+
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "libgraphviz support required but the library was not found - use --without-graphviz if you do not want to enable the support for it, or, on a Debian-based system, install libgraphviz-dev
 See \`config.log' for more details" "$LINENO" 5 ; }
-	fi
 fi
 
 fi
@@ -11471,6 +11531,11 @@ _ACEOF
 
   LIBS="-lxml2 $LIBS"
 
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "libxml2 not found on the system
+See \`config.log' for more details" "$LINENO" 5 ; }
 fi
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lpthread" >&5
@@ -11516,6 +11581,61 @@ _ACEOF
 
   LIBS="-lpthread $LIBS"
 
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "libpthread not found on the system
+See \`config.log' for more details" "$LINENO" 5 ; }
+fi
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for sqrt in -lm" >&5
+$as_echo_n "checking for sqrt in -lm... " >&6; }
+if test "${ac_cv_lib_m_sqrt+set}" = set; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lm  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char sqrt ();
+int
+main ()
+{
+return sqrt ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_m_sqrt=yes
+else
+  ac_cv_lib_m_sqrt=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_m_sqrt" >&5
+$as_echo "$ac_cv_lib_m_sqrt" >&6; }
+if test "x$ac_cv_lib_m_sqrt" = x""yes; then :
+  cat >>confdefs.h <<_ACEOF
+@%:@define HAVE_LIBM 1
+_ACEOF
+
+  LIBS="-lm $LIBS"
+
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "libm not found on the system
+See \`config.log' for more details" "$LINENO" 5 ; }
 fi
 
 
@@ -11539,6 +11659,24 @@ as_fn_error $? "libxml2 not found, okr pkg-config not working
 See \`config.log' for more details" "$LINENO" 5 ; }
 fi
 
+if test "x$with_graphviz" != xno; then :
+  if test ! -z "`pkg-config --cflags libgraph 2> /dev/null`"; then :
+  LIBGRAPH_INCLUDES="$(pkg-config --cflags libgraph 2> /dev/null)"
+
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "libgraphviz support enabled, but the library was not found or pkg-config is not working
+See \`config.log' for more details" "$LINENO" 5 ; }
+fi
+fi
+
+if test "x$with_graphviz" != xno; then :
+  
+$as_echo "@%:@define HAVE_BOOLEAN 1" >>confdefs.h
+
+fi
+
 # The Ultrix 4.2 mips builtin alloca declared by alloca.h only works
 # for constant arguments.  Useless!
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for working alloca.h" >&5
@@ -11728,7 +11866,7 @@ _ACEOF
 
 fi
 
-for ac_header in inttypes.h limits.h stddef.h stdlib.h string.h unistd.h wchar.h
+for ac_header in inttypes.h limits.h stddef.h stdlib.h string.h unistd.h wchar.h math.h
 do :
   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
 ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
@@ -11853,6 +11991,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 
+fi
+ac_fn_c_check_type "$LINENO" "boolean" "ac_cv_type_boolean" "$ac_includes_default"
+if test "x$ac_cv_type_boolean" = x""yes; then :
+  
+cat >>confdefs.h <<_ACEOF
+@%:@define HAVE_BOOLEAN 1
+_ACEOF
+
+
 fi
 
 
diff --git a/autom4te.cache/traces.0 b/autom4te.cache/traces.0
index 6e2e959..70b8dc9 100644
--- a/autom4te.cache/traces.0
+++ b/autom4te.cache/traces.0
@@ -2304,113 +2304,122 @@ m4trace:configure.ac:10: -1- m4_pattern_allow([^CPPFLAGS$])
 m4trace:configure.ac:10: -1- m4_pattern_allow([^CPP$])
 m4trace:configure.ac:10: -1- m4_pattern_allow([^STDC_HEADERS$])
 m4trace:configure.ac:10: -1- m4_pattern_allow([^HAVE_DLFCN_H$])
-m4trace:configure.ac:14: -1- m4_pattern_allow([^OPENBSD$])
-m4trace:configure.ac:15: -1- m4_pattern_allow([^BROKEN_SIOCGIFMTU$])
-m4trace:configure.ac:19: -1- m4_pattern_allow([^OPENBSD$])
-m4trace:configure.ac:23: -1- m4_pattern_allow([^IRIX$])
-m4trace:configure.ac:33: -1- m4_pattern_allow([^IRIX$])
-m4trace:configure.ac:43: -1- m4_pattern_allow([^SOLARIS$])
-m4trace:configure.ac:48: -1- m4_pattern_allow([^SUNOS$])
-m4trace:configure.ac:53: -1- m4_pattern_allow([^LINUX$])
-m4trace:configure.ac:55: -1- m4_pattern_allow([^PCAP_TIMEOUT_IGNORED$])
-m4trace:configure.ac:56: -1- m4_pattern_allow([^extra_incl$])
-m4trace:configure.ac:60: -1- m4_pattern_allow([^HPUX$])
-m4trace:configure.ac:61: -1- m4_pattern_allow([^WORDS_BIGENDIAN$])
-m4trace:configure.ac:62: -1- m4_pattern_allow([^extra_incl$])
-m4trace:configure.ac:67: -1- m4_pattern_allow([^FREEBSD$])
-m4trace:configure.ac:71: -1- m4_pattern_allow([^BSDI$])
-m4trace:configure.ac:74: -1- m4_pattern_allow([^AIX$])
-m4trace:configure.ac:77: -1- m4_pattern_allow([^OSF1$])
+m4trace:configure.ac:17: -1- m4_pattern_allow([^OPENBSD$])
+m4trace:configure.ac:18: -1- m4_pattern_allow([^BROKEN_SIOCGIFMTU$])
+m4trace:configure.ac:22: -1- m4_pattern_allow([^OPENBSD$])
+m4trace:configure.ac:26: -1- m4_pattern_allow([^IRIX$])
+m4trace:configure.ac:36: -1- m4_pattern_allow([^IRIX$])
+m4trace:configure.ac:46: -1- m4_pattern_allow([^SOLARIS$])
+m4trace:configure.ac:51: -1- m4_pattern_allow([^SUNOS$])
+m4trace:configure.ac:56: -1- m4_pattern_allow([^LINUX$])
+m4trace:configure.ac:58: -1- m4_pattern_allow([^PCAP_TIMEOUT_IGNORED$])
+m4trace:configure.ac:59: -1- m4_pattern_allow([^extra_incl$])
+m4trace:configure.ac:63: -1- m4_pattern_allow([^HPUX$])
+m4trace:configure.ac:64: -1- m4_pattern_allow([^WORDS_BIGENDIAN$])
+m4trace:configure.ac:65: -1- m4_pattern_allow([^extra_incl$])
+m4trace:configure.ac:70: -1- m4_pattern_allow([^FREEBSD$])
+m4trace:configure.ac:74: -1- m4_pattern_allow([^BSDI$])
+m4trace:configure.ac:77: -1- m4_pattern_allow([^AIX$])
 m4trace:configure.ac:80: -1- m4_pattern_allow([^OSF1$])
 m4trace:configure.ac:83: -1- m4_pattern_allow([^OSF1$])
-m4trace:configure.ac:87: -1- m4_pattern_allow([^MACOS$])
-m4trace:configure.ac:88: -1- m4_pattern_allow([^BROKEN_SIOCGIFMTU$])
-m4trace:configure.ac:94: -1- m4_pattern_allow([^CC$])
-m4trace:configure.ac:94: -1- m4_pattern_allow([^CFLAGS$])
-m4trace:configure.ac:94: -1- m4_pattern_allow([^LDFLAGS$])
-m4trace:configure.ac:94: -1- m4_pattern_allow([^LIBS$])
-m4trace:configure.ac:94: -1- m4_pattern_allow([^CPPFLAGS$])
-m4trace:configure.ac:94: -1- m4_pattern_allow([^CC$])
-m4trace:configure.ac:94: -1- m4_pattern_allow([^CC$])
-m4trace:configure.ac:94: -1- m4_pattern_allow([^CC$])
-m4trace:configure.ac:94: -1- m4_pattern_allow([^CC$])
-m4trace:configure.ac:94: -1- m4_pattern_allow([^ac_ct_CC$])
-m4trace:configure.ac:94: -1- _AM_DEPENDENCIES([CC])
-m4trace:configure.ac:94: -1- m4_pattern_allow([^CCDEPMODE$])
-m4trace:configure.ac:94: -1- AM_CONDITIONAL([am__fastdepCC], [
+m4trace:configure.ac:86: -1- m4_pattern_allow([^OSF1$])
+m4trace:configure.ac:90: -1- m4_pattern_allow([^MACOS$])
+m4trace:configure.ac:91: -1- m4_pattern_allow([^BROKEN_SIOCGIFMTU$])
+m4trace:configure.ac:97: -1- m4_pattern_allow([^CC$])
+m4trace:configure.ac:97: -1- m4_pattern_allow([^CFLAGS$])
+m4trace:configure.ac:97: -1- m4_pattern_allow([^LDFLAGS$])
+m4trace:configure.ac:97: -1- m4_pattern_allow([^LIBS$])
+m4trace:configure.ac:97: -1- m4_pattern_allow([^CPPFLAGS$])
+m4trace:configure.ac:97: -1- m4_pattern_allow([^CC$])
+m4trace:configure.ac:97: -1- m4_pattern_allow([^CC$])
+m4trace:configure.ac:97: -1- m4_pattern_allow([^CC$])
+m4trace:configure.ac:97: -1- m4_pattern_allow([^CC$])
+m4trace:configure.ac:97: -1- m4_pattern_allow([^ac_ct_CC$])
+m4trace:configure.ac:97: -1- _AM_DEPENDENCIES([CC])
+m4trace:configure.ac:97: -1- m4_pattern_allow([^CCDEPMODE$])
+m4trace:configure.ac:97: -1- AM_CONDITIONAL([am__fastdepCC], [
   test "x$enable_dependency_tracking" != xno \
   && test "$am_cv_CC_dependencies_compiler_type" = gcc3])
-m4trace:configure.ac:94: -1- m4_pattern_allow([^am__fastdepCC_TRUE$])
-m4trace:configure.ac:94: -1- m4_pattern_allow([^am__fastdepCC_FALSE$])
-m4trace:configure.ac:94: -1- _AM_SUBST_NOTMAKE([am__fastdepCC_TRUE])
-m4trace:configure.ac:94: -1- _AM_SUBST_NOTMAKE([am__fastdepCC_FALSE])
-m4trace:configure.ac:95: -1- m4_pattern_allow([^LN_S$])
-m4trace:configure.ac:96: -1- m4_pattern_allow([^SET_MAKE$])
-m4trace:configure.ac:106: -1- m4_pattern_allow([^MYSQL$])
-m4trace:configure.ac:106: -1- m4_pattern_allow([^ENABLE_MYSQL$])
-m4trace:configure.ac:106: -1- m4_pattern_allow([^ENABLE_DB$])
-m4trace:configure.ac:118: -1- m4_pattern_allow([^HAVE_LIBPTHREAD$])
-m4trace:configure.ac:121: -1- m4_pattern_allow([^HAVE_ALLOCA_H$])
-m4trace:configure.ac:121: -1- m4_pattern_allow([^HAVE_ALLOCA$])
-m4trace:configure.ac:121: -1- m4_pattern_allow([^ALLOCA$])
-m4trace:configure.ac:121: -1- m4_pattern_allow([^C_ALLOCA$])
-m4trace:configure.ac:121: -1- m4_pattern_allow([^CRAY_STACKSEG_END$])
-m4trace:configure.ac:121: -1- m4_pattern_allow([^STACK_DIRECTION$])
-m4trace:configure.ac:125: -1- m4_pattern_allow([^HAVE_U_INT8_T$])
-m4trace:configure.ac:125: -1- m4_pattern_allow([^HAVE_U_INT16_T$])
-m4trace:configure.ac:125: -1- m4_pattern_allow([^HAVE_U_INT32_T$])
-m4trace:configure.ac:125: -1- m4_pattern_allow([^HAVE_U_INT64_T$])
-m4trace:configure.ac:125: -1- m4_pattern_allow([^HAVE_UINT8_T$])
-m4trace:configure.ac:125: -1- m4_pattern_allow([^HAVE_UINT16_T$])
-m4trace:configure.ac:125: -1- m4_pattern_allow([^HAVE_UINT32_T$])
-m4trace:configure.ac:125: -1- m4_pattern_allow([^HAVE_UINT64_T$])
-m4trace:configure.ac:126: -1- m4_pattern_allow([^HAVE_INT8_T$])
-m4trace:configure.ac:126: -1- m4_pattern_allow([^HAVE_INT16_T$])
-m4trace:configure.ac:126: -1- m4_pattern_allow([^HAVE_INT32_T$])
-m4trace:configure.ac:126: -1- m4_pattern_allow([^HAVE_INT64_T$])
-m4trace:configure.ac:129: -1- m4_pattern_allow([^HAVE__BOOL$])
-m4trace:configure.ac:129: -1- m4_pattern_allow([^HAVE_STDBOOL_H$])
-m4trace:configure.ac:130: -1- m4_pattern_allow([^size_t$])
-m4trace:configure.ac:131: -1- m4_pattern_allow([^uint16_t$])
-m4trace:configure.ac:132: -1- m4_pattern_allow([^_UINT32_T$])
-m4trace:configure.ac:132: -1- m4_pattern_allow([^uint32_t$])
-m4trace:configure.ac:133: -1- m4_pattern_allow([^_UINT8_T$])
-m4trace:configure.ac:133: -1- m4_pattern_allow([^uint8_t$])
-m4trace:configure.ac:134: -1- m4_pattern_allow([^HAVE_PTRDIFF_T$])
-m4trace:configure.ac:137: -1- m4_pattern_allow([^HAVE_STDLIB_H$])
-m4trace:configure.ac:137: -1- m4_pattern_allow([^HAVE_MALLOC$])
-m4trace:configure.ac:137: -1- m4_pattern_allow([^HAVE_MALLOC$])
-m4trace:configure.ac:137: -1- m4_pattern_allow([^LIB@&t@OBJS$])
-m4trace:configure.ac:137: -1- m4_pattern_allow([^malloc$])
-m4trace:configure.ac:138: -1- m4_pattern_allow([^TIME_WITH_SYS_TIME$])
-m4trace:configure.ac:138: -1- AC_DEFUN([_AC_Header_sys_time_h], [m4_divert_text([INIT_PREPARE], [AS_VAR_APPEND([ac_header_list], [" sys/time.h"])])
+m4trace:configure.ac:97: -1- m4_pattern_allow([^am__fastdepCC_TRUE$])
+m4trace:configure.ac:97: -1- m4_pattern_allow([^am__fastdepCC_FALSE$])
+m4trace:configure.ac:97: -1- _AM_SUBST_NOTMAKE([am__fastdepCC_TRUE])
+m4trace:configure.ac:97: -1- _AM_SUBST_NOTMAKE([am__fastdepCC_FALSE])
+m4trace:configure.ac:98: -1- m4_pattern_allow([^LN_S$])
+m4trace:configure.ac:99: -1- m4_pattern_allow([^SET_MAKE$])
+m4trace:configure.ac:115: -1- m4_pattern_allow([^ENABLE_MYSQL$])
+m4trace:configure.ac:115: -1- m4_pattern_allow([^ENABLE_DB$])
+m4trace:configure.ac:130: -1- m4_pattern_allow([^HAVE_LIBXML2$])
+m4trace:configure.ac:131: -1- m4_pattern_allow([^HAVE_LIBPTHREAD$])
+m4trace:configure.ac:132: -1- m4_pattern_allow([^HAVE_LIBM$])
+m4trace:configure.ac:133: -1- m4_pattern_allow([^HAVE_LIBGVC$])
+m4trace:configure.ac:139: -1- m4_pattern_allow([^CORR_RULES_PREFIX$])
+m4trace:configure.ac:139: -1- m4_pattern_allow([^CORR_RULES_PREFIX$])
+m4trace:configure.ac:145: -1- m4_pattern_allow([^LIBXML2_INCLUDES$])
+m4trace:configure.ac:149: -1- m4_pattern_allow([^LIBGRAPH_INCLUDES$])
+m4trace:configure.ac:154: -1- m4_pattern_allow([^HAVE_BOOLEAN$])
+m4trace:configure.ac:157: -1- m4_pattern_allow([^HAVE_ALLOCA_H$])
+m4trace:configure.ac:157: -1- m4_pattern_allow([^HAVE_ALLOCA$])
+m4trace:configure.ac:157: -1- m4_pattern_allow([^ALLOCA$])
+m4trace:configure.ac:157: -1- m4_pattern_allow([^C_ALLOCA$])
+m4trace:configure.ac:157: -1- m4_pattern_allow([^CRAY_STACKSEG_END$])
+m4trace:configure.ac:157: -1- m4_pattern_allow([^STACK_DIRECTION$])
+m4trace:configure.ac:161: -1- m4_pattern_allow([^HAVE_U_INT8_T$])
+m4trace:configure.ac:161: -1- m4_pattern_allow([^HAVE_U_INT16_T$])
+m4trace:configure.ac:161: -1- m4_pattern_allow([^HAVE_U_INT32_T$])
+m4trace:configure.ac:161: -1- m4_pattern_allow([^HAVE_U_INT64_T$])
+m4trace:configure.ac:161: -1- m4_pattern_allow([^HAVE_UINT8_T$])
+m4trace:configure.ac:161: -1- m4_pattern_allow([^HAVE_UINT16_T$])
+m4trace:configure.ac:161: -1- m4_pattern_allow([^HAVE_UINT32_T$])
+m4trace:configure.ac:161: -1- m4_pattern_allow([^HAVE_UINT64_T$])
+m4trace:configure.ac:162: -1- m4_pattern_allow([^HAVE_INT8_T$])
+m4trace:configure.ac:162: -1- m4_pattern_allow([^HAVE_INT16_T$])
+m4trace:configure.ac:162: -1- m4_pattern_allow([^HAVE_INT32_T$])
+m4trace:configure.ac:162: -1- m4_pattern_allow([^HAVE_INT64_T$])
+m4trace:configure.ac:162: -1- m4_pattern_allow([^HAVE_BOOLEAN$])
+m4trace:configure.ac:165: -1- m4_pattern_allow([^HAVE__BOOL$])
+m4trace:configure.ac:165: -1- m4_pattern_allow([^HAVE_STDBOOL_H$])
+m4trace:configure.ac:166: -1- m4_pattern_allow([^size_t$])
+m4trace:configure.ac:167: -1- m4_pattern_allow([^uint16_t$])
+m4trace:configure.ac:168: -1- m4_pattern_allow([^_UINT32_T$])
+m4trace:configure.ac:168: -1- m4_pattern_allow([^uint32_t$])
+m4trace:configure.ac:169: -1- m4_pattern_allow([^_UINT8_T$])
+m4trace:configure.ac:169: -1- m4_pattern_allow([^uint8_t$])
+m4trace:configure.ac:170: -1- m4_pattern_allow([^HAVE_PTRDIFF_T$])
+m4trace:configure.ac:173: -1- m4_pattern_allow([^HAVE_STDLIB_H$])
+m4trace:configure.ac:173: -1- m4_pattern_allow([^HAVE_MALLOC$])
+m4trace:configure.ac:173: -1- m4_pattern_allow([^HAVE_MALLOC$])
+m4trace:configure.ac:173: -1- m4_pattern_allow([^LIB@&t@OBJS$])
+m4trace:configure.ac:173: -1- m4_pattern_allow([^malloc$])
+m4trace:configure.ac:174: -1- m4_pattern_allow([^TIME_WITH_SYS_TIME$])
+m4trace:configure.ac:174: -1- AC_DEFUN([_AC_Header_sys_time_h], [m4_divert_text([INIT_PREPARE], [AS_VAR_APPEND([ac_header_list], [" sys/time.h"])])
 _AC_HEADERS_EXPANSION])
-m4trace:configure.ac:138: -1- AC_DEFUN([_AC_Header_unistd_h], [m4_divert_text([INIT_PREPARE], [AS_VAR_APPEND([ac_header_list], [" unistd.h"])])
+m4trace:configure.ac:174: -1- AC_DEFUN([_AC_Header_unistd_h], [m4_divert_text([INIT_PREPARE], [AS_VAR_APPEND([ac_header_list], [" unistd.h"])])
 _AC_HEADERS_EXPANSION])
-m4trace:configure.ac:138: -1- AC_DEFUN([_AC_Func_alarm], [m4_divert_text([INIT_PREPARE], [AS_VAR_APPEND([ac_func_list], [" alarm"])])
+m4trace:configure.ac:174: -1- AC_DEFUN([_AC_Func_alarm], [m4_divert_text([INIT_PREPARE], [AS_VAR_APPEND([ac_func_list], [" alarm"])])
 _AC_FUNCS_EXPANSION])
-m4trace:configure.ac:138: -1- m4_pattern_allow([^LIB@&t@OBJS$])
-m4trace:configure.ac:139: -1- m4_pattern_allow([^HAVE_STDLIB_H$])
-m4trace:configure.ac:139: -1- m4_pattern_allow([^HAVE_REALLOC$])
-m4trace:configure.ac:139: -1- m4_pattern_allow([^HAVE_REALLOC$])
-m4trace:configure.ac:139: -1- m4_pattern_allow([^LIB@&t@OBJS$])
-m4trace:configure.ac:139: -1- m4_pattern_allow([^realloc$])
-m4trace:configure.ac:142: -1- m4_pattern_allow([^VERSION$])
-m4trace:configure.ac:143: -1- m4_pattern_allow([^PACKAGE$])
-m4trace:configure.ac:144: -1- m4_pattern_allow([^PACKAGE_BUGREPORT$])
-m4trace:configure.ac:145: -1- m4_pattern_allow([^PACKAGE_NAME$])
-m4trace:configure.ac:146: -1- m4_pattern_allow([^PACKAGE_STRING$])
-m4trace:configure.ac:147: -1- m4_pattern_allow([^PACKAGE_TARNAME$])
-m4trace:configure.ac:148: -1- m4_pattern_allow([^PACKAGE_VERSION$])
-m4trace:configure.ac:149: -1- m4_pattern_allow([^SUP_IP6$])
-m4trace:configure.ac:151: -1- m4_pattern_allow([^HAVE_VISIBILITY$])
-m4trace:configure.ac:154: -1- m4_pattern_allow([^LIB@&t@OBJS$])
-m4trace:configure.ac:154: -1- m4_pattern_allow([^LTLIBOBJS$])
-m4trace:configure.ac:154: -1- AM_CONDITIONAL([am__EXEEXT], [test -n "$EXEEXT"])
-m4trace:configure.ac:154: -1- m4_pattern_allow([^am__EXEEXT_TRUE$])
-m4trace:configure.ac:154: -1- m4_pattern_allow([^am__EXEEXT_FALSE$])
-m4trace:configure.ac:154: -1- _AM_SUBST_NOTMAKE([am__EXEEXT_TRUE])
-m4trace:configure.ac:154: -1- _AM_SUBST_NOTMAKE([am__EXEEXT_FALSE])
-m4trace:configure.ac:154: -1- _AC_AM_CONFIG_HEADER_HOOK(["$ac_file"])
-m4trace:configure.ac:154: -1- _AM_OUTPUT_DEPENDENCY_COMMANDS
-m4trace:configure.ac:154: -1- _LT_PROG_LTMAIN
+m4trace:configure.ac:174: -1- m4_pattern_allow([^LIB@&t@OBJS$])
+m4trace:configure.ac:175: -1- m4_pattern_allow([^HAVE_STDLIB_H$])
+m4trace:configure.ac:175: -1- m4_pattern_allow([^HAVE_REALLOC$])
+m4trace:configure.ac:175: -1- m4_pattern_allow([^HAVE_REALLOC$])
+m4trace:configure.ac:175: -1- m4_pattern_allow([^LIB@&t@OBJS$])
+m4trace:configure.ac:175: -1- m4_pattern_allow([^realloc$])
+m4trace:configure.ac:178: -1- m4_pattern_allow([^VERSION$])
+m4trace:configure.ac:179: -1- m4_pattern_allow([^PACKAGE$])
+m4trace:configure.ac:180: -1- m4_pattern_allow([^PACKAGE_BUGREPORT$])
+m4trace:configure.ac:181: -1- m4_pattern_allow([^PACKAGE_NAME$])
+m4trace:configure.ac:182: -1- m4_pattern_allow([^PACKAGE_STRING$])
+m4trace:configure.ac:183: -1- m4_pattern_allow([^PACKAGE_TARNAME$])
+m4trace:configure.ac:184: -1- m4_pattern_allow([^PACKAGE_VERSION$])
+m4trace:configure.ac:185: -1- m4_pattern_allow([^SUP_IP6$])
+m4trace:configure.ac:187: -1- m4_pattern_allow([^HAVE_VISIBILITY$])
+m4trace:configure.ac:188: -1- m4_pattern_allow([^PREFIX$])
+m4trace:configure.ac:191: -1- m4_pattern_allow([^LIB@&t@OBJS$])
+m4trace:configure.ac:191: -1- m4_pattern_allow([^LTLIBOBJS$])
+m4trace:configure.ac:191: -1- AM_CONDITIONAL([am__EXEEXT], [test -n "$EXEEXT"])
+m4trace:configure.ac:191: -1- m4_pattern_allow([^am__EXEEXT_TRUE$])
+m4trace:configure.ac:191: -1- m4_pattern_allow([^am__EXEEXT_FALSE$])
+m4trace:configure.ac:191: -1- _AM_SUBST_NOTMAKE([am__EXEEXT_TRUE])
+m4trace:configure.ac:191: -1- _AM_SUBST_NOTMAKE([am__EXEEXT_FALSE])
+m4trace:configure.ac:191: -1- _AC_AM_CONFIG_HEADER_HOOK(["$ac_file"])
+m4trace:configure.ac:191: -1- _AM_OUTPUT_DEPENDENCY_COMMANDS
+m4trace:configure.ac:191: -1- _LT_PROG_LTMAIN
diff --git a/autom4te.cache/traces.1 b/autom4te.cache/traces.1
index 910af02..941259c 100644
--- a/autom4te.cache/traces.1
+++ b/autom4te.cache/traces.1
@@ -570,304 +570,318 @@ m4trace:configure.ac:98: -1- m4_pattern_allow([^LN_S$])
 m4trace:configure.ac:99: -1- AC_SUBST([SET_MAKE])
 m4trace:configure.ac:99: -1- AC_SUBST_TRACE([SET_MAKE])
 m4trace:configure.ac:99: -1- m4_pattern_allow([^SET_MAKE$])
-m4trace:configure.ac:109: -1- AC_SUBST([MYSQL], ["-lmysqlclient"])
-m4trace:configure.ac:109: -1- AC_SUBST_TRACE([MYSQL])
-m4trace:configure.ac:109: -1- m4_pattern_allow([^MYSQL$])
-m4trace:configure.ac:109: -1- AC_DEFINE_TRACE_LITERAL([ENABLE_MYSQL])
-m4trace:configure.ac:109: -1- m4_pattern_allow([^ENABLE_MYSQL$])
-m4trace:configure.ac:109: -1- AH_OUTPUT([ENABLE_MYSQL], [/* Define if you want to use MySQL */
-@%:@undef ENABLE_MYSQL])
-m4trace:configure.ac:109: -1- AC_DEFINE_TRACE_LITERAL([ENABLE_DB])
-m4trace:configure.ac:109: -1- m4_pattern_allow([^ENABLE_DB$])
-m4trace:configure.ac:109: -1- AH_OUTPUT([ENABLE_DB], [/* Define if you want to enable database support */
-@%:@undef ENABLE_DB])
-m4trace:configure.ac:120: -1- AH_OUTPUT([HAVE_LIBXML2], [/* Define to 1 if you have the `xml2\' library (-lxml2). */
+m4trace:configure.ac:115: -1- AH_OUTPUT([HAVE_LIBMYSQLCLIENT], [/* Define to 1 if you have the `mysqlclient\' library (-lmysqlclient). */
+@%:@undef HAVE_LIBMYSQLCLIENT])
+m4trace:configure.ac:115: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBMYSQLCLIENT])
+m4trace:configure.ac:115: -1- m4_pattern_allow([^HAVE_LIBMYSQLCLIENT$])
+m4trace:configure.ac:119: -1- AH_OUTPUT([HAVE_LIBGVC], [/* Define to 1 if you have the `gvc\' library (-lgvc). */
+@%:@undef HAVE_LIBGVC])
+m4trace:configure.ac:119: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBGVC])
+m4trace:configure.ac:119: -1- m4_pattern_allow([^HAVE_LIBGVC$])
+m4trace:configure.ac:123: -1- AH_OUTPUT([HAVE_LIBXML2], [/* Define to 1 if you have the `xml2\' library (-lxml2). */
 @%:@undef HAVE_LIBXML2])
-m4trace:configure.ac:120: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBXML2])
-m4trace:configure.ac:120: -1- m4_pattern_allow([^HAVE_LIBXML2$])
-m4trace:configure.ac:121: -1- AH_OUTPUT([HAVE_LIBPTHREAD], [/* Define to 1 if you have the `pthread\' library (-lpthread). */
+m4trace:configure.ac:123: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBXML2])
+m4trace:configure.ac:123: -1- m4_pattern_allow([^HAVE_LIBXML2$])
+m4trace:configure.ac:124: -1- AH_OUTPUT([HAVE_LIBPTHREAD], [/* Define to 1 if you have the `pthread\' library (-lpthread). */
 @%:@undef HAVE_LIBPTHREAD])
-m4trace:configure.ac:121: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBPTHREAD])
-m4trace:configure.ac:121: -1- m4_pattern_allow([^HAVE_LIBPTHREAD$])
-m4trace:configure.ac:123: -1- AC_SUBST([CORR_RULES_PREFIX], ["/etc/snort/corr_rules"])
-m4trace:configure.ac:123: -1- AC_SUBST_TRACE([CORR_RULES_PREFIX])
-m4trace:configure.ac:123: -1- m4_pattern_allow([^CORR_RULES_PREFIX$])
-m4trace:configure.ac:123: -1- AC_SUBST([CORR_RULES_PREFIX], ["${prefix}/etc/corr_rules"])
-m4trace:configure.ac:123: -1- AC_SUBST_TRACE([CORR_RULES_PREFIX])
-m4trace:configure.ac:123: -1- m4_pattern_allow([^CORR_RULES_PREFIX$])
-m4trace:configure.ac:129: -1- AC_SUBST([LIBXML2_INCLUDES], ["$(pkg-config --cflags libxml-2.0 2> /dev/null)"])
-m4trace:configure.ac:129: -1- AC_SUBST_TRACE([LIBXML2_INCLUDES])
-m4trace:configure.ac:129: -1- m4_pattern_allow([^LIBXML2_INCLUDES$])
-m4trace:configure.ac:133: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ALLOCA_H])
-m4trace:configure.ac:133: -1- m4_pattern_allow([^HAVE_ALLOCA_H$])
-m4trace:configure.ac:133: -1- AH_OUTPUT([HAVE_ALLOCA_H], [/* Define to 1 if you have <alloca.h> and it should be used (not on Ultrix).
+m4trace:configure.ac:124: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBPTHREAD])
+m4trace:configure.ac:124: -1- m4_pattern_allow([^HAVE_LIBPTHREAD$])
+m4trace:configure.ac:125: -1- AH_OUTPUT([HAVE_LIBM], [/* Define to 1 if you have the `m\' library (-lm). */
+@%:@undef HAVE_LIBM])
+m4trace:configure.ac:125: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBM])
+m4trace:configure.ac:125: -1- m4_pattern_allow([^HAVE_LIBM$])
+m4trace:configure.ac:127: -1- AC_SUBST([CORR_RULES_PREFIX], ["/etc/snort/corr_rules"])
+m4trace:configure.ac:127: -1- AC_SUBST_TRACE([CORR_RULES_PREFIX])
+m4trace:configure.ac:127: -1- m4_pattern_allow([^CORR_RULES_PREFIX$])
+m4trace:configure.ac:127: -1- AC_SUBST([CORR_RULES_PREFIX], ["${prefix}/etc/corr_rules"])
+m4trace:configure.ac:127: -1- AC_SUBST_TRACE([CORR_RULES_PREFIX])
+m4trace:configure.ac:127: -1- m4_pattern_allow([^CORR_RULES_PREFIX$])
+m4trace:configure.ac:133: -1- AC_SUBST([LIBXML2_INCLUDES], ["$(pkg-config --cflags libxml-2.0 2> /dev/null)"])
+m4trace:configure.ac:133: -1- AC_SUBST_TRACE([LIBXML2_INCLUDES])
+m4trace:configure.ac:133: -1- m4_pattern_allow([^LIBXML2_INCLUDES$])
+m4trace:configure.ac:137: -1- AC_SUBST([LIBGRAPH_INCLUDES], ["$(pkg-config --cflags libgraph 2> /dev/null)"])
+m4trace:configure.ac:137: -1- AC_SUBST_TRACE([LIBGRAPH_INCLUDES])
+m4trace:configure.ac:137: -1- m4_pattern_allow([^LIBGRAPH_INCLUDES$])
+m4trace:configure.ac:142: -1- AC_DEFINE_TRACE_LITERAL([HAVE_BOOLEAN])
+m4trace:configure.ac:142: -1- m4_pattern_allow([^HAVE_BOOLEAN$])
+m4trace:configure.ac:142: -1- AH_OUTPUT([HAVE_BOOLEAN], [/* Check if the boolean type is defined */
+@%:@undef HAVE_BOOLEAN])
+m4trace:configure.ac:145: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ALLOCA_H])
+m4trace:configure.ac:145: -1- m4_pattern_allow([^HAVE_ALLOCA_H$])
+m4trace:configure.ac:145: -1- AH_OUTPUT([HAVE_ALLOCA_H], [/* Define to 1 if you have <alloca.h> and it should be used (not on Ultrix).
    */
 @%:@undef HAVE_ALLOCA_H])
-m4trace:configure.ac:133: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ALLOCA])
-m4trace:configure.ac:133: -1- m4_pattern_allow([^HAVE_ALLOCA$])
-m4trace:configure.ac:133: -1- AH_OUTPUT([HAVE_ALLOCA], [/* Define to 1 if you have `alloca\', as a function or macro. */
+m4trace:configure.ac:145: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ALLOCA])
+m4trace:configure.ac:145: -1- m4_pattern_allow([^HAVE_ALLOCA$])
+m4trace:configure.ac:145: -1- AH_OUTPUT([HAVE_ALLOCA], [/* Define to 1 if you have `alloca\', as a function or macro. */
 @%:@undef HAVE_ALLOCA])
-m4trace:configure.ac:133: -1- AC_LIBSOURCE([alloca.c])
-m4trace:configure.ac:133: -1- AC_SUBST([ALLOCA], [\${LIBOBJDIR}alloca.$ac_objext])
-m4trace:configure.ac:133: -1- AC_SUBST_TRACE([ALLOCA])
-m4trace:configure.ac:133: -1- m4_pattern_allow([^ALLOCA$])
-m4trace:configure.ac:133: -1- AC_DEFINE_TRACE_LITERAL([C_ALLOCA])
-m4trace:configure.ac:133: -1- m4_pattern_allow([^C_ALLOCA$])
-m4trace:configure.ac:133: -1- AH_OUTPUT([C_ALLOCA], [/* Define to 1 if using `alloca.c\'. */
+m4trace:configure.ac:145: -1- AC_LIBSOURCE([alloca.c])
+m4trace:configure.ac:145: -1- AC_SUBST([ALLOCA], [\${LIBOBJDIR}alloca.$ac_objext])
+m4trace:configure.ac:145: -1- AC_SUBST_TRACE([ALLOCA])
+m4trace:configure.ac:145: -1- m4_pattern_allow([^ALLOCA$])
+m4trace:configure.ac:145: -1- AC_DEFINE_TRACE_LITERAL([C_ALLOCA])
+m4trace:configure.ac:145: -1- m4_pattern_allow([^C_ALLOCA$])
+m4trace:configure.ac:145: -1- AH_OUTPUT([C_ALLOCA], [/* Define to 1 if using `alloca.c\'. */
 @%:@undef C_ALLOCA])
-m4trace:configure.ac:133: -1- AC_DEFINE_TRACE_LITERAL([CRAY_STACKSEG_END])
-m4trace:configure.ac:133: -1- m4_pattern_allow([^CRAY_STACKSEG_END$])
-m4trace:configure.ac:133: -1- AH_OUTPUT([CRAY_STACKSEG_END], [/* Define to one of `_getb67\', `GETB67\', `getb67\' for Cray-2 and Cray-YMP
+m4trace:configure.ac:145: -1- AC_DEFINE_TRACE_LITERAL([CRAY_STACKSEG_END])
+m4trace:configure.ac:145: -1- m4_pattern_allow([^CRAY_STACKSEG_END$])
+m4trace:configure.ac:145: -1- AH_OUTPUT([CRAY_STACKSEG_END], [/* Define to one of `_getb67\', `GETB67\', `getb67\' for Cray-2 and Cray-YMP
    systems. This function is required for `alloca.c\' support on those systems.
    */
 @%:@undef CRAY_STACKSEG_END])
-m4trace:configure.ac:133: -1- AH_OUTPUT([STACK_DIRECTION], [/* If using the C implementation of alloca, define if you know the
+m4trace:configure.ac:145: -1- AH_OUTPUT([STACK_DIRECTION], [/* If using the C implementation of alloca, define if you know the
    direction of stack growth for your system; otherwise it will be
    automatically deduced at runtime.
 	STACK_DIRECTION > 0 => grows toward higher addresses
 	STACK_DIRECTION < 0 => grows toward lower addresses
 	STACK_DIRECTION = 0 => direction of growth unknown */
 @%:@undef STACK_DIRECTION])
-m4trace:configure.ac:133: -1- AC_DEFINE_TRACE_LITERAL([STACK_DIRECTION])
-m4trace:configure.ac:133: -1- m4_pattern_allow([^STACK_DIRECTION$])
-m4trace:configure.ac:134: -1- AH_OUTPUT([HAVE_INTTYPES_H], [/* Define to 1 if you have the <inttypes.h> header file. */
+m4trace:configure.ac:145: -1- AC_DEFINE_TRACE_LITERAL([STACK_DIRECTION])
+m4trace:configure.ac:145: -1- m4_pattern_allow([^STACK_DIRECTION$])
+m4trace:configure.ac:146: -1- AH_OUTPUT([HAVE_INTTYPES_H], [/* Define to 1 if you have the <inttypes.h> header file. */
 @%:@undef HAVE_INTTYPES_H])
-m4trace:configure.ac:134: -1- AH_OUTPUT([HAVE_LIMITS_H], [/* Define to 1 if you have the <limits.h> header file. */
+m4trace:configure.ac:146: -1- AH_OUTPUT([HAVE_LIMITS_H], [/* Define to 1 if you have the <limits.h> header file. */
 @%:@undef HAVE_LIMITS_H])
-m4trace:configure.ac:134: -1- AH_OUTPUT([HAVE_STDDEF_H], [/* Define to 1 if you have the <stddef.h> header file. */
+m4trace:configure.ac:146: -1- AH_OUTPUT([HAVE_STDDEF_H], [/* Define to 1 if you have the <stddef.h> header file. */
 @%:@undef HAVE_STDDEF_H])
-m4trace:configure.ac:134: -1- AH_OUTPUT([HAVE_STDLIB_H], [/* Define to 1 if you have the <stdlib.h> header file. */
+m4trace:configure.ac:146: -1- AH_OUTPUT([HAVE_STDLIB_H], [/* Define to 1 if you have the <stdlib.h> header file. */
 @%:@undef HAVE_STDLIB_H])
-m4trace:configure.ac:134: -1- AH_OUTPUT([HAVE_STRING_H], [/* Define to 1 if you have the <string.h> header file. */
+m4trace:configure.ac:146: -1- AH_OUTPUT([HAVE_STRING_H], [/* Define to 1 if you have the <string.h> header file. */
 @%:@undef HAVE_STRING_H])
-m4trace:configure.ac:134: -1- AH_OUTPUT([HAVE_UNISTD_H], [/* Define to 1 if you have the <unistd.h> header file. */
+m4trace:configure.ac:146: -1- AH_OUTPUT([HAVE_UNISTD_H], [/* Define to 1 if you have the <unistd.h> header file. */
 @%:@undef HAVE_UNISTD_H])
-m4trace:configure.ac:134: -1- AH_OUTPUT([HAVE_WCHAR_H], [/* Define to 1 if you have the <wchar.h> header file. */
+m4trace:configure.ac:146: -1- AH_OUTPUT([HAVE_WCHAR_H], [/* Define to 1 if you have the <wchar.h> header file. */
 @%:@undef HAVE_WCHAR_H])
-m4trace:configure.ac:137: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT8_T])
-m4trace:configure.ac:137: -1- m4_pattern_allow([^HAVE_U_INT8_T$])
-m4trace:configure.ac:137: -1- AH_OUTPUT([HAVE_U_INT8_T], [/* Define to 1 if the system has the type `u_int8_t\'. */
+m4trace:configure.ac:146: -1- AH_OUTPUT([HAVE_MATH_H], [/* Define to 1 if you have the <math.h> header file. */
+@%:@undef HAVE_MATH_H])
+m4trace:configure.ac:149: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT8_T])
+m4trace:configure.ac:149: -1- m4_pattern_allow([^HAVE_U_INT8_T$])
+m4trace:configure.ac:149: -1- AH_OUTPUT([HAVE_U_INT8_T], [/* Define to 1 if the system has the type `u_int8_t\'. */
 @%:@undef HAVE_U_INT8_T])
-m4trace:configure.ac:137: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT16_T])
-m4trace:configure.ac:137: -1- m4_pattern_allow([^HAVE_U_INT16_T$])
-m4trace:configure.ac:137: -1- AH_OUTPUT([HAVE_U_INT16_T], [/* Define to 1 if the system has the type `u_int16_t\'. */
+m4trace:configure.ac:149: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT16_T])
+m4trace:configure.ac:149: -1- m4_pattern_allow([^HAVE_U_INT16_T$])
+m4trace:configure.ac:149: -1- AH_OUTPUT([HAVE_U_INT16_T], [/* Define to 1 if the system has the type `u_int16_t\'. */
 @%:@undef HAVE_U_INT16_T])
-m4trace:configure.ac:137: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT32_T])
-m4trace:configure.ac:137: -1- m4_pattern_allow([^HAVE_U_INT32_T$])
-m4trace:configure.ac:137: -1- AH_OUTPUT([HAVE_U_INT32_T], [/* Define to 1 if the system has the type `u_int32_t\'. */
+m4trace:configure.ac:149: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT32_T])
+m4trace:configure.ac:149: -1- m4_pattern_allow([^HAVE_U_INT32_T$])
+m4trace:configure.ac:149: -1- AH_OUTPUT([HAVE_U_INT32_T], [/* Define to 1 if the system has the type `u_int32_t\'. */
 @%:@undef HAVE_U_INT32_T])
-m4trace:configure.ac:137: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT64_T])
-m4trace:configure.ac:137: -1- m4_pattern_allow([^HAVE_U_INT64_T$])
-m4trace:configure.ac:137: -1- AH_OUTPUT([HAVE_U_INT64_T], [/* Define to 1 if the system has the type `u_int64_t\'. */
+m4trace:configure.ac:149: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT64_T])
+m4trace:configure.ac:149: -1- m4_pattern_allow([^HAVE_U_INT64_T$])
+m4trace:configure.ac:149: -1- AH_OUTPUT([HAVE_U_INT64_T], [/* Define to 1 if the system has the type `u_int64_t\'. */
 @%:@undef HAVE_U_INT64_T])
-m4trace:configure.ac:137: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UINT8_T])
-m4trace:configure.ac:137: -1- m4_pattern_allow([^HAVE_UINT8_T$])
-m4trace:configure.ac:137: -1- AH_OUTPUT([HAVE_UINT8_T], [/* Define to 1 if the system has the type `uint8_t\'. */
+m4trace:configure.ac:149: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UINT8_T])
+m4trace:configure.ac:149: -1- m4_pattern_allow([^HAVE_UINT8_T$])
+m4trace:configure.ac:149: -1- AH_OUTPUT([HAVE_UINT8_T], [/* Define to 1 if the system has the type `uint8_t\'. */
 @%:@undef HAVE_UINT8_T])
-m4trace:configure.ac:137: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UINT16_T])
-m4trace:configure.ac:137: -1- m4_pattern_allow([^HAVE_UINT16_T$])
-m4trace:configure.ac:137: -1- AH_OUTPUT([HAVE_UINT16_T], [/* Define to 1 if the system has the type `uint16_t\'. */
+m4trace:configure.ac:149: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UINT16_T])
+m4trace:configure.ac:149: -1- m4_pattern_allow([^HAVE_UINT16_T$])
+m4trace:configure.ac:149: -1- AH_OUTPUT([HAVE_UINT16_T], [/* Define to 1 if the system has the type `uint16_t\'. */
 @%:@undef HAVE_UINT16_T])
-m4trace:configure.ac:137: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UINT32_T])
-m4trace:configure.ac:137: -1- m4_pattern_allow([^HAVE_UINT32_T$])
-m4trace:configure.ac:137: -1- AH_OUTPUT([HAVE_UINT32_T], [/* Define to 1 if the system has the type `uint32_t\'. */
+m4trace:configure.ac:149: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UINT32_T])
+m4trace:configure.ac:149: -1- m4_pattern_allow([^HAVE_UINT32_T$])
+m4trace:configure.ac:149: -1- AH_OUTPUT([HAVE_UINT32_T], [/* Define to 1 if the system has the type `uint32_t\'. */
 @%:@undef HAVE_UINT32_T])
-m4trace:configure.ac:137: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UINT64_T])
-m4trace:configure.ac:137: -1- m4_pattern_allow([^HAVE_UINT64_T$])
-m4trace:configure.ac:137: -1- AH_OUTPUT([HAVE_UINT64_T], [/* Define to 1 if the system has the type `uint64_t\'. */
+m4trace:configure.ac:149: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UINT64_T])
+m4trace:configure.ac:149: -1- m4_pattern_allow([^HAVE_UINT64_T$])
+m4trace:configure.ac:149: -1- AH_OUTPUT([HAVE_UINT64_T], [/* Define to 1 if the system has the type `uint64_t\'. */
 @%:@undef HAVE_UINT64_T])
-m4trace:configure.ac:138: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INT8_T])
-m4trace:configure.ac:138: -1- m4_pattern_allow([^HAVE_INT8_T$])
-m4trace:configure.ac:138: -1- AH_OUTPUT([HAVE_INT8_T], [/* Define to 1 if the system has the type `int8_t\'. */
+m4trace:configure.ac:150: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INT8_T])
+m4trace:configure.ac:150: -1- m4_pattern_allow([^HAVE_INT8_T$])
+m4trace:configure.ac:150: -1- AH_OUTPUT([HAVE_INT8_T], [/* Define to 1 if the system has the type `int8_t\'. */
 @%:@undef HAVE_INT8_T])
-m4trace:configure.ac:138: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INT16_T])
-m4trace:configure.ac:138: -1- m4_pattern_allow([^HAVE_INT16_T$])
-m4trace:configure.ac:138: -1- AH_OUTPUT([HAVE_INT16_T], [/* Define to 1 if the system has the type `int16_t\'. */
+m4trace:configure.ac:150: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INT16_T])
+m4trace:configure.ac:150: -1- m4_pattern_allow([^HAVE_INT16_T$])
+m4trace:configure.ac:150: -1- AH_OUTPUT([HAVE_INT16_T], [/* Define to 1 if the system has the type `int16_t\'. */
 @%:@undef HAVE_INT16_T])
-m4trace:configure.ac:138: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INT32_T])
-m4trace:configure.ac:138: -1- m4_pattern_allow([^HAVE_INT32_T$])
-m4trace:configure.ac:138: -1- AH_OUTPUT([HAVE_INT32_T], [/* Define to 1 if the system has the type `int32_t\'. */
+m4trace:configure.ac:150: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INT32_T])
+m4trace:configure.ac:150: -1- m4_pattern_allow([^HAVE_INT32_T$])
+m4trace:configure.ac:150: -1- AH_OUTPUT([HAVE_INT32_T], [/* Define to 1 if the system has the type `int32_t\'. */
 @%:@undef HAVE_INT32_T])
-m4trace:configure.ac:138: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INT64_T])
-m4trace:configure.ac:138: -1- m4_pattern_allow([^HAVE_INT64_T$])
-m4trace:configure.ac:138: -1- AH_OUTPUT([HAVE_INT64_T], [/* Define to 1 if the system has the type `int64_t\'. */
+m4trace:configure.ac:150: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INT64_T])
+m4trace:configure.ac:150: -1- m4_pattern_allow([^HAVE_INT64_T$])
+m4trace:configure.ac:150: -1- AH_OUTPUT([HAVE_INT64_T], [/* Define to 1 if the system has the type `int64_t\'. */
 @%:@undef HAVE_INT64_T])
-m4trace:configure.ac:141: -1- AC_DEFINE_TRACE_LITERAL([HAVE__BOOL])
-m4trace:configure.ac:141: -1- m4_pattern_allow([^HAVE__BOOL$])
-m4trace:configure.ac:141: -1- AH_OUTPUT([HAVE__BOOL], [/* Define to 1 if the system has the type `_Bool\'. */
+m4trace:configure.ac:150: -1- AC_DEFINE_TRACE_LITERAL([HAVE_BOOLEAN])
+m4trace:configure.ac:150: -1- m4_pattern_allow([^HAVE_BOOLEAN$])
+m4trace:configure.ac:150: -1- AH_OUTPUT([HAVE_BOOLEAN], [/* Define to 1 if the system has the type `boolean\'. */
+@%:@undef HAVE_BOOLEAN])
+m4trace:configure.ac:153: -1- AC_DEFINE_TRACE_LITERAL([HAVE__BOOL])
+m4trace:configure.ac:153: -1- m4_pattern_allow([^HAVE__BOOL$])
+m4trace:configure.ac:153: -1- AH_OUTPUT([HAVE__BOOL], [/* Define to 1 if the system has the type `_Bool\'. */
 @%:@undef HAVE__BOOL])
-m4trace:configure.ac:141: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STDBOOL_H])
-m4trace:configure.ac:141: -1- m4_pattern_allow([^HAVE_STDBOOL_H$])
-m4trace:configure.ac:141: -1- AH_OUTPUT([HAVE_STDBOOL_H], [/* Define to 1 if stdbool.h conforms to C99. */
+m4trace:configure.ac:153: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STDBOOL_H])
+m4trace:configure.ac:153: -1- m4_pattern_allow([^HAVE_STDBOOL_H$])
+m4trace:configure.ac:153: -1- AH_OUTPUT([HAVE_STDBOOL_H], [/* Define to 1 if stdbool.h conforms to C99. */
 @%:@undef HAVE_STDBOOL_H])
-m4trace:configure.ac:142: -1- AC_DEFINE_TRACE_LITERAL([size_t])
-m4trace:configure.ac:142: -1- m4_pattern_allow([^size_t$])
-m4trace:configure.ac:142: -1- AH_OUTPUT([size_t], [/* Define to `unsigned int\' if <sys/types.h> does not define. */
+m4trace:configure.ac:154: -1- AC_DEFINE_TRACE_LITERAL([size_t])
+m4trace:configure.ac:154: -1- m4_pattern_allow([^size_t$])
+m4trace:configure.ac:154: -1- AH_OUTPUT([size_t], [/* Define to `unsigned int\' if <sys/types.h> does not define. */
 @%:@undef size_t])
-m4trace:configure.ac:143: -1- AC_DEFINE_TRACE_LITERAL([uint16_t])
-m4trace:configure.ac:143: -1- m4_pattern_allow([^uint16_t$])
-m4trace:configure.ac:143: -1- AH_OUTPUT([uint16_t], [/* Define to the type of an unsigned integer type of width exactly 16 bits if
+m4trace:configure.ac:155: -1- AC_DEFINE_TRACE_LITERAL([uint16_t])
+m4trace:configure.ac:155: -1- m4_pattern_allow([^uint16_t$])
+m4trace:configure.ac:155: -1- AH_OUTPUT([uint16_t], [/* Define to the type of an unsigned integer type of width exactly 16 bits if
    such a type exists and the standard includes do not define it. */
 @%:@undef uint16_t])
-m4trace:configure.ac:144: -1- AC_DEFINE_TRACE_LITERAL([_UINT32_T])
-m4trace:configure.ac:144: -1- m4_pattern_allow([^_UINT32_T$])
-m4trace:configure.ac:144: -1- AH_OUTPUT([_UINT32_T], [/* Define for Solaris 2.5.1 so the uint32_t typedef from <sys/synch.h>,
+m4trace:configure.ac:156: -1- AC_DEFINE_TRACE_LITERAL([_UINT32_T])
+m4trace:configure.ac:156: -1- m4_pattern_allow([^_UINT32_T$])
+m4trace:configure.ac:156: -1- AH_OUTPUT([_UINT32_T], [/* Define for Solaris 2.5.1 so the uint32_t typedef from <sys/synch.h>,
    <pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the
    @%:@define below would cause a syntax error. */
 @%:@undef _UINT32_T])
-m4trace:configure.ac:144: -1- AC_DEFINE_TRACE_LITERAL([uint32_t])
-m4trace:configure.ac:144: -1- m4_pattern_allow([^uint32_t$])
-m4trace:configure.ac:144: -1- AH_OUTPUT([uint32_t], [/* Define to the type of an unsigned integer type of width exactly 32 bits if
+m4trace:configure.ac:156: -1- AC_DEFINE_TRACE_LITERAL([uint32_t])
+m4trace:configure.ac:156: -1- m4_pattern_allow([^uint32_t$])
+m4trace:configure.ac:156: -1- AH_OUTPUT([uint32_t], [/* Define to the type of an unsigned integer type of width exactly 32 bits if
    such a type exists and the standard includes do not define it. */
 @%:@undef uint32_t])
-m4trace:configure.ac:145: -1- AC_DEFINE_TRACE_LITERAL([_UINT8_T])
-m4trace:configure.ac:145: -1- m4_pattern_allow([^_UINT8_T$])
-m4trace:configure.ac:145: -1- AH_OUTPUT([_UINT8_T], [/* Define for Solaris 2.5.1 so the uint8_t typedef from <sys/synch.h>,
+m4trace:configure.ac:157: -1- AC_DEFINE_TRACE_LITERAL([_UINT8_T])
+m4trace:configure.ac:157: -1- m4_pattern_allow([^_UINT8_T$])
+m4trace:configure.ac:157: -1- AH_OUTPUT([_UINT8_T], [/* Define for Solaris 2.5.1 so the uint8_t typedef from <sys/synch.h>,
    <pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the
    @%:@define below would cause a syntax error. */
 @%:@undef _UINT8_T])
-m4trace:configure.ac:145: -1- AC_DEFINE_TRACE_LITERAL([uint8_t])
-m4trace:configure.ac:145: -1- m4_pattern_allow([^uint8_t$])
-m4trace:configure.ac:145: -1- AH_OUTPUT([uint8_t], [/* Define to the type of an unsigned integer type of width exactly 8 bits if
+m4trace:configure.ac:157: -1- AC_DEFINE_TRACE_LITERAL([uint8_t])
+m4trace:configure.ac:157: -1- m4_pattern_allow([^uint8_t$])
+m4trace:configure.ac:157: -1- AH_OUTPUT([uint8_t], [/* Define to the type of an unsigned integer type of width exactly 8 bits if
    such a type exists and the standard includes do not define it. */
 @%:@undef uint8_t])
-m4trace:configure.ac:146: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PTRDIFF_T])
-m4trace:configure.ac:146: -1- m4_pattern_allow([^HAVE_PTRDIFF_T$])
-m4trace:configure.ac:146: -1- AH_OUTPUT([HAVE_PTRDIFF_T], [/* Define to 1 if the system has the type `ptrdiff_t\'. */
+m4trace:configure.ac:158: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PTRDIFF_T])
+m4trace:configure.ac:158: -1- m4_pattern_allow([^HAVE_PTRDIFF_T$])
+m4trace:configure.ac:158: -1- AH_OUTPUT([HAVE_PTRDIFF_T], [/* Define to 1 if the system has the type `ptrdiff_t\'. */
 @%:@undef HAVE_PTRDIFF_T])
-m4trace:configure.ac:149: -1- AH_OUTPUT([HAVE_STDLIB_H], [/* Define to 1 if you have the <stdlib.h> header file. */
+m4trace:configure.ac:161: -1- AH_OUTPUT([HAVE_STDLIB_H], [/* Define to 1 if you have the <stdlib.h> header file. */
 @%:@undef HAVE_STDLIB_H])
-m4trace:configure.ac:149: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STDLIB_H])
-m4trace:configure.ac:149: -1- m4_pattern_allow([^HAVE_STDLIB_H$])
-m4trace:configure.ac:149: -1- AC_DEFINE_TRACE_LITERAL([HAVE_MALLOC])
-m4trace:configure.ac:149: -1- m4_pattern_allow([^HAVE_MALLOC$])
-m4trace:configure.ac:149: -1- AH_OUTPUT([HAVE_MALLOC], [/* Define to 1 if your system has a GNU libc compatible `malloc\' function, and
+m4trace:configure.ac:161: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STDLIB_H])
+m4trace:configure.ac:161: -1- m4_pattern_allow([^HAVE_STDLIB_H$])
+m4trace:configure.ac:161: -1- AC_DEFINE_TRACE_LITERAL([HAVE_MALLOC])
+m4trace:configure.ac:161: -1- m4_pattern_allow([^HAVE_MALLOC$])
+m4trace:configure.ac:161: -1- AH_OUTPUT([HAVE_MALLOC], [/* Define to 1 if your system has a GNU libc compatible `malloc\' function, and
    to 0 otherwise. */
 @%:@undef HAVE_MALLOC])
-m4trace:configure.ac:149: -1- AC_DEFINE_TRACE_LITERAL([HAVE_MALLOC])
-m4trace:configure.ac:149: -1- m4_pattern_allow([^HAVE_MALLOC$])
-m4trace:configure.ac:149: -1- AC_LIBSOURCE([malloc.c])
-m4trace:configure.ac:149: -1- AC_SUBST([LIB@&t@OBJS], ["$LIB@&t@OBJS malloc.$ac_objext"])
-m4trace:configure.ac:149: -1- AC_SUBST_TRACE([LIB@&t@OBJS])
-m4trace:configure.ac:149: -1- m4_pattern_allow([^LIB@&t@OBJS$])
-m4trace:configure.ac:149: -1- AC_DEFINE_TRACE_LITERAL([malloc])
-m4trace:configure.ac:149: -1- m4_pattern_allow([^malloc$])
-m4trace:configure.ac:149: -1- AH_OUTPUT([malloc], [/* Define to rpl_malloc if the replacement function should be used. */
+m4trace:configure.ac:161: -1- AC_DEFINE_TRACE_LITERAL([HAVE_MALLOC])
+m4trace:configure.ac:161: -1- m4_pattern_allow([^HAVE_MALLOC$])
+m4trace:configure.ac:161: -1- AC_LIBSOURCE([malloc.c])
+m4trace:configure.ac:161: -1- AC_SUBST([LIB@&t@OBJS], ["$LIB@&t@OBJS malloc.$ac_objext"])
+m4trace:configure.ac:161: -1- AC_SUBST_TRACE([LIB@&t@OBJS])
+m4trace:configure.ac:161: -1- m4_pattern_allow([^LIB@&t@OBJS$])
+m4trace:configure.ac:161: -1- AC_DEFINE_TRACE_LITERAL([malloc])
+m4trace:configure.ac:161: -1- m4_pattern_allow([^malloc$])
+m4trace:configure.ac:161: -1- AH_OUTPUT([malloc], [/* Define to rpl_malloc if the replacement function should be used. */
 @%:@undef malloc])
-m4trace:configure.ac:150: -1- AC_DEFINE_TRACE_LITERAL([TIME_WITH_SYS_TIME])
-m4trace:configure.ac:150: -1- m4_pattern_allow([^TIME_WITH_SYS_TIME$])
-m4trace:configure.ac:150: -1- AH_OUTPUT([TIME_WITH_SYS_TIME], [/* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */
+m4trace:configure.ac:162: -1- AC_DEFINE_TRACE_LITERAL([TIME_WITH_SYS_TIME])
+m4trace:configure.ac:162: -1- m4_pattern_allow([^TIME_WITH_SYS_TIME$])
+m4trace:configure.ac:162: -1- AH_OUTPUT([TIME_WITH_SYS_TIME], [/* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */
 @%:@undef TIME_WITH_SYS_TIME])
-m4trace:configure.ac:150: -1- AH_OUTPUT([HAVE_SYS_TIME_H], [/* Define to 1 if you have the <sys/time.h> header file. */
+m4trace:configure.ac:162: -1- AH_OUTPUT([HAVE_SYS_TIME_H], [/* Define to 1 if you have the <sys/time.h> header file. */
 @%:@undef HAVE_SYS_TIME_H])
-m4trace:configure.ac:150: -1- AH_OUTPUT([HAVE_UNISTD_H], [/* Define to 1 if you have the <unistd.h> header file. */
+m4trace:configure.ac:162: -1- AH_OUTPUT([HAVE_UNISTD_H], [/* Define to 1 if you have the <unistd.h> header file. */
 @%:@undef HAVE_UNISTD_H])
-m4trace:configure.ac:150: -1- AH_OUTPUT([HAVE_ALARM], [/* Define to 1 if you have the `alarm\' function. */
+m4trace:configure.ac:162: -1- AH_OUTPUT([HAVE_ALARM], [/* Define to 1 if you have the `alarm\' function. */
 @%:@undef HAVE_ALARM])
-m4trace:configure.ac:150: -1- AC_LIBSOURCE([mktime.c])
-m4trace:configure.ac:150: -1- AC_SUBST([LIB@&t@OBJS], ["$LIB@&t@OBJS mktime.$ac_objext"])
-m4trace:configure.ac:150: -1- AC_SUBST_TRACE([LIB@&t@OBJS])
-m4trace:configure.ac:150: -1- m4_pattern_allow([^LIB@&t@OBJS$])
-m4trace:configure.ac:151: -1- AH_OUTPUT([HAVE_STDLIB_H], [/* Define to 1 if you have the <stdlib.h> header file. */
+m4trace:configure.ac:162: -1- AC_LIBSOURCE([mktime.c])
+m4trace:configure.ac:162: -1- AC_SUBST([LIB@&t@OBJS], ["$LIB@&t@OBJS mktime.$ac_objext"])
+m4trace:configure.ac:162: -1- AC_SUBST_TRACE([LIB@&t@OBJS])
+m4trace:configure.ac:162: -1- m4_pattern_allow([^LIB@&t@OBJS$])
+m4trace:configure.ac:163: -1- AH_OUTPUT([HAVE_STDLIB_H], [/* Define to 1 if you have the <stdlib.h> header file. */
 @%:@undef HAVE_STDLIB_H])
-m4trace:configure.ac:151: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STDLIB_H])
-m4trace:configure.ac:151: -1- m4_pattern_allow([^HAVE_STDLIB_H$])
-m4trace:configure.ac:151: -1- AC_DEFINE_TRACE_LITERAL([HAVE_REALLOC])
-m4trace:configure.ac:151: -1- m4_pattern_allow([^HAVE_REALLOC$])
-m4trace:configure.ac:151: -1- AH_OUTPUT([HAVE_REALLOC], [/* Define to 1 if your system has a GNU libc compatible `realloc\' function,
+m4trace:configure.ac:163: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STDLIB_H])
+m4trace:configure.ac:163: -1- m4_pattern_allow([^HAVE_STDLIB_H$])
+m4trace:configure.ac:163: -1- AC_DEFINE_TRACE_LITERAL([HAVE_REALLOC])
+m4trace:configure.ac:163: -1- m4_pattern_allow([^HAVE_REALLOC$])
+m4trace:configure.ac:163: -1- AH_OUTPUT([HAVE_REALLOC], [/* Define to 1 if your system has a GNU libc compatible `realloc\' function,
    and to 0 otherwise. */
 @%:@undef HAVE_REALLOC])
-m4trace:configure.ac:151: -1- AC_DEFINE_TRACE_LITERAL([HAVE_REALLOC])
-m4trace:configure.ac:151: -1- m4_pattern_allow([^HAVE_REALLOC$])
-m4trace:configure.ac:151: -1- AC_LIBSOURCE([realloc.c])
-m4trace:configure.ac:151: -1- AC_SUBST([LIB@&t@OBJS], ["$LIB@&t@OBJS realloc.$ac_objext"])
-m4trace:configure.ac:151: -1- AC_SUBST_TRACE([LIB@&t@OBJS])
-m4trace:configure.ac:151: -1- m4_pattern_allow([^LIB@&t@OBJS$])
-m4trace:configure.ac:151: -1- AC_DEFINE_TRACE_LITERAL([realloc])
-m4trace:configure.ac:151: -1- m4_pattern_allow([^realloc$])
-m4trace:configure.ac:151: -1- AH_OUTPUT([realloc], [/* Define to rpl_realloc if the replacement function should be used. */
+m4trace:configure.ac:163: -1- AC_DEFINE_TRACE_LITERAL([HAVE_REALLOC])
+m4trace:configure.ac:163: -1- m4_pattern_allow([^HAVE_REALLOC$])
+m4trace:configure.ac:163: -1- AC_LIBSOURCE([realloc.c])
+m4trace:configure.ac:163: -1- AC_SUBST([LIB@&t@OBJS], ["$LIB@&t@OBJS realloc.$ac_objext"])
+m4trace:configure.ac:163: -1- AC_SUBST_TRACE([LIB@&t@OBJS])
+m4trace:configure.ac:163: -1- m4_pattern_allow([^LIB@&t@OBJS$])
+m4trace:configure.ac:163: -1- AC_DEFINE_TRACE_LITERAL([realloc])
+m4trace:configure.ac:163: -1- m4_pattern_allow([^realloc$])
+m4trace:configure.ac:163: -1- AH_OUTPUT([realloc], [/* Define to rpl_realloc if the replacement function should be used. */
 @%:@undef realloc])
-m4trace:configure.ac:152: -1- AH_OUTPUT([HAVE_MEMMOVE], [/* Define to 1 if you have the `memmove\' function. */
+m4trace:configure.ac:164: -1- AH_OUTPUT([HAVE_MEMMOVE], [/* Define to 1 if you have the `memmove\' function. */
 @%:@undef HAVE_MEMMOVE])
-m4trace:configure.ac:152: -1- AH_OUTPUT([HAVE_MEMSET], [/* Define to 1 if you have the `memset\' function. */
+m4trace:configure.ac:164: -1- AH_OUTPUT([HAVE_MEMSET], [/* Define to 1 if you have the `memset\' function. */
 @%:@undef HAVE_MEMSET])
-m4trace:configure.ac:152: -1- AH_OUTPUT([HAVE_REGCOMP], [/* Define to 1 if you have the `regcomp\' function. */
+m4trace:configure.ac:164: -1- AH_OUTPUT([HAVE_REGCOMP], [/* Define to 1 if you have the `regcomp\' function. */
 @%:@undef HAVE_REGCOMP])
-m4trace:configure.ac:152: -1- AH_OUTPUT([HAVE_STRCASECMP], [/* Define to 1 if you have the `strcasecmp\' function. */
+m4trace:configure.ac:164: -1- AH_OUTPUT([HAVE_STRCASECMP], [/* Define to 1 if you have the `strcasecmp\' function. */
 @%:@undef HAVE_STRCASECMP])
-m4trace:configure.ac:152: -1- AH_OUTPUT([HAVE_STRDUP], [/* Define to 1 if you have the `strdup\' function. */
+m4trace:configure.ac:164: -1- AH_OUTPUT([HAVE_STRDUP], [/* Define to 1 if you have the `strdup\' function. */
 @%:@undef HAVE_STRDUP])
-m4trace:configure.ac:152: -1- AH_OUTPUT([HAVE_STRSTR], [/* Define to 1 if you have the `strstr\' function. */
+m4trace:configure.ac:164: -1- AH_OUTPUT([HAVE_STRSTR], [/* Define to 1 if you have the `strstr\' function. */
 @%:@undef HAVE_STRSTR])
-m4trace:configure.ac:152: -1- AH_OUTPUT([HAVE_STRTOL], [/* Define to 1 if you have the `strtol\' function. */
+m4trace:configure.ac:164: -1- AH_OUTPUT([HAVE_STRTOL], [/* Define to 1 if you have the `strtol\' function. */
 @%:@undef HAVE_STRTOL])
-m4trace:configure.ac:152: -1- AH_OUTPUT([HAVE_STRTOUL], [/* Define to 1 if you have the `strtoul\' function. */
+m4trace:configure.ac:164: -1- AH_OUTPUT([HAVE_STRTOUL], [/* Define to 1 if you have the `strtoul\' function. */
 @%:@undef HAVE_STRTOUL])
-m4trace:configure.ac:154: -1- AC_DEFINE_TRACE_LITERAL([VERSION])
-m4trace:configure.ac:154: -1- m4_pattern_allow([^VERSION$])
-m4trace:configure.ac:154: -1- AH_OUTPUT([VERSION], [/* Module version */
+m4trace:configure.ac:166: -1- AC_DEFINE_TRACE_LITERAL([VERSION])
+m4trace:configure.ac:166: -1- m4_pattern_allow([^VERSION$])
+m4trace:configure.ac:166: -1- AH_OUTPUT([VERSION], [/* Module version */
 @%:@undef VERSION])
-m4trace:configure.ac:155: -1- AC_DEFINE_TRACE_LITERAL([PACKAGE])
-m4trace:configure.ac:155: -1- m4_pattern_allow([^PACKAGE$])
-m4trace:configure.ac:155: -1- AH_OUTPUT([PACKAGE], [/* Package name */
+m4trace:configure.ac:167: -1- AC_DEFINE_TRACE_LITERAL([PACKAGE])
+m4trace:configure.ac:167: -1- m4_pattern_allow([^PACKAGE$])
+m4trace:configure.ac:167: -1- AH_OUTPUT([PACKAGE], [/* Package name */
 @%:@undef PACKAGE])
-m4trace:configure.ac:156: -1- AC_DEFINE_TRACE_LITERAL([PACKAGE_BUGREPORT])
-m4trace:configure.ac:156: -1- m4_pattern_allow([^PACKAGE_BUGREPORT$])
-m4trace:configure.ac:156: -1- AH_OUTPUT([PACKAGE_BUGREPORT], [/* Bug report address */
+m4trace:configure.ac:168: -1- AC_DEFINE_TRACE_LITERAL([PACKAGE_BUGREPORT])
+m4trace:configure.ac:168: -1- m4_pattern_allow([^PACKAGE_BUGREPORT$])
+m4trace:configure.ac:168: -1- AH_OUTPUT([PACKAGE_BUGREPORT], [/* Bug report address */
 @%:@undef PACKAGE_BUGREPORT])
-m4trace:configure.ac:157: -1- AC_DEFINE_TRACE_LITERAL([PACKAGE_NAME])
-m4trace:configure.ac:157: -1- m4_pattern_allow([^PACKAGE_NAME$])
-m4trace:configure.ac:157: -1- AH_OUTPUT([PACKAGE_NAME], [/* Package full name */
+m4trace:configure.ac:169: -1- AC_DEFINE_TRACE_LITERAL([PACKAGE_NAME])
+m4trace:configure.ac:169: -1- m4_pattern_allow([^PACKAGE_NAME$])
+m4trace:configure.ac:169: -1- AH_OUTPUT([PACKAGE_NAME], [/* Package full name */
 @%:@undef PACKAGE_NAME])
-m4trace:configure.ac:158: -1- AC_DEFINE_TRACE_LITERAL([PACKAGE_STRING])
-m4trace:configure.ac:158: -1- m4_pattern_allow([^PACKAGE_STRING$])
-m4trace:configure.ac:158: -1- AH_OUTPUT([PACKAGE_STRING], [/* Package string */
+m4trace:configure.ac:170: -1- AC_DEFINE_TRACE_LITERAL([PACKAGE_STRING])
+m4trace:configure.ac:170: -1- m4_pattern_allow([^PACKAGE_STRING$])
+m4trace:configure.ac:170: -1- AH_OUTPUT([PACKAGE_STRING], [/* Package string */
 @%:@undef PACKAGE_STRING])
-m4trace:configure.ac:159: -1- AC_DEFINE_TRACE_LITERAL([PACKAGE_TARNAME])
-m4trace:configure.ac:159: -1- m4_pattern_allow([^PACKAGE_TARNAME$])
-m4trace:configure.ac:159: -1- AH_OUTPUT([PACKAGE_TARNAME], [/* Package tarname */
+m4trace:configure.ac:171: -1- AC_DEFINE_TRACE_LITERAL([PACKAGE_TARNAME])
+m4trace:configure.ac:171: -1- m4_pattern_allow([^PACKAGE_TARNAME$])
+m4trace:configure.ac:171: -1- AH_OUTPUT([PACKAGE_TARNAME], [/* Package tarname */
 @%:@undef PACKAGE_TARNAME])
-m4trace:configure.ac:160: -1- AC_DEFINE_TRACE_LITERAL([PACKAGE_VERSION])
-m4trace:configure.ac:160: -1- m4_pattern_allow([^PACKAGE_VERSION$])
-m4trace:configure.ac:160: -1- AH_OUTPUT([PACKAGE_VERSION], [/* Package version */
+m4trace:configure.ac:172: -1- AC_DEFINE_TRACE_LITERAL([PACKAGE_VERSION])
+m4trace:configure.ac:172: -1- m4_pattern_allow([^PACKAGE_VERSION$])
+m4trace:configure.ac:172: -1- AH_OUTPUT([PACKAGE_VERSION], [/* Package version */
 @%:@undef PACKAGE_VERSION])
-m4trace:configure.ac:161: -1- AC_DEFINE_TRACE_LITERAL([SUP_IP6])
-m4trace:configure.ac:161: -1- m4_pattern_allow([^SUP_IP6$])
-m4trace:configure.ac:161: -1- AH_OUTPUT([SUP_IP6], [/* Use SUP_IP6 */
+m4trace:configure.ac:173: -1- AC_DEFINE_TRACE_LITERAL([SUP_IP6])
+m4trace:configure.ac:173: -1- m4_pattern_allow([^SUP_IP6$])
+m4trace:configure.ac:173: -1- AH_OUTPUT([SUP_IP6], [/* Use SUP_IP6 */
 @%:@undef SUP_IP6])
-m4trace:configure.ac:163: -1- AC_DEFINE_TRACE_LITERAL([HAVE_VISIBILITY])
-m4trace:configure.ac:163: -1- m4_pattern_allow([^HAVE_VISIBILITY$])
-m4trace:configure.ac:163: -1- AH_OUTPUT([HAVE_VISIBILITY], [/* Check if the compiler supports visibility */
+m4trace:configure.ac:175: -1- AC_DEFINE_TRACE_LITERAL([HAVE_VISIBILITY])
+m4trace:configure.ac:175: -1- m4_pattern_allow([^HAVE_VISIBILITY$])
+m4trace:configure.ac:175: -1- AH_OUTPUT([HAVE_VISIBILITY], [/* Check if the compiler supports visibility */
 @%:@undef HAVE_VISIBILITY])
-m4trace:configure.ac:164: -1- AC_DEFINE_TRACE_LITERAL([PREFIX])
-m4trace:configure.ac:164: -1- m4_pattern_allow([^PREFIX$])
-m4trace:configure.ac:164: -1- AH_OUTPUT([PREFIX], [/* Installation prefix */
+m4trace:configure.ac:176: -1- AC_DEFINE_TRACE_LITERAL([PREFIX])
+m4trace:configure.ac:176: -1- m4_pattern_allow([^PREFIX$])
+m4trace:configure.ac:176: -1- AH_OUTPUT([PREFIX], [/* Installation prefix */
 @%:@undef PREFIX])
-m4trace:configure.ac:166: -1- AC_CONFIG_FILES([Makefile])
-m4trace:configure.ac:167: -1- AC_SUBST([LIB@&t@OBJS], [$ac_libobjs])
-m4trace:configure.ac:167: -1- AC_SUBST_TRACE([LIB@&t@OBJS])
-m4trace:configure.ac:167: -1- m4_pattern_allow([^LIB@&t@OBJS$])
-m4trace:configure.ac:167: -1- AC_SUBST([LTLIBOBJS], [$ac_ltlibobjs])
-m4trace:configure.ac:167: -1- AC_SUBST_TRACE([LTLIBOBJS])
-m4trace:configure.ac:167: -1- m4_pattern_allow([^LTLIBOBJS$])
-m4trace:configure.ac:167: -1- AM_CONDITIONAL([am__EXEEXT], [test -n "$EXEEXT"])
-m4trace:configure.ac:167: -1- AC_SUBST([am__EXEEXT_TRUE])
-m4trace:configure.ac:167: -1- AC_SUBST_TRACE([am__EXEEXT_TRUE])
-m4trace:configure.ac:167: -1- m4_pattern_allow([^am__EXEEXT_TRUE$])
-m4trace:configure.ac:167: -1- AC_SUBST([am__EXEEXT_FALSE])
-m4trace:configure.ac:167: -1- AC_SUBST_TRACE([am__EXEEXT_FALSE])
-m4trace:configure.ac:167: -1- m4_pattern_allow([^am__EXEEXT_FALSE$])
-m4trace:configure.ac:167: -1- _AM_SUBST_NOTMAKE([am__EXEEXT_TRUE])
-m4trace:configure.ac:167: -1- _AM_SUBST_NOTMAKE([am__EXEEXT_FALSE])
-m4trace:configure.ac:167: -1- AC_SUBST_TRACE([top_builddir])
-m4trace:configure.ac:167: -1- AC_SUBST_TRACE([top_build_prefix])
-m4trace:configure.ac:167: -1- AC_SUBST_TRACE([srcdir])
-m4trace:configure.ac:167: -1- AC_SUBST_TRACE([abs_srcdir])
-m4trace:configure.ac:167: -1- AC_SUBST_TRACE([top_srcdir])
-m4trace:configure.ac:167: -1- AC_SUBST_TRACE([abs_top_srcdir])
-m4trace:configure.ac:167: -1- AC_SUBST_TRACE([builddir])
-m4trace:configure.ac:167: -1- AC_SUBST_TRACE([abs_builddir])
-m4trace:configure.ac:167: -1- AC_SUBST_TRACE([abs_top_builddir])
-m4trace:configure.ac:167: -1- AC_SUBST_TRACE([INSTALL])
-m4trace:configure.ac:167: -1- AC_SUBST_TRACE([MKDIR_P])
-m4trace:configure.ac:167: -1- AC_REQUIRE_AUX_FILE([ltmain.sh])
+m4trace:configure.ac:178: -1- AC_CONFIG_FILES([Makefile])
+m4trace:configure.ac:179: -1- AC_SUBST([LIB@&t@OBJS], [$ac_libobjs])
+m4trace:configure.ac:179: -1- AC_SUBST_TRACE([LIB@&t@OBJS])
+m4trace:configure.ac:179: -1- m4_pattern_allow([^LIB@&t@OBJS$])
+m4trace:configure.ac:179: -1- AC_SUBST([LTLIBOBJS], [$ac_ltlibobjs])
+m4trace:configure.ac:179: -1- AC_SUBST_TRACE([LTLIBOBJS])
+m4trace:configure.ac:179: -1- m4_pattern_allow([^LTLIBOBJS$])
+m4trace:configure.ac:179: -1- AM_CONDITIONAL([am__EXEEXT], [test -n "$EXEEXT"])
+m4trace:configure.ac:179: -1- AC_SUBST([am__EXEEXT_TRUE])
+m4trace:configure.ac:179: -1- AC_SUBST_TRACE([am__EXEEXT_TRUE])
+m4trace:configure.ac:179: -1- m4_pattern_allow([^am__EXEEXT_TRUE$])
+m4trace:configure.ac:179: -1- AC_SUBST([am__EXEEXT_FALSE])
+m4trace:configure.ac:179: -1- AC_SUBST_TRACE([am__EXEEXT_FALSE])
+m4trace:configure.ac:179: -1- m4_pattern_allow([^am__EXEEXT_FALSE$])
+m4trace:configure.ac:179: -1- _AM_SUBST_NOTMAKE([am__EXEEXT_TRUE])
+m4trace:configure.ac:179: -1- _AM_SUBST_NOTMAKE([am__EXEEXT_FALSE])
+m4trace:configure.ac:179: -1- AC_SUBST_TRACE([top_builddir])
+m4trace:configure.ac:179: -1- AC_SUBST_TRACE([top_build_prefix])
+m4trace:configure.ac:179: -1- AC_SUBST_TRACE([srcdir])
+m4trace:configure.ac:179: -1- AC_SUBST_TRACE([abs_srcdir])
+m4trace:configure.ac:179: -1- AC_SUBST_TRACE([top_srcdir])
+m4trace:configure.ac:179: -1- AC_SUBST_TRACE([abs_top_srcdir])
+m4trace:configure.ac:179: -1- AC_SUBST_TRACE([builddir])
+m4trace:configure.ac:179: -1- AC_SUBST_TRACE([abs_builddir])
+m4trace:configure.ac:179: -1- AC_SUBST_TRACE([abs_top_builddir])
+m4trace:configure.ac:179: -1- AC_SUBST_TRACE([INSTALL])
+m4trace:configure.ac:179: -1- AC_SUBST_TRACE([MKDIR_P])
+m4trace:configure.ac:179: -1- AC_REQUIRE_AUX_FILE([ltmain.sh])
diff --git a/config.h.in b/config.h.in
index eb0217f..9f5e748 100644
--- a/config.h.in
+++ b/config.h.in
@@ -17,12 +17,6 @@
 /* Define to 1 if using `alloca.c'. */
 #undef C_ALLOCA
 
-/* Define if you want to enable database support */
-#undef ENABLE_DB
-
-/* Define if you want to use MySQL */
-#undef ENABLE_MYSQL
-
 /* Define if FreeBSD */
 #undef FREEBSD
 
@@ -36,6 +30,9 @@
    */
 #undef HAVE_ALLOCA_H
 
+/* Define to 1 if the system has the type `boolean'. */
+#undef HAVE_BOOLEAN
+
 /* Define to 1 if you have the <dlfcn.h> header file. */
 #undef HAVE_DLFCN_H
 
@@ -54,6 +51,15 @@
 /* Define to 1 if you have the <inttypes.h> header file. */
 #undef HAVE_INTTYPES_H
 
+/* Define to 1 if you have the `gvc' library (-lgvc). */
+#undef HAVE_LIBGVC
+
+/* Define to 1 if you have the `m' library (-lm). */
+#undef HAVE_LIBM
+
+/* Define to 1 if you have the `mysqlclient' library (-lmysqlclient). */
+#undef HAVE_LIBMYSQLCLIENT
+
 /* Define to 1 if you have the `pthread' library (-lpthread). */
 #undef HAVE_LIBPTHREAD
 
@@ -67,6 +73,9 @@
    to 0 otherwise. */
 #undef HAVE_MALLOC
 
+/* Define to 1 if you have the <math.h> header file. */
+#undef HAVE_MATH_H
+
 /* Define to 1 if you have the `memmove' function. */
 #undef HAVE_MEMMOVE
 
diff --git a/configure b/configure
index f55037b..414474d 100755
--- a/configure
+++ b/configure
@@ -751,9 +751,9 @@ am__EXEEXT_TRUE
 LTLIBOBJS
 LIBOBJS
 ALLOCA
+LIBGRAPH_INCLUDES
 LIBXML2_INCLUDES
 CORR_RULES_PREFIX
-MYSQL
 extra_incl
 CPP
 OTOOL64
@@ -871,6 +871,7 @@ enable_dependency_tracking
 with_gnu_ld
 enable_libtool_lock
 with_mysql
+with_graphviz
 '
       ac_precious_vars='build_alias
 host_alias
@@ -1517,6 +1518,8 @@ Optional Packages:
                           both]
   --with-gnu-ld           assume the C compiler uses GNU ld [default=no]
   --with-mysql            Enable support for MySQL alert logs [default=no]
+  --without-graphviz      Disable Graphviz support for rendering correlated
+                          alerts as a PNG graph [default=yes]
 
 Some influential environment variables:
   CC          C compiler command
@@ -4582,13 +4585,13 @@ if test "${lt_cv_nm_interface+set}" = set; then :
 else
   lt_cv_nm_interface="BSD nm"
   echo "int some_variable = 0;" > conftest.$ac_ext
-  (eval echo "\"\$as_me:4585: $ac_compile\"" >&5)
+  (eval echo "\"\$as_me:4588: $ac_compile\"" >&5)
   (eval "$ac_compile" 2>conftest.err)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:4588: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+  (eval echo "\"\$as_me:4591: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
   (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:4591: output\"" >&5)
+  (eval echo "\"\$as_me:4594: output\"" >&5)
   cat conftest.out >&5
   if $GREP 'External.*some_variable' conftest.out > /dev/null; then
     lt_cv_nm_interface="MS dumpbin"
@@ -5794,7 +5797,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 5797 "configure"' > conftest.$ac_ext
+  echo '#line 5800 "configure"' > conftest.$ac_ext
   if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -7319,11 +7322,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7322: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:7325: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:7326: \$? = $ac_status" >&5
+   echo "$as_me:7329: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -7658,11 +7661,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7661: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:7664: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:7665: \$? = $ac_status" >&5
+   echo "$as_me:7668: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -7763,11 +7766,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7766: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:7769: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:7770: \$? = $ac_status" >&5
+   echo "$as_me:7773: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -7818,11 +7821,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7821: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:7824: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:7825: \$? = $ac_status" >&5
+   echo "$as_me:7828: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -10202,7 +10205,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 10205 "configure"
+#line 10208 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -10298,7 +10301,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 10301 "configure"
+#line 10304 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -11369,6 +11372,15 @@ else
 fi
 
 
+
+# Check whether --with-graphviz was given.
+if test "${with_graphviz+set}" = set; then :
+  withval=$with_graphviz;
+else
+  with_graphviz=yes
+fi
+
+
 # Checks for libraries.
 if test "x$with_mysql" != xno; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for mysql_query in -lmysqlclient" >&5
@@ -11377,7 +11389,7 @@ if test "${ac_cv_lib_mysqlclient_mysql_query+set}" = set; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
-LIBS="-lmysqlclient -lmysqlclient $LIBS"
+LIBS="-lmysqlclient  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
@@ -11408,22 +11420,70 @@ fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_mysqlclient_mysql_query" >&5
 $as_echo "$ac_cv_lib_mysqlclient_mysql_query" >&6; }
 if test "x$ac_cv_lib_mysqlclient_mysql_query" = x""yes; then :
-  MYSQL="-lmysqlclient"
-
-
-$as_echo "#define ENABLE_MYSQL 1" >>confdefs.h
-
-
-$as_echo "#define ENABLE_DB 1" >>confdefs.h
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBMYSQLCLIENT 1
+_ACEOF
 
+  LIBS="-lmysqlclient $LIBS"
 
 else
-  if test "x$with_mysql" != xno; then
-		{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error $? "--with-mysql option used, but libmysqlclient was not found
+as_fn_error $? "--with-mysql option used, but libmysqlclient was not found - do not use --with-mysql, or, on a Debian-based system, install libmysqlclient-dev
+See \`config.log' for more details" "$LINENO" 5 ; }
+fi
+
+fi
+
+if test "x$with_graphviz" != xno; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for agread in -lgvc" >&5
+$as_echo_n "checking for agread in -lgvc... " >&6; }
+if test "${ac_cv_lib_gvc_agread+set}" = set; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lgvc  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char agread ();
+int
+main ()
+{
+return agread ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_gvc_agread=yes
+else
+  ac_cv_lib_gvc_agread=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gvc_agread" >&5
+$as_echo "$ac_cv_lib_gvc_agread" >&6; }
+if test "x$ac_cv_lib_gvc_agread" = x""yes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBGVC 1
+_ACEOF
+
+  LIBS="-lgvc $LIBS"
+
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "libgraphviz support required but the library was not found - use --without-graphviz if you do not want to enable the support for it, or, on a Debian-based system, install libgraphviz-dev
 See \`config.log' for more details" "$LINENO" 5 ; }
-	fi
 fi
 
 fi
@@ -11471,6 +11531,11 @@ _ACEOF
 
   LIBS="-lxml2 $LIBS"
 
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "libxml2 not found on the system
+See \`config.log' for more details" "$LINENO" 5 ; }
 fi
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lpthread" >&5
@@ -11516,6 +11581,61 @@ _ACEOF
 
   LIBS="-lpthread $LIBS"
 
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "libpthread not found on the system
+See \`config.log' for more details" "$LINENO" 5 ; }
+fi
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for sqrt in -lm" >&5
+$as_echo_n "checking for sqrt in -lm... " >&6; }
+if test "${ac_cv_lib_m_sqrt+set}" = set; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lm  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char sqrt ();
+int
+main ()
+{
+return sqrt ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_m_sqrt=yes
+else
+  ac_cv_lib_m_sqrt=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_m_sqrt" >&5
+$as_echo "$ac_cv_lib_m_sqrt" >&6; }
+if test "x$ac_cv_lib_m_sqrt" = x""yes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBM 1
+_ACEOF
+
+  LIBS="-lm $LIBS"
+
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "libm not found on the system
+See \`config.log' for more details" "$LINENO" 5 ; }
 fi
 
 
@@ -11539,6 +11659,24 @@ as_fn_error $? "libxml2 not found, okr pkg-config not working
 See \`config.log' for more details" "$LINENO" 5 ; }
 fi
 
+if test "x$with_graphviz" != xno; then :
+  if test ! -z "`pkg-config --cflags libgraph 2> /dev/null`"; then :
+  LIBGRAPH_INCLUDES="$(pkg-config --cflags libgraph 2> /dev/null)"
+
+else
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "libgraphviz support enabled, but the library was not found or pkg-config is not working
+See \`config.log' for more details" "$LINENO" 5 ; }
+fi
+fi
+
+if test "x$with_graphviz" != xno; then :
+
+$as_echo "#define HAVE_BOOLEAN 1" >>confdefs.h
+
+fi
+
 # The Ultrix 4.2 mips builtin alloca declared by alloca.h only works
 # for constant arguments.  Useless!
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for working alloca.h" >&5
@@ -11728,7 +11866,7 @@ _ACEOF
 
 fi
 
-for ac_header in inttypes.h limits.h stddef.h stdlib.h string.h unistd.h wchar.h
+for ac_header in inttypes.h limits.h stddef.h stdlib.h string.h unistd.h wchar.h math.h
 do :
   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
 ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
@@ -11853,6 +11991,15 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 
+fi
+ac_fn_c_check_type "$LINENO" "boolean" "ac_cv_type_boolean" "$ac_includes_default"
+if test "x$ac_cv_type_boolean" = x""yes; then :
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_BOOLEAN 1
+_ACEOF
+
+
 fi
 
 
diff --git a/configure.ac b/configure.ac
index 1b97ca3..b4b666a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -105,20 +105,24 @@ AC_ARG_WITH(mysql,
 	[with_mysql=yes],
 	[with_mysql=no])
 
+AC_ARG_WITH(graphviz,
+	AS_HELP_STRING([--without-graphviz],
+		[Disable Graphviz support for rendering correlated alerts as a PNG graph @<:@default=yes@:>@]),
+	[],
+	[with_graphviz=yes])
+
 # Checks for libraries.
 AS_IF([test "x$with_mysql" != xno],
-	[AC_CHECK_LIB([mysqlclient], [mysql_query],
-		[AC_SUBST([MYSQL], ["-lmysqlclient"])
-		AC_DEFINE(ENABLE_MYSQL, 1, [Define if you want to use MySQL])
-		AC_DEFINE(ENABLE_DB, 1, [Define if you want to enable database support])
-	],
-	[if test "x$with_mysql" != xno; then
-		AC_MSG_FAILURE([--with-mysql option used, but libmysqlclient was not found])
-	fi],
-	-lmysqlclient)])
+	[AC_CHECK_LIB([mysqlclient], [mysql_query],,
+		[AC_MSG_FAILURE([--with-mysql option used, but libmysqlclient was not found - do not use --with-mysql, or, on a Debian-based system, install libmysqlclient-dev])])])
 
-AC_CHECK_LIB([xml2], [xmlReaderForFile])
-AC_CHECK_LIB([pthread], [pthread_create])
+AS_IF([test "x$with_graphviz" != xno],
+	[AC_CHECK_LIB([gvc], [agread],,
+	[AC_MSG_FAILURE([libgraphviz support required but the library was not found - use --without-graphviz if you do not want to enable the support for it, or, on a Debian-based system, install libgraphviz-dev])])])
+
+AC_CHECK_LIB([xml2], [xmlReaderForFile],, AC_MSG_FAILURE(libxml2 not found on the system))
+AC_CHECK_LIB([pthread], [pthread_create],, AC_MSG_FAILURE(libpthread not found on the system))
+AC_CHECK_LIB([m], [sqrt],, AC_MSG_FAILURE(libm not found on the system))
 
 AS_IF([test "x$prefix" == x/usr],
 	[AC_SUBST([CORR_RULES_PREFIX], ["/etc/snort/corr_rules"])],
@@ -130,12 +134,20 @@ AS_IF([test ! -z "`pkg-config --cflags libxml-2.0 2> /dev/null`"],
 	[AC_SUBST([LIBXML2_INCLUDES], ["$(pkg-config --cflags libxml-2.0 2> /dev/null)"])],
 	[AC_MSG_FAILURE([libxml2 not found, okr pkg-config not working])])
 
+AS_IF([test "x$with_graphviz" != xno],
+	[AS_IF([test ! -z "`pkg-config --cflags libgraph 2> /dev/null`"],
+		[AC_SUBST([LIBGRAPH_INCLUDES], ["$(pkg-config --cflags libgraph 2> /dev/null)"])],
+		[AC_MSG_FAILURE([libgraphviz support enabled, but the library was not found or pkg-config is not working])])])
+
+AS_IF([test "x$with_graphviz" != xno],
+	[AC_DEFINE([HAVE_BOOLEAN], [1], [Check if the boolean type is defined])])
+
 AC_FUNC_ALLOCA
-AC_CHECK_HEADERS([inttypes.h limits.h stddef.h stdlib.h string.h unistd.h wchar.h],,AC_MSG_ERROR(At least one of the required headers was not found))
+AC_CHECK_HEADERS([inttypes.h limits.h stddef.h stdlib.h string.h unistd.h wchar.h math.h],,AC_MSG_ERROR(At least one of the required headers was not found))
 
 # Check for int types
 AC_CHECK_TYPES([u_int8_t,u_int16_t,u_int32_t,u_int64_t,uint8_t,uint16_t,uint32_t,uint64_t])
-AC_CHECK_TYPES([int8_t,int16_t,int32_t,int64_t])
+AC_CHECK_TYPES([int8_t,int16_t,int32_t,int64_t,boolean])
 
 # Checks for typedefs, structures, and compiler characteristics.
 AC_HEADER_STDBOOL
diff --git a/corr_rules/1-1394-12.xml b/corr_rules/1-1394-12.xml
new file mode 100644
index 0000000..77cca0f
--- /dev/null
+++ b/corr_rules/1-1394-12.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE hyperalert PUBLIC "-//blacklighth//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
+
+<hyperalert>
+	<snort-id>1.1394.12</snort-id>
+	<desc>Shellcode x86 inc ecx noop</desc>
+
+	<pre>HostExists(+DST_ADDR+)</pre>
+	<pre>HasService(+DST_ADDR+, +DST_PORT+)</pre>
+
+	<post>HasLocalAccess(+SRC_ADDR+, +DST_ADDR+)</post>
+</hyperalert>
+
diff --git a/corr_rules/1-469-4.xml b/corr_rules/1-469-4.xml
index a50f5eb..3d56a42 100644
--- a/corr_rules/1-469-4.xml
+++ b/corr_rules/1-469-4.xml
@@ -1,8 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE hyperalert PUBLIC "-//blacklighth//DTD HYPERALERT SNORT MODEL//EN" "http://devio.us/~blacklight/hyperalert.dtd">
+<!DOCTYPE hyperalert PUBLIC "-//blacklighth//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
 
 <hyperalert>
 	<snort-id>1.469.4</snort-id>
+	<desc>ICMP PING NMAP</desc>
 	<post>HostExists(+DST_ADDR+)</post>
 </hyperalert>
 
diff --git a/corr_rules/122-1-0.xml b/corr_rules/122-1-0.xml
index 3af5755..a7ba04e 100644
--- a/corr_rules/122-1-0.xml
+++ b/corr_rules/122-1-0.xml
@@ -1,9 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE hyperalert PUBLIC "-//blacklighth//DTD HYPERALERT SNORT MODEL//EN" "http://devio.us/~blacklight/hyperalert.dtd">
+<!DOCTYPE hyperalert PUBLIC "-//blacklighth//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
 
 <hyperalert>
 	<snort-id>122.1.0</snort-id>
+	<desc>(portscan) TCP Portscan</desc>
+
 	<pre>HostExists(+DST_ADDR+)</pre>
-	<post>HasVulnService(+DST_ADDR+, +ANY_PORT+)</post>
+	<post>HasService(+DST_ADDR+, +ANY_PORT+)</post>
 </hyperalert>
 
diff --git a/correlation.c b/correlation.c
index be3b037..a1fbaf2 100644
--- a/correlation.c
+++ b/correlation.c
@@ -19,34 +19,51 @@
 
 #include	"spp_ai.h"
 
+#include	<stdio.h>
+#include	<stdlib.h>
+#include	<string.h>
 #include	<unistd.h>
+#include	<time.h>
+#include	<math.h>
+#include	<alloca.h>
 #include	<sys/stat.h>
 #include 	<pthread.h>
 #include	<libxml/xmlreader.h>
 
+#ifdef 	HAVE_LIBGVC
+	#include	<gvc.h>
+#endif
+
 /** \defgroup correlation Module for the correlation of hyperalerts
  * @{ */
 
 #ifndef 	LIBXML_READER_ENABLED
-#error 	"libxml reader not enabled\n"
+#error 	"libxml2 reader not enabled\n"
 #endif
 
 /** Enumeration for the types of XML tags */
 enum  { inHyperAlert, inSnortIdTag, inPreTag, inPostTag, TAG_NUM };
 
-/** Struct representing the correlation between all the couples of alerts */
+/** Key for the correlation hash table */
 typedef struct  {
 	/** First alert */
 	AI_snort_alert *a;
 
 	/** Second alert */
 	AI_snort_alert *b;
+} AI_alert_correlation_key;
+
+
+/** Struct representing the correlation between all the couples of alerts */
+typedef struct  {
+	/** Hash key */
+	AI_alert_correlation_key  key;
 
 	/** Correlation coefficient */
-	double         correlation;
+	double                    correlation;
 
 	/** Make the struct 'hashable' */
-	UT_hash_handle hh;
+	UT_hash_handle            hh;
 } AI_alert_correlation;
 
 PRIVATE AI_hyperalert_info   *hyperalerts       = NULL;
@@ -55,6 +72,195 @@ PRIVATE AI_snort_alert       *alerts            = NULL;
 PRIVATE AI_alert_correlation *correlation_table = NULL;
 PRIVATE BOOL                 lock_flag          = false;
 
+/**
+ * \brief  Clean up the correlation hash table
+ */
+PRIVATE void
+_AI_correlation_table_cleanup ()
+{
+	AI_alert_correlation *current;
+
+	while ( correlation_table )
+	{
+		current = correlation_table;
+		HASH_DEL ( correlation_table, current );
+		free ( current );
+	}
+}		/* -----  end of function _AI_correlation_table_cleanup  ----- */
+
+/**
+ * \brief  Recursively write a flow of correlated alerts to a .dot file, ready for being rendered as graph
+ * \param  corr_alerts 	Correlated alerts
+ * \param  fp            File pointer
+ */
+PRIVATE void
+_AI_print_correlated_alerts ( AI_alert_correlation *corr, FILE *fp )
+{
+	char  src_addr1[INET_ADDRSTRLEN],
+		 dst_addr1[INET_ADDRSTRLEN],
+		 src_addr2[INET_ADDRSTRLEN],
+		 dst_addr2[INET_ADDRSTRLEN],
+		 src_port1[10],
+		 dst_port1[10],
+		 src_port2[10],
+		 dst_port2[10],
+		 timestamp1[40],
+		 timestamp2[40];
+
+	struct tm *t1, *t2;
+
+	if ( !corr )
+		return;
+
+	inet_ntop ( AF_INET, &(corr->key.a->ip_src_addr), src_addr1, INET_ADDRSTRLEN );
+	inet_ntop ( AF_INET, &(corr->key.a->ip_dst_addr), dst_addr1, INET_ADDRSTRLEN );
+
+	snprintf ( src_port1, sizeof ( src_port1 ), "%d", ntohs ( corr->key.a->tcp_src_port ));
+	snprintf ( dst_port1, sizeof ( dst_port1 ), "%d", ntohs ( corr->key.a->tcp_dst_port ));
+
+	t1 = localtime ( &(corr->key.a->timestamp ));
+	strftime ( timestamp1, sizeof ( timestamp1 ), "%a %b %d %Y, %H:%M:%S", t1 );
+
+	inet_ntop ( AF_INET, &(corr->key.b->ip_src_addr), src_addr2, INET_ADDRSTRLEN );
+	inet_ntop ( AF_INET, &(corr->key.b->ip_dst_addr), dst_addr2, INET_ADDRSTRLEN );
+
+	snprintf ( src_port2, sizeof ( src_port2 ), "%d", ntohs ( corr->key.b->tcp_src_port ));
+	snprintf ( dst_port2, sizeof ( dst_port2 ), "%d", ntohs ( corr->key.b->tcp_dst_port ));
+
+	t2 = localtime ( &(corr->key.b->timestamp ));
+	strftime ( timestamp2, sizeof ( timestamp2 ), "%a %b %d %Y, %H:%M:%S", t2 );
+
+	fprintf ( fp,
+		"\t\"[%d.%d.%d] %s\\n"
+		"%s%s%s:%s%s%s -> %s%s%s:%s%s%s\\n"
+		"%s\\n"
+		"(%d alerts grouped)\" -> "
+
+		"\"[%d.%d.%d] %s\\n"
+		"%s%s%s:%s%s%s -> %s%s%s:%s%s%s\\n"
+		"%s\\n"
+		"(%d alerts grouped)\";\n",
+
+		corr->key.a->gid, corr->key.a->sid, corr->key.a->rev, corr->key.a->desc,
+
+		( corr->key.a->h_node[src_addr] ) ? "[" : "",
+		( corr->key.a->h_node[src_addr] ) ? corr->key.a->h_node[src_addr]->label : src_addr1,
+		( corr->key.a->h_node[src_addr] ) ? "]" : "",
+
+		( corr->key.a->h_node[src_port] ) ? "[" : "",
+		( corr->key.a->h_node[src_port] ) ? corr->key.a->h_node[src_port]->label : src_port1,
+		( corr->key.a->h_node[src_port] ) ? "]" : "",
+
+		( corr->key.a->h_node[dst_addr] ) ? "[" : "",
+		( corr->key.a->h_node[dst_addr] ) ? corr->key.a->h_node[dst_addr]->label : dst_addr1,
+		( corr->key.a->h_node[dst_addr] ) ? "]" : "",
+
+		( corr->key.a->h_node[dst_port] ) ? "[" : "",
+		( corr->key.a->h_node[dst_port] ) ? corr->key.a->h_node[dst_port]->label : dst_port1,
+		( corr->key.a->h_node[dst_port] ) ? "]" : "",
+
+		timestamp1,
+		corr->key.a->grouped_alarms_count,
+
+
+		corr->key.b->gid, corr->key.b->sid, corr->key.b->rev, corr->key.b->desc,
+
+		( corr->key.b->h_node[src_addr] ) ? "[" : "",
+		( corr->key.b->h_node[src_addr] ) ? corr->key.b->h_node[src_addr]->label : src_addr2,
+		( corr->key.b->h_node[src_addr] ) ? "]" : "",
+
+		( corr->key.b->h_node[src_port] ) ? "[" : "",
+		( corr->key.b->h_node[src_port] ) ? corr->key.b->h_node[src_port]->label : src_port2,
+		( corr->key.b->h_node[src_port] ) ? "]" : "",
+
+		( corr->key.b->h_node[dst_addr] ) ? "[" : "",
+		( corr->key.b->h_node[dst_addr] ) ? corr->key.b->h_node[dst_addr]->label : dst_addr2,
+		( corr->key.b->h_node[dst_addr] ) ? "]" : "",
+
+		( corr->key.b->h_node[dst_port] ) ? "[" : "",
+		( corr->key.b->h_node[dst_port] ) ? corr->key.b->h_node[dst_port]->label : dst_port2,
+		( corr->key.b->h_node[dst_port] ) ? "]" : "",
+
+		timestamp2,
+		corr->key.b->grouped_alarms_count
+	);
+}		/* -----  end of function _AI_correlation_flow_to_file  ----- */
+
+
+/**
+ * \brief  Get the name of the function called by a pre-condition or post-condition predicate
+ * \param  orig_stmt 	Statement representing a pre-condition or post-condition
+ * \return The name of the function called by that statement
+ */
+PRIVATE char*
+_AI_get_function_name ( const char *orig_stmt )
+{
+	int parenthesis_pos, function_name_len;
+	char function_name[4096];
+	char *stmt = NULL;
+
+	if ( !( stmt = (char*) alloca ( strlen ( orig_stmt ))))
+		return NULL;
+	strcpy ( stmt, orig_stmt );
+
+	memset ( function_name, 0, sizeof ( function_name ));
+
+	if ( !( parenthesis_pos = (int) strstr ( stmt, "(" )))
+		return NULL;
+
+	parenthesis_pos -= (int) stmt;
+	function_name_len = ( parenthesis_pos < sizeof ( function_name )) ? parenthesis_pos : sizeof ( function_name );
+	strncpy ( function_name, stmt, function_name_len );
+
+	return strdup(function_name);
+}		/* -----  end of function _AI_get_function_name  ----- */
+
+
+/**
+ * FUNCTION: _AI_get_function_arguments
+ * \brief  Get the arguments passed to a function predicate in a pre-condition or post-condition (comma-separated values)
+ * \param  origstmt 	Statement representing a pre-condition or post-condition
+ * \param  n_args 		Reference to an integer that will contain the number of arguments read
+ * \return An array of strings containing the arguments of the function
+ */
+PRIVATE char**
+_AI_get_function_arguments ( char *orig_stmt, int *n_args )
+{
+	char **args  = NULL;
+	char *tok    = NULL;
+	char *stmt   = NULL;
+	int  par_pos = 0;
+	     *n_args = 0;
+
+	if ( !( stmt = (char*) alloca ( strlen ( orig_stmt ))))
+		return NULL;
+	strcpy ( stmt, orig_stmt );
+
+	if ( !( par_pos = (int) strstr ( stmt, "(" )))
+		return NULL;
+	
+	par_pos -= (int) stmt;
+	stmt += par_pos + 1;
+
+	if ( stmt [ strlen(stmt) - 1 ] == ')' )
+		stmt[ strlen(stmt) - 1 ] = 0;
+
+	tok = (char*) strtok ( stmt, "," );
+
+	while ( tok )  {
+		if ( !( args = (char**) realloc ( args, (++(*n_args)) * sizeof ( char* ))))
+			_dpd.fatalMsg ( "AIPreproc: Fatal memory allocation error at %s:%d\n", __FILE__, __LINE__ );
+
+		args [ (*n_args) - 1 ] = strdup ( tok );
+		tok = (char*) strtok ( NULL, " " );
+	}
+
+	if ( !(*n_args) )
+		return NULL;
+
+	return args;
+}		/* -----  end of function _AI_get_function_arguments  ----- */
+
 /**
  * \brief  Compute the correlation coefficient between two alerts, as #INTERSECTION(pre(B), post(A) / #UNION(pre(B), post(A))
  * \param  a 	Alert a
@@ -62,13 +268,23 @@ PRIVATE BOOL                 lock_flag          = false;
  * \return The correlation coefficient between A and B as coefficient in [0,1]
  */
 
-double
+PRIVATE double
 _AI_correlation_coefficient ( AI_snort_alert *a, AI_snort_alert *b )
 {
-	unsigned int i, j,
+	unsigned int i, j, k,
 			   n_intersection = 0,
 			   n_union = 0;
 
+	char         **args1 = NULL,
+			   **args2 = NULL,
+			   *function_name1 = NULL,
+			   *function_name2 = NULL,
+			   new_stmt1[4096] = {0},
+			   new_stmt2[4096] = {0};
+
+	int          n_args1 = 0,
+			   n_args2 = 0;
+
 	if ( !a->hyperalert || !b->hyperalert )
 		return 0.0;
 
@@ -84,6 +300,100 @@ _AI_correlation_coefficient ( AI_snort_alert *a, AI_snort_alert *b )
 			if ( !strcasecmp ( a->hyperalert->postconds[i], b->hyperalert->preconds[j] ))
 			{
 				n_intersection += 2;
+			} else {
+				/* Check if the predicates are the same, have the same number of arguments, and
+				 * substitute possible occurrencies of +ANY_ADDR+ and +ANY_PORT+ */
+				function_name1 = _AI_get_function_name ( a->hyperalert->postconds[i] );
+				function_name2 = _AI_get_function_name ( b->hyperalert->preconds[j] );
+
+				if ( !strcasecmp ( function_name1, function_name2 ))
+				{
+					args1 = _AI_get_function_arguments ( a->hyperalert->postconds[i], &n_args1 );
+					args2 = _AI_get_function_arguments ( b->hyperalert->preconds[j] , &n_args2 );
+
+					if ( args1 && args2 )
+					{
+						if ( n_args1 == n_args2 )
+						{
+							memset ( new_stmt1, 0, sizeof ( new_stmt1 ));
+							memset ( new_stmt2, 0, sizeof ( new_stmt2 ));
+
+							for ( k=0; k < n_args1; k++ )
+							{
+								if ( !strcasecmp ( args1[k], "+ANY_ADDR+" ) || !strcasecmp ( args1[k], "+ANY_PORT+" ))
+								{
+									free ( args1[k] );
+									args1[k] = args2[k];
+								}
+
+								if ( !strcasecmp ( args2[k], "+ANY_ADDR+" ) || !strcasecmp ( args2[k], "+ANY_PORT+" ))
+								{
+									free ( args2[k] );
+									args2[k] = args1[k];
+								}
+							}
+
+							snprintf ( new_stmt1, sizeof ( new_stmt1 ), "%s(", function_name1 );
+							snprintf ( new_stmt2, sizeof ( new_stmt2 ), "%s(", function_name2 );
+
+							for ( k=0; k < n_args1; k++ )
+							{
+								if ( strlen ( new_stmt1 ) + strlen ( args1[k] ) + 1 < sizeof ( new_stmt1 ))
+									sprintf ( new_stmt1, "%s%s%s", new_stmt1, args1[k], ( k < n_args1 - 1 ) ? "," : ")" );
+								
+								if ( strlen ( new_stmt2 ) + strlen ( args2[k] ) + 1 < sizeof ( new_stmt2 ))
+									sprintf ( new_stmt2, "%s%s%s", new_stmt2, args2[k], ( k < n_args2 - 1 ) ? "," : ")" );
+							}
+
+							if ( !strcmp ( new_stmt1, new_stmt2 ))
+							{
+								n_intersection += 2;
+							}
+						}
+
+						for ( k=0; k < n_args1; k++ )
+						{
+							if ( args1[k] )
+							{
+								free ( args1[k] );
+								args1[k] = NULL;
+							}
+						}
+
+						if ( args1 )
+						{
+							free ( args1 );
+							args1 = NULL;
+						}
+
+						for ( k=0; k < n_args2; k++ )
+						{
+							if ( args2[k] )
+							{
+								/* free ( args2[k] ); */
+								args2[k] = NULL;
+							}
+						}
+
+						if ( args2 )
+						{
+							free ( args2 );
+							args2 = NULL;
+						}
+					}
+				}
+
+				if ( function_name1 )
+				{
+					free ( function_name1 );
+					function_name1 = NULL;
+				}
+
+				if ( function_name2 )
+				{
+					free ( function_name2 );
+					function_name2 = NULL;
+				}
 			}
 		}
 	}
@@ -91,12 +401,13 @@ _AI_correlation_coefficient ( AI_snort_alert *a, AI_snort_alert *b )
 	return (double) ((double) n_intersection / (double) n_union );
 }		/* -----  end of function _AI_correlation_coefficient  ----- */
 
+
 /**
  * \brief  Substitute the macros in hyperalert pre-conditions and post-conditions with their associated values
  * \param  alert 	Reference to the hyperalert to work on
  */
 
-void
+PRIVATE void
 _AI_macro_subst ( AI_snort_alert **alert )
 {
 	/*
@@ -130,12 +441,6 @@ _AI_macro_subst ( AI_snort_alert **alert )
 			free ( tmp );
 		}
 		
-		if ( strstr ( (*alert)->hyperalert->preconds[i], "+ANY_ADDR+" )) {
-			tmp = (*alert)->hyperalert->preconds[i];
-			(*alert)->hyperalert->preconds[i] = str_replace ( (*alert)->hyperalert->preconds[i], "+ANY_ADDR+", "0.0.0.0" );
-			free ( tmp );
-		}
-		
 		if ( strstr ( (*alert)->hyperalert->preconds[i], "+SRC_PORT+" )) {
 			snprintf ( src_port, sizeof ( src_port ), "%d", ntohs ((*alert)->tcp_src_port) );
 			tmp = (*alert)->hyperalert->preconds[i];
@@ -149,12 +454,6 @@ _AI_macro_subst ( AI_snort_alert **alert )
 			(*alert)->hyperalert->preconds[i] = str_replace ( (*alert)->hyperalert->preconds[i], "+DST_PORT+", dst_port );
 			free ( tmp );
 		}
-		
-		if ( strstr ( (*alert)->hyperalert->preconds[i], "+ANY_PORT+" )) {
-			tmp = (*alert)->hyperalert->preconds[i];
-			(*alert)->hyperalert->preconds[i] = str_replace ( (*alert)->hyperalert->preconds[i], "+ANY_PORT+", "0" );
-			free ( tmp );
-		}
 	}
 
 	for ( i=0; i < (*alert)->hyperalert->n_postconds; i++ )
@@ -178,11 +477,11 @@ _AI_macro_subst ( AI_snort_alert **alert )
 			free ( tmp );
 		}
 		
-		if ( strstr ( (*alert)->hyperalert->postconds[i], "+ANY_ADDR+" )) {
-			tmp = (*alert)->hyperalert->postconds[i];
-			(*alert)->hyperalert->postconds[i] = str_replace ( (*alert)->hyperalert->postconds[i], "+ANY_ADDR+", "0.0.0.0" );
-			free ( tmp );
-		}
+		/* if ( strstr ( (*alert)->hyperalert->postconds[i], "+ANY_ADDR+" )) { */
+		/* 	tmp = (*alert)->hyperalert->postconds[i]; */
+		/* 	(*alert)->hyperalert->postconds[i] = str_replace ( (*alert)->hyperalert->postconds[i], "+ANY_ADDR+", "0.0.0.0" ); */
+		/* 	free ( tmp ); */
+		/* } */
 		
 		if ( strstr ( (*alert)->hyperalert->postconds[i], "+SRC_PORT+" )) {
 			snprintf ( src_port, sizeof ( src_port ), "%d", ntohs ((*alert)->tcp_src_port) );
@@ -198,11 +497,11 @@ _AI_macro_subst ( AI_snort_alert **alert )
 			free ( tmp );
 		}
 		
-		if ( strstr ( (*alert)->hyperalert->postconds[i], "+ANY_PORT+" )) {
-			tmp = (*alert)->hyperalert->postconds[i];
-			(*alert)->hyperalert->postconds[i] = str_replace ( (*alert)->hyperalert->postconds[i], "+ANY_PORT+", "0" );
-			free ( tmp );
-		}
+		/* if ( strstr ( (*alert)->hyperalert->postconds[i], "+ANY_PORT+" )) { */
+		/* 	tmp = (*alert)->hyperalert->postconds[i]; */
+		/* 	(*alert)->hyperalert->postconds[i] = str_replace ( (*alert)->hyperalert->postconds[i], "+ANY_PORT+", "0" ); */
+		/* 	free ( tmp ); */
+		/* } */
 	}
 }		/* -----  end of function _AI_macro_subst  ----- */
 
@@ -277,7 +576,8 @@ _AI_hyperalert_from_XML ( AI_hyperalert_key key )
 					_dpd.fatalMsg ( "AIPreproc: Error in XML file '%s': 'post' tag open outside of 'hyperalert' tag\n", hyperalert_file );
 				else
 					xmlFlags[inPostTag] = true;
-			} else {
+			} else if ( !strcasecmp ((const char*) tagname, "desc" )) {}
+			  else {
 				_dpd.fatalMsg ( "AIPreproc: Unrecognized tag '%s' in XML file '%s'\n", tagname, hyperalert_file );
 			}
 		} else if ( xmlTextReaderNodeType ( xml ) == XML_READER_TYPE_END_ELEMENT ) {
@@ -302,7 +602,8 @@ _AI_hyperalert_from_XML ( AI_hyperalert_key key )
 					_dpd.fatalMsg ( "AIPreproc: Error in XML file '%s': post tag closed but never opend\n", hyperalert_file );
 				else
 					xmlFlags[inPostTag] = false;
-			} else {
+			} else if ( !strcasecmp ((const char*) tagname, "desc" )) {}
+			  else {
 				_dpd.fatalMsg ( "AIPreproc: Unrecognized tag '%s' in XML file '%s'\n", tagname, hyperalert_file );
 			}
 		} else if ( xmlTextReaderNodeType ( xml ) == XML_READER_TYPE_TEXT ) {
@@ -350,15 +651,30 @@ _AI_hyperalert_from_XML ( AI_hyperalert_key key )
 void*
 AI_alert_correlation_thread ( void *arg )
 {
-	int                    i;
-	struct stat            st;
-	AI_hyperalert_key      key;
-	AI_hyperalert_info     *hyp             = NULL;
-	AI_snort_alert         *alert_iterator  = NULL,
-					   *alert_iterator2 = NULL;
+	int                       i;
+	struct stat               st;
+	char                      corr_dot_file[4096] = { 0 };
 
-	FILE *fp = fopen ( "/home/blacklight/LOG", "w" );
-	fclose ( fp );
+	double                    avg_correlation     = 0.0,
+						 std_deviation       = 0.0,
+						 corr_threshold      = 0.0;
+
+	FILE                      *fp                 = NULL;
+
+	AI_alert_correlation_key  corr_key;
+	AI_alert_correlation      *corr               = NULL;
+
+	AI_hyperalert_key         key;
+	AI_hyperalert_info        *hyp                = NULL;
+
+	AI_snort_alert            *alert_iterator     = NULL,
+					      *alert_iterator2    = NULL;
+
+	#ifdef                    HAVE_LIBGVC
+	char                      corr_png_file[4096] = { 0 };
+	GVC_t                     *gvc                = NULL;
+	graph_t                   *g                  = NULL;
+	#endif
 
 	conf = (AI_config*) arg;
 
@@ -431,20 +747,109 @@ AI_alert_correlation_thread ( void *arg )
 			_AI_macro_subst ( &alert_iterator );
 		}
 
+		_AI_correlation_table_cleanup();
+		correlation_table = NULL;
+
 		for ( alert_iterator = alerts; alert_iterator; alert_iterator = alert_iterator->next )
 		{
 			for ( alert_iterator2 = alerts; alert_iterator2; alert_iterator2 = alert_iterator2->next )
 			{
-				if ( alert_iterator != alert_iterator2 )
+				if ( alert_iterator != alert_iterator2 && ! (
+					alert_iterator->gid == alert_iterator2->gid &&
+					alert_iterator->sid == alert_iterator2->sid &&
+					alert_iterator->rev == alert_iterator2->rev ))
 				{
-					fp = fopen ( "/home/blacklight/LOG", "a" );
-					fprintf ( fp, "alert1: (%s), alert2: (%s)\n", alert_iterator->desc, alert_iterator2->desc );
-					fprintf ( fp, "correlation (alert1, alert2): %f\n\n", _AI_correlation_coefficient ( alert_iterator, alert_iterator2 ));
-					fclose ( fp );
+					if ( !( corr = ( AI_alert_correlation* ) malloc ( sizeof ( AI_alert_correlation ))))
+						_dpd.fatalMsg ( "AIPreproc: Fatal memory allocation error at %s:%d\n", __FILE__, __LINE__ );
+
+					corr_key.a = alert_iterator;
+					corr_key.b = alert_iterator2;
+
+					corr->key  = corr_key;
+					corr->correlation = _AI_correlation_coefficient ( corr_key.a, corr_key.b );
+					HASH_ADD ( hh, correlation_table, key, sizeof ( AI_alert_correlation_key ), corr );
 				}
 			}
 		}
 
+		if ( HASH_COUNT ( correlation_table ) > 0 )
+		{
+			avg_correlation = 0.0;
+			std_deviation   = 0.0;
+
+			/* Compute the average correlation coefficient */
+			for ( corr = correlation_table; corr; corr = ( AI_alert_correlation* ) corr->hh.next )
+			{
+				avg_correlation += corr->correlation;
+			}
+
+			avg_correlation /= (double) HASH_COUNT ( correlation_table );
+
+			/* Compute the standard deviation */
+			for ( corr = correlation_table; corr; corr = ( AI_alert_correlation* ) corr->hh.next )
+			{
+				std_deviation += ( corr->correlation - avg_correlation ) * ( corr->correlation - avg_correlation );
+			}
+
+			std_deviation = sqrt ( std_deviation / (double) HASH_COUNT ( correlation_table ));
+			corr_threshold = avg_correlation + ( conf->correlationThresholdCoefficient * std_deviation );
+			snprintf ( corr_dot_file, sizeof ( corr_dot_file ), "%s/correlated_alerts.dot", conf->corr_alerts_dir );
+			
+			if ( stat ( conf->corr_alerts_dir, &st ) < 0 )
+			{
+				if ( mkdir ( conf->corr_alerts_dir, 0755 ) < 0 )
+				{
+					_dpd.fatalMsg ( "AIPreproc: Unable to create directory '%s'\n", conf->corr_alerts_dir );
+				}
+			}
+
+			if ( !( fp = fopen ( corr_dot_file, "w" )))
+				_dpd.fatalMsg ( "AIPreproc: Could not write on file '%s'\n", corr_dot_file );
+			fprintf ( fp, "digraph G  {\n" );
+
+			/* Find correlated alerts */
+			for ( corr = correlation_table; corr; corr = ( AI_alert_correlation* ) corr->hh.next )
+			{
+				if ( corr->correlation >= avg_correlation + std_deviation &&
+						avg_correlation + std_deviation != 0.0 &&
+						corr->key.a->timestamp <= corr->key.b->timestamp && ! (
+						corr->key.a->gid == corr->key.b->gid &&
+						corr->key.a->sid == corr->key.b->sid &&
+						corr->key.a->rev == corr->key.b->rev ))
+				{
+					if ( !( corr->key.a->derived_alerts = ( AI_snort_alert** ) realloc ( corr->key.a->derived_alerts, (++corr->key.a->n_derived_alerts) * sizeof ( AI_snort_alert* ))))
+						_dpd.fatalMsg ( "AIPreproc: Fatal memory allocation error at %s:%d\n", __FILE__, __LINE__ );
+
+					corr->key.a->derived_alerts[ corr->key.a->n_derived_alerts - 1 ] = corr->key.b;
+					corr->key.b->previous_correlated = corr->key.a;
+					_AI_print_correlated_alerts ( corr, fp );
+				}
+			}
+
+			fprintf ( fp, "}\n" );
+			fclose ( fp );
+
+			#ifdef HAVE_LIBGVC
+				snprintf ( corr_png_file, sizeof ( corr_png_file ), "%s/correlated_alerts.png", conf->corr_alerts_dir );
+
+				if ( !( gvc = gvContext() ))
+					continue;
+
+				if ( !( fp = fopen ( corr_dot_file, "r" )))
+					continue;
+
+				if ( !( g = agread ( fp )))
+					continue;
+
+				gvLayout ( gvc, g, "dot" );
+				gvRenderFilename ( gvc, g, "png", corr_png_file );
+
+				gvFreeLayout ( gvc, g );
+				agclose ( g );
+				fclose ( fp );
+			#endif
+		}
+
 		lock_flag = false;
 	}
 
diff --git a/db.c b/db.c
index 1f84741..aa35de1 100644
--- a/db.c
+++ b/db.c
@@ -18,7 +18,7 @@
  */
 
 #include	"spp_ai.h"
-#ifdef 	ENABLE_DB
+#ifdef 	HAVE_LIBMYSQLCLIENT
 
 #include	"db.h"
 
diff --git a/db.h b/db.h
index ca2f0d6..8aafad5 100644
--- a/db.h
+++ b/db.h
@@ -17,23 +17,21 @@
  * =====================================================================================
  */
 
-#ifdef 	ENABLE_DB
+#ifdef 	HAVE_LIBMYSQLCLIENT
 	#ifndef 	_AI_DB_H
 	#define 	_AI_DB_H
 
-	#ifdef 	ENABLE_MYSQL
-		#include	<mysql/mysql.h>
+	#include	<mysql/mysql.h>
 
-		typedef   MYSQL_RES* 	DB_result;
-		typedef 	MYSQL_ROW 	DB_row;
+	typedef   MYSQL_RES* 	DB_result;
+	typedef 	MYSQL_ROW 	DB_row;
 
-		#define 	DB_init 		mysql_do_init
-		#define 	DB_query 		mysql_do_query
-		#define 	DB_num_rows 	mysql_num_rows
-		#define 	DB_fetch_row 	mysql_fetch_row
-		#define 	DB_free_result mysql_free_result
-		#define 	DB_close 		mysql_do_close
-	#endif
+	#define 	DB_init 		mysql_do_init
+	#define 	DB_query 		mysql_do_query
+	#define 	DB_num_rows 	mysql_num_rows
+	#define 	DB_fetch_row 	mysql_fetch_row
+	#define 	DB_free_result mysql_free_result
+	#define 	DB_close 		mysql_do_close
 
 	/** Initializer for the database */
 	void*      DB_init ( AI_config* );
diff --git a/doc/html/alert__parser_8c.html b/doc/html/alert__parser_8c.html
index a14b5c1..d41aadb 100644
--- a/doc/html/alert__parser_8c.html
+++ b/doc/html/alert__parser_8c.html
@@ -132,7 +132,7 @@ Variables</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/annotated.html b/doc/html/annotated.html
index 07f1117..9578362 100644
--- a/doc/html/annotated.html
+++ b/doc/html/annotated.html
@@ -55,6 +55,7 @@ Here are the data structures with brief descriptions:<table>
   <tr><td class="indexkey"><a class="el" href="struct__AI__snort__alert.html">_AI_snort_alert</a></td><td class="indexvalue"></td></tr>
   <tr><td class="indexkey"><a class="el" href="struct__hierarchy__node.html">_hierarchy_node</a></td><td class="indexvalue"></td></tr>
   <tr><td class="indexkey"><a class="el" href="structAI__alert__correlation.html">AI_alert_correlation</a></td><td class="indexvalue"></td></tr>
+  <tr><td class="indexkey"><a class="el" href="structAI__alert__correlation__key.html">AI_alert_correlation_key</a></td><td class="indexvalue"></td></tr>
   <tr><td class="indexkey"><a class="el" href="structAI__config.html">AI_config</a></td><td class="indexvalue"></td></tr>
   <tr><td class="indexkey"><a class="el" href="structAI__hyperalert__info.html">AI_hyperalert_info</a></td><td class="indexvalue"></td></tr>
   <tr><td class="indexkey"><a class="el" href="structAI__hyperalert__key.html">AI_hyperalert_key</a></td><td class="indexvalue"></td></tr>
@@ -78,7 +79,7 @@ Here are the data structures with brief descriptions:<table>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/classes.html b/doc/html/classes.html
index e0f7525..6084476 100644
--- a/doc/html/classes.html
+++ b/doc/html/classes.html
@@ -54,9 +54,9 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 <div class="qindex"><a class="qindex" href="#letter_A">A</a>&nbsp;|&nbsp;<a class="qindex" href="#letter_P">P</a>&nbsp;|&nbsp;<a class="qindex" href="#letter__">_</a></div>
 <table align="center" width="95%" border="0" cellspacing="0" cellpadding="0">
 <tr><td><a name="letter_A"></a><table border="0" cellspacing="0" cellpadding="0"><tr><td><div class="ah">&nbsp;&nbsp;A&nbsp;&nbsp;</div></td></tr></table>
-</td><td><a class="el" href="structAI__hyperalert__info.html">AI_hyperalert_info</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="structattribute__value.html">attribute_value</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="structpkt__key.html">pkt_key</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="struct__AI__snort__alert.html">_AI_snort_alert</a>&nbsp;&nbsp;&nbsp;</td></tr><tr><td><a class="el" href="structAI__alert__correlation.html">AI_alert_correlation</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="structAI__hyperalert__key.html">AI_hyperalert_key</a>&nbsp;&nbsp;&nbsp;</td><td><a name="letter_P"></a><table border="0" cellspacing="0" cellpadding="0"><tr><td><div class="ah">&nbsp;&nbsp;P&nbsp;&nbsp;</div></td></tr></table>
+</td><td><a class="el" href="structAI__config.html">AI_config</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="structattribute__key.html">attribute_key</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="structpkt__info.html">pkt_info</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="struct__AI__snort__alert.html">_AI_snort_alert</a>&nbsp;&nbsp;&nbsp;</td></tr><tr><td><a class="el" href="structAI__alert__correlation.html">AI_alert_correlation</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="structAI__hyperalert__info.html">AI_hyperalert_info</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="structattribute__value.html">attribute_value</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="structpkt__key.html">pkt_key</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="struct__hierarchy__node.html">_hierarchy_node</a>&nbsp;&nbsp;&nbsp;</td></tr><tr><td><a class="el" href="structAI__alert__correlation__key.html">AI_alert_correlation_key</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="structAI__hyperalert__key.html">AI_hyperalert_key</a>&nbsp;&nbsp;&nbsp;</td><td><a name="letter_P"></a><table border="0" cellspacing="0" cellpadding="0"><tr><td><div class="ah">&nbsp;&nbsp;P&nbsp;&nbsp;</div></td></tr></table>
 </td><td><a name="letter__"></a><table border="0" cellspacing="0" cellpadding="0"><tr><td><div class="ah">&nbsp;&nbsp;_&nbsp;&nbsp;</div></td></tr></table>
-</td><td><a class="el" href="struct__hierarchy__node.html">_hierarchy_node</a>&nbsp;&nbsp;&nbsp;</td></tr><tr><td><a class="el" href="structAI__config.html">AI_config</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="structattribute__key.html">attribute_key</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="structpkt__info.html">pkt_info</a>&nbsp;&nbsp;&nbsp;</td></tr></table><div class="qindex"><a class="qindex" href="#letter_A">A</a>&nbsp;|&nbsp;<a class="qindex" href="#letter_P">P</a>&nbsp;|&nbsp;<a class="qindex" href="#letter__">_</a></div>
+</td></tr></table><div class="qindex"><a class="qindex" href="#letter_A">A</a>&nbsp;|&nbsp;<a class="qindex" href="#letter_P">P</a>&nbsp;|&nbsp;<a class="qindex" href="#letter__">_</a></div>
 </div>
 <!--- window showing the filter options -->
 <div id="MSearchSelectWindow"
@@ -72,7 +72,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/cluster_8c.html b/doc/html/cluster_8c.html
index f7ab9a1..7277b05 100644
--- a/doc/html/cluster_8c.html
+++ b/doc/html/cluster_8c.html
@@ -112,7 +112,7 @@ Variables</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/correlation_8c.html b/doc/html/correlation_8c.html
index 1beff00..25a23d3 100644
--- a/doc/html/correlation_8c.html
+++ b/doc/html/correlation_8c.html
@@ -56,13 +56,20 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </div>
 <div class="contents">
 <code>#include &quot;<a class="el" href="spp__ai_8h_source.html">spp_ai.h</a>&quot;</code><br/>
+<code>#include &lt;stdio.h&gt;</code><br/>
+<code>#include &lt;stdlib.h&gt;</code><br/>
+<code>#include &lt;string.h&gt;</code><br/>
 <code>#include &lt;unistd.h&gt;</code><br/>
+<code>#include &lt;time.h&gt;</code><br/>
+<code>#include &lt;math.h&gt;</code><br/>
+<code>#include &lt;alloca.h&gt;</code><br/>
 <code>#include &lt;sys/stat.h&gt;</code><br/>
 <code>#include &lt;pthread.h&gt;</code><br/>
 <code>#include &lt;libxml/xmlreader.h&gt;</code><br/>
 <table class="memberdecls">
 <tr><td colspan="2"><h2><a name="nested-classes"></a>
 Data Structures</h2></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">struct &nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__alert__correlation__key.html">AI_alert_correlation_key</a></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">struct &nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__alert__correlation.html">AI_alert_correlation</a></td></tr>
 <tr><td colspan="2"><h2><a name="enum-members"></a>
 Enumerations</h2></td></tr>
@@ -77,10 +84,18 @@ Enumerations</h2></td></tr>
  }</td></tr>
 <tr><td colspan="2"><h2><a name="func-members"></a>
 Functions</h2></td></tr>
-<tr><td class="memItemLeft" align="right" valign="top">double&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga130e82017fc0abcb76b1a7740ae2f4df">_AI_correlation_coefficient</a> (<a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *a, <a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *b)</td></tr>
-<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A) / UNION(pre(B), post(A)).  <a href="group__correlation.html#ga130e82017fc0abcb76b1a7740ae2f4df"></a><br/></td></tr>
-<tr><td class="memItemLeft" align="right" valign="top">void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga0d094eae1d014d89a2de21263fa747da">_AI_macro_subst</a> (<a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> **alert)</td></tr>
-<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Substitute the macros in hyperalert pre-conditions and post-conditions with their associated values.  <a href="group__correlation.html#ga0d094eae1d014d89a2de21263fa747da"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga9bcb94264ffe30f113f3fb7287b774e3">_AI_correlation_table_cleanup</a> ()</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Clean up the correlation hash table.  <a href="group__correlation.html#ga9bcb94264ffe30f113f3fb7287b774e3"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga4267a39fa1a5ac035015823bca43288e">_AI_print_correlated_alerts</a> (<a class="el" href="structAI__alert__correlation.html">AI_alert_correlation</a> *corr, FILE *fp)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Recursively write a flow of correlated alerts to a .dot file, ready for being rendered as graph.  <a href="group__correlation.html#ga4267a39fa1a5ac035015823bca43288e"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE char *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga7a1b2d01f526f24ea91d7f08bdefd4fe">_AI_get_function_name</a> (const char *orig_stmt)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Get the name of the function called by a pre-condition or post-condition predicate.  <a href="group__correlation.html#ga7a1b2d01f526f24ea91d7f08bdefd4fe"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE char **&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#gab716702cd226ab2ad957234a92da6e4a">_AI_get_function_arguments</a> (char *orig_stmt, int *n_args)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Get the arguments passed to a function predicate in a pre-condition or post-condition (comma-separated values).  <a href="group__correlation.html#gab716702cd226ab2ad957234a92da6e4a"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE double&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga9cb283b28a66829574add58a251b93c6">_AI_correlation_coefficient</a> (<a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *a, <a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *b)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A) / UNION(pre(B), post(A)).  <a href="group__correlation.html#ga9cb283b28a66829574add58a251b93c6"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga70a4aaf8b689472dad62ba7a9bbde1a6">_AI_macro_subst</a> (<a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> **alert)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Substitute the macros in hyperalert pre-conditions and post-conditions with their associated values.  <a href="group__correlation.html#ga70a4aaf8b689472dad62ba7a9bbde1a6"></a><br/></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">PRIVATE <a class="el" href="structAI__hyperalert__info.html">AI_hyperalert_info</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga929e5c17fdb247a998d83ed6a4ae5a65">_AI_hyperalert_from_XML</a> (<a class="el" href="structAI__hyperalert__key.html">AI_hyperalert_key</a> key)</td></tr>
 <tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Parse info about a hyperalert from a correlation XML file, if it exists.  <a href="group__correlation.html#ga929e5c17fdb247a998d83ed6a4ae5a65"></a><br/></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">void *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga939353a4e15de7a8f4145ab986f584be">AI_alert_correlation_thread</a> (void *arg)</td></tr>
@@ -108,7 +123,7 @@ Variables</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/db_8c.html b/doc/html/db_8c.html
index 86340f0..1665130 100644
--- a/doc/html/db_8c.html
+++ b/doc/html/db_8c.html
@@ -68,7 +68,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/db_8h.html b/doc/html/db_8h.html
index e0815a0..37bd7fb 100644
--- a/doc/html/db_8h.html
+++ b/doc/html/db_8h.html
@@ -69,7 +69,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/db_8h_source.html b/doc/html/db_8h_source.html
index 98340db..387b3f9 100644
--- a/doc/html/db_8h_source.html
+++ b/doc/html/db_8h_source.html
@@ -68,33 +68,31 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 <a name="l00017"></a>00017 <span class="comment"> * =====================================================================================</span>
 <a name="l00018"></a>00018 <span class="comment"> */</span>
 <a name="l00019"></a>00019 
-<a name="l00020"></a>00020 <span class="preprocessor">#ifdef  ENABLE_DB</span>
+<a name="l00020"></a>00020 <span class="preprocessor">#ifdef  HAVE_LIBMYSQLCLIENT</span>
 <a name="l00021"></a>00021 <span class="preprocessor"></span><span class="preprocessor">        #ifndef         _AI_DB_H</span>
 <a name="l00022"></a>00022 <span class="preprocessor"></span><span class="preprocessor">        #define         _AI_DB_H</span>
 <a name="l00023"></a>00023 <span class="preprocessor"></span>
-<a name="l00024"></a>00024 <span class="preprocessor">        #ifdef  ENABLE_MYSQL</span>
-<a name="l00025"></a>00025 <span class="preprocessor"></span><span class="preprocessor">                #include        &lt;mysql/mysql.h&gt;</span>
-<a name="l00026"></a>00026 
-<a name="l00027"></a>00027                 <span class="keyword">typedef</span>   MYSQL_RES*    DB_result;
-<a name="l00028"></a>00028                 <span class="keyword">typedef</span>         MYSQL_ROW       DB_row;
-<a name="l00029"></a>00029 
-<a name="l00030"></a>00030 <span class="preprocessor">                #define         DB_init                 mysql_do_init</span>
-<a name="l00031"></a>00031 <span class="preprocessor"></span><span class="preprocessor">                #define         DB_query                mysql_do_query</span>
-<a name="l00032"></a>00032 <span class="preprocessor"></span><span class="preprocessor">                #define         DB_num_rows     mysql_num_rows</span>
-<a name="l00033"></a>00033 <span class="preprocessor"></span><span class="preprocessor">                #define         DB_fetch_row    mysql_fetch_row</span>
-<a name="l00034"></a>00034 <span class="preprocessor"></span><span class="preprocessor">                #define         DB_free_result mysql_free_result</span>
-<a name="l00035"></a>00035 <span class="preprocessor"></span><span class="preprocessor">                #define         DB_close                mysql_do_close</span>
-<a name="l00036"></a>00036 <span class="preprocessor"></span><span class="preprocessor">        #endif</span>
-<a name="l00037"></a>00037 <span class="preprocessor"></span>
-<a name="l00039"></a>00039         <span class="keywordtype">void</span>*      DB_init ( <a class="code" href="structAI__config.html">AI_config</a>* );
-<a name="l00040"></a>00040 
-<a name="l00042"></a>00042         DB_result* DB_query ( <span class="keyword">const</span> <span class="keywordtype">char</span>* );
-<a name="l00043"></a>00043 
-<a name="l00045"></a>00045         <span class="keywordtype">void</span>       DB_close();
-<a name="l00046"></a>00046 
-<a name="l00047"></a>00047 <span class="preprocessor">        #endif</span>
-<a name="l00048"></a>00048 <span class="preprocessor"></span><span class="preprocessor">#endif</span>
-<a name="l00049"></a>00049 <span class="preprocessor"></span>
+<a name="l00024"></a>00024 <span class="preprocessor">        #include        &lt;mysql/mysql.h&gt;</span>
+<a name="l00025"></a>00025 
+<a name="l00026"></a>00026         <span class="keyword">typedef</span>   MYSQL_RES*    DB_result;
+<a name="l00027"></a>00027         <span class="keyword">typedef</span>         MYSQL_ROW       DB_row;
+<a name="l00028"></a>00028 
+<a name="l00029"></a>00029 <span class="preprocessor">        #define         DB_init                 mysql_do_init</span>
+<a name="l00030"></a>00030 <span class="preprocessor"></span><span class="preprocessor">        #define         DB_query                mysql_do_query</span>
+<a name="l00031"></a>00031 <span class="preprocessor"></span><span class="preprocessor">        #define         DB_num_rows     mysql_num_rows</span>
+<a name="l00032"></a>00032 <span class="preprocessor"></span><span class="preprocessor">        #define         DB_fetch_row    mysql_fetch_row</span>
+<a name="l00033"></a>00033 <span class="preprocessor"></span><span class="preprocessor">        #define         DB_free_result mysql_free_result</span>
+<a name="l00034"></a>00034 <span class="preprocessor"></span><span class="preprocessor">        #define         DB_close                mysql_do_close</span>
+<a name="l00035"></a>00035 <span class="preprocessor"></span>
+<a name="l00037"></a>00037         <span class="keywordtype">void</span>*      DB_init ( <a class="code" href="structAI__config.html">AI_config</a>* );
+<a name="l00038"></a>00038 
+<a name="l00040"></a>00040         DB_result* DB_query ( <span class="keyword">const</span> <span class="keywordtype">char</span>* );
+<a name="l00041"></a>00041 
+<a name="l00043"></a>00043         <span class="keywordtype">void</span>       DB_close();
+<a name="l00044"></a>00044 
+<a name="l00045"></a>00045 <span class="preprocessor">        #endif</span>
+<a name="l00046"></a>00046 <span class="preprocessor"></span><span class="preprocessor">#endif</span>
+<a name="l00047"></a>00047 <span class="preprocessor"></span>
 </pre></div></div>
 </div>
 <!--- window showing the filter options -->
@@ -111,7 +109,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/files.html b/doc/html/files.html
index 50ac166..a702470 100644
--- a/doc/html/files.html
+++ b/doc/html/files.html
@@ -78,7 +78,7 @@ Here is a list of all files with brief descriptions:<table>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/functions.html b/doc/html/functions.html
index ff8c17e..292ef07 100644
--- a/doc/html/functions.html
+++ b/doc/html/functions.html
@@ -77,7 +77,7 @@ Here is a list of all struct and union fields with links to the structures/union
 
 <h3><a class="anchor" id="index_a"></a>- a -</h3><ul>
 <li>a
-: <a class="el" href="structAI__alert__correlation.html#a8737f171e1c1b2305c8fe77101d6aeb7">AI_alert_correlation</a>
+: <a class="el" href="structAI__alert__correlation__key.html#a774daec9332da25835a0904d853acadb">AI_alert_correlation_key</a>
 </li>
 <li>alertClusteringInterval
 : <a class="el" href="structAI__config.html#a7d0d098b8263aa3d8415b11d1ec7f93d">AI_config</a>
@@ -90,7 +90,7 @@ Here is a list of all struct and union fields with links to the structures/union
 
 <h3><a class="anchor" id="index_b"></a>- b -</h3><ul>
 <li>b
-: <a class="el" href="structAI__alert__correlation.html#a478f1a6f18f9c083b203efdf776379cd">AI_alert_correlation</a>
+: <a class="el" href="structAI__alert__correlation__key.html#a5805dec6499a83b818091b4f21c715dc">AI_alert_correlation_key</a>
 </li>
 </ul>
 
@@ -105,6 +105,9 @@ Here is a list of all struct and union fields with links to the structures/union
 <li>clusterfile
 : <a class="el" href="structAI__config.html#a6da02a3f7116fd3810a41b738e8883a3">AI_config</a>
 </li>
+<li>corr_alerts_dir
+: <a class="el" href="structAI__config.html#ae68f5489e2ec9ea1408f98fe36d050c9">AI_config</a>
+</li>
 <li>corr_rules_dir
 : <a class="el" href="structAI__config.html#ab7ea93bbe72b85c4019b4f5656ad62fc">AI_config</a>
 </li>
@@ -114,6 +117,9 @@ Here is a list of all struct and union fields with links to the structures/union
 <li>correlationGraphInterval
 : <a class="el" href="structAI__config.html#aa736375e57a59936e2e782b7cd200e41">AI_config</a>
 </li>
+<li>correlationThresholdCoefficient
+: <a class="el" href="structAI__config.html#adf6ef0faedfb4dea0a1353e781b14883">AI_config</a>
+</li>
 <li>count
 : <a class="el" href="structattribute__value.html#a5579c0304c2e9ab488ac94905b385045">attribute_value</a>
 </li>
@@ -136,6 +142,9 @@ Here is a list of all struct and union fields with links to the structures/union
 <li>dbuser
 : <a class="el" href="structAI__config.html#aa004adebfdafb6d14092aecd7f4912b0">AI_config</a>
 </li>
+<li>derived_alerts
+: <a class="el" href="struct__AI__snort__alert.html#aac5e4078600ed17532db1f3d78165390">_AI_snort_alert</a>
+</li>
 <li>desc
 : <a class="el" href="struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135">_AI_snort_alert</a>
 </li>
@@ -205,6 +214,7 @@ Here is a list of all struct and union fields with links to the structures/union
 : <a class="el" href="structattribute__value.html#aa8b5ae41c150e4fefb800d3b1924278d">attribute_value</a>
 , <a class="el" href="structAI__hyperalert__info.html#a9d461da8f00415ef03b24edb3bbd6cf8">AI_hyperalert_info</a>
 , <a class="el" href="structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339">pkt_info</a>
+, <a class="el" href="structAI__alert__correlation.html#a4e27da4922a1d44497634c8e5968d870">AI_alert_correlation</a>
 </li>
 </ul>
 
@@ -233,6 +243,9 @@ Here is a list of all struct and union fields with links to the structures/union
 
 
 <h3><a class="anchor" id="index_n"></a>- n -</h3><ul>
+<li>n_derived_alerts
+: <a class="el" href="struct__AI__snort__alert.html#a1f2d5e8cfd0e6321b977173d1e90cb68">_AI_snort_alert</a>
+</li>
 <li>n_postconds
 : <a class="el" href="structAI__hyperalert__info.html#a73322b6cad3e883abed03b62c6c21719">AI_hyperalert_info</a>
 </li>
@@ -269,6 +282,9 @@ Here is a list of all struct and union fields with links to the structures/union
 <li>preconds
 : <a class="el" href="structAI__hyperalert__info.html#a8ac4e028c47a98a8be5afd4363164031">AI_hyperalert_info</a>
 </li>
+<li>previous_correlated
+: <a class="el" href="struct__AI__snort__alert.html#a55a5488c7ee7706ded4c16b1235fd9c7">_AI_snort_alert</a>
+</li>
 <li>priority
 : <a class="el" href="struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9">_AI_snort_alert</a>
 </li>
@@ -346,7 +362,7 @@ Here is a list of all struct and union fields with links to the structures/union
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/functions_vars.html b/doc/html/functions_vars.html
index 64809be..f683a91 100644
--- a/doc/html/functions_vars.html
+++ b/doc/html/functions_vars.html
@@ -77,7 +77,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 
 <h3><a class="anchor" id="index_a"></a>- a -</h3><ul>
 <li>a
-: <a class="el" href="structAI__alert__correlation.html#a8737f171e1c1b2305c8fe77101d6aeb7">AI_alert_correlation</a>
+: <a class="el" href="structAI__alert__correlation__key.html#a774daec9332da25835a0904d853acadb">AI_alert_correlation_key</a>
 </li>
 <li>alertClusteringInterval
 : <a class="el" href="structAI__config.html#a7d0d098b8263aa3d8415b11d1ec7f93d">AI_config</a>
@@ -90,7 +90,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 
 <h3><a class="anchor" id="index_b"></a>- b -</h3><ul>
 <li>b
-: <a class="el" href="structAI__alert__correlation.html#a478f1a6f18f9c083b203efdf776379cd">AI_alert_correlation</a>
+: <a class="el" href="structAI__alert__correlation__key.html#a5805dec6499a83b818091b4f21c715dc">AI_alert_correlation_key</a>
 </li>
 </ul>
 
@@ -105,6 +105,9 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 <li>clusterfile
 : <a class="el" href="structAI__config.html#a6da02a3f7116fd3810a41b738e8883a3">AI_config</a>
 </li>
+<li>corr_alerts_dir
+: <a class="el" href="structAI__config.html#ae68f5489e2ec9ea1408f98fe36d050c9">AI_config</a>
+</li>
 <li>corr_rules_dir
 : <a class="el" href="structAI__config.html#ab7ea93bbe72b85c4019b4f5656ad62fc">AI_config</a>
 </li>
@@ -114,6 +117,9 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 <li>correlationGraphInterval
 : <a class="el" href="structAI__config.html#aa736375e57a59936e2e782b7cd200e41">AI_config</a>
 </li>
+<li>correlationThresholdCoefficient
+: <a class="el" href="structAI__config.html#adf6ef0faedfb4dea0a1353e781b14883">AI_config</a>
+</li>
 <li>count
 : <a class="el" href="structattribute__value.html#a5579c0304c2e9ab488ac94905b385045">attribute_value</a>
 </li>
@@ -136,6 +142,9 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 <li>dbuser
 : <a class="el" href="structAI__config.html#aa004adebfdafb6d14092aecd7f4912b0">AI_config</a>
 </li>
+<li>derived_alerts
+: <a class="el" href="struct__AI__snort__alert.html#aac5e4078600ed17532db1f3d78165390">_AI_snort_alert</a>
+</li>
 <li>desc
 : <a class="el" href="struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135">_AI_snort_alert</a>
 </li>
@@ -205,6 +214,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 : <a class="el" href="structattribute__value.html#aa8b5ae41c150e4fefb800d3b1924278d">attribute_value</a>
 , <a class="el" href="structAI__hyperalert__info.html#a9d461da8f00415ef03b24edb3bbd6cf8">AI_hyperalert_info</a>
 , <a class="el" href="structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339">pkt_info</a>
+, <a class="el" href="structAI__alert__correlation.html#a4e27da4922a1d44497634c8e5968d870">AI_alert_correlation</a>
 </li>
 </ul>
 
@@ -233,6 +243,9 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 
 
 <h3><a class="anchor" id="index_n"></a>- n -</h3><ul>
+<li>n_derived_alerts
+: <a class="el" href="struct__AI__snort__alert.html#a1f2d5e8cfd0e6321b977173d1e90cb68">_AI_snort_alert</a>
+</li>
 <li>n_postconds
 : <a class="el" href="structAI__hyperalert__info.html#a73322b6cad3e883abed03b62c6c21719">AI_hyperalert_info</a>
 </li>
@@ -269,6 +282,9 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 <li>preconds
 : <a class="el" href="structAI__hyperalert__info.html#a8ac4e028c47a98a8be5afd4363164031">AI_hyperalert_info</a>
 </li>
+<li>previous_correlated
+: <a class="el" href="struct__AI__snort__alert.html#a55a5488c7ee7706ded4c16b1235fd9c7">_AI_snort_alert</a>
+</li>
 <li>priority
 : <a class="el" href="struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9">_AI_snort_alert</a>
 </li>
@@ -346,7 +362,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/globals.html b/doc/html/globals.html
index 213f4ed..726115c 100644
--- a/doc/html/globals.html
+++ b/doc/html/globals.html
@@ -94,11 +94,20 @@ Here is a list of all functions, variables, defines, enums, and typedefs with li
 : <a class="el" href="group__cluster.html#gab4c8ab92691e85a6f0ac4abb122712fd">cluster.c</a>
 </li>
 <li>_AI_correlation_coefficient()
-: <a class="el" href="group__correlation.html#ga130e82017fc0abcb76b1a7740ae2f4df">correlation.c</a>
+: <a class="el" href="group__correlation.html#ga9cb283b28a66829574add58a251b93c6">correlation.c</a>
+</li>
+<li>_AI_correlation_table_cleanup()
+: <a class="el" href="group__correlation.html#ga9bcb94264ffe30f113f3fb7287b774e3">correlation.c</a>
 </li>
 <li>_AI_equal_alarms()
 : <a class="el" href="group__cluster.html#ga0f91c8bfc37a3975f5c26b19fd6c5cba">cluster.c</a>
 </li>
+<li>_AI_get_function_arguments()
+: <a class="el" href="group__correlation.html#gab716702cd226ab2ad957234a92da6e4a">correlation.c</a>
+</li>
+<li>_AI_get_function_name()
+: <a class="el" href="group__correlation.html#ga7a1b2d01f526f24ea91d7f08bdefd4fe">correlation.c</a>
+</li>
 <li>_AI_get_min_hierarchy_node()
 : <a class="el" href="group__cluster.html#ga6ddddcd505b1f763c339e81fc143e079">cluster.c</a>
 </li>
@@ -106,7 +115,7 @@ Here is a list of all functions, variables, defines, enums, and typedefs with li
 : <a class="el" href="group__correlation.html#ga929e5c17fdb247a998d83ed6a4ae5a65">correlation.c</a>
 </li>
 <li>_AI_macro_subst()
-: <a class="el" href="group__correlation.html#ga0d094eae1d014d89a2de21263fa747da">correlation.c</a>
+: <a class="el" href="group__correlation.html#ga70a4aaf8b689472dad62ba7a9bbde1a6">correlation.c</a>
 </li>
 <li>_AI_merge_alerts()
 : <a class="el" href="group__cluster.html#ga8ce8e5a5d8954672297fa2dedb380dcd">cluster.c</a>
@@ -114,6 +123,9 @@ Here is a list of all functions, variables, defines, enums, and typedefs with li
 <li>_AI_print_clustered_alerts()
 : <a class="el" href="group__cluster.html#ga7d151880080470b542e99643dc0426a7">cluster.c</a>
 </li>
+<li>_AI_print_correlated_alerts()
+: <a class="el" href="group__correlation.html#ga4267a39fa1a5ac035015823bca43288e">correlation.c</a>
+</li>
 <li>_AI_stream_free()
 : <a class="el" href="group__stream.html#ga80016adf701c717a6ebfb5b15b8a5749">stream.c</a>
 </li>
@@ -247,9 +259,15 @@ Here is a list of all functions, variables, defines, enums, and typedefs with li
 <li>DEFAULT_CLUSTER_LOG_FILE
 : <a class="el" href="spp__ai_8h.html#a803dc913297ccdace9e604dbfecda97d">spp_ai.h</a>
 </li>
+<li>DEFAULT_CORR_ALERTS_DIR
+: <a class="el" href="spp__ai_8h.html#a7bbeccba60012abcc98db33d39294829">spp_ai.h</a>
+</li>
 <li>DEFAULT_CORR_RULES_DIR
 : <a class="el" href="spp__ai_8h.html#a89448386cad5d5533992ae7ee84f4f1d">spp_ai.h</a>
 </li>
+<li>DEFAULT_CORR_THRESHOLD
+: <a class="el" href="spp__ai_8h.html#aaedb0b7dc2bdf8d44d3fee2189a55a19">spp_ai.h</a>
+</li>
 <li>DEFAULT_DATABASE_INTERVAL
 : <a class="el" href="spp__ai_8h.html#a3c4984a0ee515fbc091ac6e33b05e310">spp_ai.h</a>
 </li>
@@ -424,7 +442,7 @@ Here is a list of all functions, variables, defines, enums, and typedefs with li
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/globals_defs.html b/doc/html/globals_defs.html
index 43e9788..ce5a454 100644
--- a/doc/html/globals_defs.html
+++ b/doc/html/globals_defs.html
@@ -73,9 +73,15 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 <li>DEFAULT_CLUSTER_LOG_FILE
 : <a class="el" href="spp__ai_8h.html#a803dc913297ccdace9e604dbfecda97d">spp_ai.h</a>
 </li>
+<li>DEFAULT_CORR_ALERTS_DIR
+: <a class="el" href="spp__ai_8h.html#a7bbeccba60012abcc98db33d39294829">spp_ai.h</a>
+</li>
 <li>DEFAULT_CORR_RULES_DIR
 : <a class="el" href="spp__ai_8h.html#a89448386cad5d5533992ae7ee84f4f1d">spp_ai.h</a>
 </li>
+<li>DEFAULT_CORR_THRESHOLD
+: <a class="el" href="spp__ai_8h.html#aaedb0b7dc2bdf8d44d3fee2189a55a19">spp_ai.h</a>
+</li>
 <li>DEFAULT_DATABASE_INTERVAL
 : <a class="el" href="spp__ai_8h.html#a3c4984a0ee515fbc091ac6e33b05e310">spp_ai.h</a>
 </li>
@@ -116,7 +122,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/globals_enum.html b/doc/html/globals_enum.html
index 1672b16..60d7b08 100644
--- a/doc/html/globals_enum.html
+++ b/doc/html/globals_enum.html
@@ -80,7 +80,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/globals_eval.html b/doc/html/globals_eval.html
index a215cfc..54edfb6 100644
--- a/doc/html/globals_eval.html
+++ b/doc/html/globals_eval.html
@@ -113,7 +113,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/globals_func.html b/doc/html/globals_func.html
index ca1f02f..f83ae1c 100644
--- a/doc/html/globals_func.html
+++ b/doc/html/globals_func.html
@@ -81,11 +81,20 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 : <a class="el" href="group__cluster.html#gab4c8ab92691e85a6f0ac4abb122712fd">cluster.c</a>
 </li>
 <li>_AI_correlation_coefficient()
-: <a class="el" href="group__correlation.html#ga130e82017fc0abcb76b1a7740ae2f4df">correlation.c</a>
+: <a class="el" href="group__correlation.html#ga9cb283b28a66829574add58a251b93c6">correlation.c</a>
+</li>
+<li>_AI_correlation_table_cleanup()
+: <a class="el" href="group__correlation.html#ga9bcb94264ffe30f113f3fb7287b774e3">correlation.c</a>
 </li>
 <li>_AI_equal_alarms()
 : <a class="el" href="group__cluster.html#ga0f91c8bfc37a3975f5c26b19fd6c5cba">cluster.c</a>
 </li>
+<li>_AI_get_function_arguments()
+: <a class="el" href="group__correlation.html#gab716702cd226ab2ad957234a92da6e4a">correlation.c</a>
+</li>
+<li>_AI_get_function_name()
+: <a class="el" href="group__correlation.html#ga7a1b2d01f526f24ea91d7f08bdefd4fe">correlation.c</a>
+</li>
 <li>_AI_get_min_hierarchy_node()
 : <a class="el" href="group__cluster.html#ga6ddddcd505b1f763c339e81fc143e079">cluster.c</a>
 </li>
@@ -93,7 +102,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 : <a class="el" href="group__correlation.html#ga929e5c17fdb247a998d83ed6a4ae5a65">correlation.c</a>
 </li>
 <li>_AI_macro_subst()
-: <a class="el" href="group__correlation.html#ga0d094eae1d014d89a2de21263fa747da">correlation.c</a>
+: <a class="el" href="group__correlation.html#ga70a4aaf8b689472dad62ba7a9bbde1a6">correlation.c</a>
 </li>
 <li>_AI_merge_alerts()
 : <a class="el" href="group__cluster.html#ga8ce8e5a5d8954672297fa2dedb380dcd">cluster.c</a>
@@ -101,6 +110,9 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 <li>_AI_print_clustered_alerts()
 : <a class="el" href="group__cluster.html#ga7d151880080470b542e99643dc0426a7">cluster.c</a>
 </li>
+<li>_AI_print_correlated_alerts()
+: <a class="el" href="group__correlation.html#ga4267a39fa1a5ac035015823bca43288e">correlation.c</a>
+</li>
 <li>_AI_stream_free()
 : <a class="el" href="group__stream.html#ga80016adf701c717a6ebfb5b15b8a5749">stream.c</a>
 </li>
@@ -206,7 +218,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/globals_type.html b/doc/html/globals_type.html
index 96c84e6..38ae5b9 100644
--- a/doc/html/globals_type.html
+++ b/doc/html/globals_type.html
@@ -89,7 +89,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/globals_vars.html b/doc/html/globals_vars.html
index 6ac306f..6da6e99 100644
--- a/doc/html/globals_vars.html
+++ b/doc/html/globals_vars.html
@@ -125,7 +125,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/group__alert__parser.html b/doc/html/group__alert__parser.html
index 44c5005..2f4ef53 100644
--- a/doc/html/group__alert__parser.html
+++ b/doc/html/group__alert__parser.html
@@ -174,7 +174,7 @@ Functions</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/group__cluster.html b/doc/html/group__cluster.html
index bd73f60..9f23ecb 100644
--- a/doc/html/group__cluster.html
+++ b/doc/html/group__cluster.html
@@ -541,7 +541,7 @@ Variables</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/group__correlation.html b/doc/html/group__correlation.html
index 66b98bc..7863eb5 100644
--- a/doc/html/group__correlation.html
+++ b/doc/html/group__correlation.html
@@ -52,6 +52,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 <table class="memberdecls">
 <tr><td colspan="2"><h2><a name="nested-classes"></a>
 Data Structures</h2></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">struct &nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__alert__correlation__key.html">AI_alert_correlation_key</a></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">struct &nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__alert__correlation.html">AI_alert_correlation</a></td></tr>
 <tr><td colspan="2"><h2><a name="enum-members"></a>
 Enumerations</h2></td></tr>
@@ -66,10 +67,18 @@ Enumerations</h2></td></tr>
  }</td></tr>
 <tr><td colspan="2"><h2><a name="func-members"></a>
 Functions</h2></td></tr>
-<tr><td class="memItemLeft" align="right" valign="top">double&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga130e82017fc0abcb76b1a7740ae2f4df">_AI_correlation_coefficient</a> (<a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *a, <a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *b)</td></tr>
-<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A) / UNION(pre(B), post(A)).  <a href="#ga130e82017fc0abcb76b1a7740ae2f4df"></a><br/></td></tr>
-<tr><td class="memItemLeft" align="right" valign="top">void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga0d094eae1d014d89a2de21263fa747da">_AI_macro_subst</a> (<a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> **alert)</td></tr>
-<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Substitute the macros in hyperalert pre-conditions and post-conditions with their associated values.  <a href="#ga0d094eae1d014d89a2de21263fa747da"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga9bcb94264ffe30f113f3fb7287b774e3">_AI_correlation_table_cleanup</a> ()</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Clean up the correlation hash table.  <a href="#ga9bcb94264ffe30f113f3fb7287b774e3"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga4267a39fa1a5ac035015823bca43288e">_AI_print_correlated_alerts</a> (<a class="el" href="structAI__alert__correlation.html">AI_alert_correlation</a> *corr, FILE *fp)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Recursively write a flow of correlated alerts to a .dot file, ready for being rendered as graph.  <a href="#ga4267a39fa1a5ac035015823bca43288e"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE char *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga7a1b2d01f526f24ea91d7f08bdefd4fe">_AI_get_function_name</a> (const char *orig_stmt)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Get the name of the function called by a pre-condition or post-condition predicate.  <a href="#ga7a1b2d01f526f24ea91d7f08bdefd4fe"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE char **&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#gab716702cd226ab2ad957234a92da6e4a">_AI_get_function_arguments</a> (char *orig_stmt, int *n_args)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Get the arguments passed to a function predicate in a pre-condition or post-condition (comma-separated values).  <a href="#gab716702cd226ab2ad957234a92da6e4a"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE double&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga9cb283b28a66829574add58a251b93c6">_AI_correlation_coefficient</a> (<a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *a, <a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *b)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A) / UNION(pre(B), post(A)).  <a href="#ga9cb283b28a66829574add58a251b93c6"></a><br/></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">PRIVATE void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga70a4aaf8b689472dad62ba7a9bbde1a6">_AI_macro_subst</a> (<a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> **alert)</td></tr>
+<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Substitute the macros in hyperalert pre-conditions and post-conditions with their associated values.  <a href="#ga70a4aaf8b689472dad62ba7a9bbde1a6"></a><br/></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">PRIVATE <a class="el" href="structAI__hyperalert__info.html">AI_hyperalert_info</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga929e5c17fdb247a998d83ed6a4ae5a65">_AI_hyperalert_from_XML</a> (<a class="el" href="structAI__hyperalert__key.html">AI_hyperalert_key</a> key)</td></tr>
 <tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Parse info about a hyperalert from a correlation XML file, if it exists.  <a href="#ga929e5c17fdb247a998d83ed6a4ae5a65"></a><br/></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">void *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga939353a4e15de7a8f4145ab986f584be">AI_alert_correlation_thread</a> (void *arg)</td></tr>
@@ -112,12 +121,12 @@ Variables</h2></td></tr>
 </div>
 </div>
 <hr/><h2>Function Documentation</h2>
-<a class="anchor" id="ga130e82017fc0abcb76b1a7740ae2f4df"></a><!-- doxytag: member="correlation.c::_AI_correlation_coefficient" ref="ga130e82017fc0abcb76b1a7740ae2f4df" args="(AI_snort_alert *a, AI_snort_alert *b)" -->
+<a class="anchor" id="ga9cb283b28a66829574add58a251b93c6"></a><!-- doxytag: member="correlation.c::_AI_correlation_coefficient" ref="ga9cb283b28a66829574add58a251b93c6" args="(AI_snort_alert *a, AI_snort_alert *b)" -->
 <div class="memitem">
 <div class="memproto">
       <table class="memname">
         <tr>
-          <td class="memname">double _AI_correlation_coefficient </td>
+          <td class="memname">PRIVATE double _AI_correlation_coefficient </td>
           <td>(</td>
           <td class="paramtype"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *&nbsp;</td>
           <td class="paramname"> <em>a</em>, </td>
@@ -147,6 +156,90 @@ Variables</h2></td></tr>
 </dl>
 <dl class="return"><dt><b>Returns:</b></dt><dd>The correlation coefficient between A and B as coefficient in [0,1] </dd></dl>
 
+</div>
+</div>
+<a class="anchor" id="ga9bcb94264ffe30f113f3fb7287b774e3"></a><!-- doxytag: member="correlation.c::_AI_correlation_table_cleanup" ref="ga9bcb94264ffe30f113f3fb7287b774e3" args="()" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">PRIVATE void _AI_correlation_table_cleanup </td>
+          <td>(</td>
+          <td class="paramname"></td>
+          <td>&nbsp;)&nbsp;</td>
+          <td></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+<p>Clean up the correlation hash table. </p>
+
+</div>
+</div>
+<a class="anchor" id="gab716702cd226ab2ad957234a92da6e4a"></a><!-- doxytag: member="correlation.c::_AI_get_function_arguments" ref="gab716702cd226ab2ad957234a92da6e4a" args="(char *orig_stmt, int *n_args)" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">PRIVATE char** _AI_get_function_arguments </td>
+          <td>(</td>
+          <td class="paramtype">char *&nbsp;</td>
+          <td class="paramname"> <em>orig_stmt</em>, </td>
+        </tr>
+        <tr>
+          <td class="paramkey"></td>
+          <td></td>
+          <td class="paramtype">int *&nbsp;</td>
+          <td class="paramname"> <em>n_args</em></td><td>&nbsp;</td>
+        </tr>
+        <tr>
+          <td></td>
+          <td>)</td>
+          <td></td><td></td><td></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+<p>Get the arguments passed to a function predicate in a pre-condition or post-condition (comma-separated values). </p>
+<p>FUNCTION: _AI_get_function_arguments </p>
+<dl><dt><b>Parameters:</b></dt><dd>
+  <table border="0" cellspacing="2" cellpadding="0">
+    <tr><td valign="top"></td><td valign="top"><em>origstmt</em>&nbsp;</td><td>Statement representing a pre-condition or post-condition </td></tr>
+    <tr><td valign="top"></td><td valign="top"><em>n_args</em>&nbsp;</td><td>Reference to an integer that will contain the number of arguments read </td></tr>
+  </table>
+  </dd>
+</dl>
+<dl class="return"><dt><b>Returns:</b></dt><dd>An array of strings containing the arguments of the function </dd></dl>
+
+</div>
+</div>
+<a class="anchor" id="ga7a1b2d01f526f24ea91d7f08bdefd4fe"></a><!-- doxytag: member="correlation.c::_AI_get_function_name" ref="ga7a1b2d01f526f24ea91d7f08bdefd4fe" args="(const char *orig_stmt)" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">PRIVATE char* _AI_get_function_name </td>
+          <td>(</td>
+          <td class="paramtype">const char *&nbsp;</td>
+          <td class="paramname"> <em>orig_stmt</em></td>
+          <td>&nbsp;)&nbsp;</td>
+          <td></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+<p>Get the name of the function called by a pre-condition or post-condition predicate. </p>
+<dl><dt><b>Parameters:</b></dt><dd>
+  <table border="0" cellspacing="2" cellpadding="0">
+    <tr><td valign="top"></td><td valign="top"><em>orig_stmt</em>&nbsp;</td><td>Statement representing a pre-condition or post-condition </td></tr>
+  </table>
+  </dd>
+</dl>
+<dl class="return"><dt><b>Returns:</b></dt><dd>The name of the function called by that statement </dd></dl>
+
 </div>
 </div>
 <a class="anchor" id="ga929e5c17fdb247a998d83ed6a4ae5a65"></a><!-- doxytag: member="correlation.c::_AI_hyperalert_from_XML" ref="ga929e5c17fdb247a998d83ed6a4ae5a65" args="(AI_hyperalert_key key)" -->
@@ -176,12 +269,12 @@ Variables</h2></td></tr>
 
 </div>
 </div>
-<a class="anchor" id="ga0d094eae1d014d89a2de21263fa747da"></a><!-- doxytag: member="correlation.c::_AI_macro_subst" ref="ga0d094eae1d014d89a2de21263fa747da" args="(AI_snort_alert **alert)" -->
+<a class="anchor" id="ga70a4aaf8b689472dad62ba7a9bbde1a6"></a><!-- doxytag: member="correlation.c::_AI_macro_subst" ref="ga70a4aaf8b689472dad62ba7a9bbde1a6" args="(AI_snort_alert **alert)" -->
 <div class="memitem">
 <div class="memproto">
       <table class="memname">
         <tr>
-          <td class="memname">void _AI_macro_subst </td>
+          <td class="memname">PRIVATE void _AI_macro_subst </td>
           <td>(</td>
           <td class="paramtype"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> **&nbsp;</td>
           <td class="paramname"> <em>alert</em></td>
@@ -200,6 +293,42 @@ Variables</h2></td></tr>
   </dd>
 </dl>
 
+</div>
+</div>
+<a class="anchor" id="ga4267a39fa1a5ac035015823bca43288e"></a><!-- doxytag: member="correlation.c::_AI_print_correlated_alerts" ref="ga4267a39fa1a5ac035015823bca43288e" args="(AI_alert_correlation *corr, FILE *fp)" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">PRIVATE void _AI_print_correlated_alerts </td>
+          <td>(</td>
+          <td class="paramtype"><a class="el" href="structAI__alert__correlation.html">AI_alert_correlation</a> *&nbsp;</td>
+          <td class="paramname"> <em>corr</em>, </td>
+        </tr>
+        <tr>
+          <td class="paramkey"></td>
+          <td></td>
+          <td class="paramtype">FILE *&nbsp;</td>
+          <td class="paramname"> <em>fp</em></td><td>&nbsp;</td>
+        </tr>
+        <tr>
+          <td></td>
+          <td>)</td>
+          <td></td><td></td><td></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
+<p>Recursively write a flow of correlated alerts to a .dot file, ready for being rendered as graph. </p>
+<dl><dt><b>Parameters:</b></dt><dd>
+  <table border="0" cellspacing="2" cellpadding="0">
+    <tr><td valign="top"></td><td valign="top"><em>corr_alerts</em>&nbsp;</td><td>Correlated alerts </td></tr>
+    <tr><td valign="top"></td><td valign="top"><em>fp</em>&nbsp;</td><td>File pointer </td></tr>
+  </table>
+  </dd>
+</dl>
+
 </div>
 </div>
 <a class="anchor" id="ga939353a4e15de7a8f4145ab986f584be"></a><!-- doxytag: member="correlation.c::AI_alert_correlation_thread" ref="ga939353a4e15de7a8f4145ab986f584be" args="(void *arg)" -->
@@ -309,7 +438,7 @@ Variables</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/group__regex.html b/doc/html/group__regex.html
index 848c7dc..15479f3 100644
--- a/doc/html/group__regex.html
+++ b/doc/html/group__regex.html
@@ -211,7 +211,7 @@ Functions</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/group__spp__ai.html b/doc/html/group__spp__ai.html
index b142286..e9b8f0d 100644
--- a/doc/html/group__spp__ai.html
+++ b/doc/html/group__spp__ai.html
@@ -215,7 +215,7 @@ Variables</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/group__stream.html b/doc/html/group__stream.html
index 79d0e3e..8b9e5c1 100644
--- a/doc/html/group__stream.html
+++ b/doc/html/group__stream.html
@@ -207,7 +207,7 @@ Functions</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/index.html b/doc/html/index.html
index 79433dd..45b4f01 100644
--- a/doc/html/index.html
+++ b/doc/html/index.html
@@ -59,7 +59,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/modules.html b/doc/html/modules.html
index 7d8d85c..6727fa1 100644
--- a/doc/html/modules.html
+++ b/doc/html/modules.html
@@ -67,7 +67,7 @@ Here is a list of all modules:<ul>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/mysql_8c.html b/doc/html/mysql_8c.html
index 9f25937..2587eb4 100644
--- a/doc/html/mysql_8c.html
+++ b/doc/html/mysql_8c.html
@@ -68,7 +68,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/regex_8c.html b/doc/html/regex_8c.html
index 8fe13d8..828d33b 100644
--- a/doc/html/regex_8c.html
+++ b/doc/html/regex_8c.html
@@ -82,7 +82,7 @@ Functions</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/search/all_5f.html b/doc/html/search/all_5f.html
index 86c8c86..296f697 100644
--- a/doc/html/search/all_5f.html
+++ b/doc/html/search/all_5f.html
@@ -33,89 +33,113 @@
 </div>
 <div class="SRResult" id="SR__5fai_5fcorrelation_5fcoefficient">
  <div class="SREntry">
-  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../group__correlation.html#ga130e82017fc0abcb76b1a7740ae2f4df" target="_parent">_AI_correlation_coefficient</a>
+  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../group__correlation.html#ga9cb283b28a66829574add58a251b93c6" target="_parent">_AI_correlation_coefficient</a>
+  <span class="SRScope">correlation.c</span>
+ </div>
+</div>
+<div class="SRResult" id="SR__5fai_5fcorrelation_5ftable_5fcleanup">
+ <div class="SREntry">
+  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../group__correlation.html#ga9bcb94264ffe30f113f3fb7287b774e3" target="_parent">_AI_correlation_table_cleanup</a>
   <span class="SRScope">correlation.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR__5fai_5fequal_5falarms">
  <div class="SREntry">
-  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../group__cluster.html#ga0f91c8bfc37a3975f5c26b19fd6c5cba" target="_parent">_AI_equal_alarms</a>
+  <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../group__cluster.html#ga0f91c8bfc37a3975f5c26b19fd6c5cba" target="_parent">_AI_equal_alarms</a>
   <span class="SRScope">cluster.c</span>
  </div>
 </div>
+<div class="SRResult" id="SR__5fai_5fget_5ffunction_5farguments">
+ <div class="SREntry">
+  <a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../group__correlation.html#gab716702cd226ab2ad957234a92da6e4a" target="_parent">_AI_get_function_arguments</a>
+  <span class="SRScope">correlation.c</span>
+ </div>
+</div>
+<div class="SRResult" id="SR__5fai_5fget_5ffunction_5fname">
+ <div class="SREntry">
+  <a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../group__correlation.html#ga7a1b2d01f526f24ea91d7f08bdefd4fe" target="_parent">_AI_get_function_name</a>
+  <span class="SRScope">correlation.c</span>
+ </div>
+</div>
 <div class="SRResult" id="SR__5fai_5fget_5fmin_5fhierarchy_5fnode">
  <div class="SREntry">
-  <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../group__cluster.html#ga6ddddcd505b1f763c339e81fc143e079" target="_parent">_AI_get_min_hierarchy_node</a>
+  <a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="../group__cluster.html#ga6ddddcd505b1f763c339e81fc143e079" target="_parent">_AI_get_min_hierarchy_node</a>
   <span class="SRScope">cluster.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR__5fai_5fhyperalert_5ffrom_5fxml">
  <div class="SREntry">
-  <a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../group__correlation.html#ga929e5c17fdb247a998d83ed6a4ae5a65" target="_parent">_AI_hyperalert_from_XML</a>
+  <a id="Item10" onkeydown="return searchResults.Nav(event,10)" onkeypress="return searchResults.Nav(event,10)" onkeyup="return searchResults.Nav(event,10)" class="SRSymbol" href="../group__correlation.html#ga929e5c17fdb247a998d83ed6a4ae5a65" target="_parent">_AI_hyperalert_from_XML</a>
   <span class="SRScope">correlation.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR__5fai_5fmacro_5fsubst">
  <div class="SREntry">
-  <a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../group__correlation.html#ga0d094eae1d014d89a2de21263fa747da" target="_parent">_AI_macro_subst</a>
+  <a id="Item11" onkeydown="return searchResults.Nav(event,11)" onkeypress="return searchResults.Nav(event,11)" onkeyup="return searchResults.Nav(event,11)" class="SRSymbol" href="../group__correlation.html#ga70a4aaf8b689472dad62ba7a9bbde1a6" target="_parent">_AI_macro_subst</a>
   <span class="SRScope">correlation.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR__5fai_5fmerge_5falerts">
  <div class="SREntry">
-  <a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="../group__cluster.html#ga8ce8e5a5d8954672297fa2dedb380dcd" target="_parent">_AI_merge_alerts</a>
+  <a id="Item12" onkeydown="return searchResults.Nav(event,12)" onkeypress="return searchResults.Nav(event,12)" onkeyup="return searchResults.Nav(event,12)" class="SRSymbol" href="../group__cluster.html#ga8ce8e5a5d8954672297fa2dedb380dcd" target="_parent">_AI_merge_alerts</a>
   <span class="SRScope">cluster.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR__5fai_5fprint_5fclustered_5falerts">
  <div class="SREntry">
-  <a id="Item10" onkeydown="return searchResults.Nav(event,10)" onkeypress="return searchResults.Nav(event,10)" onkeyup="return searchResults.Nav(event,10)" class="SRSymbol" href="../group__cluster.html#ga7d151880080470b542e99643dc0426a7" target="_parent">_AI_print_clustered_alerts</a>
+  <a id="Item13" onkeydown="return searchResults.Nav(event,13)" onkeypress="return searchResults.Nav(event,13)" onkeyup="return searchResults.Nav(event,13)" class="SRSymbol" href="../group__cluster.html#ga7d151880080470b542e99643dc0426a7" target="_parent">_AI_print_clustered_alerts</a>
   <span class="SRScope">cluster.c</span>
  </div>
 </div>
+<div class="SRResult" id="SR__5fai_5fprint_5fcorrelated_5falerts">
+ <div class="SREntry">
+  <a id="Item14" onkeydown="return searchResults.Nav(event,14)" onkeypress="return searchResults.Nav(event,14)" onkeyup="return searchResults.Nav(event,14)" class="SRSymbol" href="../group__correlation.html#ga4267a39fa1a5ac035015823bca43288e" target="_parent">_AI_print_correlated_alerts</a>
+  <span class="SRScope">correlation.c</span>
+ </div>
+</div>
 <div class="SRResult" id="SR__5fai_5fsnort_5falert">
  <div class="SREntry">
-  <a id="Item11" onkeydown="return searchResults.Nav(event,11)" onkeypress="return searchResults.Nav(event,11)" onkeyup="return searchResults.Nav(event,11)" class="SRSymbol" href="../struct__AI__snort__alert.html" target="_parent">_AI_snort_alert</a>
+  <a id="Item15" onkeydown="return searchResults.Nav(event,15)" onkeypress="return searchResults.Nav(event,15)" onkeyup="return searchResults.Nav(event,15)" class="SRSymbol" href="../struct__AI__snort__alert.html" target="_parent">_AI_snort_alert</a>
  </div>
 </div>
 <div class="SRResult" id="SR__5fai_5fstream_5ffree">
  <div class="SREntry">
-  <a id="Item12" onkeydown="return searchResults.Nav(event,12)" onkeypress="return searchResults.Nav(event,12)" onkeyup="return searchResults.Nav(event,12)" class="SRSymbol" href="../group__stream.html#ga80016adf701c717a6ebfb5b15b8a5749" target="_parent">_AI_stream_free</a>
+  <a id="Item16" onkeydown="return searchResults.Nav(event,16)" onkeypress="return searchResults.Nav(event,16)" onkeyup="return searchResults.Nav(event,16)" class="SRSymbol" href="../group__stream.html#ga80016adf701c717a6ebfb5b15b8a5749" target="_parent">_AI_stream_free</a>
   <span class="SRScope">stream.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR__5fconfig">
  <div class="SREntry">
-  <a id="Item13" onkeydown="return searchResults.Nav(event,13)" onkeypress="return searchResults.Nav(event,13)" onkeyup="return searchResults.Nav(event,13)" class="SRSymbol" href="../group__cluster.html#ga91458e2d34595688e39fcb63ba418849" target="_parent">_config</a>
+  <a id="Item17" onkeydown="return searchResults.Nav(event,17)" onkeypress="return searchResults.Nav(event,17)" onkeyup="return searchResults.Nav(event,17)" class="SRSymbol" href="../group__cluster.html#ga91458e2d34595688e39fcb63ba418849" target="_parent">_config</a>
   <span class="SRScope">cluster.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR__5fdpd">
  <div class="SREntry">
-  <a id="Item14" onkeydown="return searchResults.Nav(event,14)" onkeypress="return searchResults.Nav(event,14)" onkeyup="return searchResults.Nav(event,14)" class="SRSymbol" href="../spp__ai_8h.html#ab46420126c43c1aac5eabc5db266a71c" target="_parent">_dpd</a>
+  <a id="Item18" onkeydown="return searchResults.Nav(event,18)" onkeypress="return searchResults.Nav(event,18)" onkeyup="return searchResults.Nav(event,18)" class="SRSymbol" href="../spp__ai_8h.html#ab46420126c43c1aac5eabc5db266a71c" target="_parent">_dpd</a>
   <span class="SRScope">spp_ai.h</span>
  </div>
 </div>
 <div class="SRResult" id="SR__5fheuristic_5ffunc">
  <div class="SREntry">
-  <a id="Item15" onkeydown="return searchResults.Nav(event,15)" onkeypress="return searchResults.Nav(event,15)" onkeyup="return searchResults.Nav(event,15)" class="SRSymbol" href="../group__cluster.html#ga81f5fa721719fdb281595a568eef2101" target="_parent">_heuristic_func</a>
+  <a id="Item19" onkeydown="return searchResults.Nav(event,19)" onkeypress="return searchResults.Nav(event,19)" onkeyup="return searchResults.Nav(event,19)" class="SRSymbol" href="../group__cluster.html#ga81f5fa721719fdb281595a568eef2101" target="_parent">_heuristic_func</a>
   <span class="SRScope">cluster.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR__5fhierarchy_5fnode">
  <div class="SREntry">
-  <a id="Item16" onkeydown="return searchResults.Nav(event,16)" onkeypress="return searchResults.Nav(event,16)" onkeyup="return searchResults.Nav(event,16)" class="SRSymbol" href="../struct__hierarchy__node.html" target="_parent">_hierarchy_node</a>
+  <a id="Item20" onkeydown="return searchResults.Nav(event,20)" onkeypress="return searchResults.Nav(event,20)" onkeyup="return searchResults.Nav(event,20)" class="SRSymbol" href="../struct__hierarchy__node.html" target="_parent">_hierarchy_node</a>
  </div>
 </div>
 <div class="SRResult" id="SR__5fhierarchy_5fnode_5fappend">
  <div class="SREntry">
-  <a id="Item17" onkeydown="return searchResults.Nav(event,17)" onkeypress="return searchResults.Nav(event,17)" onkeyup="return searchResults.Nav(event,17)" class="SRSymbol" href="../group__cluster.html#ga5601a1f603d9c870ef6e2df192e30c30" target="_parent">_hierarchy_node_append</a>
+  <a id="Item21" onkeydown="return searchResults.Nav(event,21)" onkeypress="return searchResults.Nav(event,21)" onkeyup="return searchResults.Nav(event,21)" class="SRSymbol" href="../group__cluster.html#ga5601a1f603d9c870ef6e2df192e30c30" target="_parent">_hierarchy_node_append</a>
   <span class="SRScope">cluster.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR__5fhierarchy_5fnode_5fnew">
  <div class="SREntry">
-  <a id="Item18" onkeydown="return searchResults.Nav(event,18)" onkeypress="return searchResults.Nav(event,18)" onkeyup="return searchResults.Nav(event,18)" class="SRSymbol" href="../group__cluster.html#ga2f1a22cfea64e4669da0467620c3e3b3" target="_parent">_hierarchy_node_new</a>
+  <a id="Item22" onkeydown="return searchResults.Nav(event,22)" onkeypress="return searchResults.Nav(event,22)" onkeyup="return searchResults.Nav(event,22)" class="SRSymbol" href="../group__cluster.html#ga2f1a22cfea64e4669da0467620c3e3b3" target="_parent">_hierarchy_node_new</a>
   <span class="SRScope">cluster.c</span>
  </div>
 </div>
diff --git a/doc/html/search/all_61.html b/doc/html/search/all_61.html
index 6118213..057065a 100644
--- a/doc/html/search/all_61.html
+++ b/doc/html/search/all_61.html
@@ -9,8 +9,8 @@
 <div class="SRStatus" id="Loading">Loading...</div>
 <div class="SRResult" id="SR_a">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structAI__alert__correlation.html#a8737f171e1c1b2305c8fe77101d6aeb7" target="_parent">a</a>
-  <span class="SRScope">AI_alert_correlation</span>
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structAI__alert__correlation__key.html#a774daec9332da25835a0904d853acadb" target="_parent">a</a>
+  <span class="SRScope">AI_alert_correlation_key</span>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5falert_5fcorrelation">
@@ -18,196 +18,201 @@
   <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../structAI__alert__correlation.html" target="_parent">AI_alert_correlation</a>
  </div>
 </div>
+<div class="SRResult" id="SR_ai_5falert_5fcorrelation_5fkey">
+ <div class="SREntry">
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../structAI__alert__correlation__key.html" target="_parent">AI_alert_correlation_key</a>
+ </div>
+</div>
 <div class="SRResult" id="SR_ai_5falert_5fcorrelation_5fthread">
  <div class="SREntry">
-  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5falert_5fcorrelation_5fthread')">AI_alert_correlation_thread</a>
+  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5falert_5fcorrelation_5fthread')">AI_alert_correlation_thread</a>
   <div class="SRChildren">
-    <a id="Item2_c0" onkeydown="return searchResults.NavChild(event,2,0)" onkeypress="return searchResults.NavChild(event,2,0)" onkeyup="return searchResults.NavChild(event,2,0)" class="SRScope" href="../group__correlation.html#ga939353a4e15de7a8f4145ab986f584be" target="_parent">AI_alert_correlation_thread(void *arg):&nbsp;correlation.c</a>
-    <a id="Item2_c1" onkeydown="return searchResults.NavChild(event,2,1)" onkeypress="return searchResults.NavChild(event,2,1)" onkeyup="return searchResults.NavChild(event,2,1)" class="SRScope" href="../group__correlation.html#ga939353a4e15de7a8f4145ab986f584be" target="_parent">AI_alert_correlation_thread(void *):&nbsp;correlation.c</a>
+    <a id="Item3_c0" onkeydown="return searchResults.NavChild(event,3,0)" onkeypress="return searchResults.NavChild(event,3,0)" onkeyup="return searchResults.NavChild(event,3,0)" class="SRScope" href="../group__correlation.html#ga939353a4e15de7a8f4145ab986f584be" target="_parent">AI_alert_correlation_thread(void *arg):&nbsp;correlation.c</a>
+    <a id="Item3_c1" onkeydown="return searchResults.NavChild(event,3,1)" onkeypress="return searchResults.NavChild(event,3,1)" onkeyup="return searchResults.NavChild(event,3,1)" class="SRScope" href="../group__correlation.html#ga939353a4e15de7a8f4145ab986f584be" target="_parent">AI_alert_correlation_thread(void *):&nbsp;correlation.c</a>
   </div>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5fconfig">
  <div class="SREntry">
-  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../structAI__config.html" target="_parent">AI_config</a>
+  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../structAI__config.html" target="_parent">AI_config</a>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5ffile_5falertparser_5fthread">
  <div class="SREntry">
-  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5ffile_5falertparser_5fthread')">AI_file_alertparser_thread</a>
+  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5ffile_5falertparser_5fthread')">AI_file_alertparser_thread</a>
   <div class="SRChildren">
-    <a id="Item4_c0" onkeydown="return searchResults.NavChild(event,4,0)" onkeypress="return searchResults.NavChild(event,4,0)" onkeyup="return searchResults.NavChild(event,4,0)" class="SRScope" href="../group__alert__parser.html#ga5aab8d9bdf0e92a51731442fd787f61f" target="_parent">AI_file_alertparser_thread(void *arg):&nbsp;alert_parser.c</a>
-    <a id="Item4_c1" onkeydown="return searchResults.NavChild(event,4,1)" onkeypress="return searchResults.NavChild(event,4,1)" onkeyup="return searchResults.NavChild(event,4,1)" class="SRScope" href="../group__alert__parser.html#ga5aab8d9bdf0e92a51731442fd787f61f" target="_parent">AI_file_alertparser_thread(void *):&nbsp;alert_parser.c</a>
+    <a id="Item5_c0" onkeydown="return searchResults.NavChild(event,5,0)" onkeypress="return searchResults.NavChild(event,5,0)" onkeyup="return searchResults.NavChild(event,5,0)" class="SRScope" href="../group__alert__parser.html#ga5aab8d9bdf0e92a51731442fd787f61f" target="_parent">AI_file_alertparser_thread(void *arg):&nbsp;alert_parser.c</a>
+    <a id="Item5_c1" onkeydown="return searchResults.NavChild(event,5,1)" onkeypress="return searchResults.NavChild(event,5,1)" onkeyup="return searchResults.NavChild(event,5,1)" class="SRScope" href="../group__alert__parser.html#ga5aab8d9bdf0e92a51731442fd787f61f" target="_parent">AI_file_alertparser_thread(void *):&nbsp;alert_parser.c</a>
   </div>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5ffree_5falerts">
  <div class="SREntry">
-  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5ffree_5falerts')">AI_free_alerts</a>
+  <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5ffree_5falerts')">AI_free_alerts</a>
   <div class="SRChildren">
-    <a id="Item5_c0" onkeydown="return searchResults.NavChild(event,5,0)" onkeypress="return searchResults.NavChild(event,5,0)" onkeyup="return searchResults.NavChild(event,5,0)" class="SRScope" href="../group__alert__parser.html#ga270e86669a0aa64a8da37bc16cda645b" target="_parent">AI_free_alerts(AI_snort_alert *node):&nbsp;alert_parser.c</a>
-    <a id="Item5_c1" onkeydown="return searchResults.NavChild(event,5,1)" onkeypress="return searchResults.NavChild(event,5,1)" onkeyup="return searchResults.NavChild(event,5,1)" class="SRScope" href="../group__alert__parser.html#ga270e86669a0aa64a8da37bc16cda645b" target="_parent">AI_free_alerts(AI_snort_alert *node):&nbsp;alert_parser.c</a>
+    <a id="Item6_c0" onkeydown="return searchResults.NavChild(event,6,0)" onkeypress="return searchResults.NavChild(event,6,0)" onkeyup="return searchResults.NavChild(event,6,0)" class="SRScope" href="../group__alert__parser.html#ga270e86669a0aa64a8da37bc16cda645b" target="_parent">AI_free_alerts(AI_snort_alert *node):&nbsp;alert_parser.c</a>
+    <a id="Item6_c1" onkeydown="return searchResults.NavChild(event,6,1)" onkeypress="return searchResults.NavChild(event,6,1)" onkeyup="return searchResults.NavChild(event,6,1)" class="SRScope" href="../group__alert__parser.html#ga270e86669a0aa64a8da37bc16cda645b" target="_parent">AI_free_alerts(AI_snort_alert *node):&nbsp;alert_parser.c</a>
   </div>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5fget_5falerts">
  <div class="SREntry">
-  <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fget_5falerts')">AI_get_alerts</a>
+  <a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fget_5falerts')">AI_get_alerts</a>
   <div class="SRChildren">
-    <a id="Item6_c0" onkeydown="return searchResults.NavChild(event,6,0)" onkeypress="return searchResults.NavChild(event,6,0)" onkeyup="return searchResults.NavChild(event,6,0)" class="SRScope" href="../group__alert__parser.html#ga99474495643197b3075ac22ec6f6c70f" target="_parent">AI_get_alerts():&nbsp;alert_parser.c</a>
-    <a id="Item6_c1" onkeydown="return searchResults.NavChild(event,6,1)" onkeypress="return searchResults.NavChild(event,6,1)" onkeyup="return searchResults.NavChild(event,6,1)" class="SRScope" href="../group__alert__parser.html#ga99474495643197b3075ac22ec6f6c70f" target="_parent">AI_get_alerts(void):&nbsp;alert_parser.c</a>
+    <a id="Item7_c0" onkeydown="return searchResults.NavChild(event,7,0)" onkeypress="return searchResults.NavChild(event,7,0)" onkeyup="return searchResults.NavChild(event,7,0)" class="SRScope" href="../group__alert__parser.html#ga99474495643197b3075ac22ec6f6c70f" target="_parent">AI_get_alerts():&nbsp;alert_parser.c</a>
+    <a id="Item7_c1" onkeydown="return searchResults.NavChild(event,7,1)" onkeypress="return searchResults.NavChild(event,7,1)" onkeyup="return searchResults.NavChild(event,7,1)" class="SRScope" href="../group__alert__parser.html#ga99474495643197b3075ac22ec6f6c70f" target="_parent">AI_get_alerts(void):&nbsp;alert_parser.c</a>
   </div>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5fget_5fclustered_5falerts">
  <div class="SREntry">
-  <a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fget_5fclustered_5falerts')">AI_get_clustered_alerts</a>
+  <a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fget_5fclustered_5falerts')">AI_get_clustered_alerts</a>
   <div class="SRChildren">
-    <a id="Item7_c0" onkeydown="return searchResults.NavChild(event,7,0)" onkeypress="return searchResults.NavChild(event,7,0)" onkeyup="return searchResults.NavChild(event,7,0)" class="SRScope" href="../group__cluster.html#ga2553c678eeb83282c230d649a0e8fcd4" target="_parent">AI_get_clustered_alerts():&nbsp;cluster.c</a>
-    <a id="Item7_c1" onkeydown="return searchResults.NavChild(event,7,1)" onkeypress="return searchResults.NavChild(event,7,1)" onkeyup="return searchResults.NavChild(event,7,1)" class="SRScope" href="../group__cluster.html#ga2553c678eeb83282c230d649a0e8fcd4" target="_parent">AI_get_clustered_alerts(void):&nbsp;cluster.c</a>
+    <a id="Item8_c0" onkeydown="return searchResults.NavChild(event,8,0)" onkeypress="return searchResults.NavChild(event,8,0)" onkeyup="return searchResults.NavChild(event,8,0)" class="SRScope" href="../group__cluster.html#ga2553c678eeb83282c230d649a0e8fcd4" target="_parent">AI_get_clustered_alerts():&nbsp;cluster.c</a>
+    <a id="Item8_c1" onkeydown="return searchResults.NavChild(event,8,1)" onkeypress="return searchResults.NavChild(event,8,1)" onkeyup="return searchResults.NavChild(event,8,1)" class="SRScope" href="../group__cluster.html#ga2553c678eeb83282c230d649a0e8fcd4" target="_parent">AI_get_clustered_alerts(void):&nbsp;cluster.c</a>
   </div>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5fget_5fstream_5fby_5fkey">
  <div class="SREntry">
-  <a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fget_5fstream_5fby_5fkey')">AI_get_stream_by_key</a>
+  <a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fget_5fstream_5fby_5fkey')">AI_get_stream_by_key</a>
   <div class="SRChildren">
-    <a id="Item8_c0" onkeydown="return searchResults.NavChild(event,8,0)" onkeypress="return searchResults.NavChild(event,8,0)" onkeyup="return searchResults.NavChild(event,8,0)" class="SRScope" href="../group__stream.html#ga2efedcabbfd12c5345f0c93a3dd4735c" target="_parent">AI_get_stream_by_key(struct pkt_key):&nbsp;stream.c</a>
-    <a id="Item8_c1" onkeydown="return searchResults.NavChild(event,8,1)" onkeypress="return searchResults.NavChild(event,8,1)" onkeyup="return searchResults.NavChild(event,8,1)" class="SRScope" href="../group__stream.html#ga2efedcabbfd12c5345f0c93a3dd4735c" target="_parent">AI_get_stream_by_key(struct pkt_key key):&nbsp;stream.c</a>
+    <a id="Item9_c0" onkeydown="return searchResults.NavChild(event,9,0)" onkeypress="return searchResults.NavChild(event,9,0)" onkeyup="return searchResults.NavChild(event,9,0)" class="SRScope" href="../group__stream.html#ga2efedcabbfd12c5345f0c93a3dd4735c" target="_parent">AI_get_stream_by_key(struct pkt_key):&nbsp;stream.c</a>
+    <a id="Item9_c1" onkeydown="return searchResults.NavChild(event,9,1)" onkeypress="return searchResults.NavChild(event,9,1)" onkeyup="return searchResults.NavChild(event,9,1)" class="SRScope" href="../group__stream.html#ga2efedcabbfd12c5345f0c93a3dd4735c" target="_parent">AI_get_stream_by_key(struct pkt_key key):&nbsp;stream.c</a>
   </div>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5fhashcleanup_5fthread">
  <div class="SREntry">
-  <a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fhashcleanup_5fthread')">AI_hashcleanup_thread</a>
+  <a id="Item10" onkeydown="return searchResults.Nav(event,10)" onkeypress="return searchResults.Nav(event,10)" onkeyup="return searchResults.Nav(event,10)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fhashcleanup_5fthread')">AI_hashcleanup_thread</a>
   <div class="SRChildren">
-    <a id="Item9_c0" onkeydown="return searchResults.NavChild(event,9,0)" onkeypress="return searchResults.NavChild(event,9,0)" onkeyup="return searchResults.NavChild(event,9,0)" class="SRScope" href="../group__stream.html#ga24b1131374e5059564b8a12380c4eb75" target="_parent">AI_hashcleanup_thread(void *):&nbsp;stream.c</a>
-    <a id="Item9_c1" onkeydown="return searchResults.NavChild(event,9,1)" onkeypress="return searchResults.NavChild(event,9,1)" onkeyup="return searchResults.NavChild(event,9,1)" class="SRScope" href="../group__stream.html#ga24b1131374e5059564b8a12380c4eb75" target="_parent">AI_hashcleanup_thread(void *arg):&nbsp;stream.c</a>
+    <a id="Item10_c0" onkeydown="return searchResults.NavChild(event,10,0)" onkeypress="return searchResults.NavChild(event,10,0)" onkeyup="return searchResults.NavChild(event,10,0)" class="SRScope" href="../group__stream.html#ga24b1131374e5059564b8a12380c4eb75" target="_parent">AI_hashcleanup_thread(void *):&nbsp;stream.c</a>
+    <a id="Item10_c1" onkeydown="return searchResults.NavChild(event,10,1)" onkeypress="return searchResults.NavChild(event,10,1)" onkeyup="return searchResults.NavChild(event,10,1)" class="SRScope" href="../group__stream.html#ga24b1131374e5059564b8a12380c4eb75" target="_parent">AI_hashcleanup_thread(void *arg):&nbsp;stream.c</a>
   </div>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5fhierarchies_5fbuild">
  <div class="SREntry">
-  <a id="Item10" onkeydown="return searchResults.Nav(event,10)" onkeypress="return searchResults.Nav(event,10)" onkeyup="return searchResults.Nav(event,10)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fhierarchies_5fbuild')">AI_hierarchies_build</a>
+  <a id="Item11" onkeydown="return searchResults.Nav(event,11)" onkeypress="return searchResults.Nav(event,11)" onkeyup="return searchResults.Nav(event,11)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fhierarchies_5fbuild')">AI_hierarchies_build</a>
   <div class="SRChildren">
-    <a id="Item10_c0" onkeydown="return searchResults.NavChild(event,10,0)" onkeypress="return searchResults.NavChild(event,10,0)" onkeyup="return searchResults.NavChild(event,10,0)" class="SRScope" href="../group__cluster.html#ga1445818b37483f78cc3fb2890155842c" target="_parent">AI_hierarchies_build(AI_config *conf, hierarchy_node **nodes, int n_nodes):&nbsp;cluster.c</a>
-    <a id="Item10_c1" onkeydown="return searchResults.NavChild(event,10,1)" onkeypress="return searchResults.NavChild(event,10,1)" onkeyup="return searchResults.NavChild(event,10,1)" class="SRScope" href="../group__cluster.html#ga1445818b37483f78cc3fb2890155842c" target="_parent">AI_hierarchies_build(AI_config *, hierarchy_node **, int):&nbsp;cluster.c</a>
+    <a id="Item11_c0" onkeydown="return searchResults.NavChild(event,11,0)" onkeypress="return searchResults.NavChild(event,11,0)" onkeyup="return searchResults.NavChild(event,11,0)" class="SRScope" href="../group__cluster.html#ga1445818b37483f78cc3fb2890155842c" target="_parent">AI_hierarchies_build(AI_config *conf, hierarchy_node **nodes, int n_nodes):&nbsp;cluster.c</a>
+    <a id="Item11_c1" onkeydown="return searchResults.NavChild(event,11,1)" onkeypress="return searchResults.NavChild(event,11,1)" onkeyup="return searchResults.NavChild(event,11,1)" class="SRScope" href="../group__cluster.html#ga1445818b37483f78cc3fb2890155842c" target="_parent">AI_hierarchies_build(AI_config *, hierarchy_node **, int):&nbsp;cluster.c</a>
   </div>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5fhyperalert_5finfo">
  <div class="SREntry">
-  <a id="Item11" onkeydown="return searchResults.Nav(event,11)" onkeypress="return searchResults.Nav(event,11)" onkeyup="return searchResults.Nav(event,11)" class="SRSymbol" href="../structAI__hyperalert__info.html" target="_parent">AI_hyperalert_info</a>
+  <a id="Item12" onkeydown="return searchResults.Nav(event,12)" onkeypress="return searchResults.Nav(event,12)" onkeyup="return searchResults.Nav(event,12)" class="SRSymbol" href="../structAI__hyperalert__info.html" target="_parent">AI_hyperalert_info</a>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5fhyperalert_5fkey">
  <div class="SREntry">
-  <a id="Item12" onkeydown="return searchResults.Nav(event,12)" onkeypress="return searchResults.Nav(event,12)" onkeyup="return searchResults.Nav(event,12)" class="SRSymbol" href="../structAI__hyperalert__key.html" target="_parent">AI_hyperalert_key</a>
+  <a id="Item13" onkeydown="return searchResults.Nav(event,13)" onkeypress="return searchResults.Nav(event,13)" onkeyup="return searchResults.Nav(event,13)" class="SRSymbol" href="../structAI__hyperalert__key.html" target="_parent">AI_hyperalert_key</a>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5finit">
  <div class="SREntry">
-  <a id="Item13" onkeydown="return searchResults.Nav(event,13)" onkeypress="return searchResults.Nav(event,13)" onkeyup="return searchResults.Nav(event,13)" class="SRSymbol" href="../group__spp__ai.html#ga3524cbdf8fddbcf38c4ed55241002242" target="_parent">AI_init</a>
+  <a id="Item14" onkeydown="return searchResults.Nav(event,14)" onkeypress="return searchResults.Nav(event,14)" onkeyup="return searchResults.Nav(event,14)" class="SRSymbol" href="../group__spp__ai.html#ga3524cbdf8fddbcf38c4ed55241002242" target="_parent">AI_init</a>
   <span class="SRScope">spp_ai.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5fparse">
  <div class="SREntry">
-  <a id="Item14" onkeydown="return searchResults.Nav(event,14)" onkeypress="return searchResults.Nav(event,14)" onkeyup="return searchResults.Nav(event,14)" class="SRSymbol" href="../group__spp__ai.html#gae1c5c4b38ee2819d427848eb3046373e" target="_parent">AI_parse</a>
+  <a id="Item15" onkeydown="return searchResults.Nav(event,15)" onkeypress="return searchResults.Nav(event,15)" onkeyup="return searchResults.Nav(event,15)" class="SRSymbol" href="../group__spp__ai.html#gae1c5c4b38ee2819d427848eb3046373e" target="_parent">AI_parse</a>
   <span class="SRScope">spp_ai.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5fpkt_5fenqueue">
  <div class="SREntry">
-  <a id="Item15" onkeydown="return searchResults.Nav(event,15)" onkeypress="return searchResults.Nav(event,15)" onkeyup="return searchResults.Nav(event,15)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fpkt_5fenqueue')">AI_pkt_enqueue</a>
+  <a id="Item16" onkeydown="return searchResults.Nav(event,16)" onkeypress="return searchResults.Nav(event,16)" onkeyup="return searchResults.Nav(event,16)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fpkt_5fenqueue')">AI_pkt_enqueue</a>
   <div class="SRChildren">
-    <a id="Item15_c0" onkeydown="return searchResults.NavChild(event,15,0)" onkeypress="return searchResults.NavChild(event,15,0)" onkeyup="return searchResults.NavChild(event,15,0)" class="SRScope" href="../group__stream.html#ga7d71c5645b9baff7b6c4b9a181bf80c5" target="_parent">AI_pkt_enqueue(SFSnortPacket *):&nbsp;stream.c</a>
-    <a id="Item15_c1" onkeydown="return searchResults.NavChild(event,15,1)" onkeypress="return searchResults.NavChild(event,15,1)" onkeyup="return searchResults.NavChild(event,15,1)" class="SRScope" href="../group__stream.html#ga7d71c5645b9baff7b6c4b9a181bf80c5" target="_parent">AI_pkt_enqueue(SFSnortPacket *pkt):&nbsp;stream.c</a>
+    <a id="Item16_c0" onkeydown="return searchResults.NavChild(event,16,0)" onkeypress="return searchResults.NavChild(event,16,0)" onkeyup="return searchResults.NavChild(event,16,0)" class="SRScope" href="../group__stream.html#ga7d71c5645b9baff7b6c4b9a181bf80c5" target="_parent">AI_pkt_enqueue(SFSnortPacket *):&nbsp;stream.c</a>
+    <a id="Item16_c1" onkeydown="return searchResults.NavChild(event,16,1)" onkeypress="return searchResults.NavChild(event,16,1)" onkeyup="return searchResults.NavChild(event,16,1)" class="SRScope" href="../group__stream.html#ga7d71c5645b9baff7b6c4b9a181bf80c5" target="_parent">AI_pkt_enqueue(SFSnortPacket *pkt):&nbsp;stream.c</a>
   </div>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5fprocess">
  <div class="SREntry">
-  <a id="Item16" onkeydown="return searchResults.Nav(event,16)" onkeypress="return searchResults.Nav(event,16)" onkeyup="return searchResults.Nav(event,16)" class="SRSymbol" href="../group__spp__ai.html#ga57c05cda012c443cb4c358dc327cd3d1" target="_parent">AI_process</a>
+  <a id="Item17" onkeydown="return searchResults.Nav(event,17)" onkeypress="return searchResults.Nav(event,17)" onkeyup="return searchResults.Nav(event,17)" class="SRSymbol" href="../group__spp__ai.html#ga57c05cda012c443cb4c358dc327cd3d1" target="_parent">AI_process</a>
   <span class="SRScope">spp_ai.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5fset_5fstream_5fobserved">
  <div class="SREntry">
-  <a id="Item17" onkeydown="return searchResults.Nav(event,17)" onkeypress="return searchResults.Nav(event,17)" onkeyup="return searchResults.Nav(event,17)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fset_5fstream_5fobserved')">AI_set_stream_observed</a>
+  <a id="Item18" onkeydown="return searchResults.Nav(event,18)" onkeypress="return searchResults.Nav(event,18)" onkeyup="return searchResults.Nav(event,18)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fset_5fstream_5fobserved')">AI_set_stream_observed</a>
   <div class="SRChildren">
-    <a id="Item17_c0" onkeydown="return searchResults.NavChild(event,17,0)" onkeypress="return searchResults.NavChild(event,17,0)" onkeyup="return searchResults.NavChild(event,17,0)" class="SRScope" href="../group__stream.html#ga8749989cee2ac05a7de058faac280c02" target="_parent">AI_set_stream_observed(struct pkt_key key):&nbsp;stream.c</a>
-    <a id="Item17_c1" onkeydown="return searchResults.NavChild(event,17,1)" onkeypress="return searchResults.NavChild(event,17,1)" onkeyup="return searchResults.NavChild(event,17,1)" class="SRScope" href="../group__stream.html#ga8749989cee2ac05a7de058faac280c02" target="_parent">AI_set_stream_observed(struct pkt_key key):&nbsp;stream.c</a>
+    <a id="Item18_c0" onkeydown="return searchResults.NavChild(event,18,0)" onkeypress="return searchResults.NavChild(event,18,0)" onkeyup="return searchResults.NavChild(event,18,0)" class="SRScope" href="../group__stream.html#ga8749989cee2ac05a7de058faac280c02" target="_parent">AI_set_stream_observed(struct pkt_key key):&nbsp;stream.c</a>
+    <a id="Item18_c1" onkeydown="return searchResults.NavChild(event,18,1)" onkeypress="return searchResults.NavChild(event,18,1)" onkeyup="return searchResults.NavChild(event,18,1)" class="SRScope" href="../group__stream.html#ga8749989cee2ac05a7de058faac280c02" target="_parent">AI_set_stream_observed(struct pkt_key key):&nbsp;stream.c</a>
   </div>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5fsetup">
  <div class="SREntry">
-  <a id="Item18" onkeydown="return searchResults.Nav(event,18)" onkeypress="return searchResults.Nav(event,18)" onkeyup="return searchResults.Nav(event,18)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fsetup')">AI_setup</a>
+  <a id="Item19" onkeydown="return searchResults.Nav(event,19)" onkeypress="return searchResults.Nav(event,19)" onkeyup="return searchResults.Nav(event,19)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fsetup')">AI_setup</a>
   <div class="SRChildren">
-    <a id="Item18_c0" onkeydown="return searchResults.NavChild(event,18,0)" onkeypress="return searchResults.NavChild(event,18,0)" onkeyup="return searchResults.NavChild(event,18,0)" class="SRScope" href="../group__spp__ai.html#ga1b9ebb5c719c7d9426ddfc1f3da36570" target="_parent">AI_setup():&nbsp;spp_ai.c</a>
-    <a id="Item18_c1" onkeydown="return searchResults.NavChild(event,18,1)" onkeypress="return searchResults.NavChild(event,18,1)" onkeyup="return searchResults.NavChild(event,18,1)" class="SRScope" href="../group__spp__ai.html#ga1b9ebb5c719c7d9426ddfc1f3da36570" target="_parent">AI_setup(void):&nbsp;spp_ai.c</a>
+    <a id="Item19_c0" onkeydown="return searchResults.NavChild(event,19,0)" onkeypress="return searchResults.NavChild(event,19,0)" onkeyup="return searchResults.NavChild(event,19,0)" class="SRScope" href="../group__spp__ai.html#ga1b9ebb5c719c7d9426ddfc1f3da36570" target="_parent">AI_setup():&nbsp;spp_ai.c</a>
+    <a id="Item19_c1" onkeydown="return searchResults.NavChild(event,19,1)" onkeypress="return searchResults.NavChild(event,19,1)" onkeyup="return searchResults.NavChild(event,19,1)" class="SRScope" href="../group__spp__ai.html#ga1b9ebb5c719c7d9426ddfc1f3da36570" target="_parent">AI_setup(void):&nbsp;spp_ai.c</a>
   </div>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5fsnort_5falert">
  <div class="SREntry">
-  <a id="Item19" onkeydown="return searchResults.Nav(event,19)" onkeypress="return searchResults.Nav(event,19)" onkeyup="return searchResults.Nav(event,19)" class="SRSymbol" href="../spp__ai_8h.html#a982be90e72362e88d09f28336c9a1897" target="_parent">AI_snort_alert</a>
+  <a id="Item20" onkeydown="return searchResults.Nav(event,20)" onkeypress="return searchResults.Nav(event,20)" onkeyup="return searchResults.Nav(event,20)" class="SRSymbol" href="../spp__ai_8h.html#a982be90e72362e88d09f28336c9a1897" target="_parent">AI_snort_alert</a>
   <span class="SRScope">spp_ai.h</span>
  </div>
 </div>
 <div class="SRResult" id="SR_alert_5ffp">
  <div class="SREntry">
-  <a id="Item20" onkeydown="return searchResults.Nav(event,20)" onkeypress="return searchResults.Nav(event,20)" onkeyup="return searchResults.Nav(event,20)" class="SRSymbol" href="../alert__parser_8c.html#abee2a33368912d9288c76b51160a9ed6" target="_parent">alert_fp</a>
+  <a id="Item21" onkeydown="return searchResults.Nav(event,21)" onkeypress="return searchResults.Nav(event,21)" onkeyup="return searchResults.Nav(event,21)" class="SRSymbol" href="../alert__parser_8c.html#abee2a33368912d9288c76b51160a9ed6" target="_parent">alert_fp</a>
   <span class="SRScope">alert_parser.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR_alert_5flog">
  <div class="SREntry">
-  <a id="Item21" onkeydown="return searchResults.Nav(event,21)" onkeypress="return searchResults.Nav(event,21)" onkeyup="return searchResults.Nav(event,21)" class="SRSymbol" href="../group__cluster.html#gaaf4c19f60f48741b0890c6114dcff7d9" target="_parent">alert_log</a>
+  <a id="Item22" onkeydown="return searchResults.Nav(event,22)" onkeypress="return searchResults.Nav(event,22)" onkeyup="return searchResults.Nav(event,22)" class="SRSymbol" href="../group__cluster.html#gaaf4c19f60f48741b0890c6114dcff7d9" target="_parent">alert_log</a>
   <span class="SRScope">cluster.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR_alert_5fparser_2ec">
  <div class="SREntry">
-  <a id="Item22" onkeydown="return searchResults.Nav(event,22)" onkeypress="return searchResults.Nav(event,22)" onkeyup="return searchResults.Nav(event,22)" class="SRSymbol" href="../alert__parser_8c.html" target="_parent">alert_parser.c</a>
+  <a id="Item23" onkeydown="return searchResults.Nav(event,23)" onkeypress="return searchResults.Nav(event,23)" onkeyup="return searchResults.Nav(event,23)" class="SRSymbol" href="../alert__parser_8c.html" target="_parent">alert_parser.c</a>
  </div>
 </div>
 <div class="SRResult" id="SR_alertclusteringinterval">
  <div class="SREntry">
-  <a id="Item23" onkeydown="return searchResults.Nav(event,23)" onkeypress="return searchResults.Nav(event,23)" onkeyup="return searchResults.Nav(event,23)" class="SRSymbol" href="../structAI__config.html#a7d0d098b8263aa3d8415b11d1ec7f93d" target="_parent">alertClusteringInterval</a>
+  <a id="Item24" onkeydown="return searchResults.Nav(event,24)" onkeypress="return searchResults.Nav(event,24)" onkeyup="return searchResults.Nav(event,24)" class="SRSymbol" href="../structAI__config.html#a7d0d098b8263aa3d8415b11d1ec7f93d" target="_parent">alertClusteringInterval</a>
   <span class="SRScope">AI_config</span>
  </div>
 </div>
 <div class="SRResult" id="SR_alertfile">
  <div class="SREntry">
-  <a id="Item24" onkeydown="return searchResults.Nav(event,24)" onkeypress="return searchResults.Nav(event,24)" onkeyup="return searchResults.Nav(event,24)" class="SRSymbol" href="../structAI__config.html#a2efa9590d7eea6dce8b5dd9aa76ed8ca" target="_parent">alertfile</a>
+  <a id="Item25" onkeydown="return searchResults.Nav(event,25)" onkeypress="return searchResults.Nav(event,25)" onkeyup="return searchResults.Nav(event,25)" class="SRSymbol" href="../structAI__config.html#a2efa9590d7eea6dce8b5dd9aa76ed8ca" target="_parent">alertfile</a>
   <span class="SRScope">AI_config</span>
  </div>
 </div>
 <div class="SRResult" id="SR_alertparser_5fthread">
  <div class="SREntry">
-  <a id="Item25" onkeydown="return searchResults.Nav(event,25)" onkeypress="return searchResults.Nav(event,25)" onkeyup="return searchResults.Nav(event,25)" class="SRSymbol" href="../group__spp__ai.html#gaa3100e48acef5cf4370c3042ff548ed0" target="_parent">alertparser_thread</a>
+  <a id="Item26" onkeydown="return searchResults.Nav(event,26)" onkeypress="return searchResults.Nav(event,26)" onkeyup="return searchResults.Nav(event,26)" class="SRSymbol" href="../group__spp__ai.html#gaa3100e48acef5cf4370c3042ff548ed0" target="_parent">alertparser_thread</a>
   <span class="SRScope">spp_ai.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR_alerts">
  <div class="SREntry">
-  <a id="Item26" onkeydown="return searchResults.Nav(event,26)" onkeypress="return searchResults.Nav(event,26)" onkeyup="return searchResults.Nav(event,26)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_alerts')">alerts</a>
+  <a id="Item27" onkeydown="return searchResults.Nav(event,27)" onkeypress="return searchResults.Nav(event,27)" onkeyup="return searchResults.Nav(event,27)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_alerts')">alerts</a>
   <div class="SRChildren">
-    <a id="Item26_c0" onkeydown="return searchResults.NavChild(event,26,0)" onkeypress="return searchResults.NavChild(event,26,0)" onkeyup="return searchResults.NavChild(event,26,0)" class="SRScope" href="../alert__parser_8c.html#ae837fc04e61c0eb052f997c54b4fd9fe" target="_parent">alerts():&nbsp;alert_parser.c</a>
-    <a id="Item26_c1" onkeydown="return searchResults.NavChild(event,26,1)" onkeypress="return searchResults.NavChild(event,26,1)" onkeyup="return searchResults.NavChild(event,26,1)" class="SRScope" href="../group__correlation.html#gae837fc04e61c0eb052f997c54b4fd9fe" target="_parent">alerts():&nbsp;correlation.c</a>
+    <a id="Item27_c0" onkeydown="return searchResults.NavChild(event,27,0)" onkeypress="return searchResults.NavChild(event,27,0)" onkeyup="return searchResults.NavChild(event,27,0)" class="SRScope" href="../alert__parser_8c.html#ae837fc04e61c0eb052f997c54b4fd9fe" target="_parent">alerts():&nbsp;alert_parser.c</a>
+    <a id="Item27_c1" onkeydown="return searchResults.NavChild(event,27,1)" onkeypress="return searchResults.NavChild(event,27,1)" onkeyup="return searchResults.NavChild(event,27,1)" class="SRScope" href="../group__correlation.html#gae837fc04e61c0eb052f997c54b4fd9fe" target="_parent">alerts():&nbsp;correlation.c</a>
   </div>
  </div>
 </div>
 <div class="SRResult" id="SR_attribute_5fkey">
  <div class="SREntry">
-  <a id="Item27" onkeydown="return searchResults.Nav(event,27)" onkeypress="return searchResults.Nav(event,27)" onkeyup="return searchResults.Nav(event,27)" class="SRSymbol" href="../structattribute__key.html" target="_parent">attribute_key</a>
+  <a id="Item28" onkeydown="return searchResults.Nav(event,28)" onkeypress="return searchResults.Nav(event,28)" onkeyup="return searchResults.Nav(event,28)" class="SRSymbol" href="../structattribute__key.html" target="_parent">attribute_key</a>
  </div>
 </div>
 <div class="SRResult" id="SR_attribute_5fvalue">
  <div class="SREntry">
-  <a id="Item28" onkeydown="return searchResults.Nav(event,28)" onkeypress="return searchResults.Nav(event,28)" onkeyup="return searchResults.Nav(event,28)" class="SRSymbol" href="../structattribute__value.html" target="_parent">attribute_value</a>
+  <a id="Item29" onkeydown="return searchResults.Nav(event,29)" onkeypress="return searchResults.Nav(event,29)" onkeyup="return searchResults.Nav(event,29)" class="SRSymbol" href="../structattribute__value.html" target="_parent">attribute_value</a>
  </div>
 </div>
 <div class="SRStatus" id="Searching">Searching...</div>
diff --git a/doc/html/search/all_62.html b/doc/html/search/all_62.html
index c2641d0..d50c466 100644
--- a/doc/html/search/all_62.html
+++ b/doc/html/search/all_62.html
@@ -9,8 +9,8 @@
 <div class="SRStatus" id="Loading">Loading...</div>
 <div class="SRResult" id="SR_b">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structAI__alert__correlation.html#a478f1a6f18f9c083b203efdf776379cd" target="_parent">b</a>
-  <span class="SRScope">AI_alert_correlation</span>
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structAI__alert__correlation__key.html#a5805dec6499a83b818091b4f21c715dc" target="_parent">b</a>
+  <span class="SRScope">AI_alert_correlation_key</span>
  </div>
 </div>
 <div class="SRResult" id="SR_bool">
diff --git a/doc/html/search/all_63.html b/doc/html/search/all_63.html
index 434e40d..b0eb206 100644
--- a/doc/html/search/all_63.html
+++ b/doc/html/search/all_63.html
@@ -48,38 +48,50 @@
   <span class="SRScope">correlation.c</span>
  </div>
 </div>
+<div class="SRResult" id="SR_corr_5falerts_5fdir">
+ <div class="SREntry">
+  <a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../structAI__config.html#ae68f5489e2ec9ea1408f98fe36d050c9" target="_parent">corr_alerts_dir</a>
+  <span class="SRScope">AI_config</span>
+ </div>
+</div>
 <div class="SRResult" id="SR_corr_5frules_5fdir">
  <div class="SREntry">
-  <a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../structAI__config.html#ab7ea93bbe72b85c4019b4f5656ad62fc" target="_parent">corr_rules_dir</a>
+  <a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../structAI__config.html#ab7ea93bbe72b85c4019b4f5656ad62fc" target="_parent">corr_rules_dir</a>
   <span class="SRScope">AI_config</span>
  </div>
 </div>
 <div class="SRResult" id="SR_correlation">
  <div class="SREntry">
-  <a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../structAI__alert__correlation.html#aad417b2126ae26d7576f006a3dbcdc81" target="_parent">correlation</a>
+  <a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="../structAI__alert__correlation.html#aad417b2126ae26d7576f006a3dbcdc81" target="_parent">correlation</a>
   <span class="SRScope">AI_alert_correlation</span>
  </div>
 </div>
 <div class="SRResult" id="SR_correlation_2ec">
  <div class="SREntry">
-  <a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="../correlation_8c.html" target="_parent">correlation.c</a>
+  <a id="Item10" onkeydown="return searchResults.Nav(event,10)" onkeypress="return searchResults.Nav(event,10)" onkeyup="return searchResults.Nav(event,10)" class="SRSymbol" href="../correlation_8c.html" target="_parent">correlation.c</a>
  </div>
 </div>
 <div class="SRResult" id="SR_correlation_5ftable">
  <div class="SREntry">
-  <a id="Item10" onkeydown="return searchResults.Nav(event,10)" onkeypress="return searchResults.Nav(event,10)" onkeyup="return searchResults.Nav(event,10)" class="SRSymbol" href="../group__correlation.html#ga701934a296c51f2397d24e8bf4a9f021" target="_parent">correlation_table</a>
+  <a id="Item11" onkeydown="return searchResults.Nav(event,11)" onkeypress="return searchResults.Nav(event,11)" onkeyup="return searchResults.Nav(event,11)" class="SRSymbol" href="../group__correlation.html#ga701934a296c51f2397d24e8bf4a9f021" target="_parent">correlation_table</a>
   <span class="SRScope">correlation.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR_correlationgraphinterval">
  <div class="SREntry">
-  <a id="Item11" onkeydown="return searchResults.Nav(event,11)" onkeypress="return searchResults.Nav(event,11)" onkeyup="return searchResults.Nav(event,11)" class="SRSymbol" href="../structAI__config.html#aa736375e57a59936e2e782b7cd200e41" target="_parent">correlationGraphInterval</a>
+  <a id="Item12" onkeydown="return searchResults.Nav(event,12)" onkeypress="return searchResults.Nav(event,12)" onkeyup="return searchResults.Nav(event,12)" class="SRSymbol" href="../structAI__config.html#aa736375e57a59936e2e782b7cd200e41" target="_parent">correlationGraphInterval</a>
+  <span class="SRScope">AI_config</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_correlationthresholdcoefficient">
+ <div class="SREntry">
+  <a id="Item13" onkeydown="return searchResults.Nav(event,13)" onkeypress="return searchResults.Nav(event,13)" onkeyup="return searchResults.Nav(event,13)" class="SRSymbol" href="../structAI__config.html#adf6ef0faedfb4dea0a1353e781b14883" target="_parent">correlationThresholdCoefficient</a>
   <span class="SRScope">AI_config</span>
  </div>
 </div>
 <div class="SRResult" id="SR_count">
  <div class="SREntry">
-  <a id="Item12" onkeydown="return searchResults.Nav(event,12)" onkeypress="return searchResults.Nav(event,12)" onkeyup="return searchResults.Nav(event,12)" class="SRSymbol" href="../structattribute__value.html#a5579c0304c2e9ab488ac94905b385045" target="_parent">count</a>
+  <a id="Item14" onkeydown="return searchResults.Nav(event,14)" onkeypress="return searchResults.Nav(event,14)" onkeyup="return searchResults.Nav(event,14)" class="SRSymbol" href="../structattribute__value.html#a5579c0304c2e9ab488ac94905b385045" target="_parent">count</a>
   <span class="SRScope">attribute_value</span>
  </div>
 </div>
diff --git a/doc/html/search/all_64.html b/doc/html/search/all_64.html
index 5aeb99d..8a289e7 100644
--- a/doc/html/search/all_64.html
+++ b/doc/html/search/all_64.html
@@ -71,54 +71,72 @@
   <span class="SRScope">spp_ai.h</span>
  </div>
 </div>
+<div class="SRResult" id="SR_default_5fcorr_5falerts_5fdir">
+ <div class="SREntry">
+  <a id="Item11" onkeydown="return searchResults.Nav(event,11)" onkeypress="return searchResults.Nav(event,11)" onkeyup="return searchResults.Nav(event,11)" class="SRSymbol" href="../spp__ai_8h.html#a7bbeccba60012abcc98db33d39294829" target="_parent">DEFAULT_CORR_ALERTS_DIR</a>
+  <span class="SRScope">spp_ai.h</span>
+ </div>
+</div>
 <div class="SRResult" id="SR_default_5fcorr_5frules_5fdir">
  <div class="SREntry">
-  <a id="Item11" onkeydown="return searchResults.Nav(event,11)" onkeypress="return searchResults.Nav(event,11)" onkeyup="return searchResults.Nav(event,11)" class="SRSymbol" href="../spp__ai_8h.html#a89448386cad5d5533992ae7ee84f4f1d" target="_parent">DEFAULT_CORR_RULES_DIR</a>
+  <a id="Item12" onkeydown="return searchResults.Nav(event,12)" onkeypress="return searchResults.Nav(event,12)" onkeyup="return searchResults.Nav(event,12)" class="SRSymbol" href="../spp__ai_8h.html#a89448386cad5d5533992ae7ee84f4f1d" target="_parent">DEFAULT_CORR_RULES_DIR</a>
+  <span class="SRScope">spp_ai.h</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_default_5fcorr_5fthreshold">
+ <div class="SREntry">
+  <a id="Item13" onkeydown="return searchResults.Nav(event,13)" onkeypress="return searchResults.Nav(event,13)" onkeyup="return searchResults.Nav(event,13)" class="SRSymbol" href="../spp__ai_8h.html#aaedb0b7dc2bdf8d44d3fee2189a55a19" target="_parent">DEFAULT_CORR_THRESHOLD</a>
   <span class="SRScope">spp_ai.h</span>
  </div>
 </div>
 <div class="SRResult" id="SR_default_5fdatabase_5finterval">
  <div class="SREntry">
-  <a id="Item12" onkeydown="return searchResults.Nav(event,12)" onkeypress="return searchResults.Nav(event,12)" onkeyup="return searchResults.Nav(event,12)" class="SRSymbol" href="../spp__ai_8h.html#a3c4984a0ee515fbc091ac6e33b05e310" target="_parent">DEFAULT_DATABASE_INTERVAL</a>
+  <a id="Item14" onkeydown="return searchResults.Nav(event,14)" onkeypress="return searchResults.Nav(event,14)" onkeyup="return searchResults.Nav(event,14)" class="SRSymbol" href="../spp__ai_8h.html#a3c4984a0ee515fbc091ac6e33b05e310" target="_parent">DEFAULT_DATABASE_INTERVAL</a>
   <span class="SRScope">spp_ai.h</span>
  </div>
 </div>
 <div class="SRResult" id="SR_default_5fhash_5fcleanup_5finterval">
  <div class="SREntry">
-  <a id="Item13" onkeydown="return searchResults.Nav(event,13)" onkeypress="return searchResults.Nav(event,13)" onkeyup="return searchResults.Nav(event,13)" class="SRSymbol" href="../spp__ai_8h.html#a5f555c0ebd29ce2771a3e2dd4f526746" target="_parent">DEFAULT_HASH_CLEANUP_INTERVAL</a>
+  <a id="Item15" onkeydown="return searchResults.Nav(event,15)" onkeypress="return searchResults.Nav(event,15)" onkeyup="return searchResults.Nav(event,15)" class="SRSymbol" href="../spp__ai_8h.html#a5f555c0ebd29ce2771a3e2dd4f526746" target="_parent">DEFAULT_HASH_CLEANUP_INTERVAL</a>
   <span class="SRScope">spp_ai.h</span>
  </div>
 </div>
 <div class="SRResult" id="SR_default_5fstream_5fexpire_5finterval">
  <div class="SREntry">
-  <a id="Item14" onkeydown="return searchResults.Nav(event,14)" onkeypress="return searchResults.Nav(event,14)" onkeyup="return searchResults.Nav(event,14)" class="SRSymbol" href="../spp__ai_8h.html#a0f6a189af15ef783fb46ed37c144e031" target="_parent">DEFAULT_STREAM_EXPIRE_INTERVAL</a>
+  <a id="Item16" onkeydown="return searchResults.Nav(event,16)" onkeypress="return searchResults.Nav(event,16)" onkeyup="return searchResults.Nav(event,16)" class="SRSymbol" href="../spp__ai_8h.html#a0f6a189af15ef783fb46ed37c144e031" target="_parent">DEFAULT_STREAM_EXPIRE_INTERVAL</a>
   <span class="SRScope">spp_ai.h</span>
  </div>
 </div>
+<div class="SRResult" id="SR_derived_5falerts">
+ <div class="SREntry">
+  <a id="Item17" onkeydown="return searchResults.Nav(event,17)" onkeypress="return searchResults.Nav(event,17)" onkeyup="return searchResults.Nav(event,17)" class="SRSymbol" href="../struct__AI__snort__alert.html#aac5e4078600ed17532db1f3d78165390" target="_parent">derived_alerts</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
 <div class="SRResult" id="SR_desc">
  <div class="SREntry">
-  <a id="Item15" onkeydown="return searchResults.Nav(event,15)" onkeypress="return searchResults.Nav(event,15)" onkeyup="return searchResults.Nav(event,15)" class="SRSymbol" href="../struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135" target="_parent">desc</a>
+  <a id="Item18" onkeydown="return searchResults.Nav(event,18)" onkeypress="return searchResults.Nav(event,18)" onkeyup="return searchResults.Nav(event,18)" class="SRSymbol" href="../struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135" target="_parent">desc</a>
   <span class="SRScope">_AI_snort_alert</span>
  </div>
 </div>
 <div class="SRResult" id="SR_dst_5faddr">
  <div class="SREntry">
-  <a id="Item16" onkeydown="return searchResults.Nav(event,16)" onkeypress="return searchResults.Nav(event,16)" onkeyup="return searchResults.Nav(event,16)" class="SRSymbol" href="../spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640aa000f955ef1374c60cdb16bf43a1593c" target="_parent">dst_addr</a>
+  <a id="Item19" onkeydown="return searchResults.Nav(event,19)" onkeypress="return searchResults.Nav(event,19)" onkeyup="return searchResults.Nav(event,19)" class="SRSymbol" href="../spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640aa000f955ef1374c60cdb16bf43a1593c" target="_parent">dst_addr</a>
   <span class="SRScope">spp_ai.h</span>
  </div>
 </div>
 <div class="SRResult" id="SR_dst_5fport">
  <div class="SREntry">
-  <a id="Item17" onkeydown="return searchResults.Nav(event,17)" onkeypress="return searchResults.Nav(event,17)" onkeyup="return searchResults.Nav(event,17)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_dst_5fport')">dst_port</a>
+  <a id="Item20" onkeydown="return searchResults.Nav(event,20)" onkeypress="return searchResults.Nav(event,20)" onkeyup="return searchResults.Nav(event,20)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_dst_5fport')">dst_port</a>
   <div class="SRChildren">
-    <a id="Item17_c0" onkeydown="return searchResults.NavChild(event,17,0)" onkeypress="return searchResults.NavChild(event,17,0)" onkeyup="return searchResults.NavChild(event,17,0)" class="SRScope" href="../structpkt__key.html#af77f5eb1f4cd88b43fe99fd73553351d" target="_parent">pkt_key::dst_port()</a>
-    <a id="Item17_c1" onkeydown="return searchResults.NavChild(event,17,1)" onkeypress="return searchResults.NavChild(event,17,1)" onkeyup="return searchResults.NavChild(event,17,1)" class="SRScope" href="../spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640abc4f89a184ada44073bd6f54d7fc11c9" target="_parent">dst_port():&nbsp;spp_ai.h</a>
+    <a id="Item20_c0" onkeydown="return searchResults.NavChild(event,20,0)" onkeypress="return searchResults.NavChild(event,20,0)" onkeyup="return searchResults.NavChild(event,20,0)" class="SRScope" href="../structpkt__key.html#af77f5eb1f4cd88b43fe99fd73553351d" target="_parent">pkt_key::dst_port()</a>
+    <a id="Item20_c1" onkeydown="return searchResults.NavChild(event,20,1)" onkeypress="return searchResults.NavChild(event,20,1)" onkeyup="return searchResults.NavChild(event,20,1)" class="SRScope" href="../spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640abc4f89a184ada44073bd6f54d7fc11c9" target="_parent">dst_port():&nbsp;spp_ai.h</a>
   </div>
  </div>
 </div>
 <div class="SRResult" id="SR_dynamic_5fpreproc_5fsetup">
  <div class="SREntry">
-  <a id="Item18" onkeydown="return searchResults.Nav(event,18)" onkeypress="return searchResults.Nav(event,18)" onkeyup="return searchResults.Nav(event,18)" class="SRSymbol" href="../sf__preproc__info_8h.html#aba4c0d0af324a3861e662ed4650aae44" target="_parent">DYNAMIC_PREPROC_SETUP</a>
+  <a id="Item21" onkeydown="return searchResults.Nav(event,21)" onkeypress="return searchResults.Nav(event,21)" onkeyup="return searchResults.Nav(event,21)" class="SRSymbol" href="../sf__preproc__info_8h.html#aba4c0d0af324a3861e662ed4650aae44" target="_parent">DYNAMIC_PREPROC_SETUP</a>
   <span class="SRScope">sf_preproc_info.h</span>
  </div>
 </div>
diff --git a/doc/html/search/all_6b.html b/doc/html/search/all_6b.html
index e263d30..71ed47b 100644
--- a/doc/html/search/all_6b.html
+++ b/doc/html/search/all_6b.html
@@ -12,8 +12,9 @@
   <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_key')">key</a>
   <div class="SRChildren">
     <a id="Item0_c0" onkeydown="return searchResults.NavChild(event,0,0)" onkeypress="return searchResults.NavChild(event,0,0)" onkeyup="return searchResults.NavChild(event,0,0)" class="SRScope" href="../structattribute__value.html#aa8b5ae41c150e4fefb800d3b1924278d" target="_parent">attribute_value::key()</a>
-    <a id="Item0_c1" onkeydown="return searchResults.NavChild(event,0,1)" onkeypress="return searchResults.NavChild(event,0,1)" onkeyup="return searchResults.NavChild(event,0,1)" class="SRScope" href="../structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339" target="_parent">pkt_info::key()</a>
-    <a id="Item0_c2" onkeydown="return searchResults.NavChild(event,0,2)" onkeypress="return searchResults.NavChild(event,0,2)" onkeyup="return searchResults.NavChild(event,0,2)" class="SRScope" href="../structAI__hyperalert__info.html#a9d461da8f00415ef03b24edb3bbd6cf8" target="_parent">AI_hyperalert_info::key()</a>
+    <a id="Item0_c1" onkeydown="return searchResults.NavChild(event,0,1)" onkeypress="return searchResults.NavChild(event,0,1)" onkeyup="return searchResults.NavChild(event,0,1)" class="SRScope" href="../structAI__alert__correlation.html#a4e27da4922a1d44497634c8e5968d870" target="_parent">AI_alert_correlation::key()</a>
+    <a id="Item0_c2" onkeydown="return searchResults.NavChild(event,0,2)" onkeypress="return searchResults.NavChild(event,0,2)" onkeyup="return searchResults.NavChild(event,0,2)" class="SRScope" href="../structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339" target="_parent">pkt_info::key()</a>
+    <a id="Item0_c3" onkeydown="return searchResults.NavChild(event,0,3)" onkeypress="return searchResults.NavChild(event,0,3)" onkeyup="return searchResults.NavChild(event,0,3)" class="SRScope" href="../structAI__hyperalert__info.html#a9d461da8f00415ef03b24edb3bbd6cf8" target="_parent">AI_hyperalert_info::key()</a>
   </div>
  </div>
 </div>
diff --git a/doc/html/search/all_6e.html b/doc/html/search/all_6e.html
index 39f8a22..60bba1a 100644
--- a/doc/html/search/all_6e.html
+++ b/doc/html/search/all_6e.html
@@ -7,36 +7,42 @@
 <body class="SRPage">
 <div id="SRIndex">
 <div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_n_5fderived_5falerts">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__AI__snort__alert.html#a1f2d5e8cfd0e6321b977173d1e90cb68" target="_parent">n_derived_alerts</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
 <div class="SRResult" id="SR_n_5fpostconds">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structAI__hyperalert__info.html#a73322b6cad3e883abed03b62c6c21719" target="_parent">n_postconds</a>
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../structAI__hyperalert__info.html#a73322b6cad3e883abed03b62c6c21719" target="_parent">n_postconds</a>
   <span class="SRScope">AI_hyperalert_info</span>
  </div>
 </div>
 <div class="SRResult" id="SR_n_5fpreconds">
  <div class="SREntry">
-  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../structAI__hyperalert__info.html#a616c16f364dbb2d726e88df6b364ea40" target="_parent">n_preconds</a>
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../structAI__hyperalert__info.html#a616c16f364dbb2d726e88df6b364ea40" target="_parent">n_preconds</a>
   <span class="SRScope">AI_hyperalert_info</span>
  </div>
 </div>
 <div class="SRResult" id="SR_nchildren">
  <div class="SREntry">
-  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../struct__hierarchy__node.html#a849256ce1039e2cefaaf64d91171be0a" target="_parent">nchildren</a>
+  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../struct__hierarchy__node.html#a849256ce1039e2cefaaf64d91171be0a" target="_parent">nchildren</a>
   <span class="SRScope">_hierarchy_node</span>
  </div>
 </div>
 <div class="SRResult" id="SR_next">
  <div class="SREntry">
-  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_next')">next</a>
+  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_next')">next</a>
   <div class="SRChildren">
-    <a id="Item3_c0" onkeydown="return searchResults.NavChild(event,3,0)" onkeypress="return searchResults.NavChild(event,3,0)" onkeyup="return searchResults.NavChild(event,3,0)" class="SRScope" href="../structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168" target="_parent">pkt_info::next()</a>
-    <a id="Item3_c1" onkeydown="return searchResults.NavChild(event,3,1)" onkeypress="return searchResults.NavChild(event,3,1)" onkeyup="return searchResults.NavChild(event,3,1)" class="SRScope" href="../struct__AI__snort__alert.html#aa8336d4b3359015ed8ea312ca1fd1173" target="_parent">_AI_snort_alert::next()</a>
+    <a id="Item4_c0" onkeydown="return searchResults.NavChild(event,4,0)" onkeypress="return searchResults.NavChild(event,4,0)" onkeyup="return searchResults.NavChild(event,4,0)" class="SRScope" href="../structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168" target="_parent">pkt_info::next()</a>
+    <a id="Item4_c1" onkeydown="return searchResults.NavChild(event,4,1)" onkeypress="return searchResults.NavChild(event,4,1)" onkeyup="return searchResults.NavChild(event,4,1)" class="SRScope" href="../struct__AI__snort__alert.html#aa8336d4b3359015ed8ea312ca1fd1173" target="_parent">_AI_snort_alert::next()</a>
   </div>
  </div>
 </div>
 <div class="SRResult" id="SR_none">
  <div class="SREntry">
-  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ab7e4e0120a041dbe6528b050c04269e0" target="_parent">none</a>
+  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ab7e4e0120a041dbe6528b050c04269e0" target="_parent">none</a>
   <span class="SRScope">spp_ai.h</span>
  </div>
 </div>
diff --git a/doc/html/search/all_70.html b/doc/html/search/all_70.html
index f38df16..162e987 100644
--- a/doc/html/search/all_70.html
+++ b/doc/html/search/all_70.html
@@ -56,15 +56,21 @@
   <span class="SRScope">sf_preproc_info.h</span>
  </div>
 </div>
+<div class="SRResult" id="SR_previous_5fcorrelated">
+ <div class="SREntry">
+  <a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../struct__AI__snort__alert.html#a55a5488c7ee7706ded4c16b1235fd9c7" target="_parent">previous_correlated</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
 <div class="SRResult" id="SR_priority">
  <div class="SREntry">
-  <a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9" target="_parent">priority</a>
+  <a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="../struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9" target="_parent">priority</a>
   <span class="SRScope">_AI_snort_alert</span>
  </div>
 </div>
 <div class="SRResult" id="SR_private">
  <div class="SREntry">
-  <a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="../spp__ai_8h.html#a5e151c615eda34903514212f05a5ccf8" target="_parent">PRIVATE</a>
+  <a id="Item10" onkeydown="return searchResults.Nav(event,10)" onkeypress="return searchResults.Nav(event,10)" onkeyup="return searchResults.Nav(event,10)" class="SRSymbol" href="../spp__ai_8h.html#a5e151c615eda34903514212f05a5ccf8" target="_parent">PRIVATE</a>
   <span class="SRScope">spp_ai.h</span>
  </div>
 </div>
diff --git a/doc/html/search/classes_61.html b/doc/html/search/classes_61.html
index 76bef2d..08010ad 100644
--- a/doc/html/search/classes_61.html
+++ b/doc/html/search/classes_61.html
@@ -12,29 +12,34 @@
   <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structAI__alert__correlation.html" target="_parent">AI_alert_correlation</a>
  </div>
 </div>
+<div class="SRResult" id="SR_ai_5falert_5fcorrelation_5fkey">
+ <div class="SREntry">
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../structAI__alert__correlation__key.html" target="_parent">AI_alert_correlation_key</a>
+ </div>
+</div>
 <div class="SRResult" id="SR_ai_5fconfig">
  <div class="SREntry">
-  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../structAI__config.html" target="_parent">AI_config</a>
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../structAI__config.html" target="_parent">AI_config</a>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5fhyperalert_5finfo">
  <div class="SREntry">
-  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../structAI__hyperalert__info.html" target="_parent">AI_hyperalert_info</a>
+  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../structAI__hyperalert__info.html" target="_parent">AI_hyperalert_info</a>
  </div>
 </div>
 <div class="SRResult" id="SR_ai_5fhyperalert_5fkey">
  <div class="SREntry">
-  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../structAI__hyperalert__key.html" target="_parent">AI_hyperalert_key</a>
+  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../structAI__hyperalert__key.html" target="_parent">AI_hyperalert_key</a>
  </div>
 </div>
 <div class="SRResult" id="SR_attribute_5fkey">
  <div class="SREntry">
-  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../structattribute__key.html" target="_parent">attribute_key</a>
+  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../structattribute__key.html" target="_parent">attribute_key</a>
  </div>
 </div>
 <div class="SRResult" id="SR_attribute_5fvalue">
  <div class="SREntry">
-  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../structattribute__value.html" target="_parent">attribute_value</a>
+  <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../structattribute__value.html" target="_parent">attribute_value</a>
  </div>
 </div>
 <div class="SRStatus" id="Searching">Searching...</div>
diff --git a/doc/html/search/defines_64.html b/doc/html/search/defines_64.html
index 1d3cbb6..73b92a4 100644
--- a/doc/html/search/defines_64.html
+++ b/doc/html/search/defines_64.html
@@ -31,33 +31,45 @@
   <span class="SRScope">spp_ai.h</span>
  </div>
 </div>
+<div class="SRResult" id="SR_default_5fcorr_5falerts_5fdir">
+ <div class="SREntry">
+  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../spp__ai_8h.html#a7bbeccba60012abcc98db33d39294829" target="_parent">DEFAULT_CORR_ALERTS_DIR</a>
+  <span class="SRScope">spp_ai.h</span>
+ </div>
+</div>
 <div class="SRResult" id="SR_default_5fcorr_5frules_5fdir">
  <div class="SREntry">
-  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../spp__ai_8h.html#a89448386cad5d5533992ae7ee84f4f1d" target="_parent">DEFAULT_CORR_RULES_DIR</a>
+  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../spp__ai_8h.html#a89448386cad5d5533992ae7ee84f4f1d" target="_parent">DEFAULT_CORR_RULES_DIR</a>
+  <span class="SRScope">spp_ai.h</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_default_5fcorr_5fthreshold">
+ <div class="SREntry">
+  <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../spp__ai_8h.html#aaedb0b7dc2bdf8d44d3fee2189a55a19" target="_parent">DEFAULT_CORR_THRESHOLD</a>
   <span class="SRScope">spp_ai.h</span>
  </div>
 </div>
 <div class="SRResult" id="SR_default_5fdatabase_5finterval">
  <div class="SREntry">
-  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../spp__ai_8h.html#a3c4984a0ee515fbc091ac6e33b05e310" target="_parent">DEFAULT_DATABASE_INTERVAL</a>
+  <a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../spp__ai_8h.html#a3c4984a0ee515fbc091ac6e33b05e310" target="_parent">DEFAULT_DATABASE_INTERVAL</a>
   <span class="SRScope">spp_ai.h</span>
  </div>
 </div>
 <div class="SRResult" id="SR_default_5fhash_5fcleanup_5finterval">
  <div class="SREntry">
-  <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../spp__ai_8h.html#a5f555c0ebd29ce2771a3e2dd4f526746" target="_parent">DEFAULT_HASH_CLEANUP_INTERVAL</a>
+  <a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../spp__ai_8h.html#a5f555c0ebd29ce2771a3e2dd4f526746" target="_parent">DEFAULT_HASH_CLEANUP_INTERVAL</a>
   <span class="SRScope">spp_ai.h</span>
  </div>
 </div>
 <div class="SRResult" id="SR_default_5fstream_5fexpire_5finterval">
  <div class="SREntry">
-  <a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../spp__ai_8h.html#a0f6a189af15ef783fb46ed37c144e031" target="_parent">DEFAULT_STREAM_EXPIRE_INTERVAL</a>
+  <a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="../spp__ai_8h.html#a0f6a189af15ef783fb46ed37c144e031" target="_parent">DEFAULT_STREAM_EXPIRE_INTERVAL</a>
   <span class="SRScope">spp_ai.h</span>
  </div>
 </div>
 <div class="SRResult" id="SR_dynamic_5fpreproc_5fsetup">
  <div class="SREntry">
-  <a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../sf__preproc__info_8h.html#aba4c0d0af324a3861e662ed4650aae44" target="_parent">DYNAMIC_PREPROC_SETUP</a>
+  <a id="Item10" onkeydown="return searchResults.Nav(event,10)" onkeypress="return searchResults.Nav(event,10)" onkeyup="return searchResults.Nav(event,10)" class="SRSymbol" href="../sf__preproc__info_8h.html#aba4c0d0af324a3861e662ed4650aae44" target="_parent">DYNAMIC_PREPROC_SETUP</a>
   <span class="SRScope">sf_preproc_info.h</span>
  </div>
 </div>
diff --git a/doc/html/search/functions_5f.html b/doc/html/search/functions_5f.html
index 79b8cdd..694a2c8 100644
--- a/doc/html/search/functions_5f.html
+++ b/doc/html/search/functions_5f.html
@@ -33,67 +33,91 @@
 </div>
 <div class="SRResult" id="SR__5fai_5fcorrelation_5fcoefficient">
  <div class="SREntry">
-  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../group__correlation.html#ga130e82017fc0abcb76b1a7740ae2f4df" target="_parent">_AI_correlation_coefficient</a>
+  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../group__correlation.html#ga9cb283b28a66829574add58a251b93c6" target="_parent">_AI_correlation_coefficient</a>
+  <span class="SRScope">correlation.c</span>
+ </div>
+</div>
+<div class="SRResult" id="SR__5fai_5fcorrelation_5ftable_5fcleanup">
+ <div class="SREntry">
+  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../group__correlation.html#ga9bcb94264ffe30f113f3fb7287b774e3" target="_parent">_AI_correlation_table_cleanup</a>
   <span class="SRScope">correlation.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR__5fai_5fequal_5falarms">
  <div class="SREntry">
-  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../group__cluster.html#ga0f91c8bfc37a3975f5c26b19fd6c5cba" target="_parent">_AI_equal_alarms</a>
+  <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../group__cluster.html#ga0f91c8bfc37a3975f5c26b19fd6c5cba" target="_parent">_AI_equal_alarms</a>
   <span class="SRScope">cluster.c</span>
  </div>
 </div>
+<div class="SRResult" id="SR__5fai_5fget_5ffunction_5farguments">
+ <div class="SREntry">
+  <a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../group__correlation.html#gab716702cd226ab2ad957234a92da6e4a" target="_parent">_AI_get_function_arguments</a>
+  <span class="SRScope">correlation.c</span>
+ </div>
+</div>
+<div class="SRResult" id="SR__5fai_5fget_5ffunction_5fname">
+ <div class="SREntry">
+  <a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../group__correlation.html#ga7a1b2d01f526f24ea91d7f08bdefd4fe" target="_parent">_AI_get_function_name</a>
+  <span class="SRScope">correlation.c</span>
+ </div>
+</div>
 <div class="SRResult" id="SR__5fai_5fget_5fmin_5fhierarchy_5fnode">
  <div class="SREntry">
-  <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../group__cluster.html#ga6ddddcd505b1f763c339e81fc143e079" target="_parent">_AI_get_min_hierarchy_node</a>
+  <a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="../group__cluster.html#ga6ddddcd505b1f763c339e81fc143e079" target="_parent">_AI_get_min_hierarchy_node</a>
   <span class="SRScope">cluster.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR__5fai_5fhyperalert_5ffrom_5fxml">
  <div class="SREntry">
-  <a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../group__correlation.html#ga929e5c17fdb247a998d83ed6a4ae5a65" target="_parent">_AI_hyperalert_from_XML</a>
+  <a id="Item10" onkeydown="return searchResults.Nav(event,10)" onkeypress="return searchResults.Nav(event,10)" onkeyup="return searchResults.Nav(event,10)" class="SRSymbol" href="../group__correlation.html#ga929e5c17fdb247a998d83ed6a4ae5a65" target="_parent">_AI_hyperalert_from_XML</a>
   <span class="SRScope">correlation.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR__5fai_5fmacro_5fsubst">
  <div class="SREntry">
-  <a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../group__correlation.html#ga0d094eae1d014d89a2de21263fa747da" target="_parent">_AI_macro_subst</a>
+  <a id="Item11" onkeydown="return searchResults.Nav(event,11)" onkeypress="return searchResults.Nav(event,11)" onkeyup="return searchResults.Nav(event,11)" class="SRSymbol" href="../group__correlation.html#ga70a4aaf8b689472dad62ba7a9bbde1a6" target="_parent">_AI_macro_subst</a>
   <span class="SRScope">correlation.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR__5fai_5fmerge_5falerts">
  <div class="SREntry">
-  <a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="../group__cluster.html#ga8ce8e5a5d8954672297fa2dedb380dcd" target="_parent">_AI_merge_alerts</a>
+  <a id="Item12" onkeydown="return searchResults.Nav(event,12)" onkeypress="return searchResults.Nav(event,12)" onkeyup="return searchResults.Nav(event,12)" class="SRSymbol" href="../group__cluster.html#ga8ce8e5a5d8954672297fa2dedb380dcd" target="_parent">_AI_merge_alerts</a>
   <span class="SRScope">cluster.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR__5fai_5fprint_5fclustered_5falerts">
  <div class="SREntry">
-  <a id="Item10" onkeydown="return searchResults.Nav(event,10)" onkeypress="return searchResults.Nav(event,10)" onkeyup="return searchResults.Nav(event,10)" class="SRSymbol" href="../group__cluster.html#ga7d151880080470b542e99643dc0426a7" target="_parent">_AI_print_clustered_alerts</a>
+  <a id="Item13" onkeydown="return searchResults.Nav(event,13)" onkeypress="return searchResults.Nav(event,13)" onkeyup="return searchResults.Nav(event,13)" class="SRSymbol" href="../group__cluster.html#ga7d151880080470b542e99643dc0426a7" target="_parent">_AI_print_clustered_alerts</a>
   <span class="SRScope">cluster.c</span>
  </div>
 </div>
+<div class="SRResult" id="SR__5fai_5fprint_5fcorrelated_5falerts">
+ <div class="SREntry">
+  <a id="Item14" onkeydown="return searchResults.Nav(event,14)" onkeypress="return searchResults.Nav(event,14)" onkeyup="return searchResults.Nav(event,14)" class="SRSymbol" href="../group__correlation.html#ga4267a39fa1a5ac035015823bca43288e" target="_parent">_AI_print_correlated_alerts</a>
+  <span class="SRScope">correlation.c</span>
+ </div>
+</div>
 <div class="SRResult" id="SR__5fai_5fstream_5ffree">
  <div class="SREntry">
-  <a id="Item11" onkeydown="return searchResults.Nav(event,11)" onkeypress="return searchResults.Nav(event,11)" onkeyup="return searchResults.Nav(event,11)" class="SRSymbol" href="../group__stream.html#ga80016adf701c717a6ebfb5b15b8a5749" target="_parent">_AI_stream_free</a>
+  <a id="Item15" onkeydown="return searchResults.Nav(event,15)" onkeypress="return searchResults.Nav(event,15)" onkeyup="return searchResults.Nav(event,15)" class="SRSymbol" href="../group__stream.html#ga80016adf701c717a6ebfb5b15b8a5749" target="_parent">_AI_stream_free</a>
   <span class="SRScope">stream.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR__5fheuristic_5ffunc">
  <div class="SREntry">
-  <a id="Item12" onkeydown="return searchResults.Nav(event,12)" onkeypress="return searchResults.Nav(event,12)" onkeyup="return searchResults.Nav(event,12)" class="SRSymbol" href="../group__cluster.html#ga81f5fa721719fdb281595a568eef2101" target="_parent">_heuristic_func</a>
+  <a id="Item16" onkeydown="return searchResults.Nav(event,16)" onkeypress="return searchResults.Nav(event,16)" onkeyup="return searchResults.Nav(event,16)" class="SRSymbol" href="../group__cluster.html#ga81f5fa721719fdb281595a568eef2101" target="_parent">_heuristic_func</a>
   <span class="SRScope">cluster.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR__5fhierarchy_5fnode_5fappend">
  <div class="SREntry">
-  <a id="Item13" onkeydown="return searchResults.Nav(event,13)" onkeypress="return searchResults.Nav(event,13)" onkeyup="return searchResults.Nav(event,13)" class="SRSymbol" href="../group__cluster.html#ga5601a1f603d9c870ef6e2df192e30c30" target="_parent">_hierarchy_node_append</a>
+  <a id="Item17" onkeydown="return searchResults.Nav(event,17)" onkeypress="return searchResults.Nav(event,17)" onkeyup="return searchResults.Nav(event,17)" class="SRSymbol" href="../group__cluster.html#ga5601a1f603d9c870ef6e2df192e30c30" target="_parent">_hierarchy_node_append</a>
   <span class="SRScope">cluster.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR__5fhierarchy_5fnode_5fnew">
  <div class="SREntry">
-  <a id="Item14" onkeydown="return searchResults.Nav(event,14)" onkeypress="return searchResults.Nav(event,14)" onkeyup="return searchResults.Nav(event,14)" class="SRSymbol" href="../group__cluster.html#ga2f1a22cfea64e4669da0467620c3e3b3" target="_parent">_hierarchy_node_new</a>
+  <a id="Item18" onkeydown="return searchResults.Nav(event,18)" onkeypress="return searchResults.Nav(event,18)" onkeyup="return searchResults.Nav(event,18)" class="SRSymbol" href="../group__cluster.html#ga2f1a22cfea64e4669da0467620c3e3b3" target="_parent">_hierarchy_node_new</a>
   <span class="SRScope">cluster.c</span>
  </div>
 </div>
diff --git a/doc/html/search/variables_61.html b/doc/html/search/variables_61.html
index b52ce77..1c594f0 100644
--- a/doc/html/search/variables_61.html
+++ b/doc/html/search/variables_61.html
@@ -9,8 +9,8 @@
 <div class="SRStatus" id="Loading">Loading...</div>
 <div class="SRResult" id="SR_a">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structAI__alert__correlation.html#a8737f171e1c1b2305c8fe77101d6aeb7" target="_parent">a</a>
-  <span class="SRScope">AI_alert_correlation</span>
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structAI__alert__correlation__key.html#a774daec9332da25835a0904d853acadb" target="_parent">a</a>
+  <span class="SRScope">AI_alert_correlation_key</span>
  </div>
 </div>
 <div class="SRResult" id="SR_alert_5ffp">
diff --git a/doc/html/search/variables_62.html b/doc/html/search/variables_62.html
index b7f6752..b1a3aac 100644
--- a/doc/html/search/variables_62.html
+++ b/doc/html/search/variables_62.html
@@ -9,8 +9,8 @@
 <div class="SRStatus" id="Loading">Loading...</div>
 <div class="SRResult" id="SR_b">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structAI__alert__correlation.html#a478f1a6f18f9c083b203efdf776379cd" target="_parent">b</a>
-  <span class="SRScope">AI_alert_correlation</span>
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structAI__alert__correlation__key.html#a5805dec6499a83b818091b4f21c715dc" target="_parent">b</a>
+  <span class="SRScope">AI_alert_correlation_key</span>
  </div>
 </div>
 <div class="SRStatus" id="Searching">Searching...</div>
diff --git a/doc/html/search/variables_63.html b/doc/html/search/variables_63.html
index 1458d07..ce9d637 100644
--- a/doc/html/search/variables_63.html
+++ b/doc/html/search/variables_63.html
@@ -31,33 +31,45 @@
   <span class="SRScope">correlation.c</span>
  </div>
 </div>
+<div class="SRResult" id="SR_corr_5falerts_5fdir">
+ <div class="SREntry">
+  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../structAI__config.html#ae68f5489e2ec9ea1408f98fe36d050c9" target="_parent">corr_alerts_dir</a>
+  <span class="SRScope">AI_config</span>
+ </div>
+</div>
 <div class="SRResult" id="SR_corr_5frules_5fdir">
  <div class="SREntry">
-  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../structAI__config.html#ab7ea93bbe72b85c4019b4f5656ad62fc" target="_parent">corr_rules_dir</a>
+  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../structAI__config.html#ab7ea93bbe72b85c4019b4f5656ad62fc" target="_parent">corr_rules_dir</a>
   <span class="SRScope">AI_config</span>
  </div>
 </div>
 <div class="SRResult" id="SR_correlation">
  <div class="SREntry">
-  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../structAI__alert__correlation.html#aad417b2126ae26d7576f006a3dbcdc81" target="_parent">correlation</a>
+  <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../structAI__alert__correlation.html#aad417b2126ae26d7576f006a3dbcdc81" target="_parent">correlation</a>
   <span class="SRScope">AI_alert_correlation</span>
  </div>
 </div>
 <div class="SRResult" id="SR_correlation_5ftable">
  <div class="SREntry">
-  <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../group__correlation.html#ga701934a296c51f2397d24e8bf4a9f021" target="_parent">correlation_table</a>
+  <a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../group__correlation.html#ga701934a296c51f2397d24e8bf4a9f021" target="_parent">correlation_table</a>
   <span class="SRScope">correlation.c</span>
  </div>
 </div>
 <div class="SRResult" id="SR_correlationgraphinterval">
  <div class="SREntry">
-  <a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../structAI__config.html#aa736375e57a59936e2e782b7cd200e41" target="_parent">correlationGraphInterval</a>
+  <a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../structAI__config.html#aa736375e57a59936e2e782b7cd200e41" target="_parent">correlationGraphInterval</a>
+  <span class="SRScope">AI_config</span>
+ </div>
+</div>
+<div class="SRResult" id="SR_correlationthresholdcoefficient">
+ <div class="SREntry">
+  <a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="../structAI__config.html#adf6ef0faedfb4dea0a1353e781b14883" target="_parent">correlationThresholdCoefficient</a>
   <span class="SRScope">AI_config</span>
  </div>
 </div>
 <div class="SRResult" id="SR_count">
  <div class="SREntry">
-  <a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../structattribute__value.html#a5579c0304c2e9ab488ac94905b385045" target="_parent">count</a>
+  <a id="Item10" onkeydown="return searchResults.Nav(event,10)" onkeypress="return searchResults.Nav(event,10)" onkeyup="return searchResults.Nav(event,10)" class="SRSymbol" href="../structattribute__value.html#a5579c0304c2e9ab488ac94905b385045" target="_parent">count</a>
   <span class="SRScope">attribute_value</span>
  </div>
 </div>
diff --git a/doc/html/search/variables_64.html b/doc/html/search/variables_64.html
index dc21036..c697762 100644
--- a/doc/html/search/variables_64.html
+++ b/doc/html/search/variables_64.html
@@ -37,15 +37,21 @@
   <span class="SRScope">AI_config</span>
  </div>
 </div>
+<div class="SRResult" id="SR_derived_5falerts">
+ <div class="SREntry">
+  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../struct__AI__snort__alert.html#aac5e4078600ed17532db1f3d78165390" target="_parent">derived_alerts</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
 <div class="SRResult" id="SR_desc">
  <div class="SREntry">
-  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135" target="_parent">desc</a>
+  <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135" target="_parent">desc</a>
   <span class="SRScope">_AI_snort_alert</span>
  </div>
 </div>
 <div class="SRResult" id="SR_dst_5fport">
  <div class="SREntry">
-  <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../structpkt__key.html#af77f5eb1f4cd88b43fe99fd73553351d" target="_parent">dst_port</a>
+  <a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../structpkt__key.html#af77f5eb1f4cd88b43fe99fd73553351d" target="_parent">dst_port</a>
   <span class="SRScope">pkt_key</span>
  </div>
 </div>
diff --git a/doc/html/search/variables_6b.html b/doc/html/search/variables_6b.html
index e263d30..71ed47b 100644
--- a/doc/html/search/variables_6b.html
+++ b/doc/html/search/variables_6b.html
@@ -12,8 +12,9 @@
   <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_key')">key</a>
   <div class="SRChildren">
     <a id="Item0_c0" onkeydown="return searchResults.NavChild(event,0,0)" onkeypress="return searchResults.NavChild(event,0,0)" onkeyup="return searchResults.NavChild(event,0,0)" class="SRScope" href="../structattribute__value.html#aa8b5ae41c150e4fefb800d3b1924278d" target="_parent">attribute_value::key()</a>
-    <a id="Item0_c1" onkeydown="return searchResults.NavChild(event,0,1)" onkeypress="return searchResults.NavChild(event,0,1)" onkeyup="return searchResults.NavChild(event,0,1)" class="SRScope" href="../structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339" target="_parent">pkt_info::key()</a>
-    <a id="Item0_c2" onkeydown="return searchResults.NavChild(event,0,2)" onkeypress="return searchResults.NavChild(event,0,2)" onkeyup="return searchResults.NavChild(event,0,2)" class="SRScope" href="../structAI__hyperalert__info.html#a9d461da8f00415ef03b24edb3bbd6cf8" target="_parent">AI_hyperalert_info::key()</a>
+    <a id="Item0_c1" onkeydown="return searchResults.NavChild(event,0,1)" onkeypress="return searchResults.NavChild(event,0,1)" onkeyup="return searchResults.NavChild(event,0,1)" class="SRScope" href="../structAI__alert__correlation.html#a4e27da4922a1d44497634c8e5968d870" target="_parent">AI_alert_correlation::key()</a>
+    <a id="Item0_c2" onkeydown="return searchResults.NavChild(event,0,2)" onkeypress="return searchResults.NavChild(event,0,2)" onkeyup="return searchResults.NavChild(event,0,2)" class="SRScope" href="../structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339" target="_parent">pkt_info::key()</a>
+    <a id="Item0_c3" onkeydown="return searchResults.NavChild(event,0,3)" onkeypress="return searchResults.NavChild(event,0,3)" onkeyup="return searchResults.NavChild(event,0,3)" class="SRScope" href="../structAI__hyperalert__info.html#a9d461da8f00415ef03b24edb3bbd6cf8" target="_parent">AI_hyperalert_info::key()</a>
   </div>
  </div>
 </div>
diff --git a/doc/html/search/variables_6e.html b/doc/html/search/variables_6e.html
index 7cecfd9..52ae779 100644
--- a/doc/html/search/variables_6e.html
+++ b/doc/html/search/variables_6e.html
@@ -7,30 +7,36 @@
 <body class="SRPage">
 <div id="SRIndex">
 <div class="SRStatus" id="Loading">Loading...</div>
+<div class="SRResult" id="SR_n_5fderived_5falerts">
+ <div class="SREntry">
+  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__AI__snort__alert.html#a1f2d5e8cfd0e6321b977173d1e90cb68" target="_parent">n_derived_alerts</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
 <div class="SRResult" id="SR_n_5fpostconds">
  <div class="SREntry">
-  <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structAI__hyperalert__info.html#a73322b6cad3e883abed03b62c6c21719" target="_parent">n_postconds</a>
+  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../structAI__hyperalert__info.html#a73322b6cad3e883abed03b62c6c21719" target="_parent">n_postconds</a>
   <span class="SRScope">AI_hyperalert_info</span>
  </div>
 </div>
 <div class="SRResult" id="SR_n_5fpreconds">
  <div class="SREntry">
-  <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../structAI__hyperalert__info.html#a616c16f364dbb2d726e88df6b364ea40" target="_parent">n_preconds</a>
+  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../structAI__hyperalert__info.html#a616c16f364dbb2d726e88df6b364ea40" target="_parent">n_preconds</a>
   <span class="SRScope">AI_hyperalert_info</span>
  </div>
 </div>
 <div class="SRResult" id="SR_nchildren">
  <div class="SREntry">
-  <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../struct__hierarchy__node.html#a849256ce1039e2cefaaf64d91171be0a" target="_parent">nchildren</a>
+  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../struct__hierarchy__node.html#a849256ce1039e2cefaaf64d91171be0a" target="_parent">nchildren</a>
   <span class="SRScope">_hierarchy_node</span>
  </div>
 </div>
 <div class="SRResult" id="SR_next">
  <div class="SREntry">
-  <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_next')">next</a>
+  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_next')">next</a>
   <div class="SRChildren">
-    <a id="Item3_c0" onkeydown="return searchResults.NavChild(event,3,0)" onkeypress="return searchResults.NavChild(event,3,0)" onkeyup="return searchResults.NavChild(event,3,0)" class="SRScope" href="../structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168" target="_parent">pkt_info::next()</a>
-    <a id="Item3_c1" onkeydown="return searchResults.NavChild(event,3,1)" onkeypress="return searchResults.NavChild(event,3,1)" onkeyup="return searchResults.NavChild(event,3,1)" class="SRScope" href="../struct__AI__snort__alert.html#aa8336d4b3359015ed8ea312ca1fd1173" target="_parent">_AI_snort_alert::next()</a>
+    <a id="Item4_c0" onkeydown="return searchResults.NavChild(event,4,0)" onkeypress="return searchResults.NavChild(event,4,0)" onkeyup="return searchResults.NavChild(event,4,0)" class="SRScope" href="../structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168" target="_parent">pkt_info::next()</a>
+    <a id="Item4_c1" onkeydown="return searchResults.NavChild(event,4,1)" onkeypress="return searchResults.NavChild(event,4,1)" onkeyup="return searchResults.NavChild(event,4,1)" class="SRScope" href="../struct__AI__snort__alert.html#aa8336d4b3359015ed8ea312ca1fd1173" target="_parent">_AI_snort_alert::next()</a>
   </div>
  </div>
 </div>
diff --git a/doc/html/search/variables_70.html b/doc/html/search/variables_70.html
index 83b5a59..7b48efc 100644
--- a/doc/html/search/variables_70.html
+++ b/doc/html/search/variables_70.html
@@ -31,9 +31,15 @@
   <span class="SRScope">AI_hyperalert_info</span>
  </div>
 </div>
+<div class="SRResult" id="SR_previous_5fcorrelated">
+ <div class="SREntry">
+  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../struct__AI__snort__alert.html#a55a5488c7ee7706ded4c16b1235fd9c7" target="_parent">previous_correlated</a>
+  <span class="SRScope">_AI_snort_alert</span>
+ </div>
+</div>
 <div class="SRResult" id="SR_priority">
  <div class="SREntry">
-  <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9" target="_parent">priority</a>
+  <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9" target="_parent">priority</a>
   <span class="SRScope">_AI_snort_alert</span>
  </div>
 </div>
diff --git a/doc/html/sf__preproc__info_8h.html b/doc/html/sf__preproc__info_8h.html
index df44d6b..6934244 100644
--- a/doc/html/sf__preproc__info_8h.html
+++ b/doc/html/sf__preproc__info_8h.html
@@ -149,7 +149,7 @@ Functions</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/sf__preproc__info_8h_source.html b/doc/html/sf__preproc__info_8h_source.html
index fc9c0d4..831d80b 100644
--- a/doc/html/sf__preproc__info_8h_source.html
+++ b/doc/html/sf__preproc__info_8h_source.html
@@ -78,7 +78,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/spp__ai_8c.html b/doc/html/spp__ai_8c.html
index 1e37f99..a2e0601 100644
--- a/doc/html/spp__ai_8c.html
+++ b/doc/html/spp__ai_8c.html
@@ -89,7 +89,7 @@ Variables</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/spp__ai_8h.html b/doc/html/spp__ai_8h.html
index f8963b8..4caf302 100644
--- a/doc/html/spp__ai_8h.html
+++ b/doc/html/spp__ai_8h.html
@@ -83,6 +83,8 @@ Defines</h2></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">#define&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a6d9bf552c32371e0144dc6a6209c7e4a">DEFAULT_ALERT_LOG_FILE</a>&nbsp;&nbsp;&nbsp;&quot;/var/log/snort/alert&quot;</td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">#define&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a803dc913297ccdace9e604dbfecda97d">DEFAULT_CLUSTER_LOG_FILE</a>&nbsp;&nbsp;&nbsp;&quot;/var/log/snort/cluster_alert&quot;</td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">#define&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a89448386cad5d5533992ae7ee84f4f1d">DEFAULT_CORR_RULES_DIR</a>&nbsp;&nbsp;&nbsp;&quot;/etc/snort/corr_rules&quot;</td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">#define&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a7bbeccba60012abcc98db33d39294829">DEFAULT_CORR_ALERTS_DIR</a>&nbsp;&nbsp;&nbsp;&quot;/var/log/snort/correlated_alerts&quot;</td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">#define&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#aaedb0b7dc2bdf8d44d3fee2189a55a19">DEFAULT_CORR_THRESHOLD</a>&nbsp;&nbsp;&nbsp;0.5</td></tr>
 <tr><td colspan="2"><h2><a name="typedef-members"></a>
 Typedefs</h2></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">typedef unsigned char&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a></td></tr>
@@ -193,6 +195,20 @@ Variables</h2></td></tr>
 <div class="memdoc">
 <p>Default path to Snort's clustered alerts file </p>
 
+</div>
+</div>
+<a class="anchor" id="a7bbeccba60012abcc98db33d39294829"></a><!-- doxytag: member="spp_ai.h::DEFAULT_CORR_ALERTS_DIR" ref="a7bbeccba60012abcc98db33d39294829" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">#define DEFAULT_CORR_ALERTS_DIR&nbsp;&nbsp;&nbsp;&quot;/var/log/snort/correlated_alerts&quot;</td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+<p>Default directory for placing correlated alerts information (.dot and possibly .png files) </p>
+
 </div>
 </div>
 <a class="anchor" id="a89448386cad5d5533992ae7ee84f4f1d"></a><!-- doxytag: member="spp_ai.h::DEFAULT_CORR_RULES_DIR" ref="a89448386cad5d5533992ae7ee84f4f1d" args="" -->
@@ -207,6 +223,20 @@ Variables</h2></td></tr>
 <div class="memdoc">
 <p>Default path to alert correlation rules directory </p>
 
+</div>
+</div>
+<a class="anchor" id="aaedb0b7dc2bdf8d44d3fee2189a55a19"></a><!-- doxytag: member="spp_ai.h::DEFAULT_CORR_THRESHOLD" ref="aaedb0b7dc2bdf8d44d3fee2189a55a19" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">#define DEFAULT_CORR_THRESHOLD&nbsp;&nbsp;&nbsp;0.5</td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+<p>Default correlation threshold coefficient for correlating two hyperalerts </p>
+
 </div>
 </div>
 <a class="anchor" id="a3c4984a0ee515fbc091ac6e33b05e310"></a><!-- doxytag: member="spp_ai.h::DEFAULT_DATABASE_INTERVAL" ref="a3c4984a0ee515fbc091ac6e33b05e310" args="" -->
@@ -427,7 +457,7 @@ Variables</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/spp__ai_8h_source.html b/doc/html/spp__ai_8h_source.html
index 6558be1..5dc2853 100644
--- a/doc/html/spp__ai_8h_source.html
+++ b/doc/html/spp__ai_8h_source.html
@@ -97,171 +97,187 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 <a name="l00053"></a>00053 <span class="preprocessor"></span>
 <a name="l00055"></a><a class="code" href="spp__ai_8h.html#a89448386cad5d5533992ae7ee84f4f1d">00055</a> <span class="preprocessor">#define         DEFAULT_CORR_RULES_DIR                          &quot;/etc/snort/corr_rules&quot;</span>
 <a name="l00056"></a>00056 <span class="preprocessor"></span>
-<a name="l00057"></a>00057 <span class="keyword">extern</span> DynamicPreprocessorData <a class="code" href="spp__ai_8h.html#ab46420126c43c1aac5eabc5db266a71c">_dpd</a>;
-<a name="l00058"></a><a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">00058</a> <span class="keyword">typedef</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span>   uint8_t;
-<a name="l00059"></a><a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">00059</a> <span class="keyword">typedef</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">short</span>  uint16_t;
-<a name="l00060"></a><a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">00060</a> <span class="keyword">typedef</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span>    uint32_t;
-<a name="l00061"></a>00061 
-<a name="l00062"></a><a class="code" href="spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18dda08f175a5505a10b9ed657defeb050e4b">00062</a> <span class="keyword">typedef</span> <span class="keyword">enum</span> { <span class="keyword">false</span>, <span class="keyword">true</span> } BOOL;
-<a name="l00063"></a>00063 
-<a name="l00064"></a>00064 <span class="comment">/*****************************************************************/</span>
-<a name="l00066"></a><a class="code" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640">00066</a> <span class="keyword">typedef</span> <span class="keyword">enum</span> {
-<a name="l00067"></a><a class="code" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ac1335c508143eb06843af2ce5ff3027b">00067</a>         none, src_addr, dst_addr, src_port, dst_port, <a class="code" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ab16bb5c4b330d5db02e2d852cd2ba451">CLUSTER_TYPES</a>
-<a name="l00068"></a>00068 } cluster_type;
-<a name="l00069"></a>00069 <span class="comment">/*****************************************************************/</span>
-<a name="l00071"></a><a class="code" href="structpkt__key.html">00071</a> <span class="keyword">struct </span><a class="code" href="structpkt__key.html">pkt_key</a>
-<a name="l00072"></a>00072 {
-<a name="l00073"></a><a class="code" href="structpkt__key.html#a3a091c20dafb8b3f689db00c5b2f8ddb">00073</a>         <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a> <a class="code" href="structpkt__key.html#a3a091c20dafb8b3f689db00c5b2f8ddb">src_ip</a>;
-<a name="l00074"></a><a class="code" href="structpkt__key.html#af77f5eb1f4cd88b43fe99fd73553351d">00074</a>         <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="structpkt__key.html#af77f5eb1f4cd88b43fe99fd73553351d">dst_port</a>;
-<a name="l00075"></a>00075 };
-<a name="l00076"></a>00076 <span class="comment">/*****************************************************************/</span>
-<a name="l00078"></a><a class="code" href="structpkt__info.html">00078</a> <span class="keyword">struct </span><a class="code" href="structpkt__info.html">pkt_info</a>
-<a name="l00079"></a>00079 {
-<a name="l00081"></a><a class="code" href="structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339">00081</a>         <span class="keyword">struct </span><a class="code" href="structpkt__key.html">pkt_key</a>    <a class="code" href="structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339">key</a>;
-<a name="l00082"></a>00082 
-<a name="l00084"></a><a class="code" href="structpkt__info.html#a7f5090443f21e6290f0439f1bb872e92">00084</a>         time_t            <a class="code" href="structpkt__info.html#a7f5090443f21e6290f0439f1bb872e92">timestamp</a>;
-<a name="l00085"></a>00085 
-<a name="l00087"></a><a class="code" href="structpkt__info.html#a8d5ebd04a32067b05387e5c5056fe168">00087</a>         SFSnortPacket*    <a class="code" href="structpkt__info.html#a8d5ebd04a32067b05387e5c5056fe168">pkt</a>;
+<a name="l00058"></a><a class="code" href="spp__ai_8h.html#a7bbeccba60012abcc98db33d39294829">00058</a> <span class="preprocessor">#define         DEFAULT_CORR_ALERTS_DIR                                 &quot;/var/log/snort/correlated_alerts&quot;</span>
+<a name="l00059"></a>00059 <span class="preprocessor"></span>
+<a name="l00061"></a><a class="code" href="spp__ai_8h.html#aaedb0b7dc2bdf8d44d3fee2189a55a19">00061</a> <span class="preprocessor">#define         DEFAULT_CORR_THRESHOLD                          0.5</span>
+<a name="l00062"></a>00062 <span class="preprocessor"></span>
+<a name="l00063"></a>00063 <span class="keyword">extern</span> DynamicPreprocessorData <a class="code" href="spp__ai_8h.html#ab46420126c43c1aac5eabc5db266a71c">_dpd</a>;
+<a name="l00064"></a><a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">00064</a> <span class="keyword">typedef</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span>   uint8_t;
+<a name="l00065"></a><a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">00065</a> <span class="keyword">typedef</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">short</span>  uint16_t;
+<a name="l00066"></a><a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">00066</a> <span class="keyword">typedef</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span>    uint32_t;
+<a name="l00067"></a>00067 
+<a name="l00068"></a><a class="code" href="spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18dda08f175a5505a10b9ed657defeb050e4b">00068</a> <span class="keyword">typedef</span> <span class="keyword">enum</span> { <span class="keyword">false</span>, <span class="keyword">true</span> } BOOL;
+<a name="l00069"></a>00069 
+<a name="l00070"></a>00070 <span class="comment">/*****************************************************************/</span>
+<a name="l00072"></a><a class="code" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640">00072</a> <span class="keyword">typedef</span> <span class="keyword">enum</span> {
+<a name="l00073"></a><a class="code" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ac1335c508143eb06843af2ce5ff3027b">00073</a>         none, src_addr, dst_addr, src_port, dst_port, <a class="code" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ab16bb5c4b330d5db02e2d852cd2ba451">CLUSTER_TYPES</a>
+<a name="l00074"></a>00074 } cluster_type;
+<a name="l00075"></a>00075 <span class="comment">/*****************************************************************/</span>
+<a name="l00077"></a><a class="code" href="structpkt__key.html">00077</a> <span class="keyword">struct </span><a class="code" href="structpkt__key.html">pkt_key</a>
+<a name="l00078"></a>00078 {
+<a name="l00079"></a><a class="code" href="structpkt__key.html#a3a091c20dafb8b3f689db00c5b2f8ddb">00079</a>         <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a> <a class="code" href="structpkt__key.html#a3a091c20dafb8b3f689db00c5b2f8ddb">src_ip</a>;
+<a name="l00080"></a><a class="code" href="structpkt__key.html#af77f5eb1f4cd88b43fe99fd73553351d">00080</a>         <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="structpkt__key.html#af77f5eb1f4cd88b43fe99fd73553351d">dst_port</a>;
+<a name="l00081"></a>00081 };
+<a name="l00082"></a>00082 <span class="comment">/*****************************************************************/</span>
+<a name="l00084"></a><a class="code" href="structpkt__info.html">00084</a> <span class="keyword">struct </span><a class="code" href="structpkt__info.html">pkt_info</a>
+<a name="l00085"></a>00085 {
+<a name="l00087"></a><a class="code" href="structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339">00087</a>         <span class="keyword">struct </span><a class="code" href="structpkt__key.html">pkt_key</a>    <a class="code" href="structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339">key</a>;
 <a name="l00088"></a>00088 
-<a name="l00090"></a><a class="code" href="structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168">00090</a>         <span class="keyword">struct </span><a class="code" href="structpkt__info.html">pkt_info</a>*  <a class="code" href="structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168">next</a>;
+<a name="l00090"></a><a class="code" href="structpkt__info.html#a7f5090443f21e6290f0439f1bb872e92">00090</a>         time_t            <a class="code" href="structpkt__info.html#a7f5090443f21e6290f0439f1bb872e92">timestamp</a>;
 <a name="l00091"></a>00091 
-<a name="l00093"></a><a class="code" href="structpkt__info.html#ac7ff78ea5faf333fc91f92e3085ea7c9">00093</a>         <a class="code" href="spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18dd">BOOL</a>              <a class="code" href="structpkt__info.html#ac7ff78ea5faf333fc91f92e3085ea7c9">observed</a>;
+<a name="l00093"></a><a class="code" href="structpkt__info.html#a8d5ebd04a32067b05387e5c5056fe168">00093</a>         SFSnortPacket*    <a class="code" href="structpkt__info.html#a8d5ebd04a32067b05387e5c5056fe168">pkt</a>;
 <a name="l00094"></a>00094 
-<a name="l00096"></a><a class="code" href="structpkt__info.html#a264e90d4b5d490de040f38c1072e142f">00096</a>         UT_hash_handle    <a class="code" href="structpkt__info.html#a264e90d4b5d490de040f38c1072e142f">hh</a>;
-<a name="l00097"></a>00097 };
-<a name="l00098"></a>00098 <span class="comment">/*****************************************************************/</span>
-<a name="l00099"></a>00099 <span class="comment">/* Data type containing the configuration of the module */</span>
-<a name="l00100"></a><a class="code" href="structAI__config.html">00100</a> <span class="keyword">typedef</span> <span class="keyword">struct</span>
-<a name="l00101"></a>00101 {
-<a name="l00103"></a><a class="code" href="structAI__config.html#a9f7680615027d4fb74b4aa144a7028a4">00103</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> hashCleanupInterval;
-<a name="l00104"></a>00104 
-<a name="l00106"></a><a class="code" href="structAI__config.html#abbe77d5f94b8c5164bea47acba09c98b">00106</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> streamExpireInterval;
-<a name="l00107"></a>00107 
-<a name="l00109"></a><a class="code" href="structAI__config.html#a7d0d098b8263aa3d8415b11d1ec7f93d">00109</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> alertClusteringInterval;
+<a name="l00096"></a><a class="code" href="structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168">00096</a>         <span class="keyword">struct </span><a class="code" href="structpkt__info.html">pkt_info</a>*  <a class="code" href="structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168">next</a>;
+<a name="l00097"></a>00097 
+<a name="l00099"></a><a class="code" href="structpkt__info.html#ac7ff78ea5faf333fc91f92e3085ea7c9">00099</a>         <a class="code" href="spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18dd">BOOL</a>              <a class="code" href="structpkt__info.html#ac7ff78ea5faf333fc91f92e3085ea7c9">observed</a>;
+<a name="l00100"></a>00100 
+<a name="l00102"></a><a class="code" href="structpkt__info.html#a264e90d4b5d490de040f38c1072e142f">00102</a>         UT_hash_handle    <a class="code" href="structpkt__info.html#a264e90d4b5d490de040f38c1072e142f">hh</a>;
+<a name="l00103"></a>00103 };
+<a name="l00104"></a>00104 <span class="comment">/*****************************************************************/</span>
+<a name="l00105"></a>00105 <span class="comment">/* Data type containing the configuration of the module */</span>
+<a name="l00106"></a><a class="code" href="structAI__config.html">00106</a> <span class="keyword">typedef</span> <span class="keyword">struct</span>
+<a name="l00107"></a>00107 {
+<a name="l00109"></a><a class="code" href="structAI__config.html#a9f7680615027d4fb74b4aa144a7028a4">00109</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> hashCleanupInterval;
 <a name="l00110"></a>00110 
-<a name="l00112"></a><a class="code" href="structAI__config.html#ae6ca715cab1d90b70c3aad443133c263">00112</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> databaseParsingInterval;
+<a name="l00112"></a><a class="code" href="structAI__config.html#abbe77d5f94b8c5164bea47acba09c98b">00112</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> streamExpireInterval;
 <a name="l00113"></a>00113 
-<a name="l00115"></a><a class="code" href="structAI__config.html#aa736375e57a59936e2e782b7cd200e41">00115</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> correlationGraphInterval;
+<a name="l00115"></a><a class="code" href="structAI__config.html#a7d0d098b8263aa3d8415b11d1ec7f93d">00115</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> alertClusteringInterval;
 <a name="l00116"></a>00116 
-<a name="l00118"></a><a class="code" href="structAI__config.html#a2efa9590d7eea6dce8b5dd9aa76ed8ca">00118</a>         <span class="keywordtype">char</span>          alertfile[1024];
+<a name="l00118"></a><a class="code" href="structAI__config.html#ae6ca715cab1d90b70c3aad443133c263">00118</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> databaseParsingInterval;
 <a name="l00119"></a>00119 
-<a name="l00121"></a><a class="code" href="structAI__config.html#a6da02a3f7116fd3810a41b738e8883a3">00121</a>         <span class="keywordtype">char</span>          clusterfile[1024];
+<a name="l00121"></a><a class="code" href="structAI__config.html#aa736375e57a59936e2e782b7cd200e41">00121</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> correlationGraphInterval;
 <a name="l00122"></a>00122 
-<a name="l00124"></a><a class="code" href="structAI__config.html#ab7ea93bbe72b85c4019b4f5656ad62fc">00124</a>         <span class="keywordtype">char</span>          corr_rules_dir[1024];
-<a name="l00125"></a>00125 
-<a name="l00127"></a><a class="code" href="structAI__config.html#ac8a93607f12106e2f5c9b43af27107da">00127</a>         <span class="keywordtype">char</span>          dbname[256];
-<a name="l00128"></a>00128 
-<a name="l00130"></a><a class="code" href="structAI__config.html#aa004adebfdafb6d14092aecd7f4912b0">00130</a>         <span class="keywordtype">char</span>          dbuser[256];
-<a name="l00131"></a>00131 
-<a name="l00133"></a><a class="code" href="structAI__config.html#aa1cda349763faf60b2ebdbf2d187ae7d">00133</a>         <span class="keywordtype">char</span>          dbpass[256];
-<a name="l00134"></a>00134 
-<a name="l00136"></a><a class="code" href="structAI__config.html#a8e56f1a1b2095d3d329c8068ea0f3aab">00136</a>         <span class="keywordtype">char</span>          dbhost[256];
-<a name="l00137"></a>00137 } <a class="code" href="structAI__config.html">AI_config</a>;
-<a name="l00138"></a>00138 <span class="comment">/*****************************************************************/</span>
-<a name="l00140"></a><a class="code" href="struct__hierarchy__node.html">00140</a> <span class="keyword">typedef</span> <span class="keyword">struct </span><a class="code" href="struct__hierarchy__node.html">_hierarchy_node</a>
-<a name="l00141"></a>00141 {
-<a name="l00142"></a><a class="code" href="struct__hierarchy__node.html#a3b18e3ddfa2212c5e4ff9c0b4bde4296">00142</a>         <a class="code" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640">cluster_type</a>            <a class="code" href="struct__hierarchy__node.html#a3b18e3ddfa2212c5e4ff9c0b4bde4296">type</a>;
-<a name="l00143"></a><a class="code" href="struct__hierarchy__node.html#ae498f6fd14ca058a3ae0a95d5425451a">00143</a>         <span class="keywordtype">char</span>                    <a class="code" href="struct__hierarchy__node.html#ae498f6fd14ca058a3ae0a95d5425451a">label</a>[256];
-<a name="l00144"></a><a class="code" href="struct__hierarchy__node.html#a13ceebd7b435b9ef347fb90d9e6bbfe4">00144</a>         <span class="keywordtype">int</span>                     <a class="code" href="struct__hierarchy__node.html#a13ceebd7b435b9ef347fb90d9e6bbfe4">min_val</a>;
-<a name="l00145"></a><a class="code" href="struct__hierarchy__node.html#a79ea88029938dc30ab8f159405d12c87">00145</a>         <span class="keywordtype">int</span>                     <a class="code" href="struct__hierarchy__node.html#a79ea88029938dc30ab8f159405d12c87">max_val</a>;
-<a name="l00146"></a><a class="code" href="struct__hierarchy__node.html#a849256ce1039e2cefaaf64d91171be0a">00146</a>         <span class="keywordtype">int</span>                     <a class="code" href="struct__hierarchy__node.html#a849256ce1039e2cefaaf64d91171be0a">nchildren</a>;
-<a name="l00147"></a><a class="code" href="struct__hierarchy__node.html#a5c94c89d7e2aea393f1c550afb766bbe">00147</a>         <span class="keyword">struct </span><a class="code" href="struct__hierarchy__node.html">_hierarchy_node</a>  *<a class="code" href="struct__hierarchy__node.html#a5c94c89d7e2aea393f1c550afb766bbe">parent</a>;
-<a name="l00148"></a><a class="code" href="struct__hierarchy__node.html#afc23d4fe6426873164cdaab2f3d4f0cd">00148</a>         <span class="keyword">struct </span><a class="code" href="struct__hierarchy__node.html">_hierarchy_node</a>  **<a class="code" href="struct__hierarchy__node.html#afc23d4fe6426873164cdaab2f3d4f0cd">children</a>;
-<a name="l00149"></a>00149 } <a class="code" href="struct__hierarchy__node.html">hierarchy_node</a>;
-<a name="l00150"></a>00150 <span class="comment">/*****************************************************************/</span>
-<a name="l00152"></a><a class="code" href="structAI__hyperalert__key.html">00152</a> <span class="keyword">typedef</span> <span class="keyword">struct</span>
-<a name="l00153"></a>00153 {
-<a name="l00154"></a><a class="code" href="structAI__hyperalert__key.html#a711afeb45b534480e85bf9abe569a602">00154</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> gid;
-<a name="l00155"></a><a class="code" href="structAI__hyperalert__key.html#a854676c9125ae0aeaeaef2b201ce542f">00155</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> sid;
-<a name="l00156"></a><a class="code" href="structAI__hyperalert__key.html#a3aa6fed74469f1f2c08573c5d7298670">00156</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> rev;
-<a name="l00157"></a>00157 } <a class="code" href="structAI__hyperalert__key.html">AI_hyperalert_key</a>;
-<a name="l00158"></a>00158 <span class="comment">/*****************************************************************/</span>
-<a name="l00160"></a><a class="code" href="structAI__hyperalert__info.html">00160</a> <span class="keyword">typedef</span> <span class="keyword">struct</span>
-<a name="l00161"></a>00161 {
-<a name="l00163"></a><a class="code" href="structAI__hyperalert__info.html#a9d461da8f00415ef03b24edb3bbd6cf8">00163</a>         <a class="code" href="structAI__hyperalert__key.html">AI_hyperalert_key</a>  key;
-<a name="l00164"></a>00164 
-<a name="l00166"></a><a class="code" href="structAI__hyperalert__info.html#a8ac4e028c47a98a8be5afd4363164031">00166</a>         <span class="keywordtype">char</span>               **preconds;
-<a name="l00167"></a>00167 
-<a name="l00169"></a><a class="code" href="structAI__hyperalert__info.html#a616c16f364dbb2d726e88df6b364ea40">00169</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span>       n_preconds;
-<a name="l00170"></a>00170 
-<a name="l00172"></a><a class="code" href="structAI__hyperalert__info.html#a6a63385397bf814153d7bb20b52840d9">00172</a>         <span class="keywordtype">char</span>               **postconds;
-<a name="l00173"></a>00173 
-<a name="l00175"></a><a class="code" href="structAI__hyperalert__info.html#a73322b6cad3e883abed03b62c6c21719">00175</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span>       n_postconds;
-<a name="l00176"></a>00176 
-<a name="l00178"></a><a class="code" href="structAI__hyperalert__info.html#a6915bec67d383f374e758b44f50b48ff">00178</a>         UT_hash_handle     hh;
-<a name="l00179"></a>00179 } <a class="code" href="structAI__hyperalert__info.html">AI_hyperalert_info</a>;
-<a name="l00180"></a>00180 <span class="comment">/*****************************************************************/</span>
-<a name="l00182"></a><a class="code" href="struct__AI__snort__alert.html">00182</a> <span class="keyword">typedef</span> <span class="keyword">struct </span><a class="code" href="struct__AI__snort__alert.html">_AI_snort_alert</a>  {
-<a name="l00183"></a>00183         <span class="comment">/* Identifiers of the alert */</span>
-<a name="l00184"></a><a class="code" href="struct__AI__snort__alert.html#af8408be5da59cda853442dd13465c0f6">00184</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span>    <a class="code" href="struct__AI__snort__alert.html#af8408be5da59cda853442dd13465c0f6">gid</a>;
-<a name="l00185"></a><a class="code" href="struct__AI__snort__alert.html#a3349aa68d2234f8ffd897367c3a8a137">00185</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span>    <a class="code" href="struct__AI__snort__alert.html#a3349aa68d2234f8ffd897367c3a8a137">sid</a>;
-<a name="l00186"></a><a class="code" href="struct__AI__snort__alert.html#a864d3baa48586d6a31639f4cd27d9d37">00186</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span>    <a class="code" href="struct__AI__snort__alert.html#a864d3baa48586d6a31639f4cd27d9d37">rev</a>;
-<a name="l00187"></a>00187 
-<a name="l00188"></a>00188         <span class="comment">/* Snort priority, description,</span>
-<a name="l00189"></a>00189 <span class="comment">         * classification and timestamp</span>
-<a name="l00190"></a>00190 <span class="comment">         * of the alert */</span>
-<a name="l00191"></a><a class="code" href="struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9">00191</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">short</span>  <a class="code" href="struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9">priority</a>;
-<a name="l00192"></a><a class="code" href="struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135">00192</a>         <span class="keywordtype">char</span>            *<a class="code" href="struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135">desc</a>;
-<a name="l00193"></a><a class="code" href="struct__AI__snort__alert.html#aa89585e14acb2c4e684a1552d322632f">00193</a>         <span class="keywordtype">char</span>            *<a class="code" href="struct__AI__snort__alert.html#aa89585e14acb2c4e684a1552d322632f">classification</a>;
-<a name="l00194"></a><a class="code" href="struct__AI__snort__alert.html#a10a67f60ca3da339a2104849a0b2ac19">00194</a>         time_t          <a class="code" href="struct__AI__snort__alert.html#a10a67f60ca3da339a2104849a0b2ac19">timestamp</a>;
+<a name="l00131"></a><a class="code" href="structAI__config.html#adf6ef0faedfb4dea0a1353e781b14883">00131</a>         <span class="keywordtype">double</span>        correlationThresholdCoefficient;
+<a name="l00132"></a>00132 
+<a name="l00134"></a><a class="code" href="structAI__config.html#a2efa9590d7eea6dce8b5dd9aa76ed8ca">00134</a>         <span class="keywordtype">char</span>          alertfile[1024];
+<a name="l00135"></a>00135 
+<a name="l00137"></a><a class="code" href="structAI__config.html#a6da02a3f7116fd3810a41b738e8883a3">00137</a>         <span class="keywordtype">char</span>          clusterfile[1024];
+<a name="l00138"></a>00138 
+<a name="l00140"></a><a class="code" href="structAI__config.html#ab7ea93bbe72b85c4019b4f5656ad62fc">00140</a>         <span class="keywordtype">char</span>          corr_rules_dir[1024];
+<a name="l00141"></a>00141 
+<a name="l00143"></a><a class="code" href="structAI__config.html#ae68f5489e2ec9ea1408f98fe36d050c9">00143</a>         <span class="keywordtype">char</span>          corr_alerts_dir[1024];
+<a name="l00144"></a>00144 
+<a name="l00146"></a><a class="code" href="structAI__config.html#ac8a93607f12106e2f5c9b43af27107da">00146</a>         <span class="keywordtype">char</span>          dbname[256];
+<a name="l00147"></a>00147 
+<a name="l00149"></a><a class="code" href="structAI__config.html#aa004adebfdafb6d14092aecd7f4912b0">00149</a>         <span class="keywordtype">char</span>          dbuser[256];
+<a name="l00150"></a>00150 
+<a name="l00152"></a><a class="code" href="structAI__config.html#aa1cda349763faf60b2ebdbf2d187ae7d">00152</a>         <span class="keywordtype">char</span>          dbpass[256];
+<a name="l00153"></a>00153 
+<a name="l00155"></a><a class="code" href="structAI__config.html#a8e56f1a1b2095d3d329c8068ea0f3aab">00155</a>         <span class="keywordtype">char</span>          dbhost[256];
+<a name="l00156"></a>00156 } <a class="code" href="structAI__config.html">AI_config</a>;
+<a name="l00157"></a>00157 <span class="comment">/*****************************************************************/</span>
+<a name="l00159"></a><a class="code" href="struct__hierarchy__node.html">00159</a> <span class="keyword">typedef</span> <span class="keyword">struct </span><a class="code" href="struct__hierarchy__node.html">_hierarchy_node</a>
+<a name="l00160"></a>00160 {
+<a name="l00161"></a><a class="code" href="struct__hierarchy__node.html#a3b18e3ddfa2212c5e4ff9c0b4bde4296">00161</a>         <a class="code" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640">cluster_type</a>            <a class="code" href="struct__hierarchy__node.html#a3b18e3ddfa2212c5e4ff9c0b4bde4296">type</a>;
+<a name="l00162"></a><a class="code" href="struct__hierarchy__node.html#ae498f6fd14ca058a3ae0a95d5425451a">00162</a>         <span class="keywordtype">char</span>                    <a class="code" href="struct__hierarchy__node.html#ae498f6fd14ca058a3ae0a95d5425451a">label</a>[256];
+<a name="l00163"></a><a class="code" href="struct__hierarchy__node.html#a13ceebd7b435b9ef347fb90d9e6bbfe4">00163</a>         <span class="keywordtype">int</span>                     <a class="code" href="struct__hierarchy__node.html#a13ceebd7b435b9ef347fb90d9e6bbfe4">min_val</a>;
+<a name="l00164"></a><a class="code" href="struct__hierarchy__node.html#a79ea88029938dc30ab8f159405d12c87">00164</a>         <span class="keywordtype">int</span>                     <a class="code" href="struct__hierarchy__node.html#a79ea88029938dc30ab8f159405d12c87">max_val</a>;
+<a name="l00165"></a><a class="code" href="struct__hierarchy__node.html#a849256ce1039e2cefaaf64d91171be0a">00165</a>         <span class="keywordtype">int</span>                     <a class="code" href="struct__hierarchy__node.html#a849256ce1039e2cefaaf64d91171be0a">nchildren</a>;
+<a name="l00166"></a><a class="code" href="struct__hierarchy__node.html#a5c94c89d7e2aea393f1c550afb766bbe">00166</a>         <span class="keyword">struct </span><a class="code" href="struct__hierarchy__node.html">_hierarchy_node</a>  *<a class="code" href="struct__hierarchy__node.html#a5c94c89d7e2aea393f1c550afb766bbe">parent</a>;
+<a name="l00167"></a><a class="code" href="struct__hierarchy__node.html#afc23d4fe6426873164cdaab2f3d4f0cd">00167</a>         <span class="keyword">struct </span><a class="code" href="struct__hierarchy__node.html">_hierarchy_node</a>  **<a class="code" href="struct__hierarchy__node.html#afc23d4fe6426873164cdaab2f3d4f0cd">children</a>;
+<a name="l00168"></a>00168 } <a class="code" href="struct__hierarchy__node.html">hierarchy_node</a>;
+<a name="l00169"></a>00169 <span class="comment">/*****************************************************************/</span>
+<a name="l00171"></a><a class="code" href="structAI__hyperalert__key.html">00171</a> <span class="keyword">typedef</span> <span class="keyword">struct</span>
+<a name="l00172"></a>00172 {
+<a name="l00173"></a><a class="code" href="structAI__hyperalert__key.html#a711afeb45b534480e85bf9abe569a602">00173</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> gid;
+<a name="l00174"></a><a class="code" href="structAI__hyperalert__key.html#a854676c9125ae0aeaeaef2b201ce542f">00174</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> sid;
+<a name="l00175"></a><a class="code" href="structAI__hyperalert__key.html#a3aa6fed74469f1f2c08573c5d7298670">00175</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> rev;
+<a name="l00176"></a>00176 } <a class="code" href="structAI__hyperalert__key.html">AI_hyperalert_key</a>;
+<a name="l00177"></a>00177 <span class="comment">/*****************************************************************/</span>
+<a name="l00179"></a><a class="code" href="structAI__hyperalert__info.html">00179</a> <span class="keyword">typedef</span> <span class="keyword">struct</span>
+<a name="l00180"></a>00180 {
+<a name="l00182"></a><a class="code" href="structAI__hyperalert__info.html#a9d461da8f00415ef03b24edb3bbd6cf8">00182</a>         <a class="code" href="structAI__hyperalert__key.html">AI_hyperalert_key</a>  key;
+<a name="l00183"></a>00183 
+<a name="l00185"></a><a class="code" href="structAI__hyperalert__info.html#a8ac4e028c47a98a8be5afd4363164031">00185</a>         <span class="keywordtype">char</span>               **preconds;
+<a name="l00186"></a>00186 
+<a name="l00188"></a><a class="code" href="structAI__hyperalert__info.html#a616c16f364dbb2d726e88df6b364ea40">00188</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span>       n_preconds;
+<a name="l00189"></a>00189 
+<a name="l00191"></a><a class="code" href="structAI__hyperalert__info.html#a6a63385397bf814153d7bb20b52840d9">00191</a>         <span class="keywordtype">char</span>               **postconds;
+<a name="l00192"></a>00192 
+<a name="l00194"></a><a class="code" href="structAI__hyperalert__info.html#a73322b6cad3e883abed03b62c6c21719">00194</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span>       n_postconds;
 <a name="l00195"></a>00195 
-<a name="l00196"></a>00196         <span class="comment">/* IP header information */</span>
-<a name="l00197"></a><a class="code" href="struct__AI__snort__alert.html#a3f3c47f9baf3229d067504a85873b416">00197</a>         <a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a>         <a class="code" href="struct__AI__snort__alert.html#a3f3c47f9baf3229d067504a85873b416">ip_tos</a>;
-<a name="l00198"></a><a class="code" href="struct__AI__snort__alert.html#ad3ffe99036513d5f33b94d22fb84f8f1">00198</a>         <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a>        <a class="code" href="struct__AI__snort__alert.html#ad3ffe99036513d5f33b94d22fb84f8f1">ip_len</a>;
-<a name="l00199"></a><a class="code" href="struct__AI__snort__alert.html#a2fc673dec85a7b49dd16ac7c0bb1bb78">00199</a>         <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a>        <a class="code" href="struct__AI__snort__alert.html#a2fc673dec85a7b49dd16ac7c0bb1bb78">ip_id</a>;
-<a name="l00200"></a><a class="code" href="struct__AI__snort__alert.html#a3c9bbe84ec696cd58668a45799a66600">00200</a>         <a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a>         <a class="code" href="struct__AI__snort__alert.html#a3c9bbe84ec696cd58668a45799a66600">ip_ttl</a>;
-<a name="l00201"></a><a class="code" href="struct__AI__snort__alert.html#a5ea7b250ac1c472f3ab57565b6df2536">00201</a>         <a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a>         <a class="code" href="struct__AI__snort__alert.html#a5ea7b250ac1c472f3ab57565b6df2536">ip_proto</a>;
-<a name="l00202"></a><a class="code" href="struct__AI__snort__alert.html#a194117c57a52933d16a97838562bb611">00202</a>         <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a>        <a class="code" href="struct__AI__snort__alert.html#a194117c57a52933d16a97838562bb611">ip_src_addr</a>;
-<a name="l00203"></a><a class="code" href="struct__AI__snort__alert.html#a754ca683593c838e4032fa8c13b1512b">00203</a>         <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a>        <a class="code" href="struct__AI__snort__alert.html#a754ca683593c838e4032fa8c13b1512b">ip_dst_addr</a>;
-<a name="l00204"></a>00204 
-<a name="l00205"></a>00205         <span class="comment">/* TCP header information */</span>
-<a name="l00206"></a><a class="code" href="struct__AI__snort__alert.html#a4d4cbdbd9675f4c43545547f55174cb7">00206</a>         <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a>        <a class="code" href="struct__AI__snort__alert.html#a4d4cbdbd9675f4c43545547f55174cb7">tcp_src_port</a>;
-<a name="l00207"></a><a class="code" href="struct__AI__snort__alert.html#aaca31cb67d48ffc3bfd1227686d5f5a4">00207</a>         <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a>        <a class="code" href="struct__AI__snort__alert.html#aaca31cb67d48ffc3bfd1227686d5f5a4">tcp_dst_port</a>;
-<a name="l00208"></a><a class="code" href="struct__AI__snort__alert.html#ad6edf59fccea55bf5f940bf36117020b">00208</a>         <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a>        <a class="code" href="struct__AI__snort__alert.html#ad6edf59fccea55bf5f940bf36117020b">tcp_seq</a>;
-<a name="l00209"></a><a class="code" href="struct__AI__snort__alert.html#a8aac577224a4325ec50511c6d79b4b79">00209</a>         <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a>        <a class="code" href="struct__AI__snort__alert.html#a8aac577224a4325ec50511c6d79b4b79">tcp_ack</a>;
-<a name="l00210"></a><a class="code" href="struct__AI__snort__alert.html#aa643f11db93b70242b57f0a04775e507">00210</a>         <a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a>         <a class="code" href="struct__AI__snort__alert.html#aa643f11db93b70242b57f0a04775e507">tcp_flags</a>;
-<a name="l00211"></a><a class="code" href="struct__AI__snort__alert.html#a1687fccc26bb211591db8b36ffec5348">00211</a>         <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a>        <a class="code" href="struct__AI__snort__alert.html#a1687fccc26bb211591db8b36ffec5348">tcp_window</a>;
-<a name="l00212"></a><a class="code" href="struct__AI__snort__alert.html#ab7e0507050b8e475fea7a4b26c768857">00212</a>         <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a>        <a class="code" href="struct__AI__snort__alert.html#ab7e0507050b8e475fea7a4b26c768857">tcp_len</a>;
-<a name="l00213"></a>00213 
-<a name="l00216"></a><a class="code" href="struct__AI__snort__alert.html#a09dfe0a841fd3912ec78060d4547cb31">00216</a>         <span class="keyword">struct </span><a class="code" href="structpkt__info.html">pkt_info</a> *<a class="code" href="struct__AI__snort__alert.html#a09dfe0a841fd3912ec78060d4547cb31">stream</a>;
-<a name="l00217"></a>00217 
-<a name="l00220"></a><a class="code" href="struct__AI__snort__alert.html#aa8336d4b3359015ed8ea312ca1fd1173">00220</a>         <span class="keyword">struct </span><a class="code" href="struct__AI__snort__alert.html">_AI_snort_alert</a> *<a class="code" href="struct__AI__snort__alert.html#aa8336d4b3359015ed8ea312ca1fd1173">next</a>;
-<a name="l00221"></a>00221 
-<a name="l00224"></a><a class="code" href="struct__AI__snort__alert.html#ac53765584296ead1328eabfaba8a3aed">00224</a>         <a class="code" href="struct__hierarchy__node.html">hierarchy_node</a>  *<a class="code" href="struct__AI__snort__alert.html#ac53765584296ead1328eabfaba8a3aed">h_node</a>[CLUSTER_TYPES];
-<a name="l00225"></a>00225 
-<a name="l00229"></a><a class="code" href="struct__AI__snort__alert.html#a285aff12d6bac03c316ccc5305d28e53">00229</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span>    <a class="code" href="struct__AI__snort__alert.html#a285aff12d6bac03c316ccc5305d28e53">grouped_alarms_count</a>;
-<a name="l00230"></a>00230 
-<a name="l00233"></a><a class="code" href="struct__AI__snort__alert.html#ac101de15b4f9451f235b82122f77b62a">00233</a>         <a class="code" href="structAI__hyperalert__info.html">AI_hyperalert_info</a>  *<a class="code" href="struct__AI__snort__alert.html#ac101de15b4f9451f235b82122f77b62a">hyperalert</a>;
-<a name="l00234"></a>00234 } <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a>;
-<a name="l00235"></a>00235 <span class="comment">/*****************************************************************/</span>
+<a name="l00197"></a><a class="code" href="structAI__hyperalert__info.html#a6915bec67d383f374e758b44f50b48ff">00197</a>         UT_hash_handle     hh;
+<a name="l00198"></a>00198 } <a class="code" href="structAI__hyperalert__info.html">AI_hyperalert_info</a>;
+<a name="l00199"></a>00199 <span class="comment">/*****************************************************************/</span>
+<a name="l00201"></a><a class="code" href="struct__AI__snort__alert.html">00201</a> <span class="keyword">typedef</span> <span class="keyword">struct </span><a class="code" href="struct__AI__snort__alert.html">_AI_snort_alert</a>  {
+<a name="l00202"></a>00202         <span class="comment">/* Identifiers of the alert */</span>
+<a name="l00203"></a><a class="code" href="struct__AI__snort__alert.html#af8408be5da59cda853442dd13465c0f6">00203</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span>    <a class="code" href="struct__AI__snort__alert.html#af8408be5da59cda853442dd13465c0f6">gid</a>;
+<a name="l00204"></a><a class="code" href="struct__AI__snort__alert.html#a3349aa68d2234f8ffd897367c3a8a137">00204</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span>    <a class="code" href="struct__AI__snort__alert.html#a3349aa68d2234f8ffd897367c3a8a137">sid</a>;
+<a name="l00205"></a><a class="code" href="struct__AI__snort__alert.html#a864d3baa48586d6a31639f4cd27d9d37">00205</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span>    <a class="code" href="struct__AI__snort__alert.html#a864d3baa48586d6a31639f4cd27d9d37">rev</a>;
+<a name="l00206"></a>00206 
+<a name="l00207"></a>00207         <span class="comment">/* Snort priority, description,</span>
+<a name="l00208"></a>00208 <span class="comment">         * classification and timestamp</span>
+<a name="l00209"></a>00209 <span class="comment">         * of the alert */</span>
+<a name="l00210"></a><a class="code" href="struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9">00210</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">short</span>  <a class="code" href="struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9">priority</a>;
+<a name="l00211"></a><a class="code" href="struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135">00211</a>         <span class="keywordtype">char</span>            *<a class="code" href="struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135">desc</a>;
+<a name="l00212"></a><a class="code" href="struct__AI__snort__alert.html#aa89585e14acb2c4e684a1552d322632f">00212</a>         <span class="keywordtype">char</span>            *<a class="code" href="struct__AI__snort__alert.html#aa89585e14acb2c4e684a1552d322632f">classification</a>;
+<a name="l00213"></a><a class="code" href="struct__AI__snort__alert.html#a10a67f60ca3da339a2104849a0b2ac19">00213</a>         time_t          <a class="code" href="struct__AI__snort__alert.html#a10a67f60ca3da339a2104849a0b2ac19">timestamp</a>;
+<a name="l00214"></a>00214 
+<a name="l00215"></a>00215         <span class="comment">/* IP header information */</span>
+<a name="l00216"></a><a class="code" href="struct__AI__snort__alert.html#a3f3c47f9baf3229d067504a85873b416">00216</a>         <a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a>         <a class="code" href="struct__AI__snort__alert.html#a3f3c47f9baf3229d067504a85873b416">ip_tos</a>;
+<a name="l00217"></a><a class="code" href="struct__AI__snort__alert.html#ad3ffe99036513d5f33b94d22fb84f8f1">00217</a>         <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a>        <a class="code" href="struct__AI__snort__alert.html#ad3ffe99036513d5f33b94d22fb84f8f1">ip_len</a>;
+<a name="l00218"></a><a class="code" href="struct__AI__snort__alert.html#a2fc673dec85a7b49dd16ac7c0bb1bb78">00218</a>         <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a>        <a class="code" href="struct__AI__snort__alert.html#a2fc673dec85a7b49dd16ac7c0bb1bb78">ip_id</a>;
+<a name="l00219"></a><a class="code" href="struct__AI__snort__alert.html#a3c9bbe84ec696cd58668a45799a66600">00219</a>         <a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a>         <a class="code" href="struct__AI__snort__alert.html#a3c9bbe84ec696cd58668a45799a66600">ip_ttl</a>;
+<a name="l00220"></a><a class="code" href="struct__AI__snort__alert.html#a5ea7b250ac1c472f3ab57565b6df2536">00220</a>         <a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a>         <a class="code" href="struct__AI__snort__alert.html#a5ea7b250ac1c472f3ab57565b6df2536">ip_proto</a>;
+<a name="l00221"></a><a class="code" href="struct__AI__snort__alert.html#a194117c57a52933d16a97838562bb611">00221</a>         <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a>        <a class="code" href="struct__AI__snort__alert.html#a194117c57a52933d16a97838562bb611">ip_src_addr</a>;
+<a name="l00222"></a><a class="code" href="struct__AI__snort__alert.html#a754ca683593c838e4032fa8c13b1512b">00222</a>         <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a>        <a class="code" href="struct__AI__snort__alert.html#a754ca683593c838e4032fa8c13b1512b">ip_dst_addr</a>;
+<a name="l00223"></a>00223 
+<a name="l00224"></a>00224         <span class="comment">/* TCP header information */</span>
+<a name="l00225"></a><a class="code" href="struct__AI__snort__alert.html#a4d4cbdbd9675f4c43545547f55174cb7">00225</a>         <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a>        <a class="code" href="struct__AI__snort__alert.html#a4d4cbdbd9675f4c43545547f55174cb7">tcp_src_port</a>;
+<a name="l00226"></a><a class="code" href="struct__AI__snort__alert.html#aaca31cb67d48ffc3bfd1227686d5f5a4">00226</a>         <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a>        <a class="code" href="struct__AI__snort__alert.html#aaca31cb67d48ffc3bfd1227686d5f5a4">tcp_dst_port</a>;
+<a name="l00227"></a><a class="code" href="struct__AI__snort__alert.html#ad6edf59fccea55bf5f940bf36117020b">00227</a>         <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a>        <a class="code" href="struct__AI__snort__alert.html#ad6edf59fccea55bf5f940bf36117020b">tcp_seq</a>;
+<a name="l00228"></a><a class="code" href="struct__AI__snort__alert.html#a8aac577224a4325ec50511c6d79b4b79">00228</a>         <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a>        <a class="code" href="struct__AI__snort__alert.html#a8aac577224a4325ec50511c6d79b4b79">tcp_ack</a>;
+<a name="l00229"></a><a class="code" href="struct__AI__snort__alert.html#aa643f11db93b70242b57f0a04775e507">00229</a>         <a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a>         <a class="code" href="struct__AI__snort__alert.html#aa643f11db93b70242b57f0a04775e507">tcp_flags</a>;
+<a name="l00230"></a><a class="code" href="struct__AI__snort__alert.html#a1687fccc26bb211591db8b36ffec5348">00230</a>         <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a>        <a class="code" href="struct__AI__snort__alert.html#a1687fccc26bb211591db8b36ffec5348">tcp_window</a>;
+<a name="l00231"></a><a class="code" href="struct__AI__snort__alert.html#ab7e0507050b8e475fea7a4b26c768857">00231</a>         <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a>        <a class="code" href="struct__AI__snort__alert.html#ab7e0507050b8e475fea7a4b26c768857">tcp_len</a>;
+<a name="l00232"></a>00232 
+<a name="l00235"></a><a class="code" href="struct__AI__snort__alert.html#a09dfe0a841fd3912ec78060d4547cb31">00235</a>         <span class="keyword">struct </span><a class="code" href="structpkt__info.html">pkt_info</a> *<a class="code" href="struct__AI__snort__alert.html#a09dfe0a841fd3912ec78060d4547cb31">stream</a>;
 <a name="l00236"></a>00236 
-<a name="l00237"></a>00237 <span class="keywordtype">int</span>                <a class="code" href="group__regex.html#ga35f57c052a7de1ded54b67a1f7819791" title="Check if a string matches a regular expression.">preg_match</a> ( <span class="keyword">const</span> <span class="keywordtype">char</span>*, <span class="keywordtype">char</span>*, <span class="keywordtype">char</span>***, <span class="keywordtype">int</span>* );
-<a name="l00238"></a>00238 <span class="keywordtype">char</span>*              <a class="code" href="group__regex.html#ga736ba1abdc4938cbb1bf5861e7dbfd50" title="Replace the content of &amp;#39;orig&amp;#39; in &amp;#39;str&amp;#39; with &amp;#39;rep&amp;#39;.">str_replace</a> ( <span class="keywordtype">char</span> *str, <span class="keywordtype">char</span> *orig, <span class="keywordtype">char</span> *rep );
-<a name="l00239"></a>00239 <span class="keywordtype">char</span>*              <a class="code" href="group__regex.html#gaff6c55cd04fc08dd582e244590dc25a4" title="Replace all of the occurrences of &amp;#39;orig&amp;#39; in &amp;#39;str&amp;#39; with &amp;#39;rep&amp;#39;.">str_replace_all</a> ( <span class="keywordtype">char</span> *str, <span class="keywordtype">char</span> *orig, <span class="keywordtype">char</span> *rep );
+<a name="l00239"></a><a class="code" href="struct__AI__snort__alert.html#aa8336d4b3359015ed8ea312ca1fd1173">00239</a>         <span class="keyword">struct </span><a class="code" href="struct__AI__snort__alert.html">_AI_snort_alert</a> *<a class="code" href="struct__AI__snort__alert.html#aa8336d4b3359015ed8ea312ca1fd1173">next</a>;
 <a name="l00240"></a>00240 
-<a name="l00241"></a>00241 <span class="keywordtype">void</span>*              <a class="code" href="group__stream.html#ga24b1131374e5059564b8a12380c4eb75" title="Thread called for cleaning up the hash table from the traffic streams older than a certain threshold...">AI_hashcleanup_thread</a> ( <span class="keywordtype">void</span>* );
-<a name="l00242"></a>00242 <span class="keywordtype">void</span>*              <a class="code" href="group__alert__parser.html#ga5aab8d9bdf0e92a51731442fd787f61f" title="Thread for parsing Snort&amp;#39;s alert file.">AI_file_alertparser_thread</a> ( <span class="keywordtype">void</span>* );
-<a name="l00243"></a>00243 <span class="keywordtype">void</span>*              <a class="code" href="group__correlation.html#ga939353a4e15de7a8f4145ab986f584be" title="Thread for correlating clustered alerts.">AI_alert_correlation_thread</a> ( <span class="keywordtype">void</span>* );
+<a name="l00243"></a><a class="code" href="struct__AI__snort__alert.html#ac53765584296ead1328eabfaba8a3aed">00243</a>         <a class="code" href="struct__hierarchy__node.html">hierarchy_node</a>  *<a class="code" href="struct__AI__snort__alert.html#ac53765584296ead1328eabfaba8a3aed">h_node</a>[CLUSTER_TYPES];
 <a name="l00244"></a>00244 
-<a name="l00245"></a>00245 <span class="preprocessor">#ifdef  ENABLE_DB</span>
-<a name="l00246"></a>00246 <span class="preprocessor"></span><a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a>*    AI_db_get_alerts ( <span class="keywordtype">void</span> );
-<a name="l00247"></a>00247 <span class="keywordtype">void</span>               AI_db_free_alerts ( <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a> *node );
-<a name="l00248"></a>00248 <span class="keywordtype">void</span>*              AI_db_alertparser_thread ( <span class="keywordtype">void</span>* );
-<a name="l00249"></a>00249 <span class="preprocessor">#endif</span>
-<a name="l00250"></a>00250 <span class="preprocessor"></span>
-<a name="l00251"></a>00251 <span class="keywordtype">void</span>               <a class="code" href="group__stream.html#ga7d71c5645b9baff7b6c4b9a181bf80c5" title="Function called for appending a new packet to the hash table, creating a new stream or appending it t...">AI_pkt_enqueue</a> ( SFSnortPacket* );
-<a name="l00252"></a>00252 <span class="keywordtype">void</span>               <a class="code" href="group__stream.html#ga8749989cee2ac05a7de058faac280c02" title="Set the flag &amp;quot;observed&amp;quot; on a stream associated to a security alert, so that it won&amp;#39;t be...">AI_set_stream_observed</a> ( <span class="keyword">struct</span> <a class="code" href="structpkt__key.html">pkt_key</a> key );
-<a name="l00253"></a>00253 <span class="keywordtype">void</span>               <a class="code" href="group__cluster.html#ga1445818b37483f78cc3fb2890155842c" title="Build the clustering hierarchy trees.">AI_hierarchies_build</a> ( <a class="code" href="structAI__config.html">AI_config</a>*, <a class="code" href="struct__hierarchy__node.html">hierarchy_node</a>**, <span class="keywordtype">int</span> );
-<a name="l00254"></a>00254 <span class="keywordtype">void</span>               <a class="code" href="group__alert__parser.html#ga270e86669a0aa64a8da37bc16cda645b" title="Deallocate the memory of a log alert linked list.">AI_free_alerts</a> ( <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a> *node );
-<a name="l00255"></a>00255 
-<a name="l00256"></a>00256 <span class="keyword">struct </span><a class="code" href="structpkt__info.html">pkt_info</a>*   <a class="code" href="group__stream.html#ga2efedcabbfd12c5345f0c93a3dd4735c" title="Get a TCP stream by key.">AI_get_stream_by_key</a> ( <span class="keyword">struct</span> <a class="code" href="structpkt__key.html">pkt_key</a> );
-<a name="l00257"></a>00257 <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a>*    <a class="code" href="group__alert__parser.html#ga99474495643197b3075ac22ec6f6c70f" title="Return the alerts parsed so far as a linked list.">AI_get_alerts</a> ( <span class="keywordtype">void</span> );
-<a name="l00258"></a>00258 <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a>*    <a class="code" href="group__cluster.html#ga2553c678eeb83282c230d649a0e8fcd4" title="Return the alerts parsed so far as a linked list.">AI_get_clustered_alerts</a> ( <span class="keywordtype">void</span> );
-<a name="l00259"></a>00259 
-<a name="l00261"></a><a class="code" href="spp__ai_8h.html#ab184b676360ce03035801284a2bd1ea7">00261</a> <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a>* (*get_alerts)(void);
-<a name="l00262"></a>00262 
-<a name="l00263"></a>00263 <span class="preprocessor">#endif  </span><span class="comment">/* _SPP_AI_H */</span>
-<a name="l00264"></a>00264 
+<a name="l00248"></a><a class="code" href="struct__AI__snort__alert.html#a285aff12d6bac03c316ccc5305d28e53">00248</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span>    <a class="code" href="struct__AI__snort__alert.html#a285aff12d6bac03c316ccc5305d28e53">grouped_alarms_count</a>;
+<a name="l00249"></a>00249 
+<a name="l00252"></a><a class="code" href="struct__AI__snort__alert.html#ac101de15b4f9451f235b82122f77b62a">00252</a>         <a class="code" href="structAI__hyperalert__info.html">AI_hyperalert_info</a>  *<a class="code" href="struct__AI__snort__alert.html#ac101de15b4f9451f235b82122f77b62a">hyperalert</a>;
+<a name="l00253"></a>00253 
+<a name="l00254"></a>00254         <span class="comment">/* &#39;Parent&#39; correlated alert in the chain,</span>
+<a name="l00255"></a>00255 <span class="comment">         * if any*/</span>
+<a name="l00256"></a><a class="code" href="struct__AI__snort__alert.html#a55a5488c7ee7706ded4c16b1235fd9c7">00256</a>         <span class="keyword">struct </span><a class="code" href="struct__AI__snort__alert.html">_AI_snort_alert</a>  *<a class="code" href="struct__AI__snort__alert.html#a55a5488c7ee7706ded4c16b1235fd9c7">previous_correlated</a>;
+<a name="l00257"></a>00257 
+<a name="l00260"></a><a class="code" href="struct__AI__snort__alert.html#aac5e4078600ed17532db1f3d78165390">00260</a>         <span class="keyword">struct </span><a class="code" href="struct__AI__snort__alert.html">_AI_snort_alert</a>  **<a class="code" href="struct__AI__snort__alert.html#aac5e4078600ed17532db1f3d78165390">derived_alerts</a>;
+<a name="l00261"></a>00261 
+<a name="l00263"></a><a class="code" href="struct__AI__snort__alert.html#a1f2d5e8cfd0e6321b977173d1e90cb68">00263</a>         <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span>        <a class="code" href="struct__AI__snort__alert.html#a1f2d5e8cfd0e6321b977173d1e90cb68">n_derived_alerts</a>;
+<a name="l00264"></a>00264 } <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a>;
+<a name="l00265"></a>00265 <span class="comment">/*****************************************************************/</span>
+<a name="l00266"></a>00266 
+<a name="l00267"></a>00267 <span class="keywordtype">int</span>                <a class="code" href="group__regex.html#ga35f57c052a7de1ded54b67a1f7819791" title="Check if a string matches a regular expression.">preg_match</a> ( <span class="keyword">const</span> <span class="keywordtype">char</span>*, <span class="keywordtype">char</span>*, <span class="keywordtype">char</span>***, <span class="keywordtype">int</span>* );
+<a name="l00268"></a>00268 <span class="keywordtype">char</span>*              <a class="code" href="group__regex.html#ga736ba1abdc4938cbb1bf5861e7dbfd50" title="Replace the content of &amp;#39;orig&amp;#39; in &amp;#39;str&amp;#39; with &amp;#39;rep&amp;#39;.">str_replace</a> ( <span class="keywordtype">char</span> *str, <span class="keywordtype">char</span> *orig, <span class="keywordtype">char</span> *rep );
+<a name="l00269"></a>00269 <span class="keywordtype">char</span>*              <a class="code" href="group__regex.html#gaff6c55cd04fc08dd582e244590dc25a4" title="Replace all of the occurrences of &amp;#39;orig&amp;#39; in &amp;#39;str&amp;#39; with &amp;#39;rep&amp;#39;.">str_replace_all</a> ( <span class="keywordtype">char</span> *str, <span class="keywordtype">char</span> *orig, <span class="keywordtype">char</span> *rep );
+<a name="l00270"></a>00270 
+<a name="l00271"></a>00271 <span class="keywordtype">void</span>*              <a class="code" href="group__stream.html#ga24b1131374e5059564b8a12380c4eb75" title="Thread called for cleaning up the hash table from the traffic streams older than a certain threshold...">AI_hashcleanup_thread</a> ( <span class="keywordtype">void</span>* );
+<a name="l00272"></a>00272 <span class="keywordtype">void</span>*              <a class="code" href="group__alert__parser.html#ga5aab8d9bdf0e92a51731442fd787f61f" title="Thread for parsing Snort&amp;#39;s alert file.">AI_file_alertparser_thread</a> ( <span class="keywordtype">void</span>* );
+<a name="l00273"></a>00273 <span class="keywordtype">void</span>*              <a class="code" href="group__correlation.html#ga939353a4e15de7a8f4145ab986f584be" title="Thread for correlating clustered alerts.">AI_alert_correlation_thread</a> ( <span class="keywordtype">void</span>* );
+<a name="l00274"></a>00274 
+<a name="l00275"></a>00275 <span class="preprocessor">#ifdef  HAVE_LIBMYSQLCLIENT</span>
+<a name="l00276"></a>00276 <span class="preprocessor"></span><a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a>*    AI_db_get_alerts ( <span class="keywordtype">void</span> );
+<a name="l00277"></a>00277 <span class="keywordtype">void</span>               AI_db_free_alerts ( <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a> *node );
+<a name="l00278"></a>00278 <span class="keywordtype">void</span>*              AI_db_alertparser_thread ( <span class="keywordtype">void</span>* );
+<a name="l00279"></a>00279 <span class="preprocessor">#endif</span>
+<a name="l00280"></a>00280 <span class="preprocessor"></span>
+<a name="l00281"></a>00281 <span class="keywordtype">void</span>               <a class="code" href="group__stream.html#ga7d71c5645b9baff7b6c4b9a181bf80c5" title="Function called for appending a new packet to the hash table, creating a new stream or appending it t...">AI_pkt_enqueue</a> ( SFSnortPacket* );
+<a name="l00282"></a>00282 <span class="keywordtype">void</span>               <a class="code" href="group__stream.html#ga8749989cee2ac05a7de058faac280c02" title="Set the flag &amp;quot;observed&amp;quot; on a stream associated to a security alert, so that it won&amp;#39;t be...">AI_set_stream_observed</a> ( <span class="keyword">struct</span> <a class="code" href="structpkt__key.html">pkt_key</a> key );
+<a name="l00283"></a>00283 <span class="keywordtype">void</span>               <a class="code" href="group__cluster.html#ga1445818b37483f78cc3fb2890155842c" title="Build the clustering hierarchy trees.">AI_hierarchies_build</a> ( <a class="code" href="structAI__config.html">AI_config</a>*, <a class="code" href="struct__hierarchy__node.html">hierarchy_node</a>**, <span class="keywordtype">int</span> );
+<a name="l00284"></a>00284 <span class="keywordtype">void</span>               <a class="code" href="group__alert__parser.html#ga270e86669a0aa64a8da37bc16cda645b" title="Deallocate the memory of a log alert linked list.">AI_free_alerts</a> ( <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a> *node );
+<a name="l00285"></a>00285 
+<a name="l00286"></a>00286 <span class="keyword">struct </span><a class="code" href="structpkt__info.html">pkt_info</a>*   <a class="code" href="group__stream.html#ga2efedcabbfd12c5345f0c93a3dd4735c" title="Get a TCP stream by key.">AI_get_stream_by_key</a> ( <span class="keyword">struct</span> <a class="code" href="structpkt__key.html">pkt_key</a> );
+<a name="l00287"></a>00287 <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a>*    <a class="code" href="group__alert__parser.html#ga99474495643197b3075ac22ec6f6c70f" title="Return the alerts parsed so far as a linked list.">AI_get_alerts</a> ( <span class="keywordtype">void</span> );
+<a name="l00288"></a>00288 <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a>*    <a class="code" href="group__cluster.html#ga2553c678eeb83282c230d649a0e8fcd4" title="Return the alerts parsed so far as a linked list.">AI_get_clustered_alerts</a> ( <span class="keywordtype">void</span> );
+<a name="l00289"></a>00289 
+<a name="l00291"></a><a class="code" href="spp__ai_8h.html#ab184b676360ce03035801284a2bd1ea7">00291</a> <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a>* (*get_alerts)(void);
+<a name="l00292"></a>00292 
+<a name="l00293"></a>00293 <span class="preprocessor">#endif  </span><span class="comment">/* _SPP_AI_H */</span>
+<a name="l00294"></a>00294 
 </pre></div></div>
 </div>
 <!--- window showing the filter options -->
@@ -278,7 +294,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/stream_8c.html b/doc/html/stream_8c.html
index ec6e5aa..a0aff10 100644
--- a/doc/html/stream_8c.html
+++ b/doc/html/stream_8c.html
@@ -134,7 +134,7 @@ Variables</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/structAI__alert__correlation.html b/doc/html/structAI__alert__correlation.html
index 8db8af8..dd452c0 100644
--- a/doc/html/structAI__alert__correlation.html
+++ b/doc/html/structAI__alert__correlation.html
@@ -59,42 +59,13 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
 <!-- doxytag: class="AI_alert_correlation" --><table class="memberdecls">
 <tr><td colspan="2"><h2><a name="pub-attribs"></a>
 Data Fields</h2></td></tr>
-<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__alert__correlation.html#a8737f171e1c1b2305c8fe77101d6aeb7">a</a></td></tr>
-<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__alert__correlation.html#a478f1a6f18f9c083b203efdf776379cd">b</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="structAI__alert__correlation__key.html">AI_alert_correlation_key</a>&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__alert__correlation.html#a4e27da4922a1d44497634c8e5968d870">key</a></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">double&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__alert__correlation.html#aad417b2126ae26d7576f006a3dbcdc81">correlation</a></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">UT_hash_handle&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__alert__correlation.html#ad3020a87936a2193a92f09331401ad42">hh</a></td></tr>
 </table>
 <hr/><a name="_details"></a><h2>Detailed Description</h2>
 <p>Struct representing the correlation between all the couples of alerts </p>
 <hr/><h2>Field Documentation</h2>
-<a class="anchor" id="a8737f171e1c1b2305c8fe77101d6aeb7"></a><!-- doxytag: member="AI_alert_correlation::a" ref="a8737f171e1c1b2305c8fe77101d6aeb7" args="" -->
-<div class="memitem">
-<div class="memproto">
-      <table class="memname">
-        <tr>
-          <td class="memname"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a>* <a class="el" href="structAI__alert__correlation.html#a8737f171e1c1b2305c8fe77101d6aeb7">AI_alert_correlation::a</a></td>
-        </tr>
-      </table>
-</div>
-<div class="memdoc">
-<p>First alert </p>
-
-</div>
-</div>
-<a class="anchor" id="a478f1a6f18f9c083b203efdf776379cd"></a><!-- doxytag: member="AI_alert_correlation::b" ref="a478f1a6f18f9c083b203efdf776379cd" args="" -->
-<div class="memitem">
-<div class="memproto">
-      <table class="memname">
-        <tr>
-          <td class="memname"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a>* <a class="el" href="structAI__alert__correlation.html#a478f1a6f18f9c083b203efdf776379cd">AI_alert_correlation::b</a></td>
-        </tr>
-      </table>
-</div>
-<div class="memdoc">
-<p>Second alert </p>
-
-</div>
-</div>
 <a class="anchor" id="aad417b2126ae26d7576f006a3dbcdc81"></a><!-- doxytag: member="AI_alert_correlation::correlation" ref="aad417b2126ae26d7576f006a3dbcdc81" args="" -->
 <div class="memitem">
 <div class="memproto">
@@ -121,6 +92,20 @@ Data Fields</h2></td></tr>
 <div class="memdoc">
 <p>Make the struct 'hashable' </p>
 
+</div>
+</div>
+<a class="anchor" id="a4e27da4922a1d44497634c8e5968d870"></a><!-- doxytag: member="AI_alert_correlation::key" ref="a4e27da4922a1d44497634c8e5968d870" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname"><a class="el" href="structAI__alert__correlation__key.html">AI_alert_correlation_key</a> <a class="el" href="structAI__alert__correlation.html#a4e27da4922a1d44497634c8e5968d870">AI_alert_correlation::key</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+<p>Hash key </p>
+
 </div>
 </div>
 <hr/>The documentation for this struct was generated from the following file:<ul>
@@ -141,7 +126,7 @@ Data Fields</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/structAI__alert__correlation__key.html b/doc/html/structAI__alert__correlation__key.html
new file mode 100644
index 0000000..2053ffc
--- /dev/null
+++ b/doc/html/structAI__alert__correlation__key.html
@@ -0,0 +1,118 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
+<title>Snort AI preprocessor module: AI_alert_correlation_key Struct Reference</title>
+<link href="tabs.css" rel="stylesheet" type="text/css"/>
+<link href="search/search.css" rel="stylesheet" type="text/css"/>
+<script type="text/javaScript" src="search/search.js"></script>
+<link href="doxygen.css" rel="stylesheet" type="text/css"/>
+</head>
+<body onload='searchBox.OnSelectItem(0);'>
+<!-- Generated by Doxygen 1.7.1 -->
+<script type="text/javascript"><!--
+var searchBox = new SearchBox("searchBox", "search",false,'Search');
+--></script>
+<div class="navigation" id="top">
+  <div class="tabs">
+    <ul class="tablist">
+      <li><a href="index.html"><span>Main&nbsp;Page</span></a></li>
+      <li><a href="modules.html"><span>Modules</span></a></li>
+      <li class="current"><a href="annotated.html"><span>Data&nbsp;Structures</span></a></li>
+      <li><a href="files.html"><span>Files</span></a></li>
+      <li id="searchli">
+        <div id="MSearchBox" class="MSearchBoxInactive">
+        <span class="left">
+          <img id="MSearchSelect" src="search/mag_sel.png"
+               onmouseover="return searchBox.OnSearchSelectShow()"
+               onmouseout="return searchBox.OnSearchSelectHide()"
+               alt=""/>
+          <input type="text" id="MSearchField" value="Search" accesskey="S"
+               onfocus="searchBox.OnSearchFieldFocus(true)" 
+               onblur="searchBox.OnSearchFieldFocus(false)" 
+               onkeyup="searchBox.OnSearchFieldChange(event)"/>
+          </span><span class="right">
+            <a id="MSearchClose" href="javascript:searchBox.CloseResultsWindow()"><img id="MSearchCloseImg" border="0" src="search/close.png" alt=""/></a>
+          </span>
+        </div>
+      </li>
+    </ul>
+  </div>
+  <div class="tabs2">
+    <ul class="tablist">
+      <li><a href="annotated.html"><span>Data&nbsp;Structures</span></a></li>
+      <li><a href="classes.html"><span>Data&nbsp;Structure&nbsp;Index</span></a></li>
+      <li><a href="functions.html"><span>Data&nbsp;Fields</span></a></li>
+    </ul>
+  </div>
+</div>
+<div class="header">
+  <div class="summary">
+<a href="#pub-attribs">Data Fields</a>  </div>
+  <div class="headertitle">
+<h1>AI_alert_correlation_key Struct Reference<br/>
+<small>
+[<a class="el" href="group__correlation.html">Module for the correlation of hyperalerts</a>]</small>
+</h1>  </div>
+</div>
+<div class="contents">
+<!-- doxytag: class="AI_alert_correlation_key" --><table class="memberdecls">
+<tr><td colspan="2"><h2><a name="pub-attribs"></a>
+Data Fields</h2></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__alert__correlation__key.html#a774daec9332da25835a0904d853acadb">a</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__alert__correlation__key.html#a5805dec6499a83b818091b4f21c715dc">b</a></td></tr>
+</table>
+<hr/><a name="_details"></a><h2>Detailed Description</h2>
+<p>Key for the correlation hash table </p>
+<hr/><h2>Field Documentation</h2>
+<a class="anchor" id="a774daec9332da25835a0904d853acadb"></a><!-- doxytag: member="AI_alert_correlation_key::a" ref="a774daec9332da25835a0904d853acadb" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a>* <a class="el" href="structAI__alert__correlation__key.html#a774daec9332da25835a0904d853acadb">AI_alert_correlation_key::a</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+<p>First alert </p>
+
+</div>
+</div>
+<a class="anchor" id="a5805dec6499a83b818091b4f21c715dc"></a><!-- doxytag: member="AI_alert_correlation_key::b" ref="a5805dec6499a83b818091b4f21c715dc" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a>* <a class="el" href="structAI__alert__correlation__key.html#a5805dec6499a83b818091b4f21c715dc">AI_alert_correlation_key::b</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+<p>Second alert </p>
+
+</div>
+</div>
+<hr/>The documentation for this struct was generated from the following file:<ul>
+<li><a class="el" href="correlation_8c.html">correlation.c</a></li>
+</ul>
+</div>
+<!--- window showing the filter options -->
+<div id="MSearchSelectWindow"
+     onmouseover="return searchBox.OnSearchSelectShow()"
+     onmouseout="return searchBox.OnSearchSelectHide()"
+     onkeydown="return searchBox.OnSearchSelectKey(event)">
+<a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(0)"><span class="SelectionMark">&nbsp;</span>All</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(1)"><span class="SelectionMark">&nbsp;</span>Data Structures</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(2)"><span class="SelectionMark">&nbsp;</span>Files</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(3)"><span class="SelectionMark">&nbsp;</span>Functions</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(4)"><span class="SelectionMark">&nbsp;</span>Variables</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(5)"><span class="SelectionMark">&nbsp;</span>Typedefs</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(6)"><span class="SelectionMark">&nbsp;</span>Enumerations</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(7)"><span class="SelectionMark">&nbsp;</span>Enumerator</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(8)"><span class="SelectionMark">&nbsp;</span>Defines</a></div>
+
+<!-- iframe showing the search results (closed by default) -->
+<div id="MSearchResultsWindow">
+<iframe src="" frameborder="0" 
+        name="MSearchResults" id="MSearchResults">
+</iframe>
+</div>
+
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
+<a href="http://www.doxygen.org/index.html">
+<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
+</body>
+</html>
diff --git a/doc/html/structAI__config.html b/doc/html/structAI__config.html
index b03cf4a..55531f4 100644
--- a/doc/html/structAI__config.html
+++ b/doc/html/structAI__config.html
@@ -63,9 +63,11 @@ Data Fields</h2></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">unsigned long&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#a7d0d098b8263aa3d8415b11d1ec7f93d">alertClusteringInterval</a></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">unsigned long&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#ae6ca715cab1d90b70c3aad443133c263">databaseParsingInterval</a></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">unsigned long&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#aa736375e57a59936e2e782b7cd200e41">correlationGraphInterval</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">double&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#adf6ef0faedfb4dea0a1353e781b14883">correlationThresholdCoefficient</a></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">char&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#a2efa9590d7eea6dce8b5dd9aa76ed8ca">alertfile</a> [1024]</td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">char&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#a6da02a3f7116fd3810a41b738e8883a3">clusterfile</a> [1024]</td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">char&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#ab7ea93bbe72b85c4019b4f5656ad62fc">corr_rules_dir</a> [1024]</td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">char&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#ae68f5489e2ec9ea1408f98fe36d050c9">corr_alerts_dir</a> [1024]</td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">char&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#ac8a93607f12106e2f5c9b43af27107da">dbname</a> [256]</td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">char&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#aa004adebfdafb6d14092aecd7f4912b0">dbuser</a> [256]</td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">char&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#aa1cda349763faf60b2ebdbf2d187ae7d">dbpass</a> [256]</td></tr>
@@ -112,6 +114,20 @@ Data Fields</h2></td></tr>
 <div class="memdoc">
 <p>Clustered alerts file </p>
 
+</div>
+</div>
+<a class="anchor" id="ae68f5489e2ec9ea1408f98fe36d050c9"></a><!-- doxytag: member="AI_config::corr_alerts_dir" ref="ae68f5489e2ec9ea1408f98fe36d050c9" args="[1024]" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">char <a class="el" href="structAI__config.html#ae68f5489e2ec9ea1408f98fe36d050c9">AI_config::corr_alerts_dir</a>[1024]</td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+<p>Directory where the correlated alerts' information will be placed </p>
+
 </div>
 </div>
 <a class="anchor" id="ab7ea93bbe72b85c4019b4f5656ad62fc"></a><!-- doxytag: member="AI_config::corr_rules_dir" ref="ab7ea93bbe72b85c4019b4f5656ad62fc" args="[1024]" -->
@@ -140,6 +156,20 @@ Data Fields</h2></td></tr>
 <div class="memdoc">
 <p>Interval in seconds for running the thread for building alert correlation graphs </p>
 
+</div>
+</div>
+<a class="anchor" id="adf6ef0faedfb4dea0a1353e781b14883"></a><!-- doxytag: member="AI_config::correlationThresholdCoefficient" ref="adf6ef0faedfb4dea0a1353e781b14883" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">double <a class="el" href="structAI__config.html#adf6ef0faedfb4dea0a1353e781b14883">AI_config::correlationThresholdCoefficient</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+<p>Correlation threshold coefficient for correlating two hyperalerts. Two hyperalerts are 'correlated' to each other in a multi-step attack graph if and only if their correlation value is &gt;= m + ks, where m is the average correlation coefficient, s is the standard deviation over this coefficient, and k is this threshold coefficient. Its value can be &gt;= 0. A value in [0,1] is strongly suggested, but this value mostly depends on how accurate the correlation rules where defined. Be careful, defining a correlation coefficient &gt; or &gt;&gt; 1 no correlation may occur at all! </p>
+
 </div>
 </div>
 <a class="anchor" id="ae6ca715cab1d90b70c3aad443133c263"></a><!-- doxytag: member="AI_config::databaseParsingInterval" ref="ae6ca715cab1d90b70c3aad443133c263" args="" -->
@@ -258,7 +288,7 @@ Data Fields</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/structAI__hyperalert__info.html b/doc/html/structAI__hyperalert__info.html
index 6eab09a..9c13db1 100644
--- a/doc/html/structAI__hyperalert__info.html
+++ b/doc/html/structAI__hyperalert__info.html
@@ -170,7 +170,7 @@ Data Fields</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/structAI__hyperalert__key.html b/doc/html/structAI__hyperalert__key.html
index 71d4419..b8fefcd 100644
--- a/doc/html/structAI__hyperalert__key.html
+++ b/doc/html/structAI__hyperalert__key.html
@@ -122,7 +122,7 @@ Data Fields</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/struct__AI__snort__alert.html b/doc/html/struct__AI__snort__alert.html
index 3bf60a1..dbbb393 100644
--- a/doc/html/struct__AI__snort__alert.html
+++ b/doc/html/struct__AI__snort__alert.html
@@ -84,6 +84,9 @@ Data Fields</h2></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="struct__hierarchy__node.html">hierarchy_node</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#ac53765584296ead1328eabfaba8a3aed">h_node</a> [CLUSTER_TYPES]</td></tr>
 <tr><td class="memItemLeft" align="right" valign="top">unsigned int&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#a285aff12d6bac03c316ccc5305d28e53">grouped_alarms_count</a></td></tr>
 <tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="structAI__hyperalert__info.html">AI_hyperalert_info</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#ac101de15b4f9451f235b82122f77b62a">hyperalert</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">struct <a class="el" href="struct__AI__snort__alert.html">_AI_snort_alert</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#a55a5488c7ee7706ded4c16b1235fd9c7">previous_correlated</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">struct <a class="el" href="struct__AI__snort__alert.html">_AI_snort_alert</a> **&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#aac5e4078600ed17532db1f3d78165390">derived_alerts</a></td></tr>
+<tr><td class="memItemLeft" align="right" valign="top">unsigned int&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#a1f2d5e8cfd0e6321b977173d1e90cb68">n_derived_alerts</a></td></tr>
 </table>
 <hr/><a name="_details"></a><h2>Detailed Description</h2>
 <p>Data type for Snort alerts </p>
@@ -99,6 +102,20 @@ Data Fields</h2></td></tr>
 </div>
 <div class="memdoc">
 
+</div>
+</div>
+<a class="anchor" id="aac5e4078600ed17532db1f3d78165390"></a><!-- doxytag: member="_AI_snort_alert::derived_alerts" ref="aac5e4078600ed17532db1f3d78165390" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">struct <a class="el" href="struct__AI__snort__alert.html">_AI_snort_alert</a>** <a class="el" href="struct__AI__snort__alert.html#aac5e4078600ed17532db1f3d78165390">_AI_snort_alert::derived_alerts</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+<p>Array of directly correlated 'derived' alerts from the current one, if any </p>
+
 </div>
 </div>
 <a class="anchor" id="ac0902d7c756ec675fb06347ce4706135"></a><!-- doxytag: member="_AI_snort_alert::desc" ref="ac0902d7c756ec675fb06347ce4706135" args="" -->
@@ -258,6 +275,20 @@ Data Fields</h2></td></tr>
 </div>
 <div class="memdoc">
 
+</div>
+</div>
+<a class="anchor" id="a1f2d5e8cfd0e6321b977173d1e90cb68"></a><!-- doxytag: member="_AI_snort_alert::n_derived_alerts" ref="a1f2d5e8cfd0e6321b977173d1e90cb68" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">unsigned int <a class="el" href="struct__AI__snort__alert.html#a1f2d5e8cfd0e6321b977173d1e90cb68">_AI_snort_alert::n_derived_alerts</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+<p>Number of derived alerts </p>
+
 </div>
 </div>
 <a class="anchor" id="aa8336d4b3359015ed8ea312ca1fd1173"></a><!-- doxytag: member="_AI_snort_alert::next" ref="aa8336d4b3359015ed8ea312ca1fd1173" args="" -->
@@ -272,6 +303,19 @@ Data Fields</h2></td></tr>
 <div class="memdoc">
 <p>Pointer to the next alert in the log, if any </p>
 
+</div>
+</div>
+<a class="anchor" id="a55a5488c7ee7706ded4c16b1235fd9c7"></a><!-- doxytag: member="_AI_snort_alert::previous_correlated" ref="a55a5488c7ee7706ded4c16b1235fd9c7" args="" -->
+<div class="memitem">
+<div class="memproto">
+      <table class="memname">
+        <tr>
+          <td class="memname">struct <a class="el" href="struct__AI__snort__alert.html">_AI_snort_alert</a>* <a class="el" href="struct__AI__snort__alert.html#a55a5488c7ee7706ded4c16b1235fd9c7">_AI_snort_alert::previous_correlated</a></td>
+        </tr>
+      </table>
+</div>
+<div class="memdoc">
+
 </div>
 </div>
 <a class="anchor" id="a25661fa4e212c5e30af5e6a892985ec9"></a><!-- doxytag: member="_AI_snort_alert::priority" ref="a25661fa4e212c5e30af5e6a892985ec9" args="" -->
@@ -449,7 +493,7 @@ Data Fields</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/struct__hierarchy__node.html b/doc/html/struct__hierarchy__node.html
index 4430635..ecc9c4f 100644
--- a/doc/html/struct__hierarchy__node.html
+++ b/doc/html/struct__hierarchy__node.html
@@ -178,7 +178,7 @@ Data Fields</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/structattribute__key.html b/doc/html/structattribute__key.html
index d319b89..2387c43 100644
--- a/doc/html/structattribute__key.html
+++ b/doc/html/structattribute__key.html
@@ -109,7 +109,7 @@ Data Fields</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/structattribute__value.html b/doc/html/structattribute__value.html
index fa515e2..935e6fe 100644
--- a/doc/html/structattribute__value.html
+++ b/doc/html/structattribute__value.html
@@ -137,7 +137,7 @@ Data Fields</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/structpkt__info.html b/doc/html/structpkt__info.html
index cd76f93..dc809f8 100644
--- a/doc/html/structpkt__info.html
+++ b/doc/html/structpkt__info.html
@@ -170,7 +170,7 @@ Data Fields</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/html/structpkt__key.html b/doc/html/structpkt__key.html
index 3088d2d..4c3faf5 100644
--- a/doc/html/structpkt__key.html
+++ b/doc/html/structpkt__key.html
@@ -108,7 +108,7 @@ Data Fields</h2></td></tr>
 </iframe>
 </div>
 
-<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp;
+<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
 <a href="http://www.doxygen.org/index.html">
 <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
 </body>
diff --git a/doc/latex/annotated.tex b/doc/latex/annotated.tex
index 04e27ab..5850f6d 100644
--- a/doc/latex/annotated.tex
+++ b/doc/latex/annotated.tex
@@ -3,6 +3,7 @@ Here are the data structures with brief descriptions:\begin{DoxyCompactList}
 \item\contentsline{section}{\hyperlink{struct__AI__snort__alert}{\_\-AI\_\-snort\_\-alert} }{\pageref{struct__AI__snort__alert}}{}
 \item\contentsline{section}{\hyperlink{struct__hierarchy__node}{\_\-hierarchy\_\-node} }{\pageref{struct__hierarchy__node}}{}
 \item\contentsline{section}{\hyperlink{structAI__alert__correlation}{AI\_\-alert\_\-correlation} }{\pageref{structAI__alert__correlation}}{}
+\item\contentsline{section}{\hyperlink{structAI__alert__correlation__key}{AI\_\-alert\_\-correlation\_\-key} }{\pageref{structAI__alert__correlation__key}}{}
 \item\contentsline{section}{\hyperlink{structAI__config}{AI\_\-config} }{\pageref{structAI__config}}{}
 \item\contentsline{section}{\hyperlink{structAI__hyperalert__info}{AI\_\-hyperalert\_\-info} }{\pageref{structAI__hyperalert__info}}{}
 \item\contentsline{section}{\hyperlink{structAI__hyperalert__key}{AI\_\-hyperalert\_\-key} }{\pageref{structAI__hyperalert__key}}{}
diff --git a/doc/latex/correlation_8c.tex b/doc/latex/correlation_8c.tex
index 8416742..36ca14f 100644
--- a/doc/latex/correlation_8c.tex
+++ b/doc/latex/correlation_8c.tex
@@ -3,13 +3,21 @@
 \label{correlation_8c}\index{correlation.c@{correlation.c}}
 }
 {\ttfamily \#include \char`\"{}spp\_\-ai.h\char`\"{}}\par
+{\ttfamily \#include $<$stdio.h$>$}\par
+{\ttfamily \#include $<$stdlib.h$>$}\par
+{\ttfamily \#include $<$string.h$>$}\par
 {\ttfamily \#include $<$unistd.h$>$}\par
+{\ttfamily \#include $<$time.h$>$}\par
+{\ttfamily \#include $<$math.h$>$}\par
+{\ttfamily \#include $<$alloca.h$>$}\par
 {\ttfamily \#include $<$sys/stat.h$>$}\par
 {\ttfamily \#include $<$pthread.h$>$}\par
 {\ttfamily \#include $<$libxml/xmlreader.h$>$}\par
 \subsection*{Data Structures}
 \begin{DoxyCompactItemize}
 \item 
+struct \hyperlink{structAI__alert__correlation__key}{AI\_\-alert\_\-correlation\_\-key}
+\item 
 struct \hyperlink{structAI__alert__correlation}{AI\_\-alert\_\-correlation}
 \end{DoxyCompactItemize}
 \subsection*{Enumerations}
@@ -27,9 +35,17 @@ enum \{ \par
 \subsection*{Functions}
 \begin{DoxyCompactItemize}
 \item 
-double \hyperlink{group__correlation_ga130e82017fc0abcb76b1a7740ae2f4df}{\_\-AI\_\-correlation\_\-coefficient} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$a, \hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$b)
+PRIVATE void \hyperlink{group__correlation_ga9bcb94264ffe30f113f3fb7287b774e3}{\_\-AI\_\-correlation\_\-table\_\-cleanup} ()
+\begin{DoxyCompactList}\small\item\em Clean up the correlation hash table. \item\end{DoxyCompactList}\item 
+PRIVATE void \hyperlink{group__correlation_ga4267a39fa1a5ac035015823bca43288e}{\_\-AI\_\-print\_\-correlated\_\-alerts} (\hyperlink{structAI__alert__correlation}{AI\_\-alert\_\-correlation} $\ast$corr, FILE $\ast$fp)
+\begin{DoxyCompactList}\small\item\em Recursively write a flow of correlated alerts to a .dot file, ready for being rendered as graph. \item\end{DoxyCompactList}\item 
+PRIVATE char $\ast$ \hyperlink{group__correlation_ga7a1b2d01f526f24ea91d7f08bdefd4fe}{\_\-AI\_\-get\_\-function\_\-name} (const char $\ast$orig\_\-stmt)
+\begin{DoxyCompactList}\small\item\em Get the name of the function called by a pre-\/condition or post-\/condition predicate. \item\end{DoxyCompactList}\item 
+PRIVATE char $\ast$$\ast$ \hyperlink{group__correlation_gab716702cd226ab2ad957234a92da6e4a}{\_\-AI\_\-get\_\-function\_\-arguments} (char $\ast$orig\_\-stmt, int $\ast$n\_\-args)
+\begin{DoxyCompactList}\small\item\em Get the arguments passed to a function predicate in a pre-\/condition or post-\/condition (comma-\/separated values). \item\end{DoxyCompactList}\item 
+PRIVATE double \hyperlink{group__correlation_ga9cb283b28a66829574add58a251b93c6}{\_\-AI\_\-correlation\_\-coefficient} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$a, \hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$b)
 \begin{DoxyCompactList}\small\item\em Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A) / UNION(pre(B), post(A)). \item\end{DoxyCompactList}\item 
-void \hyperlink{group__correlation_ga0d094eae1d014d89a2de21263fa747da}{\_\-AI\_\-macro\_\-subst} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$$\ast$alert)
+PRIVATE void \hyperlink{group__correlation_ga70a4aaf8b689472dad62ba7a9bbde1a6}{\_\-AI\_\-macro\_\-subst} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$$\ast$alert)
 \begin{DoxyCompactList}\small\item\em Substitute the macros in hyperalert pre-\/conditions and post-\/conditions with their associated values. \item\end{DoxyCompactList}\item 
 PRIVATE \hyperlink{structAI__hyperalert__info}{AI\_\-hyperalert\_\-info} $\ast$ \hyperlink{group__correlation_ga929e5c17fdb247a998d83ed6a4ae5a65}{\_\-AI\_\-hyperalert\_\-from\_\-XML} (\hyperlink{structAI__hyperalert__key}{AI\_\-hyperalert\_\-key} key)
 \begin{DoxyCompactList}\small\item\em Parse info about a hyperalert from a correlation XML file, if it exists. \item\end{DoxyCompactList}\item 
diff --git a/doc/latex/doxygen.sty b/doc/latex/doxygen.sty
index 98a04a0..9270da4 100644
--- a/doc/latex/doxygen.sty
+++ b/doc/latex/doxygen.sty
@@ -27,9 +27,9 @@
   \fancyplain{}{\bfseries\thepage}%
 }
 \rfoot[\fancyplain{}{\bfseries\scriptsize%
-  Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by Doxygen }]{}
+  Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by Doxygen }]{}
 \lfoot[]{\fancyplain{}{\bfseries\scriptsize%
-  Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by Doxygen }}
+  Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by Doxygen }}
 \cfoot{}
 
 %---------- Internal commands used in this style file ----------------
diff --git a/doc/latex/group__correlation.tex b/doc/latex/group__correlation.tex
index b490929..c16c210 100644
--- a/doc/latex/group__correlation.tex
+++ b/doc/latex/group__correlation.tex
@@ -5,6 +5,8 @@
 \subsection*{Data Structures}
 \begin{DoxyCompactItemize}
 \item 
+struct \hyperlink{structAI__alert__correlation__key}{AI\_\-alert\_\-correlation\_\-key}
+\item 
 struct \hyperlink{structAI__alert__correlation}{AI\_\-alert\_\-correlation}
 \end{DoxyCompactItemize}
 \subsection*{Enumerations}
@@ -22,9 +24,17 @@ enum \{ \par
 \subsection*{Functions}
 \begin{DoxyCompactItemize}
 \item 
-double \hyperlink{group__correlation_ga130e82017fc0abcb76b1a7740ae2f4df}{\_\-AI\_\-correlation\_\-coefficient} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$a, \hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$b)
+PRIVATE void \hyperlink{group__correlation_ga9bcb94264ffe30f113f3fb7287b774e3}{\_\-AI\_\-correlation\_\-table\_\-cleanup} ()
+\begin{DoxyCompactList}\small\item\em Clean up the correlation hash table. \item\end{DoxyCompactList}\item 
+PRIVATE void \hyperlink{group__correlation_ga4267a39fa1a5ac035015823bca43288e}{\_\-AI\_\-print\_\-correlated\_\-alerts} (\hyperlink{structAI__alert__correlation}{AI\_\-alert\_\-correlation} $\ast$corr, FILE $\ast$fp)
+\begin{DoxyCompactList}\small\item\em Recursively write a flow of correlated alerts to a .dot file, ready for being rendered as graph. \item\end{DoxyCompactList}\item 
+PRIVATE char $\ast$ \hyperlink{group__correlation_ga7a1b2d01f526f24ea91d7f08bdefd4fe}{\_\-AI\_\-get\_\-function\_\-name} (const char $\ast$orig\_\-stmt)
+\begin{DoxyCompactList}\small\item\em Get the name of the function called by a pre-\/condition or post-\/condition predicate. \item\end{DoxyCompactList}\item 
+PRIVATE char $\ast$$\ast$ \hyperlink{group__correlation_gab716702cd226ab2ad957234a92da6e4a}{\_\-AI\_\-get\_\-function\_\-arguments} (char $\ast$orig\_\-stmt, int $\ast$n\_\-args)
+\begin{DoxyCompactList}\small\item\em Get the arguments passed to a function predicate in a pre-\/condition or post-\/condition (comma-\/separated values). \item\end{DoxyCompactList}\item 
+PRIVATE double \hyperlink{group__correlation_ga9cb283b28a66829574add58a251b93c6}{\_\-AI\_\-correlation\_\-coefficient} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$a, \hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$b)
 \begin{DoxyCompactList}\small\item\em Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A) / UNION(pre(B), post(A)). \item\end{DoxyCompactList}\item 
-void \hyperlink{group__correlation_ga0d094eae1d014d89a2de21263fa747da}{\_\-AI\_\-macro\_\-subst} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$$\ast$alert)
+PRIVATE void \hyperlink{group__correlation_ga70a4aaf8b689472dad62ba7a9bbde1a6}{\_\-AI\_\-macro\_\-subst} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$$\ast$alert)
 \begin{DoxyCompactList}\small\item\em Substitute the macros in hyperalert pre-\/conditions and post-\/conditions with their associated values. \item\end{DoxyCompactList}\item 
 PRIVATE \hyperlink{structAI__hyperalert__info}{AI\_\-hyperalert\_\-info} $\ast$ \hyperlink{group__correlation_ga929e5c17fdb247a998d83ed6a4ae5a65}{\_\-AI\_\-hyperalert\_\-from\_\-XML} (\hyperlink{structAI__hyperalert__key}{AI\_\-hyperalert\_\-key} key)
 \begin{DoxyCompactList}\small\item\em Parse info about a hyperalert from a correlation XML file, if it exists. \item\end{DoxyCompactList}\item 
@@ -78,16 +88,16 @@ TAG\_\-NUM}
 
 
 \subsection{Function Documentation}
-\hypertarget{group__correlation_ga130e82017fc0abcb76b1a7740ae2f4df}{
+\hypertarget{group__correlation_ga9cb283b28a66829574add58a251b93c6}{
 \index{correlation@{correlation}!\_\-AI\_\-correlation\_\-coefficient@{\_\-AI\_\-correlation\_\-coefficient}}
 \index{\_\-AI\_\-correlation\_\-coefficient@{\_\-AI\_\-correlation\_\-coefficient}!correlation@{correlation}}
-\subsubsection[{\_\-AI\_\-correlation\_\-coefficient}]{\setlength{\rightskip}{0pt plus 5cm}double \_\-AI\_\-correlation\_\-coefficient (
+\subsubsection[{\_\-AI\_\-correlation\_\-coefficient}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE double \_\-AI\_\-correlation\_\-coefficient (
 \begin{DoxyParamCaption}
 \item[{{\bf AI\_\-snort\_\-alert} $\ast$}]{ a, }
 \item[{{\bf AI\_\-snort\_\-alert} $\ast$}]{ b}
 \end{DoxyParamCaption}
 )}}
-\label{group__correlation_ga130e82017fc0abcb76b1a7740ae2f4df}
+\label{group__correlation_ga9cb283b28a66829574add58a251b93c6}
 
 
 Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A) / UNION(pre(B), post(A)). 
@@ -98,6 +108,58 @@ Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B),
 \begin{DoxyReturn}{Returns}
 The correlation coefficient between A and B as coefficient in \mbox{[}0,1\mbox{]} 
 \end{DoxyReturn}
+\hypertarget{group__correlation_ga9bcb94264ffe30f113f3fb7287b774e3}{
+\index{correlation@{correlation}!\_\-AI\_\-correlation\_\-table\_\-cleanup@{\_\-AI\_\-correlation\_\-table\_\-cleanup}}
+\index{\_\-AI\_\-correlation\_\-table\_\-cleanup@{\_\-AI\_\-correlation\_\-table\_\-cleanup}!correlation@{correlation}}
+\subsubsection[{\_\-AI\_\-correlation\_\-table\_\-cleanup}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE void \_\-AI\_\-correlation\_\-table\_\-cleanup (
+\begin{DoxyParamCaption}
+{}
+\end{DoxyParamCaption}
+)}}
+\label{group__correlation_ga9bcb94264ffe30f113f3fb7287b774e3}
+
+
+Clean up the correlation hash table. 
+
+\hypertarget{group__correlation_gab716702cd226ab2ad957234a92da6e4a}{
+\index{correlation@{correlation}!\_\-AI\_\-get\_\-function\_\-arguments@{\_\-AI\_\-get\_\-function\_\-arguments}}
+\index{\_\-AI\_\-get\_\-function\_\-arguments@{\_\-AI\_\-get\_\-function\_\-arguments}!correlation@{correlation}}
+\subsubsection[{\_\-AI\_\-get\_\-function\_\-arguments}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE char$\ast$$\ast$ \_\-AI\_\-get\_\-function\_\-arguments (
+\begin{DoxyParamCaption}
+\item[{char $\ast$}]{ orig\_\-stmt, }
+\item[{int $\ast$}]{ n\_\-args}
+\end{DoxyParamCaption}
+)}}
+\label{group__correlation_gab716702cd226ab2ad957234a92da6e4a}
+
+
+Get the arguments passed to a function predicate in a pre-\/condition or post-\/condition (comma-\/separated values). 
+
+FUNCTION: \_\-AI\_\-get\_\-function\_\-arguments 
+\begin{DoxyParams}{Parameters}
+\item[{\em origstmt}]Statement representing a pre-\/condition or post-\/condition \item[{\em n\_\-args}]Reference to an integer that will contain the number of arguments read \end{DoxyParams}
+\begin{DoxyReturn}{Returns}
+An array of strings containing the arguments of the function 
+\end{DoxyReturn}
+\hypertarget{group__correlation_ga7a1b2d01f526f24ea91d7f08bdefd4fe}{
+\index{correlation@{correlation}!\_\-AI\_\-get\_\-function\_\-name@{\_\-AI\_\-get\_\-function\_\-name}}
+\index{\_\-AI\_\-get\_\-function\_\-name@{\_\-AI\_\-get\_\-function\_\-name}!correlation@{correlation}}
+\subsubsection[{\_\-AI\_\-get\_\-function\_\-name}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE char$\ast$ \_\-AI\_\-get\_\-function\_\-name (
+\begin{DoxyParamCaption}
+\item[{const char $\ast$}]{ orig\_\-stmt}
+\end{DoxyParamCaption}
+)}}
+\label{group__correlation_ga7a1b2d01f526f24ea91d7f08bdefd4fe}
+
+
+Get the name of the function called by a pre-\/condition or post-\/condition predicate. 
+
+
+\begin{DoxyParams}{Parameters}
+\item[{\em orig\_\-stmt}]Statement representing a pre-\/condition or post-\/condition \end{DoxyParams}
+\begin{DoxyReturn}{Returns}
+The name of the function called by that statement 
+\end{DoxyReturn}
 \hypertarget{group__correlation_ga929e5c17fdb247a998d83ed6a4ae5a65}{
 \index{correlation@{correlation}!\_\-AI\_\-hyperalert\_\-from\_\-XML@{\_\-AI\_\-hyperalert\_\-from\_\-XML}}
 \index{\_\-AI\_\-hyperalert\_\-from\_\-XML@{\_\-AI\_\-hyperalert\_\-from\_\-XML}!correlation@{correlation}}
@@ -117,15 +179,15 @@ Parse info about a hyperalert from a correlation XML file, if it exists.
 \begin{DoxyReturn}{Returns}
 A hyperalert structure containing the info about the current alert, if the XML file was found 
 \end{DoxyReturn}
-\hypertarget{group__correlation_ga0d094eae1d014d89a2de21263fa747da}{
+\hypertarget{group__correlation_ga70a4aaf8b689472dad62ba7a9bbde1a6}{
 \index{correlation@{correlation}!\_\-AI\_\-macro\_\-subst@{\_\-AI\_\-macro\_\-subst}}
 \index{\_\-AI\_\-macro\_\-subst@{\_\-AI\_\-macro\_\-subst}!correlation@{correlation}}
-\subsubsection[{\_\-AI\_\-macro\_\-subst}]{\setlength{\rightskip}{0pt plus 5cm}void \_\-AI\_\-macro\_\-subst (
+\subsubsection[{\_\-AI\_\-macro\_\-subst}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE void \_\-AI\_\-macro\_\-subst (
 \begin{DoxyParamCaption}
 \item[{{\bf AI\_\-snort\_\-alert} $\ast$$\ast$}]{ alert}
 \end{DoxyParamCaption}
 )}}
-\label{group__correlation_ga0d094eae1d014d89a2de21263fa747da}
+\label{group__correlation_ga70a4aaf8b689472dad62ba7a9bbde1a6}
 
 
 Substitute the macros in hyperalert pre-\/conditions and post-\/conditions with their associated values. 
@@ -133,6 +195,23 @@ Substitute the macros in hyperalert pre-\/conditions and post-\/conditions with
 
 \begin{DoxyParams}{Parameters}
 \item[{\em alert}]Reference to the hyperalert to work on \end{DoxyParams}
+\hypertarget{group__correlation_ga4267a39fa1a5ac035015823bca43288e}{
+\index{correlation@{correlation}!\_\-AI\_\-print\_\-correlated\_\-alerts@{\_\-AI\_\-print\_\-correlated\_\-alerts}}
+\index{\_\-AI\_\-print\_\-correlated\_\-alerts@{\_\-AI\_\-print\_\-correlated\_\-alerts}!correlation@{correlation}}
+\subsubsection[{\_\-AI\_\-print\_\-correlated\_\-alerts}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE void \_\-AI\_\-print\_\-correlated\_\-alerts (
+\begin{DoxyParamCaption}
+\item[{{\bf AI\_\-alert\_\-correlation} $\ast$}]{ corr, }
+\item[{FILE $\ast$}]{ fp}
+\end{DoxyParamCaption}
+)}}
+\label{group__correlation_ga4267a39fa1a5ac035015823bca43288e}
+
+
+Recursively write a flow of correlated alerts to a .dot file, ready for being rendered as graph. 
+
+
+\begin{DoxyParams}{Parameters}
+\item[{\em corr\_\-alerts}]Correlated alerts \item[{\em fp}]File pointer \end{DoxyParams}
 \hypertarget{group__correlation_ga939353a4e15de7a8f4145ab986f584be}{
 \index{correlation@{correlation}!AI\_\-alert\_\-correlation\_\-thread@{AI\_\-alert\_\-correlation\_\-thread}}
 \index{AI\_\-alert\_\-correlation\_\-thread@{AI\_\-alert\_\-correlation\_\-thread}!correlation@{correlation}}
diff --git a/doc/latex/refman.tex b/doc/latex/refman.tex
index dbe8904..63831a9 100644
--- a/doc/latex/refman.tex
+++ b/doc/latex/refman.tex
@@ -41,7 +41,7 @@
 \vspace*{1cm}
 {\large Generated by Doxygen 1.7.1}\\
 \vspace*{0.5cm}
-{\small Sat Sep 11 2010 12:45:18}\\
+{\small Tue Sep 14 2010 19:23:42}\\
 \end{center}
 \end{titlepage}
 \clearemptydoublepage
@@ -67,6 +67,7 @@
 \input{struct__AI__snort__alert}
 \input{struct__hierarchy__node}
 \input{structAI__alert__correlation}
+\input{structAI__alert__correlation__key}
 \input{structAI__config}
 \input{structAI__hyperalert__info}
 \input{structAI__hyperalert__key}
diff --git a/doc/latex/spp__ai_8h.tex b/doc/latex/spp__ai_8h.tex
index 2fdf940..dfd9298 100644
--- a/doc/latex/spp__ai_8h.tex
+++ b/doc/latex/spp__ai_8h.tex
@@ -42,6 +42,10 @@ struct \hyperlink{struct__AI__snort__alert}{\_\-AI\_\-snort\_\-alert}
 \#define \hyperlink{spp__ai_8h_a803dc913297ccdace9e604dbfecda97d}{DEFAULT\_\-CLUSTER\_\-LOG\_\-FILE}~\char`\"{}/var/log/snort/cluster\_\-alert\char`\"{}
 \item 
 \#define \hyperlink{spp__ai_8h_a89448386cad5d5533992ae7ee84f4f1d}{DEFAULT\_\-CORR\_\-RULES\_\-DIR}~\char`\"{}/etc/snort/corr\_\-rules\char`\"{}
+\item 
+\#define \hyperlink{spp__ai_8h_a7bbeccba60012abcc98db33d39294829}{DEFAULT\_\-CORR\_\-ALERTS\_\-DIR}~\char`\"{}/var/log/snort/correlated\_\-alerts\char`\"{}
+\item 
+\#define \hyperlink{spp__ai_8h_aaedb0b7dc2bdf8d44d3fee2189a55a19}{DEFAULT\_\-CORR\_\-THRESHOLD}~0.5
 \end{DoxyCompactItemize}
 \subsection*{Typedefs}
 \begin{DoxyCompactItemize}
@@ -132,12 +136,22 @@ Default path to Snort's log file \hypertarget{spp__ai_8h_a803dc913297ccdace9e604
 \index{DEFAULT\_\-CLUSTER\_\-LOG\_\-FILE@{DEFAULT\_\-CLUSTER\_\-LOG\_\-FILE}!spp_ai.h@{spp\_\-ai.h}}
 \subsubsection[{DEFAULT\_\-CLUSTER\_\-LOG\_\-FILE}]{\setlength{\rightskip}{0pt plus 5cm}\#define DEFAULT\_\-CLUSTER\_\-LOG\_\-FILE~\char`\"{}/var/log/snort/cluster\_\-alert\char`\"{}}}
 \label{spp__ai_8h_a803dc913297ccdace9e604dbfecda97d}
-Default path to Snort's clustered alerts file \hypertarget{spp__ai_8h_a89448386cad5d5533992ae7ee84f4f1d}{
+Default path to Snort's clustered alerts file \hypertarget{spp__ai_8h_a7bbeccba60012abcc98db33d39294829}{
+\index{spp\_\-ai.h@{spp\_\-ai.h}!DEFAULT\_\-CORR\_\-ALERTS\_\-DIR@{DEFAULT\_\-CORR\_\-ALERTS\_\-DIR}}
+\index{DEFAULT\_\-CORR\_\-ALERTS\_\-DIR@{DEFAULT\_\-CORR\_\-ALERTS\_\-DIR}!spp_ai.h@{spp\_\-ai.h}}
+\subsubsection[{DEFAULT\_\-CORR\_\-ALERTS\_\-DIR}]{\setlength{\rightskip}{0pt plus 5cm}\#define DEFAULT\_\-CORR\_\-ALERTS\_\-DIR~\char`\"{}/var/log/snort/correlated\_\-alerts\char`\"{}}}
+\label{spp__ai_8h_a7bbeccba60012abcc98db33d39294829}
+Default directory for placing correlated alerts information (.dot and possibly .png files) \hypertarget{spp__ai_8h_a89448386cad5d5533992ae7ee84f4f1d}{
 \index{spp\_\-ai.h@{spp\_\-ai.h}!DEFAULT\_\-CORR\_\-RULES\_\-DIR@{DEFAULT\_\-CORR\_\-RULES\_\-DIR}}
 \index{DEFAULT\_\-CORR\_\-RULES\_\-DIR@{DEFAULT\_\-CORR\_\-RULES\_\-DIR}!spp_ai.h@{spp\_\-ai.h}}
 \subsubsection[{DEFAULT\_\-CORR\_\-RULES\_\-DIR}]{\setlength{\rightskip}{0pt plus 5cm}\#define DEFAULT\_\-CORR\_\-RULES\_\-DIR~\char`\"{}/etc/snort/corr\_\-rules\char`\"{}}}
 \label{spp__ai_8h_a89448386cad5d5533992ae7ee84f4f1d}
-Default path to alert correlation rules directory \hypertarget{spp__ai_8h_a3c4984a0ee515fbc091ac6e33b05e310}{
+Default path to alert correlation rules directory \hypertarget{spp__ai_8h_aaedb0b7dc2bdf8d44d3fee2189a55a19}{
+\index{spp\_\-ai.h@{spp\_\-ai.h}!DEFAULT\_\-CORR\_\-THRESHOLD@{DEFAULT\_\-CORR\_\-THRESHOLD}}
+\index{DEFAULT\_\-CORR\_\-THRESHOLD@{DEFAULT\_\-CORR\_\-THRESHOLD}!spp_ai.h@{spp\_\-ai.h}}
+\subsubsection[{DEFAULT\_\-CORR\_\-THRESHOLD}]{\setlength{\rightskip}{0pt plus 5cm}\#define DEFAULT\_\-CORR\_\-THRESHOLD~0.5}}
+\label{spp__ai_8h_aaedb0b7dc2bdf8d44d3fee2189a55a19}
+Default correlation threshold coefficient for correlating two hyperalerts \hypertarget{spp__ai_8h_a3c4984a0ee515fbc091ac6e33b05e310}{
 \index{spp\_\-ai.h@{spp\_\-ai.h}!DEFAULT\_\-DATABASE\_\-INTERVAL@{DEFAULT\_\-DATABASE\_\-INTERVAL}}
 \index{DEFAULT\_\-DATABASE\_\-INTERVAL@{DEFAULT\_\-DATABASE\_\-INTERVAL}!spp_ai.h@{spp\_\-ai.h}}
 \subsubsection[{DEFAULT\_\-DATABASE\_\-INTERVAL}]{\setlength{\rightskip}{0pt plus 5cm}\#define DEFAULT\_\-DATABASE\_\-INTERVAL~30}}
diff --git a/doc/latex/structAI__alert__correlation.tex b/doc/latex/structAI__alert__correlation.tex
index a210236..4b7ea52 100644
--- a/doc/latex/structAI__alert__correlation.tex
+++ b/doc/latex/structAI__alert__correlation.tex
@@ -5,9 +5,7 @@
 \subsection*{Data Fields}
 \begin{DoxyCompactItemize}
 \item 
-\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$ \hyperlink{structAI__alert__correlation_a8737f171e1c1b2305c8fe77101d6aeb7}{a}
-\item 
-\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$ \hyperlink{structAI__alert__correlation_a478f1a6f18f9c083b203efdf776379cd}{b}
+\hyperlink{structAI__alert__correlation__key}{AI\_\-alert\_\-correlation\_\-key} \hyperlink{structAI__alert__correlation_a4e27da4922a1d44497634c8e5968d870}{key}
 \item 
 double \hyperlink{structAI__alert__correlation_aad417b2126ae26d7576f006a3dbcdc81}{correlation}
 \item 
@@ -19,17 +17,7 @@ UT\_\-hash\_\-handle \hyperlink{structAI__alert__correlation_ad3020a87936a2193a9
 Struct representing the correlation between all the couples of alerts 
 
 \subsection{Field Documentation}
-\hypertarget{structAI__alert__correlation_a8737f171e1c1b2305c8fe77101d6aeb7}{
-\index{AI\_\-alert\_\-correlation@{AI\_\-alert\_\-correlation}!a@{a}}
-\index{a@{a}!AI_alert_correlation@{AI\_\-alert\_\-correlation}}
-\subsubsection[{a}]{\setlength{\rightskip}{0pt plus 5cm}{\bf AI\_\-snort\_\-alert}$\ast$ {\bf AI\_\-alert\_\-correlation::a}}}
-\label{structAI__alert__correlation_a8737f171e1c1b2305c8fe77101d6aeb7}
-First alert \hypertarget{structAI__alert__correlation_a478f1a6f18f9c083b203efdf776379cd}{
-\index{AI\_\-alert\_\-correlation@{AI\_\-alert\_\-correlation}!b@{b}}
-\index{b@{b}!AI_alert_correlation@{AI\_\-alert\_\-correlation}}
-\subsubsection[{b}]{\setlength{\rightskip}{0pt plus 5cm}{\bf AI\_\-snort\_\-alert}$\ast$ {\bf AI\_\-alert\_\-correlation::b}}}
-\label{structAI__alert__correlation_a478f1a6f18f9c083b203efdf776379cd}
-Second alert \hypertarget{structAI__alert__correlation_aad417b2126ae26d7576f006a3dbcdc81}{
+\hypertarget{structAI__alert__correlation_aad417b2126ae26d7576f006a3dbcdc81}{
 \index{AI\_\-alert\_\-correlation@{AI\_\-alert\_\-correlation}!correlation@{correlation}}
 \index{correlation@{correlation}!AI_alert_correlation@{AI\_\-alert\_\-correlation}}
 \subsubsection[{correlation}]{\setlength{\rightskip}{0pt plus 5cm}double {\bf AI\_\-alert\_\-correlation::correlation}}}
@@ -39,7 +27,12 @@ Correlation coefficient \hypertarget{structAI__alert__correlation_ad3020a87936a2
 \index{hh@{hh}!AI_alert_correlation@{AI\_\-alert\_\-correlation}}
 \subsubsection[{hh}]{\setlength{\rightskip}{0pt plus 5cm}UT\_\-hash\_\-handle {\bf AI\_\-alert\_\-correlation::hh}}}
 \label{structAI__alert__correlation_ad3020a87936a2193a92f09331401ad42}
-Make the struct 'hashable' 
+Make the struct 'hashable' \hypertarget{structAI__alert__correlation_a4e27da4922a1d44497634c8e5968d870}{
+\index{AI\_\-alert\_\-correlation@{AI\_\-alert\_\-correlation}!key@{key}}
+\index{key@{key}!AI_alert_correlation@{AI\_\-alert\_\-correlation}}
+\subsubsection[{key}]{\setlength{\rightskip}{0pt plus 5cm}{\bf AI\_\-alert\_\-correlation\_\-key} {\bf AI\_\-alert\_\-correlation::key}}}
+\label{structAI__alert__correlation_a4e27da4922a1d44497634c8e5968d870}
+Hash key 
 
 The documentation for this struct was generated from the following file:\begin{DoxyCompactItemize}
 \item 
diff --git a/doc/latex/structAI__alert__correlation__key.tex b/doc/latex/structAI__alert__correlation__key.tex
new file mode 100644
index 0000000..b9d1ccf
--- /dev/null
+++ b/doc/latex/structAI__alert__correlation__key.tex
@@ -0,0 +1,32 @@
+\hypertarget{structAI__alert__correlation__key}{
+\section{AI\_\-alert\_\-correlation\_\-key Struct Reference}
+\label{structAI__alert__correlation__key}\index{AI\_\-alert\_\-correlation\_\-key@{AI\_\-alert\_\-correlation\_\-key}}
+}
+\subsection*{Data Fields}
+\begin{DoxyCompactItemize}
+\item 
+\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$ \hyperlink{structAI__alert__correlation__key_a774daec9332da25835a0904d853acadb}{a}
+\item 
+\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$ \hyperlink{structAI__alert__correlation__key_a5805dec6499a83b818091b4f21c715dc}{b}
+\end{DoxyCompactItemize}
+
+
+\subsection{Detailed Description}
+Key for the correlation hash table 
+
+\subsection{Field Documentation}
+\hypertarget{structAI__alert__correlation__key_a774daec9332da25835a0904d853acadb}{
+\index{AI\_\-alert\_\-correlation\_\-key@{AI\_\-alert\_\-correlation\_\-key}!a@{a}}
+\index{a@{a}!AI_alert_correlation_key@{AI\_\-alert\_\-correlation\_\-key}}
+\subsubsection[{a}]{\setlength{\rightskip}{0pt plus 5cm}{\bf AI\_\-snort\_\-alert}$\ast$ {\bf AI\_\-alert\_\-correlation\_\-key::a}}}
+\label{structAI__alert__correlation__key_a774daec9332da25835a0904d853acadb}
+First alert \hypertarget{structAI__alert__correlation__key_a5805dec6499a83b818091b4f21c715dc}{
+\index{AI\_\-alert\_\-correlation\_\-key@{AI\_\-alert\_\-correlation\_\-key}!b@{b}}
+\index{b@{b}!AI_alert_correlation_key@{AI\_\-alert\_\-correlation\_\-key}}
+\subsubsection[{b}]{\setlength{\rightskip}{0pt plus 5cm}{\bf AI\_\-snort\_\-alert}$\ast$ {\bf AI\_\-alert\_\-correlation\_\-key::b}}}
+\label{structAI__alert__correlation__key_a5805dec6499a83b818091b4f21c715dc}
+Second alert 
+
+The documentation for this struct was generated from the following file:\begin{DoxyCompactItemize}
+\item 
+\hyperlink{correlation_8c}{correlation.c}\end{DoxyCompactItemize}
diff --git a/doc/latex/structAI__config.tex b/doc/latex/structAI__config.tex
index 18a0e55..82f978f 100644
--- a/doc/latex/structAI__config.tex
+++ b/doc/latex/structAI__config.tex
@@ -19,12 +19,16 @@ unsigned long \hyperlink{structAI__config_ae6ca715cab1d90b70c3aad443133c263}{dat
 \item 
 unsigned long \hyperlink{structAI__config_aa736375e57a59936e2e782b7cd200e41}{correlationGraphInterval}
 \item 
+double \hyperlink{structAI__config_adf6ef0faedfb4dea0a1353e781b14883}{correlationThresholdCoefficient}
+\item 
 char \hyperlink{structAI__config_a2efa9590d7eea6dce8b5dd9aa76ed8ca}{alertfile} \mbox{[}1024\mbox{]}
 \item 
 char \hyperlink{structAI__config_a6da02a3f7116fd3810a41b738e8883a3}{clusterfile} \mbox{[}1024\mbox{]}
 \item 
 char \hyperlink{structAI__config_ab7ea93bbe72b85c4019b4f5656ad62fc}{corr\_\-rules\_\-dir} \mbox{[}1024\mbox{]}
 \item 
+char \hyperlink{structAI__config_ae68f5489e2ec9ea1408f98fe36d050c9}{corr\_\-alerts\_\-dir} \mbox{[}1024\mbox{]}
+\item 
 char \hyperlink{structAI__config_ac8a93607f12106e2f5c9b43af27107da}{dbname} \mbox{[}256\mbox{]}
 \item 
 char \hyperlink{structAI__config_aa004adebfdafb6d14092aecd7f4912b0}{dbuser} \mbox{[}256\mbox{]}
@@ -51,7 +55,12 @@ Alert file \hypertarget{structAI__config_a6da02a3f7116fd3810a41b738e8883a3}{
 \index{clusterfile@{clusterfile}!AI_config@{AI\_\-config}}
 \subsubsection[{clusterfile}]{\setlength{\rightskip}{0pt plus 5cm}char {\bf AI\_\-config::clusterfile}\mbox{[}1024\mbox{]}}}
 \label{structAI__config_a6da02a3f7116fd3810a41b738e8883a3}
-Clustered alerts file \hypertarget{structAI__config_ab7ea93bbe72b85c4019b4f5656ad62fc}{
+Clustered alerts file \hypertarget{structAI__config_ae68f5489e2ec9ea1408f98fe36d050c9}{
+\index{AI\_\-config@{AI\_\-config}!corr\_\-alerts\_\-dir@{corr\_\-alerts\_\-dir}}
+\index{corr\_\-alerts\_\-dir@{corr\_\-alerts\_\-dir}!AI_config@{AI\_\-config}}
+\subsubsection[{corr\_\-alerts\_\-dir}]{\setlength{\rightskip}{0pt plus 5cm}char {\bf AI\_\-config::corr\_\-alerts\_\-dir}\mbox{[}1024\mbox{]}}}
+\label{structAI__config_ae68f5489e2ec9ea1408f98fe36d050c9}
+Directory where the correlated alerts' information will be placed \hypertarget{structAI__config_ab7ea93bbe72b85c4019b4f5656ad62fc}{
 \index{AI\_\-config@{AI\_\-config}!corr\_\-rules\_\-dir@{corr\_\-rules\_\-dir}}
 \index{corr\_\-rules\_\-dir@{corr\_\-rules\_\-dir}!AI_config@{AI\_\-config}}
 \subsubsection[{corr\_\-rules\_\-dir}]{\setlength{\rightskip}{0pt plus 5cm}char {\bf AI\_\-config::corr\_\-rules\_\-dir}\mbox{[}1024\mbox{]}}}
@@ -61,7 +70,12 @@ Correlation rules path \hypertarget{structAI__config_aa736375e57a59936e2e782b7cd
 \index{correlationGraphInterval@{correlationGraphInterval}!AI_config@{AI\_\-config}}
 \subsubsection[{correlationGraphInterval}]{\setlength{\rightskip}{0pt plus 5cm}unsigned long {\bf AI\_\-config::correlationGraphInterval}}}
 \label{structAI__config_aa736375e57a59936e2e782b7cd200e41}
-Interval in seconds for running the thread for building alert correlation graphs \hypertarget{structAI__config_ae6ca715cab1d90b70c3aad443133c263}{
+Interval in seconds for running the thread for building alert correlation graphs \hypertarget{structAI__config_adf6ef0faedfb4dea0a1353e781b14883}{
+\index{AI\_\-config@{AI\_\-config}!correlationThresholdCoefficient@{correlationThresholdCoefficient}}
+\index{correlationThresholdCoefficient@{correlationThresholdCoefficient}!AI_config@{AI\_\-config}}
+\subsubsection[{correlationThresholdCoefficient}]{\setlength{\rightskip}{0pt plus 5cm}double {\bf AI\_\-config::correlationThresholdCoefficient}}}
+\label{structAI__config_adf6ef0faedfb4dea0a1353e781b14883}
+Correlation threshold coefficient for correlating two hyperalerts. Two hyperalerts are 'correlated' to each other in a multi-\/step attack graph if and only if their correlation value is $>$= m + ks, where m is the average correlation coefficient, s is the standard deviation over this coefficient, and k is this threshold coefficient. Its value can be $>$= 0. A value in \mbox{[}0,1\mbox{]} is strongly suggested, but this value mostly depends on how accurate the correlation rules where defined. Be careful, defining a correlation coefficient $>$ or $>$$>$ 1 no correlation may occur at all! \hypertarget{structAI__config_ae6ca715cab1d90b70c3aad443133c263}{
 \index{AI\_\-config@{AI\_\-config}!databaseParsingInterval@{databaseParsingInterval}}
 \index{databaseParsingInterval@{databaseParsingInterval}!AI_config@{AI\_\-config}}
 \subsubsection[{databaseParsingInterval}]{\setlength{\rightskip}{0pt plus 5cm}unsigned long {\bf AI\_\-config::databaseParsingInterval}}}
diff --git a/doc/latex/struct__AI__snort__alert.tex b/doc/latex/struct__AI__snort__alert.tex
index 1f775d3..904583d 100644
--- a/doc/latex/struct__AI__snort__alert.tex
+++ b/doc/latex/struct__AI__snort__alert.tex
@@ -60,6 +60,12 @@ struct \hyperlink{struct__AI__snort__alert}{\_\-AI\_\-snort\_\-alert} $\ast$ \hy
 unsigned int \hyperlink{struct__AI__snort__alert_a285aff12d6bac03c316ccc5305d28e53}{grouped\_\-alarms\_\-count}
 \item 
 \hyperlink{structAI__hyperalert__info}{AI\_\-hyperalert\_\-info} $\ast$ \hyperlink{struct__AI__snort__alert_ac101de15b4f9451f235b82122f77b62a}{hyperalert}
+\item 
+struct \hyperlink{struct__AI__snort__alert}{\_\-AI\_\-snort\_\-alert} $\ast$ \hyperlink{struct__AI__snort__alert_a55a5488c7ee7706ded4c16b1235fd9c7}{previous\_\-correlated}
+\item 
+struct \hyperlink{struct__AI__snort__alert}{\_\-AI\_\-snort\_\-alert} $\ast$$\ast$ \hyperlink{struct__AI__snort__alert_aac5e4078600ed17532db1f3d78165390}{derived\_\-alerts}
+\item 
+unsigned int \hyperlink{struct__AI__snort__alert_a1f2d5e8cfd0e6321b977173d1e90cb68}{n\_\-derived\_\-alerts}
 \end{DoxyCompactItemize}
 
 
@@ -72,7 +78,12 @@ Data type for Snort alerts
 \index{classification@{classification}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
 \subsubsection[{classification}]{\setlength{\rightskip}{0pt plus 5cm}char$\ast$ {\bf \_\-AI\_\-snort\_\-alert::classification}}}
 \label{struct__AI__snort__alert_aa89585e14acb2c4e684a1552d322632f}
-\hypertarget{struct__AI__snort__alert_ac0902d7c756ec675fb06347ce4706135}{
+\hypertarget{struct__AI__snort__alert_aac5e4078600ed17532db1f3d78165390}{
+\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!derived\_\-alerts@{derived\_\-alerts}}
+\index{derived\_\-alerts@{derived\_\-alerts}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
+\subsubsection[{derived\_\-alerts}]{\setlength{\rightskip}{0pt plus 5cm}struct {\bf \_\-AI\_\-snort\_\-alert}$\ast$$\ast$ {\bf \_\-AI\_\-snort\_\-alert::derived\_\-alerts}}}
+\label{struct__AI__snort__alert_aac5e4078600ed17532db1f3d78165390}
+Array of directly correlated 'derived' alerts from the current one, if any \hypertarget{struct__AI__snort__alert_ac0902d7c756ec675fb06347ce4706135}{
 \index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!desc@{desc}}
 \index{desc@{desc}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
 \subsubsection[{desc}]{\setlength{\rightskip}{0pt plus 5cm}char$\ast$ {\bf \_\-AI\_\-snort\_\-alert::desc}}}
@@ -132,12 +143,22 @@ Hyperalert information, pre-\/conditions and post-\/conditions \hypertarget{stru
 \index{ip\_\-ttl@{ip\_\-ttl}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
 \subsubsection[{ip\_\-ttl}]{\setlength{\rightskip}{0pt plus 5cm}{\bf uint8\_\-t} {\bf \_\-AI\_\-snort\_\-alert::ip\_\-ttl}}}
 \label{struct__AI__snort__alert_a3c9bbe84ec696cd58668a45799a66600}
-\hypertarget{struct__AI__snort__alert_aa8336d4b3359015ed8ea312ca1fd1173}{
+\hypertarget{struct__AI__snort__alert_a1f2d5e8cfd0e6321b977173d1e90cb68}{
+\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!n\_\-derived\_\-alerts@{n\_\-derived\_\-alerts}}
+\index{n\_\-derived\_\-alerts@{n\_\-derived\_\-alerts}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
+\subsubsection[{n\_\-derived\_\-alerts}]{\setlength{\rightskip}{0pt plus 5cm}unsigned int {\bf \_\-AI\_\-snort\_\-alert::n\_\-derived\_\-alerts}}}
+\label{struct__AI__snort__alert_a1f2d5e8cfd0e6321b977173d1e90cb68}
+Number of derived alerts \hypertarget{struct__AI__snort__alert_aa8336d4b3359015ed8ea312ca1fd1173}{
 \index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!next@{next}}
 \index{next@{next}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
 \subsubsection[{next}]{\setlength{\rightskip}{0pt plus 5cm}struct {\bf \_\-AI\_\-snort\_\-alert}$\ast$ {\bf \_\-AI\_\-snort\_\-alert::next}}}
 \label{struct__AI__snort__alert_aa8336d4b3359015ed8ea312ca1fd1173}
-Pointer to the next alert in the log, if any \hypertarget{struct__AI__snort__alert_a25661fa4e212c5e30af5e6a892985ec9}{
+Pointer to the next alert in the log, if any \hypertarget{struct__AI__snort__alert_a55a5488c7ee7706ded4c16b1235fd9c7}{
+\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!previous\_\-correlated@{previous\_\-correlated}}
+\index{previous\_\-correlated@{previous\_\-correlated}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
+\subsubsection[{previous\_\-correlated}]{\setlength{\rightskip}{0pt plus 5cm}struct {\bf \_\-AI\_\-snort\_\-alert}$\ast$ {\bf \_\-AI\_\-snort\_\-alert::previous\_\-correlated}}}
+\label{struct__AI__snort__alert_a55a5488c7ee7706ded4c16b1235fd9c7}
+\hypertarget{struct__AI__snort__alert_a25661fa4e212c5e30af5e6a892985ec9}{
 \index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!priority@{priority}}
 \index{priority@{priority}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
 \subsubsection[{priority}]{\setlength{\rightskip}{0pt plus 5cm}unsigned short {\bf \_\-AI\_\-snort\_\-alert::priority}}}
diff --git a/include/sfrt_trie.h b/include/sfrt_trie.h
index 3b4063e..bad0506 100644
--- a/include/sfrt_trie.h
+++ b/include/sfrt_trie.h
@@ -68,7 +68,7 @@ typedef unsigned long word;
 /* The trie is represented by an array and each node in
    the trie is compactly represented using only 32 bits:
    5 + 5 + 22 = branch + skip + adr */
-typedef word node_t;
+typedef word trie_node_t;
 
 #define NOPRE -1          /* an empty prefix pointer */
 
@@ -137,7 +137,7 @@ typedef struct { /* compact version of above */
 
 typedef struct routtablerec *routtable_t;
 struct routtablerec {
-   node_t *trie;         /* the main trie search structure */
+   trie_node_t *trie;         /* the main trie search structure */
    int triesize;
    comp_base_t *base;    /* the base vector */
    int basesize;
diff --git a/mysql.c b/mysql.c
index 6eca31d..0ff1e60 100644
--- a/mysql.c
+++ b/mysql.c
@@ -18,7 +18,7 @@
  */
 
 #include	"spp_ai.h"
-#ifdef 	ENABLE_MYSQL
+#ifdef 	HAVE_LIBMYSQLCLIENT
 
 #include	<mysql/mysql.h>
 
diff --git a/spp_ai.c b/spp_ai.c
index 2187e46..6b5ed08 100644
--- a/spp_ai.c
+++ b/spp_ai.c
@@ -133,22 +133,24 @@ static AI_config * AI_parse(char *args)
 {
 	char *arg;
 	char *match;
-	char alertfile[1024]      = { 0 };
-	char clusterfile[1024]    = { 0 };
-	char corr_rules_dir[1024] = { 0 };
+	char alertfile[1024]       = { 0 };
+	char clusterfile[1024]     = { 0 };
+	char corr_rules_dir[1024]  = { 0 };
+	char corr_alerts_dir[1024] = { 0 };
 
 	char **matches       = NULL;
 	int  nmatches        = 0;
 
-	int  i;
-	int  offset;
-	int  len;
+	int      i;
+	int      offset;
+	int      len;
+	double   corr_threshold_coefficient = DEFAULT_CORR_THRESHOLD;
 	uint32_t netmask;
 
-	int  min_val;
-	int  max_val;
-	char label[256];
-	cluster_type   type;
+	int           min_val;
+	int           max_val;
+	char          label[256];
+	cluster_type  type;
 
 	hierarchy_node **hierarchy_nodes = NULL;
 	int            n_hierarchy_nodes = 0;
@@ -158,21 +160,23 @@ static AI_config * AI_parse(char *args)
 			    alertfile_len              = 0,
 			    clusterfile_len            = 0,
 			    corr_rules_dir_len         = 0,
+			    corr_alerts_dir_len        = 0,
 			    alert_clustering_interval  = 0,
 			    database_parsing_interval  = 0,
 			    correlation_graph_interval = 0;
 
-	BOOL has_cleanup_interval       = false,
-		has_stream_expire_interval = false,
-		has_correlation_interval   = false,
-		has_database_interval      = false,
-		has_alertfile              = false,
-		has_clusterfile            = false,
-		has_corr_rules_dir         = false,
-		has_clustering             = false,
-		has_database_log           = false;
+	BOOL has_cleanup_interval        = false,
+		has_stream_expire_interval  = false,
+		has_correlation_interval    = false,
+		has_corr_alerts_dir         = false,
+		has_database_interval       = false,
+		has_alertfile               = false,
+		has_clusterfile             = false,
+		has_corr_rules_dir          = false,
+		has_clustering              = false,
+		has_database_log            = false;
 
-	AI_config *config               = NULL;
+	AI_config *config                = NULL;
 
 	if ( !( config = ( AI_config* ) malloc ( sizeof( AI_config )) ))
 		_dpd.fatalMsg("Could not allocate configuration struct.\n");
@@ -276,6 +280,27 @@ static AI_config * AI_parse(char *args)
 		_dpd.logMsg("    Correlation graph thread interval: %d\n", config->correlationGraphInterval);
 	}
 
+	/* Parsing the correlation_threshold_coefficient option */
+	if (( arg = (char*) strcasestr( args, "correlation_threshold_coefficient" ) ))
+	{
+		/* has_stream_expire_interval = true; */
+
+		for ( arg += strlen("correlation_threshold_coefficient");
+				*arg && (*arg < '0' || *arg > '9');
+				arg++ );
+
+		if ( !(*arg) )
+		{
+			_dpd.fatalMsg("AIPreproc: correlation_threshold_coefficient option used but "
+				"no value specified\n");
+		}
+
+		corr_threshold_coefficient = strtod ( arg, NULL );
+		_dpd.logMsg( "    Correlation threshold coefficient: %d\n", corr_threshold_coefficient );
+	}
+
+	config->correlationThresholdCoefficient = corr_threshold_coefficient;
+
 	/* Parsing the alertfile option */
 	if (( arg = (char*) strcasestr( args, "alertfile" ) ))
 	{
@@ -373,6 +398,38 @@ static AI_config * AI_parse(char *args)
 		}
 	}
 
+	/* Parsing the correlated_alerts_dir option */
+	if (( arg = (char*) strcasestr( args, "correlated_alerts_dir" ) ))
+	{
+		for ( arg += strlen("correlated_alerts_dir");
+				*arg && *arg != '"';
+				arg++ );
+
+		if ( !(*(arg++)) )
+		{
+			_dpd.fatalMsg("AIPreproc: correlated_alerts_dir option used but no filename specified\n");
+		}
+
+		for ( corr_alerts_dir[ (++corr_alerts_dir_len)-1 ] = *arg;
+				*arg && *arg != '"' && corr_alerts_dir_len < 1024;
+				arg++, corr_alerts_dir[ (++corr_alerts_dir_len)-1 ] = *arg );
+
+		if ( corr_alerts_dir[0] == 0 || corr_alerts_dir_len <= 1 )  {
+			has_corr_alerts_dir = false;
+		} else {
+			if ( corr_alerts_dir_len >= 1024 )  {
+				_dpd.fatalMsg("AIPreproc: correlated_alerts_dir path too long ( >= 1024 )\n");
+			} else if ( strlen( corr_alerts_dir ) == 0 ) {
+				has_corr_alerts_dir = false;
+			} else {
+				has_corr_alerts_dir = true;
+				corr_alerts_dir[ corr_alerts_dir_len-1 ] = 0;
+				strncpy ( config->corr_alerts_dir, corr_alerts_dir, corr_alerts_dir_len );
+				_dpd.logMsg("    correlated_alerts_dir: %s\n", config->corr_alerts_dir);
+			}
+		}
+	}
+
 	/* Parsing database option */
 	if ( preg_match ( "\\s*database\\s*\\(\\s*([^\\)]+)\\)", args, &matches, &nmatches ) > 0 )
 	{
@@ -699,8 +756,8 @@ static AI_config * AI_parse(char *args)
 	} else if ( has_database_log )  {
 		has_alertfile = false;
 
-		#ifdef 	ENABLE_DB
-		alertparser_thread = AI_db_alertparser_thread;
+		#ifdef 	HAVE_LIBMYSQLCLIENT
+			alertparser_thread = AI_db_alertparser_thread;
 		#else
 		_dpd.fatalMsg ( "AIPreproc: database logging enabled in config file, but the module was not compiled "
 				"with database support (recompile, i.e., with ./configure --with-mysql)\n" );
@@ -745,9 +802,16 @@ static AI_config * AI_parse(char *args)
 
 	_dpd.logMsg ( "Using correlation rules from directory %s\n", config->corr_rules_dir );
 
+	if ( ! has_corr_alerts_dir )
+	{
+		strncpy ( config->corr_alerts_dir, DEFAULT_CORR_ALERTS_DIR, sizeof ( DEFAULT_CORR_ALERTS_DIR ));
+	}
+
+	_dpd.logMsg ( "Saving correlated alerts information in %s\n", config->corr_alerts_dir );
+
 	if ( has_database_log )
 	{
-		#ifdef 	ENABLE_DB
+		#ifdef 	HAVE_LIBMYSQLCLIENT
 			get_alerts = AI_db_get_alerts;
 		#else
 			_dpd.fatalMsg ( "AIPreproc: Using database alert log, but the module was not compiled with database support\n" );
diff --git a/spp_ai.h b/spp_ai.h
index a28549a..7b81467 100644
--- a/spp_ai.h
+++ b/spp_ai.h
@@ -54,6 +54,12 @@
 /** Default path to alert correlation rules directory */
 #define 	DEFAULT_CORR_RULES_DIR 				"/etc/snort/corr_rules"
 
+/** Default directory for placing correlated alerts information (.dot and possibly .png files) */
+#define 	DEFAULT_CORR_ALERTS_DIR 				"/var/log/snort/correlated_alerts"
+
+/** Default correlation threshold coefficient for correlating two hyperalerts */
+#define 	DEFAULT_CORR_THRESHOLD 				0.5
+
 extern DynamicPreprocessorData _dpd;
 typedef unsigned char   uint8_t;
 typedef unsigned short  uint16_t;
@@ -114,6 +120,16 @@ typedef struct
 	/** Interval in seconds for running the thread for building alert correlation graphs */
 	unsigned long correlationGraphInterval;
 
+	/** Correlation threshold coefficient for correlating two hyperalerts. Two hyperalerts
+	 * are 'correlated' to each other in a multi-step attack graph if and only if their
+	 * correlation value is >= m + ks, where m is the average correlation coefficient,
+	 * s is the standard deviation over this coefficient, and k is this threshold
+	 * coefficient. Its value can be >= 0. A value in [0,1] is strongly suggested,
+	 * but this value mostly depends on how accurate the correlation rules where
+	 * defined. Be careful, defining a correlation coefficient > or >> 1 no correlation
+	 * may occur at all! */
+	double        correlationThresholdCoefficient;
+
 	/** Alert file */
 	char          alertfile[1024];
 
@@ -123,6 +139,9 @@ typedef struct
 	/** Correlation rules path */
 	char          corr_rules_dir[1024];
 
+	/** Directory where the correlated alerts' information will be placed */
+	char          corr_alerts_dir[1024];
+
 	/** Database name, if database logging is used */
 	char          dbname[256];
 
@@ -231,6 +250,17 @@ typedef struct _AI_snort_alert  {
 	/** Hyperalert information, pre-conditions
 	 * and post-conditions*/
 	AI_hyperalert_info  *hyperalert;
+
+	/* 'Parent' correlated alert in the chain,
+	 * if any*/
+	struct _AI_snort_alert  *previous_correlated;
+
+	/** Array of directly correlated 'derived'
+	 * alerts from the current one, if any */
+	struct _AI_snort_alert  **derived_alerts;
+
+	/** Number of derived alerts */
+	unsigned int        n_derived_alerts;
 } AI_snort_alert;
 /*****************************************************************/
 
@@ -242,7 +272,7 @@ void*              AI_hashcleanup_thread ( void* );
 void*              AI_file_alertparser_thread ( void* );
 void*              AI_alert_correlation_thread ( void* );
 
-#ifdef 	ENABLE_DB
+#ifdef 	HAVE_LIBMYSQLCLIENT
 AI_snort_alert*    AI_db_get_alerts ( void );
 void               AI_db_free_alerts ( AI_snort_alert *node );
 void*              AI_db_alertparser_thread ( void* );