Correlation graphs, macro substitution improved

This commit is contained in:
BlackLight 2010-09-14 19:24:03 +02:00
parent 997ebcbcd8
commit f5356f4dde
95 changed files with 2766 additions and 932 deletions


@ -5,10 +5,10 @@
2010-09-09 Fabio "BlackLight" Manganiello <blacklight@autistici.org> 2010-09-09 Fabio "BlackLight" Manganiello <blacklight@autistici.org>
* Makefile.am: Complete support for make dist * Makefile.am: Complete support for make dist
2010-09-05 Fabio "BlackLight" Manganiello <blacklight@autistici.org> 2010-05-09 Fabio "BlackLight" Manganiello <blacklight@autistici.org>
* all: Using autotools now * all: Using autotools now
2010-09-04 Fabio "BlackLight" Manganiello <blacklight@autistici.org> 2010-04-04 Fabio "BlackLight" Manganiello <blacklight@autistici.org>
* mysql.c: This file now only contains the functions for managing MySQL * mysql.c: This file now only contains the functions for managing MySQL
connections in the database wrapper connections in the database wrapper
* db.c: Renamed from 'mysql.c' to 'db.c', now it should be abstract * db.c: Renamed from 'mysql.c' to 'db.c', now it should be abstract


@ -4,7 +4,7 @@ AUTOMAKE_OPTIONS=foreign no-dependencies
libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor
lib_LTLIBRARIES = libsf_ai_preproc.la lib_LTLIBRARIES = libsf_ai_preproc.la
libsf_ai_preproc_la_CFLAGS = -I./uthash -I./include ${LIBXML2_INCLUDES} -DDYNAMIC_PLUGIN -D_XOPEN_SOURCE -D_GNU_SOURCE -fvisibility=hidden -fno-strict-aliasing -Wall -pedantic -pedantic-errors -fstack-protector libsf_ai_preproc_la_CFLAGS = -I./uthash -I./include ${LIBXML2_INCLUDES} ${LIBGRAPH_INCLUDES} -DDYNAMIC_PLUGIN -D_XOPEN_SOURCE -D_GNU_SOURCE -fvisibility=hidden -fno-strict-aliasing -Wall -pedantic -pedantic-errors -fstack-protector
libsf_ai_preproc_la_LDFLAGS = -module -export-dynamic libsf_ai_preproc_la_LDFLAGS = -module -export-dynamic
BUILT_SOURCES = \ BUILT_SOURCES = \
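Review bot: `${LIBGRAPH_INCLUDES}`, like `${LIBXML2_INCLUDES}` and the `-I`/`-D` options already on the same line, is a preprocessor setting, so the idiomatic automake home for it is `libsf_ai_preproc_la_CPPFLAGS` rather than `libsf_ai_preproc_la_CFLAGS`, leaving `_CFLAGS` for code-generation options such as `-fstack-protector`. Moving the include and define flags would be a one-line split: `libsf_ai_preproc_la_CPPFLAGS = -I./uthash -I./include ${LIBXML2_INCLUDES} ${LIBGRAPH_INCLUDES} -DDYNAMIC_PLUGIN -D_XOPEN_SOURCE -D_GNU_SOURCE`. If the current layout is kept on purpose, a short comment above it such as `# include paths are supplied by pkg-config at configure time` would tell the next maintainer where the two variables come from.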


@ -150,6 +150,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LD = @LD@ LD = @LD@
LDFLAGS = @LDFLAGS@ LDFLAGS = @LDFLAGS@
LIBGRAPH_INCLUDES = @LIBGRAPH_INCLUDES@
LIBOBJS = @LIBOBJS@ LIBOBJS = @LIBOBJS@
LIBS = @LIBS@ LIBS = @LIBS@
LIBTOOL = @LIBTOOL@ LIBTOOL = @LIBTOOL@
@ -159,7 +160,6 @@ LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@ LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@ MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@ MKDIR_P = @MKDIR_P@
MYSQL = @MYSQL@
NM = @NM@ NM = @NM@
NMEDIT = @NMEDIT@ NMEDIT = @NMEDIT@
OBJDUMP = @OBJDUMP@ OBJDUMP = @OBJDUMP@
@ -235,7 +235,7 @@ top_builddir = @top_builddir@
top_srcdir = @top_srcdir@ top_srcdir = @top_srcdir@
AUTOMAKE_OPTIONS = foreign no-dependencies AUTOMAKE_OPTIONS = foreign no-dependencies
lib_LTLIBRARIES = libsf_ai_preproc.la lib_LTLIBRARIES = libsf_ai_preproc.la
libsf_ai_preproc_la_CFLAGS = -I./uthash -I./include ${LIBXML2_INCLUDES} -DDYNAMIC_PLUGIN -D_XOPEN_SOURCE -D_GNU_SOURCE -fvisibility=hidden -fno-strict-aliasing -Wall -pedantic -pedantic-errors -fstack-protector libsf_ai_preproc_la_CFLAGS = -I./uthash -I./include ${LIBXML2_INCLUDES} ${LIBGRAPH_INCLUDES} -DDYNAMIC_PLUGIN -D_XOPEN_SOURCE -D_GNU_SOURCE -fvisibility=hidden -fno-strict-aliasing -Wall -pedantic -pedantic-errors -fstack-protector
libsf_ai_preproc_la_LDFLAGS = -module -export-dynamic libsf_ai_preproc_la_LDFLAGS = -module -export-dynamic
BUILT_SOURCES = \ BUILT_SOURCES = \
include/sf_dynamic_preproc_lib.c \ include/sf_dynamic_preproc_lib.c \

TODO

@ -1,5 +1,6 @@
- Correlation macros valid also for hierarchies flags - Correlation macros valid also for hierarchies flags
- Bayesian learning among alerts in alert log - Bayesian learning among alerts in alert log
- libgc support
- Managing clusters for addresses, timestamps (and more?) - Managing clusters for addresses, timestamps (and more?)
- Dynamic cluster_min_size algorithm - Dynamic cluster_min_size algorithm


@ -385,6 +385,9 @@ AI_free_alerts ( AI_snort_alert *node )
node->hyperalert = NULL; node->hyperalert = NULL;
} }
if ( node->derived_alerts )
free ( node->derived_alerts );
free ( node ); free ( node );
node = NULL; node = NULL;
} /* ----- end of function AI_free_alerts ----- */ } /* ----- end of function AI_free_alerts ----- */
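Review bot: The guard `if ( node->derived_alerts )` in front of the new `free ( node->derived_alerts );` is redundant, since `free(NULL)` is a no-op in C; dropping it keeps the release unconditional, matching the `free ( node );` that follows. What `derived_alerts` points to is not visible in this hunk: if it is an array of pointers to alerts that the list itself owns, freeing only the array is right, but if the elements are owned by this node they now leak, so this is worth confirming against the site that allocates it. Note also that the existing `node = NULL;` clears only the local parameter, so a caller that keeps its own copy of the pointer still holds a dangling reference after this call. AI_free_alerts begins outside the hunk.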


@ -743,6 +743,7 @@ ac_includes_default="\
# include <unistd.h> # include <unistd.h>
#endif" #endif"
ac_default_prefix=/usr
ac_header_list= ac_header_list=
ac_func_list= ac_func_list=
ac_subst_vars='am__EXEEXT_FALSE ac_subst_vars='am__EXEEXT_FALSE
@ -750,7 +751,9 @@ am__EXEEXT_TRUE
LTLIBOBJS LTLIBOBJS
LIB@&t@OBJS LIB@&t@OBJS
ALLOCA ALLOCA
MYSQL LIBGRAPH_INCLUDES
LIBXML2_INCLUDES
CORR_RULES_PREFIX
extra_incl extra_incl
CPP CPP
OTOOL64 OTOOL64
@ -868,6 +871,7 @@ enable_dependency_tracking
with_gnu_ld with_gnu_ld
enable_libtool_lock enable_libtool_lock
with_mysql with_mysql
with_graphviz
' '
ac_precious_vars='build_alias ac_precious_vars='build_alias
host_alias host_alias
@ -1514,6 +1518,8 @@ Optional Packages:
both@:>@ both@:>@
--with-gnu-ld assume the C compiler uses GNU ld @<:@default=no@:>@ --with-gnu-ld assume the C compiler uses GNU ld @<:@default=no@:>@
--with-mysql Enable support for MySQL alert logs @<:@default=no@:>@ --with-mysql Enable support for MySQL alert logs @<:@default=no@:>@
--without-graphviz Disable Graphviz support for rendering correlated
alerts as a PNG graph @<:@default=yes@:>@
Some influential environment variables: Some influential environment variables:
CC C compiler command CC C compiler command
@ -10527,6 +10533,9 @@ CC="$lt_save_CC"
test "$prefix" = "NONE" && prefix=/usr
case "$host" in case "$host" in
*-openbsd2.6|*-openbsd2.5|*-openbsd2.4|*-openbsd2.3*) *-openbsd2.6|*-openbsd2.5|*-openbsd2.4|*-openbsd2.3*)
@ -11367,6 +11376,15 @@ else
fi fi
@%:@ Check whether --with-graphviz was given.
if test "${with_graphviz+set}" = set; then :
withval=$with_graphviz;
else
with_graphviz=yes
fi
# Checks for libraries. # Checks for libraries.
if test "x$with_mysql" != xno; then : if test "x$with_mysql" != xno; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for mysql_query in -lmysqlclient" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for mysql_query in -lmysqlclient" >&5
@ -11375,7 +11393,7 @@ if test "${ac_cv_lib_mysqlclient_mysql_query+set}" = set; then :
$as_echo_n "(cached) " >&6 $as_echo_n "(cached) " >&6
else else
ac_check_lib_save_LIBS=$LIBS ac_check_lib_save_LIBS=$LIBS
LIBS="-lmysqlclient -lmysqlclient $LIBS" LIBS="-lmysqlclient $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */ /* end confdefs.h. */
@ -11406,15 +11424,12 @@ fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_mysqlclient_mysql_query" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_mysqlclient_mysql_query" >&5
$as_echo "$ac_cv_lib_mysqlclient_mysql_query" >&6; } $as_echo "$ac_cv_lib_mysqlclient_mysql_query" >&6; }
if test "x$ac_cv_lib_mysqlclient_mysql_query" = x""yes; then : if test "x$ac_cv_lib_mysqlclient_mysql_query" = x""yes; then :
MYSQL="-lmysqlclient"
$as_echo "@%:@define ENABLE_MYSQL 1" >>confdefs.h $as_echo "@%:@define ENABLE_MYSQL 1" >>confdefs.h
$as_echo "@%:@define ENABLE_DB 1" >>confdefs.h $as_echo "@%:@define ENABLE_DB 1" >>confdefs.h
else else
if test "x$with_mysql" != xno; then if test "x$with_mysql" != xno; then
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
@ -11426,7 +11441,63 @@ fi
fi fi
#AC_CHECK_LIB([mysqlclient], [mysql_query]) #AS_IF([test "x$with_graphviz" != xno],
# [AC_CHECK_LIB([gvc], [agread],
# [AC_DEFINE(ENABLE_GRAPHVIZ, 1, [Define if you want to use libgraphviz for rendering the correlated alerts graph as a PNG image])],
# [if test "x$with_graphviz" != xno; then
# AC_MSG_FAILURE([libgraphviz support required but the library was not found (use --without-graphviz if you do not want to enable the support for it)])
# fi])])
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for xmlReaderForFile in -lxml2" >&5
$as_echo_n "checking for xmlReaderForFile in -lxml2... " >&6; }
if test "${ac_cv_lib_xml2_xmlReaderForFile+set}" = set; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
LIBS="-lxml2 $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char xmlReaderForFile ();
int
main ()
{
return xmlReaderForFile ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_lib_xml2_xmlReaderForFile=yes
else
ac_cv_lib_xml2_xmlReaderForFile=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_xml2_xmlReaderForFile" >&5
$as_echo "$ac_cv_lib_xml2_xmlReaderForFile" >&6; }
if test "x$ac_cv_lib_xml2_xmlReaderForFile" = x""yes; then :
cat >>confdefs.h <<_ACEOF
@%:@define HAVE_LIBXML2 1
_ACEOF
LIBS="-lxml2 $LIBS"
else
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "libxml2 not found on the system
See \`config.log' for more details" "$LINENO" 5 ; }
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lpthread" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lpthread" >&5
$as_echo_n "checking for pthread_create in -lpthread... " >&6; } $as_echo_n "checking for pthread_create in -lpthread... " >&6; }
if test "${ac_cv_lib_pthread_pthread_create+set}" = set; then : if test "${ac_cv_lib_pthread_pthread_create+set}" = set; then :
@ -11470,10 +11541,151 @@ _ACEOF
LIBS="-lpthread $LIBS" LIBS="-lpthread $LIBS"
else
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "libpthread not found on the system
See \`config.log' for more details" "$LINENO" 5 ; }
fi fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for sqrt in -lm" >&5
$as_echo_n "checking for sqrt in -lm... " >&6; }
if test "${ac_cv_lib_m_sqrt+set}" = set; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
LIBS="-lm $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char sqrt ();
int
main ()
{
return sqrt ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_lib_m_sqrt=yes
else
ac_cv_lib_m_sqrt=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_m_sqrt" >&5
$as_echo "$ac_cv_lib_m_sqrt" >&6; }
if test "x$ac_cv_lib_m_sqrt" = x""yes; then :
cat >>confdefs.h <<_ACEOF
@%:@define HAVE_LIBM 1
_ACEOF
LIBS="-lm $LIBS"
else
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "libm not found on the system
See \`config.log' for more details" "$LINENO" 5 ; }
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for agread in -lgvc" >&5
$as_echo_n "checking for agread in -lgvc... " >&6; }
if test "${ac_cv_lib_gvc_agread+set}" = set; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
LIBS="-lgvc $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char agread ();
int
main ()
{
return agread ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_lib_gvc_agread=yes
else
ac_cv_lib_gvc_agread=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gvc_agread" >&5
$as_echo "$ac_cv_lib_gvc_agread" >&6; }
if test "x$ac_cv_lib_gvc_agread" = x""yes; then :
cat >>confdefs.h <<_ACEOF
@%:@define HAVE_LIBGVC 1
_ACEOF
LIBS="-lgvc $LIBS"
fi
#AC_CHECK_LIB([gvc], [agread], [AC_DEFINE(ENABLE_GRAPHVIZ, 1, [Define if you want to use libgraphviz for rendering the correlated alerts graph as a PNG image])],[])
#[if test "x$with_graphviz" != xno; then
# AC_MSG_FAILURE([libgraphviz support required but the library was not found (use --without-graphviz if you do not want to enable the support for it or, on a Debian-based system, install libgraphviz-dev)])
#fi])
if test "x$prefix" == x/usr; then :
CORR_RULES_PREFIX="/etc/snort/corr_rules"
else
CORR_RULES_PREFIX="${prefix}/etc/corr_rules"
fi
# Checks for header files. # Checks for header files.
if test ! -z "`pkg-config --cflags libxml-2.0 2> /dev/null`"; then :
LIBXML2_INCLUDES="$(pkg-config --cflags libxml-2.0 2> /dev/null)"
else
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "libxml2 not found, okr pkg-config not working
See \`config.log' for more details" "$LINENO" 5 ; }
fi
if test "x$with_graphviz" != xno; then :
if test ! -z "`pkg-config --cflags libgraph 2> /dev/null`"; then :
LIBGRAPH_INCLUDES="$(pkg-config --cflags libgraph 2> /dev/null)"
else
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "libgraphviz support enabled, but the library was not found or pkg-config is not working
See \`config.log' for more details" "$LINENO" 5 ; }
fi
fi
if test "x$with_graphviz" != xno; then :
$as_echo "@%:@define HAVE_BOOLEAN 1" >>confdefs.h
fi
# The Ultrix 4.2 mips builtin alloca declared by alloca.h only works # The Ultrix 4.2 mips builtin alloca declared by alloca.h only works
# for constant arguments. Useless! # for constant arguments. Useless!
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for working alloca.h" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for working alloca.h" >&5
@ -11663,7 +11875,7 @@ _ACEOF
fi fi
for ac_header in inttypes.h limits.h stddef.h stdlib.h string.h unistd.h wchar.h for ac_header in inttypes.h limits.h stddef.h stdlib.h string.h unistd.h wchar.h math.h
do : do :
as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
@ -11672,6 +11884,8 @@ if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
@%:@define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 @%:@define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
_ACEOF _ACEOF
else
as_fn_error $? "At least one of the required headers was not found" "$LINENO" 5
fi fi
done done
@ -11786,6 +12000,15 @@ cat >>confdefs.h <<_ACEOF
_ACEOF _ACEOF
fi
ac_fn_c_check_type "$LINENO" "boolean" "ac_cv_type_boolean" "$ac_includes_default"
if test "x$ac_cv_type_boolean" = x""yes; then :
cat >>confdefs.h <<_ACEOF
@%:@define HAVE_BOOLEAN 1
_ACEOF
fi fi
@ -12404,6 +12627,8 @@ if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
@%:@define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 @%:@define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
_ACEOF _ACEOF
else
as_fn_error $? "At least one of the required functions was not found" "$LINENO" 5
fi fi
done done
@ -12424,7 +12649,7 @@ $as_echo "@%:@define PACKAGE_NAME \"sf_ai_preprocessor\"" >>confdefs.h
$as_echo "@%:@define PACKAGE_STRING \"Snort AI preprocessor\"" >>confdefs.h $as_echo "@%:@define PACKAGE_STRING \"Snort AI preprocessor\"" >>confdefs.h
$as_echo "@%:@define PACKAGE_TARNAME \"sf_ai_preprocessor\"" >>confdefs.h $as_echo "@%:@define PACKAGE_TARNAME \"snort_ai_preproc\"" >>confdefs.h
$as_echo "@%:@define PACKAGE_VERSION \"0.1.0\"" >>confdefs.h $as_echo "@%:@define PACKAGE_VERSION \"0.1.0\"" >>confdefs.h
@ -12437,6 +12662,11 @@ $as_echo "@%:@define SUP_IP6 /**/" >>confdefs.h
$as_echo "@%:@define HAVE_VISIBILITY 1" >>confdefs.h $as_echo "@%:@define HAVE_VISIBILITY 1" >>confdefs.h
cat >>confdefs.h <<_ACEOF
@%:@define PREFIX "${prefix}"
_ACEOF
ac_config_files="$ac_config_files Makefile" ac_config_files="$ac_config_files Makefile"
cat >confcache <<\_ACEOF cat >confcache <<\_ACEOF


@ -751,9 +751,9 @@ am__EXEEXT_TRUE
LTLIBOBJS LTLIBOBJS
LIB@&t@OBJS LIB@&t@OBJS
ALLOCA ALLOCA
LIBGRAPH_INCLUDES
LIBXML2_INCLUDES LIBXML2_INCLUDES
CORR_RULES_PREFIX CORR_RULES_PREFIX
MYSQL
extra_incl extra_incl
CPP CPP
OTOOL64 OTOOL64
@ -871,6 +871,7 @@ enable_dependency_tracking
with_gnu_ld with_gnu_ld
enable_libtool_lock enable_libtool_lock
with_mysql with_mysql
with_graphviz
' '
ac_precious_vars='build_alias ac_precious_vars='build_alias
host_alias host_alias
@ -1517,6 +1518,8 @@ Optional Packages:
both@:>@ both@:>@
--with-gnu-ld assume the C compiler uses GNU ld @<:@default=no@:>@ --with-gnu-ld assume the C compiler uses GNU ld @<:@default=no@:>@
--with-mysql Enable support for MySQL alert logs @<:@default=no@:>@ --with-mysql Enable support for MySQL alert logs @<:@default=no@:>@
--without-graphviz Disable Graphviz support for rendering correlated
alerts as a PNG graph @<:@default=yes@:>@
Some influential environment variables: Some influential environment variables:
CC C compiler command CC C compiler command
@ -11369,6 +11372,15 @@ else
fi fi
@%:@ Check whether --with-graphviz was given.
if test "${with_graphviz+set}" = set; then :
withval=$with_graphviz;
else
with_graphviz=yes
fi
# Checks for libraries. # Checks for libraries.
if test "x$with_mysql" != xno; then : if test "x$with_mysql" != xno; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for mysql_query in -lmysqlclient" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for mysql_query in -lmysqlclient" >&5
@ -11377,7 +11389,7 @@ if test "${ac_cv_lib_mysqlclient_mysql_query+set}" = set; then :
$as_echo_n "(cached) " >&6 $as_echo_n "(cached) " >&6
else else
ac_check_lib_save_LIBS=$LIBS ac_check_lib_save_LIBS=$LIBS
LIBS="-lmysqlclient -lmysqlclient $LIBS" LIBS="-lmysqlclient $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */ /* end confdefs.h. */
@ -11408,22 +11420,70 @@ fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_mysqlclient_mysql_query" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_mysqlclient_mysql_query" >&5
$as_echo "$ac_cv_lib_mysqlclient_mysql_query" >&6; } $as_echo "$ac_cv_lib_mysqlclient_mysql_query" >&6; }
if test "x$ac_cv_lib_mysqlclient_mysql_query" = x""yes; then : if test "x$ac_cv_lib_mysqlclient_mysql_query" = x""yes; then :
MYSQL="-lmysqlclient" cat >>confdefs.h <<_ACEOF
@%:@define HAVE_LIBMYSQLCLIENT 1
_ACEOF
LIBS="-lmysqlclient $LIBS"
$as_echo "@%:@define ENABLE_MYSQL 1" >>confdefs.h
$as_echo "@%:@define ENABLE_DB 1" >>confdefs.h
else else
if test "x$with_mysql" != xno; then { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "--with-mysql option used, but libmysqlclient was not found as_fn_error $? "--with-mysql option used, but libmysqlclient was not found - do not use --with-mysql, or, on a Debian-based system, install libmysqlclient-dev
See \`config.log' for more details" "$LINENO" 5 ; }
fi
fi
if test "x$with_graphviz" != xno; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for agread in -lgvc" >&5
$as_echo_n "checking for agread in -lgvc... " >&6; }
if test "${ac_cv_lib_gvc_agread+set}" = set; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
LIBS="-lgvc $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char agread ();
int
main ()
{
return agread ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_lib_gvc_agread=yes
else
ac_cv_lib_gvc_agread=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gvc_agread" >&5
$as_echo "$ac_cv_lib_gvc_agread" >&6; }
if test "x$ac_cv_lib_gvc_agread" = x""yes; then :
cat >>confdefs.h <<_ACEOF
@%:@define HAVE_LIBGVC 1
_ACEOF
LIBS="-lgvc $LIBS"
else
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "libgraphviz support required but the library was not found - use --without-graphviz if you do not want to enable the support for it, or, on a Debian-based system, install libgraphviz-dev
See \`config.log' for more details" "$LINENO" 5 ; } See \`config.log' for more details" "$LINENO" 5 ; }
fi
fi fi
fi fi
@ -11471,6 +11531,11 @@ _ACEOF
LIBS="-lxml2 $LIBS" LIBS="-lxml2 $LIBS"
else
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "libxml2 not found on the system
See \`config.log' for more details" "$LINENO" 5 ; }
fi fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lpthread" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lpthread" >&5
@ -11516,6 +11581,61 @@ _ACEOF
LIBS="-lpthread $LIBS" LIBS="-lpthread $LIBS"
else
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "libpthread not found on the system
See \`config.log' for more details" "$LINENO" 5 ; }
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for sqrt in -lm" >&5
$as_echo_n "checking for sqrt in -lm... " >&6; }
if test "${ac_cv_lib_m_sqrt+set}" = set; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
LIBS="-lm $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char sqrt ();
int
main ()
{
return sqrt ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_lib_m_sqrt=yes
else
ac_cv_lib_m_sqrt=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_m_sqrt" >&5
$as_echo "$ac_cv_lib_m_sqrt" >&6; }
if test "x$ac_cv_lib_m_sqrt" = x""yes; then :
cat >>confdefs.h <<_ACEOF
@%:@define HAVE_LIBM 1
_ACEOF
LIBS="-lm $LIBS"
else
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "libm not found on the system
See \`config.log' for more details" "$LINENO" 5 ; }
fi fi
@ -11539,6 +11659,24 @@ as_fn_error $? "libxml2 not found, okr pkg-config not working
See \`config.log' for more details" "$LINENO" 5 ; } See \`config.log' for more details" "$LINENO" 5 ; }
fi fi
if test "x$with_graphviz" != xno; then :
if test ! -z "`pkg-config --cflags libgraph 2> /dev/null`"; then :
LIBGRAPH_INCLUDES="$(pkg-config --cflags libgraph 2> /dev/null)"
else
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "libgraphviz support enabled, but the library was not found or pkg-config is not working
See \`config.log' for more details" "$LINENO" 5 ; }
fi
fi
if test "x$with_graphviz" != xno; then :
$as_echo "@%:@define HAVE_BOOLEAN 1" >>confdefs.h
fi
# The Ultrix 4.2 mips builtin alloca declared by alloca.h only works # The Ultrix 4.2 mips builtin alloca declared by alloca.h only works
# for constant arguments. Useless! # for constant arguments. Useless!
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for working alloca.h" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for working alloca.h" >&5
@ -11728,7 +11866,7 @@ _ACEOF
fi fi
for ac_header in inttypes.h limits.h stddef.h stdlib.h string.h unistd.h wchar.h for ac_header in inttypes.h limits.h stddef.h stdlib.h string.h unistd.h wchar.h math.h
do : do :
as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
@ -11853,6 +11991,15 @@ cat >>confdefs.h <<_ACEOF
_ACEOF _ACEOF
fi
ac_fn_c_check_type "$LINENO" "boolean" "ac_cv_type_boolean" "$ac_includes_default"
if test "x$ac_cv_type_boolean" = x""yes; then :
cat >>confdefs.h <<_ACEOF
@%:@define HAVE_BOOLEAN 1
_ACEOF
fi fi


@ -2304,113 +2304,122 @@ m4trace:configure.ac:10: -1- m4_pattern_allow([^CPPFLAGS$])
m4trace:configure.ac:10: -1- m4_pattern_allow([^CPP$]) m4trace:configure.ac:10: -1- m4_pattern_allow([^CPP$])
m4trace:configure.ac:10: -1- m4_pattern_allow([^STDC_HEADERS$]) m4trace:configure.ac:10: -1- m4_pattern_allow([^STDC_HEADERS$])
m4trace:configure.ac:10: -1- m4_pattern_allow([^HAVE_DLFCN_H$]) m4trace:configure.ac:10: -1- m4_pattern_allow([^HAVE_DLFCN_H$])
m4trace:configure.ac:14: -1- m4_pattern_allow([^OPENBSD$]) m4trace:configure.ac:17: -1- m4_pattern_allow([^OPENBSD$])
m4trace:configure.ac:15: -1- m4_pattern_allow([^BROKEN_SIOCGIFMTU$]) m4trace:configure.ac:18: -1- m4_pattern_allow([^BROKEN_SIOCGIFMTU$])
m4trace:configure.ac:19: -1- m4_pattern_allow([^OPENBSD$]) m4trace:configure.ac:22: -1- m4_pattern_allow([^OPENBSD$])
m4trace:configure.ac:23: -1- m4_pattern_allow([^IRIX$]) m4trace:configure.ac:26: -1- m4_pattern_allow([^IRIX$])
m4trace:configure.ac:33: -1- m4_pattern_allow([^IRIX$]) m4trace:configure.ac:36: -1- m4_pattern_allow([^IRIX$])
m4trace:configure.ac:43: -1- m4_pattern_allow([^SOLARIS$]) m4trace:configure.ac:46: -1- m4_pattern_allow([^SOLARIS$])
m4trace:configure.ac:48: -1- m4_pattern_allow([^SUNOS$]) m4trace:configure.ac:51: -1- m4_pattern_allow([^SUNOS$])
m4trace:configure.ac:53: -1- m4_pattern_allow([^LINUX$]) m4trace:configure.ac:56: -1- m4_pattern_allow([^LINUX$])
m4trace:configure.ac:55: -1- m4_pattern_allow([^PCAP_TIMEOUT_IGNORED$]) m4trace:configure.ac:58: -1- m4_pattern_allow([^PCAP_TIMEOUT_IGNORED$])
m4trace:configure.ac:56: -1- m4_pattern_allow([^extra_incl$]) m4trace:configure.ac:59: -1- m4_pattern_allow([^extra_incl$])
m4trace:configure.ac:60: -1- m4_pattern_allow([^HPUX$]) m4trace:configure.ac:63: -1- m4_pattern_allow([^HPUX$])
m4trace:configure.ac:61: -1- m4_pattern_allow([^WORDS_BIGENDIAN$]) m4trace:configure.ac:64: -1- m4_pattern_allow([^WORDS_BIGENDIAN$])
m4trace:configure.ac:62: -1- m4_pattern_allow([^extra_incl$]) m4trace:configure.ac:65: -1- m4_pattern_allow([^extra_incl$])
m4trace:configure.ac:67: -1- m4_pattern_allow([^FREEBSD$]) m4trace:configure.ac:70: -1- m4_pattern_allow([^FREEBSD$])
m4trace:configure.ac:71: -1- m4_pattern_allow([^BSDI$]) m4trace:configure.ac:74: -1- m4_pattern_allow([^BSDI$])
m4trace:configure.ac:74: -1- m4_pattern_allow([^AIX$]) m4trace:configure.ac:77: -1- m4_pattern_allow([^AIX$])
m4trace:configure.ac:77: -1- m4_pattern_allow([^OSF1$])
m4trace:configure.ac:80: -1- m4_pattern_allow([^OSF1$]) m4trace:configure.ac:80: -1- m4_pattern_allow([^OSF1$])
m4trace:configure.ac:83: -1- m4_pattern_allow([^OSF1$]) m4trace:configure.ac:83: -1- m4_pattern_allow([^OSF1$])
m4trace:configure.ac:87: -1- m4_pattern_allow([^MACOS$]) m4trace:configure.ac:86: -1- m4_pattern_allow([^OSF1$])
m4trace:configure.ac:88: -1- m4_pattern_allow([^BROKEN_SIOCGIFMTU$]) m4trace:configure.ac:90: -1- m4_pattern_allow([^MACOS$])
m4trace:configure.ac:94: -1- m4_pattern_allow([^CC$]) m4trace:configure.ac:91: -1- m4_pattern_allow([^BROKEN_SIOCGIFMTU$])
m4trace:configure.ac:94: -1- m4_pattern_allow([^CFLAGS$]) m4trace:configure.ac:97: -1- m4_pattern_allow([^CC$])
m4trace:configure.ac:94: -1- m4_pattern_allow([^LDFLAGS$]) m4trace:configure.ac:97: -1- m4_pattern_allow([^CFLAGS$])
m4trace:configure.ac:94: -1- m4_pattern_allow([^LIBS$]) m4trace:configure.ac:97: -1- m4_pattern_allow([^LDFLAGS$])
m4trace:configure.ac:94: -1- m4_pattern_allow([^CPPFLAGS$]) m4trace:configure.ac:97: -1- m4_pattern_allow([^LIBS$])
m4trace:configure.ac:94: -1- m4_pattern_allow([^CC$]) m4trace:configure.ac:97: -1- m4_pattern_allow([^CPPFLAGS$])
m4trace:configure.ac:94: -1- m4_pattern_allow([^CC$]) m4trace:configure.ac:97: -1- m4_pattern_allow([^CC$])
m4trace:configure.ac:94: -1- m4_pattern_allow([^CC$]) m4trace:configure.ac:97: -1- m4_pattern_allow([^CC$])
m4trace:configure.ac:94: -1- m4_pattern_allow([^CC$]) m4trace:configure.ac:97: -1- m4_pattern_allow([^CC$])
m4trace:configure.ac:94: -1- m4_pattern_allow([^ac_ct_CC$]) m4trace:configure.ac:97: -1- m4_pattern_allow([^CC$])
m4trace:configure.ac:94: -1- _AM_DEPENDENCIES([CC]) m4trace:configure.ac:97: -1- m4_pattern_allow([^ac_ct_CC$])
m4trace:configure.ac:94: -1- m4_pattern_allow([^CCDEPMODE$]) m4trace:configure.ac:97: -1- _AM_DEPENDENCIES([CC])
m4trace:configure.ac:94: -1- AM_CONDITIONAL([am__fastdepCC], [ m4trace:configure.ac:97: -1- m4_pattern_allow([^CCDEPMODE$])
m4trace:configure.ac:97: -1- AM_CONDITIONAL([am__fastdepCC], [
test "x$enable_dependency_tracking" != xno \ test "x$enable_dependency_tracking" != xno \
&& test "$am_cv_CC_dependencies_compiler_type" = gcc3]) && test "$am_cv_CC_dependencies_compiler_type" = gcc3])
m4trace:configure.ac:94: -1- m4_pattern_allow([^am__fastdepCC_TRUE$]) m4trace:configure.ac:97: -1- m4_pattern_allow([^am__fastdepCC_TRUE$])
m4trace:configure.ac:94: -1- m4_pattern_allow([^am__fastdepCC_FALSE$]) m4trace:configure.ac:97: -1- m4_pattern_allow([^am__fastdepCC_FALSE$])
m4trace:configure.ac:94: -1- _AM_SUBST_NOTMAKE([am__fastdepCC_TRUE]) m4trace:configure.ac:97: -1- _AM_SUBST_NOTMAKE([am__fastdepCC_TRUE])
m4trace:configure.ac:94: -1- _AM_SUBST_NOTMAKE([am__fastdepCC_FALSE]) m4trace:configure.ac:97: -1- _AM_SUBST_NOTMAKE([am__fastdepCC_FALSE])
m4trace:configure.ac:95: -1- m4_pattern_allow([^LN_S$]) m4trace:configure.ac:98: -1- m4_pattern_allow([^LN_S$])
m4trace:configure.ac:96: -1- m4_pattern_allow([^SET_MAKE$]) m4trace:configure.ac:99: -1- m4_pattern_allow([^SET_MAKE$])
m4trace:configure.ac:106: -1- m4_pattern_allow([^MYSQL$]) m4trace:configure.ac:115: -1- m4_pattern_allow([^ENABLE_MYSQL$])
m4trace:configure.ac:106: -1- m4_pattern_allow([^ENABLE_MYSQL$]) m4trace:configure.ac:115: -1- m4_pattern_allow([^ENABLE_DB$])
m4trace:configure.ac:106: -1- m4_pattern_allow([^ENABLE_DB$]) m4trace:configure.ac:130: -1- m4_pattern_allow([^HAVE_LIBXML2$])
m4trace:configure.ac:118: -1- m4_pattern_allow([^HAVE_LIBPTHREAD$]) m4trace:configure.ac:131: -1- m4_pattern_allow([^HAVE_LIBPTHREAD$])
m4trace:configure.ac:121: -1- m4_pattern_allow([^HAVE_ALLOCA_H$]) m4trace:configure.ac:132: -1- m4_pattern_allow([^HAVE_LIBM$])
m4trace:configure.ac:121: -1- m4_pattern_allow([^HAVE_ALLOCA$]) m4trace:configure.ac:133: -1- m4_pattern_allow([^HAVE_LIBGVC$])
m4trace:configure.ac:121: -1- m4_pattern_allow([^ALLOCA$]) m4trace:configure.ac:139: -1- m4_pattern_allow([^CORR_RULES_PREFIX$])
m4trace:configure.ac:121: -1- m4_pattern_allow([^C_ALLOCA$]) m4trace:configure.ac:139: -1- m4_pattern_allow([^CORR_RULES_PREFIX$])
m4trace:configure.ac:121: -1- m4_pattern_allow([^CRAY_STACKSEG_END$]) m4trace:configure.ac:145: -1- m4_pattern_allow([^LIBXML2_INCLUDES$])
m4trace:configure.ac:121: -1- m4_pattern_allow([^STACK_DIRECTION$]) m4trace:configure.ac:149: -1- m4_pattern_allow([^LIBGRAPH_INCLUDES$])
m4trace:configure.ac:125: -1- m4_pattern_allow([^HAVE_U_INT8_T$]) m4trace:configure.ac:154: -1- m4_pattern_allow([^HAVE_BOOLEAN$])
m4trace:configure.ac:125: -1- m4_pattern_allow([^HAVE_U_INT16_T$]) m4trace:configure.ac:157: -1- m4_pattern_allow([^HAVE_ALLOCA_H$])
m4trace:configure.ac:125: -1- m4_pattern_allow([^HAVE_U_INT32_T$]) m4trace:configure.ac:157: -1- m4_pattern_allow([^HAVE_ALLOCA$])
m4trace:configure.ac:125: -1- m4_pattern_allow([^HAVE_U_INT64_T$]) m4trace:configure.ac:157: -1- m4_pattern_allow([^ALLOCA$])
m4trace:configure.ac:125: -1- m4_pattern_allow([^HAVE_UINT8_T$]) m4trace:configure.ac:157: -1- m4_pattern_allow([^C_ALLOCA$])
m4trace:configure.ac:125: -1- m4_pattern_allow([^HAVE_UINT16_T$]) m4trace:configure.ac:157: -1- m4_pattern_allow([^CRAY_STACKSEG_END$])
m4trace:configure.ac:125: -1- m4_pattern_allow([^HAVE_UINT32_T$]) m4trace:configure.ac:157: -1- m4_pattern_allow([^STACK_DIRECTION$])
m4trace:configure.ac:125: -1- m4_pattern_allow([^HAVE_UINT64_T$]) m4trace:configure.ac:161: -1- m4_pattern_allow([^HAVE_U_INT8_T$])
m4trace:configure.ac:126: -1- m4_pattern_allow([^HAVE_INT8_T$]) m4trace:configure.ac:161: -1- m4_pattern_allow([^HAVE_U_INT16_T$])
m4trace:configure.ac:126: -1- m4_pattern_allow([^HAVE_INT16_T$]) m4trace:configure.ac:161: -1- m4_pattern_allow([^HAVE_U_INT32_T$])
m4trace:configure.ac:126: -1- m4_pattern_allow([^HAVE_INT32_T$]) m4trace:configure.ac:161: -1- m4_pattern_allow([^HAVE_U_INT64_T$])
m4trace:configure.ac:126: -1- m4_pattern_allow([^HAVE_INT64_T$]) m4trace:configure.ac:161: -1- m4_pattern_allow([^HAVE_UINT8_T$])
m4trace:configure.ac:129: -1- m4_pattern_allow([^HAVE__BOOL$]) m4trace:configure.ac:161: -1- m4_pattern_allow([^HAVE_UINT16_T$])
m4trace:configure.ac:129: -1- m4_pattern_allow([^HAVE_STDBOOL_H$]) m4trace:configure.ac:161: -1- m4_pattern_allow([^HAVE_UINT32_T$])
m4trace:configure.ac:130: -1- m4_pattern_allow([^size_t$]) m4trace:configure.ac:161: -1- m4_pattern_allow([^HAVE_UINT64_T$])
m4trace:configure.ac:131: -1- m4_pattern_allow([^uint16_t$]) m4trace:configure.ac:162: -1- m4_pattern_allow([^HAVE_INT8_T$])
m4trace:configure.ac:132: -1- m4_pattern_allow([^_UINT32_T$]) m4trace:configure.ac:162: -1- m4_pattern_allow([^HAVE_INT16_T$])
m4trace:configure.ac:132: -1- m4_pattern_allow([^uint32_t$]) m4trace:configure.ac:162: -1- m4_pattern_allow([^HAVE_INT32_T$])
m4trace:configure.ac:133: -1- m4_pattern_allow([^_UINT8_T$]) m4trace:configure.ac:162: -1- m4_pattern_allow([^HAVE_INT64_T$])
m4trace:configure.ac:133: -1- m4_pattern_allow([^uint8_t$]) m4trace:configure.ac:162: -1- m4_pattern_allow([^HAVE_BOOLEAN$])
m4trace:configure.ac:134: -1- m4_pattern_allow([^HAVE_PTRDIFF_T$]) m4trace:configure.ac:165: -1- m4_pattern_allow([^HAVE__BOOL$])
m4trace:configure.ac:137: -1- m4_pattern_allow([^HAVE_STDLIB_H$]) m4trace:configure.ac:165: -1- m4_pattern_allow([^HAVE_STDBOOL_H$])
m4trace:configure.ac:137: -1- m4_pattern_allow([^HAVE_MALLOC$]) m4trace:configure.ac:166: -1- m4_pattern_allow([^size_t$])
m4trace:configure.ac:137: -1- m4_pattern_allow([^HAVE_MALLOC$]) m4trace:configure.ac:167: -1- m4_pattern_allow([^uint16_t$])
m4trace:configure.ac:137: -1- m4_pattern_allow([^LIB@&t@OBJS$]) m4trace:configure.ac:168: -1- m4_pattern_allow([^_UINT32_T$])
m4trace:configure.ac:137: -1- m4_pattern_allow([^malloc$]) m4trace:configure.ac:168: -1- m4_pattern_allow([^uint32_t$])
m4trace:configure.ac:138: -1- m4_pattern_allow([^TIME_WITH_SYS_TIME$]) m4trace:configure.ac:169: -1- m4_pattern_allow([^_UINT8_T$])
m4trace:configure.ac:138: -1- AC_DEFUN([_AC_Header_sys_time_h], [m4_divert_text([INIT_PREPARE], [AS_VAR_APPEND([ac_header_list], [" sys/time.h"])]) m4trace:configure.ac:169: -1- m4_pattern_allow([^uint8_t$])
m4trace:configure.ac:170: -1- m4_pattern_allow([^HAVE_PTRDIFF_T$])
m4trace:configure.ac:173: -1- m4_pattern_allow([^HAVE_STDLIB_H$])
m4trace:configure.ac:173: -1- m4_pattern_allow([^HAVE_MALLOC$])
m4trace:configure.ac:173: -1- m4_pattern_allow([^HAVE_MALLOC$])
m4trace:configure.ac:173: -1- m4_pattern_allow([^LIB@&t@OBJS$])
m4trace:configure.ac:173: -1- m4_pattern_allow([^malloc$])
m4trace:configure.ac:174: -1- m4_pattern_allow([^TIME_WITH_SYS_TIME$])
m4trace:configure.ac:174: -1- AC_DEFUN([_AC_Header_sys_time_h], [m4_divert_text([INIT_PREPARE], [AS_VAR_APPEND([ac_header_list], [" sys/time.h"])])
_AC_HEADERS_EXPANSION]) _AC_HEADERS_EXPANSION])
m4trace:configure.ac:138: -1- AC_DEFUN([_AC_Header_unistd_h], [m4_divert_text([INIT_PREPARE], [AS_VAR_APPEND([ac_header_list], [" unistd.h"])]) m4trace:configure.ac:174: -1- AC_DEFUN([_AC_Header_unistd_h], [m4_divert_text([INIT_PREPARE], [AS_VAR_APPEND([ac_header_list], [" unistd.h"])])
_AC_HEADERS_EXPANSION]) _AC_HEADERS_EXPANSION])
m4trace:configure.ac:138: -1- AC_DEFUN([_AC_Func_alarm], [m4_divert_text([INIT_PREPARE], [AS_VAR_APPEND([ac_func_list], [" alarm"])]) m4trace:configure.ac:174: -1- AC_DEFUN([_AC_Func_alarm], [m4_divert_text([INIT_PREPARE], [AS_VAR_APPEND([ac_func_list], [" alarm"])])
_AC_FUNCS_EXPANSION]) _AC_FUNCS_EXPANSION])
m4trace:configure.ac:138: -1- m4_pattern_allow([^LIB@&t@OBJS$]) m4trace:configure.ac:174: -1- m4_pattern_allow([^LIB@&t@OBJS$])
m4trace:configure.ac:139: -1- m4_pattern_allow([^HAVE_STDLIB_H$]) m4trace:configure.ac:175: -1- m4_pattern_allow([^HAVE_STDLIB_H$])
m4trace:configure.ac:139: -1- m4_pattern_allow([^HAVE_REALLOC$]) m4trace:configure.ac:175: -1- m4_pattern_allow([^HAVE_REALLOC$])
m4trace:configure.ac:139: -1- m4_pattern_allow([^HAVE_REALLOC$]) m4trace:configure.ac:175: -1- m4_pattern_allow([^HAVE_REALLOC$])
m4trace:configure.ac:139: -1- m4_pattern_allow([^LIB@&t@OBJS$]) m4trace:configure.ac:175: -1- m4_pattern_allow([^LIB@&t@OBJS$])
m4trace:configure.ac:139: -1- m4_pattern_allow([^realloc$]) m4trace:configure.ac:175: -1- m4_pattern_allow([^realloc$])
m4trace:configure.ac:142: -1- m4_pattern_allow([^VERSION$]) m4trace:configure.ac:178: -1- m4_pattern_allow([^VERSION$])
m4trace:configure.ac:143: -1- m4_pattern_allow([^PACKAGE$]) m4trace:configure.ac:179: -1- m4_pattern_allow([^PACKAGE$])
m4trace:configure.ac:144: -1- m4_pattern_allow([^PACKAGE_BUGREPORT$]) m4trace:configure.ac:180: -1- m4_pattern_allow([^PACKAGE_BUGREPORT$])
m4trace:configure.ac:145: -1- m4_pattern_allow([^PACKAGE_NAME$]) m4trace:configure.ac:181: -1- m4_pattern_allow([^PACKAGE_NAME$])
m4trace:configure.ac:146: -1- m4_pattern_allow([^PACKAGE_STRING$]) m4trace:configure.ac:182: -1- m4_pattern_allow([^PACKAGE_STRING$])
m4trace:configure.ac:147: -1- m4_pattern_allow([^PACKAGE_TARNAME$]) m4trace:configure.ac:183: -1- m4_pattern_allow([^PACKAGE_TARNAME$])
m4trace:configure.ac:148: -1- m4_pattern_allow([^PACKAGE_VERSION$]) m4trace:configure.ac:184: -1- m4_pattern_allow([^PACKAGE_VERSION$])
m4trace:configure.ac:149: -1- m4_pattern_allow([^SUP_IP6$]) m4trace:configure.ac:185: -1- m4_pattern_allow([^SUP_IP6$])
m4trace:configure.ac:151: -1- m4_pattern_allow([^HAVE_VISIBILITY$]) m4trace:configure.ac:187: -1- m4_pattern_allow([^HAVE_VISIBILITY$])
m4trace:configure.ac:154: -1- m4_pattern_allow([^LIB@&t@OBJS$]) m4trace:configure.ac:188: -1- m4_pattern_allow([^PREFIX$])
m4trace:configure.ac:154: -1- m4_pattern_allow([^LTLIBOBJS$]) m4trace:configure.ac:191: -1- m4_pattern_allow([^LIB@&t@OBJS$])
m4trace:configure.ac:154: -1- AM_CONDITIONAL([am__EXEEXT], [test -n "$EXEEXT"]) m4trace:configure.ac:191: -1- m4_pattern_allow([^LTLIBOBJS$])
m4trace:configure.ac:154: -1- m4_pattern_allow([^am__EXEEXT_TRUE$]) m4trace:configure.ac:191: -1- AM_CONDITIONAL([am__EXEEXT], [test -n "$EXEEXT"])
m4trace:configure.ac:154: -1- m4_pattern_allow([^am__EXEEXT_FALSE$]) m4trace:configure.ac:191: -1- m4_pattern_allow([^am__EXEEXT_TRUE$])
m4trace:configure.ac:154: -1- _AM_SUBST_NOTMAKE([am__EXEEXT_TRUE]) m4trace:configure.ac:191: -1- m4_pattern_allow([^am__EXEEXT_FALSE$])
m4trace:configure.ac:154: -1- _AM_SUBST_NOTMAKE([am__EXEEXT_FALSE]) m4trace:configure.ac:191: -1- _AM_SUBST_NOTMAKE([am__EXEEXT_TRUE])
m4trace:configure.ac:154: -1- _AC_AM_CONFIG_HEADER_HOOK(["$ac_file"]) m4trace:configure.ac:191: -1- _AM_SUBST_NOTMAKE([am__EXEEXT_FALSE])
m4trace:configure.ac:154: -1- _AM_OUTPUT_DEPENDENCY_COMMANDS m4trace:configure.ac:191: -1- _AC_AM_CONFIG_HEADER_HOOK(["$ac_file"])
m4trace:configure.ac:154: -1- _LT_PROG_LTMAIN m4trace:configure.ac:191: -1- _AM_OUTPUT_DEPENDENCY_COMMANDS
m4trace:configure.ac:191: -1- _LT_PROG_LTMAIN


@ -570,304 +570,318 @@ m4trace:configure.ac:98: -1- m4_pattern_allow([^LN_S$])
m4trace:configure.ac:99: -1- AC_SUBST([SET_MAKE]) m4trace:configure.ac:99: -1- AC_SUBST([SET_MAKE])
m4trace:configure.ac:99: -1- AC_SUBST_TRACE([SET_MAKE]) m4trace:configure.ac:99: -1- AC_SUBST_TRACE([SET_MAKE])
m4trace:configure.ac:99: -1- m4_pattern_allow([^SET_MAKE$]) m4trace:configure.ac:99: -1- m4_pattern_allow([^SET_MAKE$])
m4trace:configure.ac:109: -1- AC_SUBST([MYSQL], ["-lmysqlclient"]) m4trace:configure.ac:115: -1- AH_OUTPUT([HAVE_LIBMYSQLCLIENT], [/* Define to 1 if you have the `mysqlclient\' library (-lmysqlclient). */
m4trace:configure.ac:109: -1- AC_SUBST_TRACE([MYSQL]) @%:@undef HAVE_LIBMYSQLCLIENT])
m4trace:configure.ac:109: -1- m4_pattern_allow([^MYSQL$]) m4trace:configure.ac:115: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBMYSQLCLIENT])
m4trace:configure.ac:109: -1- AC_DEFINE_TRACE_LITERAL([ENABLE_MYSQL]) m4trace:configure.ac:115: -1- m4_pattern_allow([^HAVE_LIBMYSQLCLIENT$])
m4trace:configure.ac:109: -1- m4_pattern_allow([^ENABLE_MYSQL$]) m4trace:configure.ac:119: -1- AH_OUTPUT([HAVE_LIBGVC], [/* Define to 1 if you have the `gvc\' library (-lgvc). */
m4trace:configure.ac:109: -1- AH_OUTPUT([ENABLE_MYSQL], [/* Define if you want to use MySQL */ @%:@undef HAVE_LIBGVC])
@%:@undef ENABLE_MYSQL]) m4trace:configure.ac:119: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBGVC])
m4trace:configure.ac:109: -1- AC_DEFINE_TRACE_LITERAL([ENABLE_DB]) m4trace:configure.ac:119: -1- m4_pattern_allow([^HAVE_LIBGVC$])
m4trace:configure.ac:109: -1- m4_pattern_allow([^ENABLE_DB$]) m4trace:configure.ac:123: -1- AH_OUTPUT([HAVE_LIBXML2], [/* Define to 1 if you have the `xml2\' library (-lxml2). */
m4trace:configure.ac:109: -1- AH_OUTPUT([ENABLE_DB], [/* Define if you want to enable database support */
@%:@undef ENABLE_DB])
m4trace:configure.ac:120: -1- AH_OUTPUT([HAVE_LIBXML2], [/* Define to 1 if you have the `xml2\' library (-lxml2). */
@%:@undef HAVE_LIBXML2]) @%:@undef HAVE_LIBXML2])
m4trace:configure.ac:120: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBXML2]) m4trace:configure.ac:123: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBXML2])
m4trace:configure.ac:120: -1- m4_pattern_allow([^HAVE_LIBXML2$]) m4trace:configure.ac:123: -1- m4_pattern_allow([^HAVE_LIBXML2$])
m4trace:configure.ac:121: -1- AH_OUTPUT([HAVE_LIBPTHREAD], [/* Define to 1 if you have the `pthread\' library (-lpthread). */ m4trace:configure.ac:124: -1- AH_OUTPUT([HAVE_LIBPTHREAD], [/* Define to 1 if you have the `pthread\' library (-lpthread). */
@%:@undef HAVE_LIBPTHREAD]) @%:@undef HAVE_LIBPTHREAD])
m4trace:configure.ac:121: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBPTHREAD]) m4trace:configure.ac:124: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBPTHREAD])
m4trace:configure.ac:121: -1- m4_pattern_allow([^HAVE_LIBPTHREAD$]) m4trace:configure.ac:124: -1- m4_pattern_allow([^HAVE_LIBPTHREAD$])
m4trace:configure.ac:123: -1- AC_SUBST([CORR_RULES_PREFIX], ["/etc/snort/corr_rules"]) m4trace:configure.ac:125: -1- AH_OUTPUT([HAVE_LIBM], [/* Define to 1 if you have the `m\' library (-lm). */
m4trace:configure.ac:123: -1- AC_SUBST_TRACE([CORR_RULES_PREFIX]) @%:@undef HAVE_LIBM])
m4trace:configure.ac:123: -1- m4_pattern_allow([^CORR_RULES_PREFIX$]) m4trace:configure.ac:125: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBM])
m4trace:configure.ac:123: -1- AC_SUBST([CORR_RULES_PREFIX], ["${prefix}/etc/corr_rules"]) m4trace:configure.ac:125: -1- m4_pattern_allow([^HAVE_LIBM$])
m4trace:configure.ac:123: -1- AC_SUBST_TRACE([CORR_RULES_PREFIX]) m4trace:configure.ac:127: -1- AC_SUBST([CORR_RULES_PREFIX], ["/etc/snort/corr_rules"])
m4trace:configure.ac:123: -1- m4_pattern_allow([^CORR_RULES_PREFIX$]) m4trace:configure.ac:127: -1- AC_SUBST_TRACE([CORR_RULES_PREFIX])
m4trace:configure.ac:129: -1- AC_SUBST([LIBXML2_INCLUDES], ["$(pkg-config --cflags libxml-2.0 2> /dev/null)"]) m4trace:configure.ac:127: -1- m4_pattern_allow([^CORR_RULES_PREFIX$])
m4trace:configure.ac:129: -1- AC_SUBST_TRACE([LIBXML2_INCLUDES]) m4trace:configure.ac:127: -1- AC_SUBST([CORR_RULES_PREFIX], ["${prefix}/etc/corr_rules"])
m4trace:configure.ac:129: -1- m4_pattern_allow([^LIBXML2_INCLUDES$]) m4trace:configure.ac:127: -1- AC_SUBST_TRACE([CORR_RULES_PREFIX])
m4trace:configure.ac:133: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ALLOCA_H]) m4trace:configure.ac:127: -1- m4_pattern_allow([^CORR_RULES_PREFIX$])
m4trace:configure.ac:133: -1- m4_pattern_allow([^HAVE_ALLOCA_H$]) m4trace:configure.ac:133: -1- AC_SUBST([LIBXML2_INCLUDES], ["$(pkg-config --cflags libxml-2.0 2> /dev/null)"])
m4trace:configure.ac:133: -1- AH_OUTPUT([HAVE_ALLOCA_H], [/* Define to 1 if you have <alloca.h> and it should be used (not on Ultrix). m4trace:configure.ac:133: -1- AC_SUBST_TRACE([LIBXML2_INCLUDES])
m4trace:configure.ac:133: -1- m4_pattern_allow([^LIBXML2_INCLUDES$])
m4trace:configure.ac:137: -1- AC_SUBST([LIBGRAPH_INCLUDES], ["$(pkg-config --cflags libgraph 2> /dev/null)"])
m4trace:configure.ac:137: -1- AC_SUBST_TRACE([LIBGRAPH_INCLUDES])
m4trace:configure.ac:137: -1- m4_pattern_allow([^LIBGRAPH_INCLUDES$])
m4trace:configure.ac:142: -1- AC_DEFINE_TRACE_LITERAL([HAVE_BOOLEAN])
m4trace:configure.ac:142: -1- m4_pattern_allow([^HAVE_BOOLEAN$])
m4trace:configure.ac:142: -1- AH_OUTPUT([HAVE_BOOLEAN], [/* Check if the boolean type is defined */
@%:@undef HAVE_BOOLEAN])
m4trace:configure.ac:145: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ALLOCA_H])
m4trace:configure.ac:145: -1- m4_pattern_allow([^HAVE_ALLOCA_H$])
m4trace:configure.ac:145: -1- AH_OUTPUT([HAVE_ALLOCA_H], [/* Define to 1 if you have <alloca.h> and it should be used (not on Ultrix).
*/ */
@%:@undef HAVE_ALLOCA_H]) @%:@undef HAVE_ALLOCA_H])
m4trace:configure.ac:133: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ALLOCA]) m4trace:configure.ac:145: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ALLOCA])
m4trace:configure.ac:133: -1- m4_pattern_allow([^HAVE_ALLOCA$]) m4trace:configure.ac:145: -1- m4_pattern_allow([^HAVE_ALLOCA$])
m4trace:configure.ac:133: -1- AH_OUTPUT([HAVE_ALLOCA], [/* Define to 1 if you have `alloca\', as a function or macro. */ m4trace:configure.ac:145: -1- AH_OUTPUT([HAVE_ALLOCA], [/* Define to 1 if you have `alloca\', as a function or macro. */
@%:@undef HAVE_ALLOCA]) @%:@undef HAVE_ALLOCA])
m4trace:configure.ac:133: -1- AC_LIBSOURCE([alloca.c]) m4trace:configure.ac:145: -1- AC_LIBSOURCE([alloca.c])
m4trace:configure.ac:133: -1- AC_SUBST([ALLOCA], [\${LIBOBJDIR}alloca.$ac_objext]) m4trace:configure.ac:145: -1- AC_SUBST([ALLOCA], [\${LIBOBJDIR}alloca.$ac_objext])
m4trace:configure.ac:133: -1- AC_SUBST_TRACE([ALLOCA]) m4trace:configure.ac:145: -1- AC_SUBST_TRACE([ALLOCA])
m4trace:configure.ac:133: -1- m4_pattern_allow([^ALLOCA$]) m4trace:configure.ac:145: -1- m4_pattern_allow([^ALLOCA$])
m4trace:configure.ac:133: -1- AC_DEFINE_TRACE_LITERAL([C_ALLOCA]) m4trace:configure.ac:145: -1- AC_DEFINE_TRACE_LITERAL([C_ALLOCA])
m4trace:configure.ac:133: -1- m4_pattern_allow([^C_ALLOCA$]) m4trace:configure.ac:145: -1- m4_pattern_allow([^C_ALLOCA$])
m4trace:configure.ac:133: -1- AH_OUTPUT([C_ALLOCA], [/* Define to 1 if using `alloca.c\'. */ m4trace:configure.ac:145: -1- AH_OUTPUT([C_ALLOCA], [/* Define to 1 if using `alloca.c\'. */
@%:@undef C_ALLOCA]) @%:@undef C_ALLOCA])
m4trace:configure.ac:133: -1- AC_DEFINE_TRACE_LITERAL([CRAY_STACKSEG_END]) m4trace:configure.ac:145: -1- AC_DEFINE_TRACE_LITERAL([CRAY_STACKSEG_END])
m4trace:configure.ac:133: -1- m4_pattern_allow([^CRAY_STACKSEG_END$]) m4trace:configure.ac:145: -1- m4_pattern_allow([^CRAY_STACKSEG_END$])
m4trace:configure.ac:133: -1- AH_OUTPUT([CRAY_STACKSEG_END], [/* Define to one of `_getb67\', `GETB67\', `getb67\' for Cray-2 and Cray-YMP m4trace:configure.ac:145: -1- AH_OUTPUT([CRAY_STACKSEG_END], [/* Define to one of `_getb67\', `GETB67\', `getb67\' for Cray-2 and Cray-YMP
systems. This function is required for `alloca.c\' support on those systems. systems. This function is required for `alloca.c\' support on those systems.
*/ */
@%:@undef CRAY_STACKSEG_END]) @%:@undef CRAY_STACKSEG_END])
m4trace:configure.ac:133: -1- AH_OUTPUT([STACK_DIRECTION], [/* If using the C implementation of alloca, define if you know the m4trace:configure.ac:145: -1- AH_OUTPUT([STACK_DIRECTION], [/* If using the C implementation of alloca, define if you know the
direction of stack growth for your system; otherwise it will be direction of stack growth for your system; otherwise it will be
automatically deduced at runtime. automatically deduced at runtime.
STACK_DIRECTION > 0 => grows toward higher addresses STACK_DIRECTION > 0 => grows toward higher addresses
STACK_DIRECTION < 0 => grows toward lower addresses STACK_DIRECTION < 0 => grows toward lower addresses
STACK_DIRECTION = 0 => direction of growth unknown */ STACK_DIRECTION = 0 => direction of growth unknown */
@%:@undef STACK_DIRECTION]) @%:@undef STACK_DIRECTION])
m4trace:configure.ac:133: -1- AC_DEFINE_TRACE_LITERAL([STACK_DIRECTION]) m4trace:configure.ac:145: -1- AC_DEFINE_TRACE_LITERAL([STACK_DIRECTION])
m4trace:configure.ac:133: -1- m4_pattern_allow([^STACK_DIRECTION$]) m4trace:configure.ac:145: -1- m4_pattern_allow([^STACK_DIRECTION$])
m4trace:configure.ac:134: -1- AH_OUTPUT([HAVE_INTTYPES_H], [/* Define to 1 if you have the <inttypes.h> header file. */ m4trace:configure.ac:146: -1- AH_OUTPUT([HAVE_INTTYPES_H], [/* Define to 1 if you have the <inttypes.h> header file. */
@%:@undef HAVE_INTTYPES_H]) @%:@undef HAVE_INTTYPES_H])
m4trace:configure.ac:134: -1- AH_OUTPUT([HAVE_LIMITS_H], [/* Define to 1 if you have the <limits.h> header file. */ m4trace:configure.ac:146: -1- AH_OUTPUT([HAVE_LIMITS_H], [/* Define to 1 if you have the <limits.h> header file. */
@%:@undef HAVE_LIMITS_H]) @%:@undef HAVE_LIMITS_H])
m4trace:configure.ac:134: -1- AH_OUTPUT([HAVE_STDDEF_H], [/* Define to 1 if you have the <stddef.h> header file. */ m4trace:configure.ac:146: -1- AH_OUTPUT([HAVE_STDDEF_H], [/* Define to 1 if you have the <stddef.h> header file. */
@%:@undef HAVE_STDDEF_H]) @%:@undef HAVE_STDDEF_H])
m4trace:configure.ac:134: -1- AH_OUTPUT([HAVE_STDLIB_H], [/* Define to 1 if you have the <stdlib.h> header file. */ m4trace:configure.ac:146: -1- AH_OUTPUT([HAVE_STDLIB_H], [/* Define to 1 if you have the <stdlib.h> header file. */
@%:@undef HAVE_STDLIB_H]) @%:@undef HAVE_STDLIB_H])
m4trace:configure.ac:134: -1- AH_OUTPUT([HAVE_STRING_H], [/* Define to 1 if you have the <string.h> header file. */ m4trace:configure.ac:146: -1- AH_OUTPUT([HAVE_STRING_H], [/* Define to 1 if you have the <string.h> header file. */
@%:@undef HAVE_STRING_H]) @%:@undef HAVE_STRING_H])
m4trace:configure.ac:134: -1- AH_OUTPUT([HAVE_UNISTD_H], [/* Define to 1 if you have the <unistd.h> header file. */ m4trace:configure.ac:146: -1- AH_OUTPUT([HAVE_UNISTD_H], [/* Define to 1 if you have the <unistd.h> header file. */
@%:@undef HAVE_UNISTD_H]) @%:@undef HAVE_UNISTD_H])
m4trace:configure.ac:134: -1- AH_OUTPUT([HAVE_WCHAR_H], [/* Define to 1 if you have the <wchar.h> header file. */ m4trace:configure.ac:146: -1- AH_OUTPUT([HAVE_WCHAR_H], [/* Define to 1 if you have the <wchar.h> header file. */
@%:@undef HAVE_WCHAR_H]) @%:@undef HAVE_WCHAR_H])
m4trace:configure.ac:137: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT8_T]) m4trace:configure.ac:146: -1- AH_OUTPUT([HAVE_MATH_H], [/* Define to 1 if you have the <math.h> header file. */
m4trace:configure.ac:137: -1- m4_pattern_allow([^HAVE_U_INT8_T$]) @%:@undef HAVE_MATH_H])
m4trace:configure.ac:137: -1- AH_OUTPUT([HAVE_U_INT8_T], [/* Define to 1 if the system has the type `u_int8_t\'. */ m4trace:configure.ac:149: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT8_T])
m4trace:configure.ac:149: -1- m4_pattern_allow([^HAVE_U_INT8_T$])
m4trace:configure.ac:149: -1- AH_OUTPUT([HAVE_U_INT8_T], [/* Define to 1 if the system has the type `u_int8_t\'. */
@%:@undef HAVE_U_INT8_T]) @%:@undef HAVE_U_INT8_T])
m4trace:configure.ac:137: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT16_T]) m4trace:configure.ac:149: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT16_T])
m4trace:configure.ac:137: -1- m4_pattern_allow([^HAVE_U_INT16_T$]) m4trace:configure.ac:149: -1- m4_pattern_allow([^HAVE_U_INT16_T$])
m4trace:configure.ac:137: -1- AH_OUTPUT([HAVE_U_INT16_T], [/* Define to 1 if the system has the type `u_int16_t\'. */ m4trace:configure.ac:149: -1- AH_OUTPUT([HAVE_U_INT16_T], [/* Define to 1 if the system has the type `u_int16_t\'. */
@%:@undef HAVE_U_INT16_T]) @%:@undef HAVE_U_INT16_T])
m4trace:configure.ac:137: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT32_T]) m4trace:configure.ac:149: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT32_T])
m4trace:configure.ac:137: -1- m4_pattern_allow([^HAVE_U_INT32_T$]) m4trace:configure.ac:149: -1- m4_pattern_allow([^HAVE_U_INT32_T$])
m4trace:configure.ac:137: -1- AH_OUTPUT([HAVE_U_INT32_T], [/* Define to 1 if the system has the type `u_int32_t\'. */ m4trace:configure.ac:149: -1- AH_OUTPUT([HAVE_U_INT32_T], [/* Define to 1 if the system has the type `u_int32_t\'. */
@%:@undef HAVE_U_INT32_T]) @%:@undef HAVE_U_INT32_T])
m4trace:configure.ac:137: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT64_T]) m4trace:configure.ac:149: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT64_T])
m4trace:configure.ac:137: -1- m4_pattern_allow([^HAVE_U_INT64_T$]) m4trace:configure.ac:149: -1- m4_pattern_allow([^HAVE_U_INT64_T$])
m4trace:configure.ac:137: -1- AH_OUTPUT([HAVE_U_INT64_T], [/* Define to 1 if the system has the type `u_int64_t\'. */ m4trace:configure.ac:149: -1- AH_OUTPUT([HAVE_U_INT64_T], [/* Define to 1 if the system has the type `u_int64_t\'. */
@%:@undef HAVE_U_INT64_T]) @%:@undef HAVE_U_INT64_T])
m4trace:configure.ac:137: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UINT8_T]) m4trace:configure.ac:149: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UINT8_T])
m4trace:configure.ac:137: -1- m4_pattern_allow([^HAVE_UINT8_T$]) m4trace:configure.ac:149: -1- m4_pattern_allow([^HAVE_UINT8_T$])
m4trace:configure.ac:137: -1- AH_OUTPUT([HAVE_UINT8_T], [/* Define to 1 if the system has the type `uint8_t\'. */ m4trace:configure.ac:149: -1- AH_OUTPUT([HAVE_UINT8_T], [/* Define to 1 if the system has the type `uint8_t\'. */
@%:@undef HAVE_UINT8_T]) @%:@undef HAVE_UINT8_T])
m4trace:configure.ac:137: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UINT16_T]) m4trace:configure.ac:149: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UINT16_T])
m4trace:configure.ac:137: -1- m4_pattern_allow([^HAVE_UINT16_T$]) m4trace:configure.ac:149: -1- m4_pattern_allow([^HAVE_UINT16_T$])
m4trace:configure.ac:137: -1- AH_OUTPUT([HAVE_UINT16_T], [/* Define to 1 if the system has the type `uint16_t\'. */ m4trace:configure.ac:149: -1- AH_OUTPUT([HAVE_UINT16_T], [/* Define to 1 if the system has the type `uint16_t\'. */
@%:@undef HAVE_UINT16_T]) @%:@undef HAVE_UINT16_T])
m4trace:configure.ac:137: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UINT32_T]) m4trace:configure.ac:149: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UINT32_T])
m4trace:configure.ac:137: -1- m4_pattern_allow([^HAVE_UINT32_T$]) m4trace:configure.ac:149: -1- m4_pattern_allow([^HAVE_UINT32_T$])
m4trace:configure.ac:137: -1- AH_OUTPUT([HAVE_UINT32_T], [/* Define to 1 if the system has the type `uint32_t\'. */ m4trace:configure.ac:149: -1- AH_OUTPUT([HAVE_UINT32_T], [/* Define to 1 if the system has the type `uint32_t\'. */
@%:@undef HAVE_UINT32_T]) @%:@undef HAVE_UINT32_T])
m4trace:configure.ac:137: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UINT64_T]) m4trace:configure.ac:149: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UINT64_T])
m4trace:configure.ac:137: -1- m4_pattern_allow([^HAVE_UINT64_T$]) m4trace:configure.ac:149: -1- m4_pattern_allow([^HAVE_UINT64_T$])
m4trace:configure.ac:137: -1- AH_OUTPUT([HAVE_UINT64_T], [/* Define to 1 if the system has the type `uint64_t\'. */ m4trace:configure.ac:149: -1- AH_OUTPUT([HAVE_UINT64_T], [/* Define to 1 if the system has the type `uint64_t\'. */
@%:@undef HAVE_UINT64_T]) @%:@undef HAVE_UINT64_T])
m4trace:configure.ac:138: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INT8_T]) m4trace:configure.ac:150: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INT8_T])
m4trace:configure.ac:138: -1- m4_pattern_allow([^HAVE_INT8_T$]) m4trace:configure.ac:150: -1- m4_pattern_allow([^HAVE_INT8_T$])
m4trace:configure.ac:138: -1- AH_OUTPUT([HAVE_INT8_T], [/* Define to 1 if the system has the type `int8_t\'. */ m4trace:configure.ac:150: -1- AH_OUTPUT([HAVE_INT8_T], [/* Define to 1 if the system has the type `int8_t\'. */
@%:@undef HAVE_INT8_T]) @%:@undef HAVE_INT8_T])
m4trace:configure.ac:138: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INT16_T]) m4trace:configure.ac:150: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INT16_T])
m4trace:configure.ac:138: -1- m4_pattern_allow([^HAVE_INT16_T$]) m4trace:configure.ac:150: -1- m4_pattern_allow([^HAVE_INT16_T$])
m4trace:configure.ac:138: -1- AH_OUTPUT([HAVE_INT16_T], [/* Define to 1 if the system has the type `int16_t\'. */ m4trace:configure.ac:150: -1- AH_OUTPUT([HAVE_INT16_T], [/* Define to 1 if the system has the type `int16_t\'. */
@%:@undef HAVE_INT16_T]) @%:@undef HAVE_INT16_T])
m4trace:configure.ac:138: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INT32_T]) m4trace:configure.ac:150: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INT32_T])
m4trace:configure.ac:138: -1- m4_pattern_allow([^HAVE_INT32_T$]) m4trace:configure.ac:150: -1- m4_pattern_allow([^HAVE_INT32_T$])
m4trace:configure.ac:138: -1- AH_OUTPUT([HAVE_INT32_T], [/* Define to 1 if the system has the type `int32_t\'. */ m4trace:configure.ac:150: -1- AH_OUTPUT([HAVE_INT32_T], [/* Define to 1 if the system has the type `int32_t\'. */
@%:@undef HAVE_INT32_T]) @%:@undef HAVE_INT32_T])
m4trace:configure.ac:138: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INT64_T]) m4trace:configure.ac:150: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INT64_T])
m4trace:configure.ac:138: -1- m4_pattern_allow([^HAVE_INT64_T$]) m4trace:configure.ac:150: -1- m4_pattern_allow([^HAVE_INT64_T$])
m4trace:configure.ac:138: -1- AH_OUTPUT([HAVE_INT64_T], [/* Define to 1 if the system has the type `int64_t\'. */ m4trace:configure.ac:150: -1- AH_OUTPUT([HAVE_INT64_T], [/* Define to 1 if the system has the type `int64_t\'. */
@%:@undef HAVE_INT64_T]) @%:@undef HAVE_INT64_T])
m4trace:configure.ac:141: -1- AC_DEFINE_TRACE_LITERAL([HAVE__BOOL]) m4trace:configure.ac:150: -1- AC_DEFINE_TRACE_LITERAL([HAVE_BOOLEAN])
m4trace:configure.ac:141: -1- m4_pattern_allow([^HAVE__BOOL$]) m4trace:configure.ac:150: -1- m4_pattern_allow([^HAVE_BOOLEAN$])
m4trace:configure.ac:141: -1- AH_OUTPUT([HAVE__BOOL], [/* Define to 1 if the system has the type `_Bool\'. */ m4trace:configure.ac:150: -1- AH_OUTPUT([HAVE_BOOLEAN], [/* Define to 1 if the system has the type `boolean\'. */
@%:@undef HAVE_BOOLEAN])
m4trace:configure.ac:153: -1- AC_DEFINE_TRACE_LITERAL([HAVE__BOOL])
m4trace:configure.ac:153: -1- m4_pattern_allow([^HAVE__BOOL$])
m4trace:configure.ac:153: -1- AH_OUTPUT([HAVE__BOOL], [/* Define to 1 if the system has the type `_Bool\'. */
@%:@undef HAVE__BOOL]) @%:@undef HAVE__BOOL])
m4trace:configure.ac:141: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STDBOOL_H]) m4trace:configure.ac:153: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STDBOOL_H])
m4trace:configure.ac:141: -1- m4_pattern_allow([^HAVE_STDBOOL_H$]) m4trace:configure.ac:153: -1- m4_pattern_allow([^HAVE_STDBOOL_H$])
m4trace:configure.ac:141: -1- AH_OUTPUT([HAVE_STDBOOL_H], [/* Define to 1 if stdbool.h conforms to C99. */ m4trace:configure.ac:153: -1- AH_OUTPUT([HAVE_STDBOOL_H], [/* Define to 1 if stdbool.h conforms to C99. */
@%:@undef HAVE_STDBOOL_H]) @%:@undef HAVE_STDBOOL_H])
m4trace:configure.ac:142: -1- AC_DEFINE_TRACE_LITERAL([size_t]) m4trace:configure.ac:154: -1- AC_DEFINE_TRACE_LITERAL([size_t])
m4trace:configure.ac:142: -1- m4_pattern_allow([^size_t$]) m4trace:configure.ac:154: -1- m4_pattern_allow([^size_t$])
m4trace:configure.ac:142: -1- AH_OUTPUT([size_t], [/* Define to `unsigned int\' if <sys/types.h> does not define. */ m4trace:configure.ac:154: -1- AH_OUTPUT([size_t], [/* Define to `unsigned int\' if <sys/types.h> does not define. */
@%:@undef size_t]) @%:@undef size_t])
m4trace:configure.ac:143: -1- AC_DEFINE_TRACE_LITERAL([uint16_t]) m4trace:configure.ac:155: -1- AC_DEFINE_TRACE_LITERAL([uint16_t])
m4trace:configure.ac:143: -1- m4_pattern_allow([^uint16_t$]) m4trace:configure.ac:155: -1- m4_pattern_allow([^uint16_t$])
m4trace:configure.ac:143: -1- AH_OUTPUT([uint16_t], [/* Define to the type of an unsigned integer type of width exactly 16 bits if m4trace:configure.ac:155: -1- AH_OUTPUT([uint16_t], [/* Define to the type of an unsigned integer type of width exactly 16 bits if
such a type exists and the standard includes do not define it. */ such a type exists and the standard includes do not define it. */
@%:@undef uint16_t]) @%:@undef uint16_t])
m4trace:configure.ac:144: -1- AC_DEFINE_TRACE_LITERAL([_UINT32_T]) m4trace:configure.ac:156: -1- AC_DEFINE_TRACE_LITERAL([_UINT32_T])
m4trace:configure.ac:144: -1- m4_pattern_allow([^_UINT32_T$]) m4trace:configure.ac:156: -1- m4_pattern_allow([^_UINT32_T$])
m4trace:configure.ac:144: -1- AH_OUTPUT([_UINT32_T], [/* Define for Solaris 2.5.1 so the uint32_t typedef from <sys/synch.h>, m4trace:configure.ac:156: -1- AH_OUTPUT([_UINT32_T], [/* Define for Solaris 2.5.1 so the uint32_t typedef from <sys/synch.h>,
<pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the <pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the
@%:@define below would cause a syntax error. */ @%:@define below would cause a syntax error. */
@%:@undef _UINT32_T]) @%:@undef _UINT32_T])
m4trace:configure.ac:144: -1- AC_DEFINE_TRACE_LITERAL([uint32_t]) m4trace:configure.ac:156: -1- AC_DEFINE_TRACE_LITERAL([uint32_t])
m4trace:configure.ac:144: -1- m4_pattern_allow([^uint32_t$]) m4trace:configure.ac:156: -1- m4_pattern_allow([^uint32_t$])
m4trace:configure.ac:144: -1- AH_OUTPUT([uint32_t], [/* Define to the type of an unsigned integer type of width exactly 32 bits if m4trace:configure.ac:156: -1- AH_OUTPUT([uint32_t], [/* Define to the type of an unsigned integer type of width exactly 32 bits if
such a type exists and the standard includes do not define it. */ such a type exists and the standard includes do not define it. */
@%:@undef uint32_t]) @%:@undef uint32_t])
m4trace:configure.ac:145: -1- AC_DEFINE_TRACE_LITERAL([_UINT8_T]) m4trace:configure.ac:157: -1- AC_DEFINE_TRACE_LITERAL([_UINT8_T])
m4trace:configure.ac:145: -1- m4_pattern_allow([^_UINT8_T$]) m4trace:configure.ac:157: -1- m4_pattern_allow([^_UINT8_T$])
m4trace:configure.ac:145: -1- AH_OUTPUT([_UINT8_T], [/* Define for Solaris 2.5.1 so the uint8_t typedef from <sys/synch.h>, m4trace:configure.ac:157: -1- AH_OUTPUT([_UINT8_T], [/* Define for Solaris 2.5.1 so the uint8_t typedef from <sys/synch.h>,
<pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the <pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the
@%:@define below would cause a syntax error. */ @%:@define below would cause a syntax error. */
@%:@undef _UINT8_T]) @%:@undef _UINT8_T])
m4trace:configure.ac:145: -1- AC_DEFINE_TRACE_LITERAL([uint8_t]) m4trace:configure.ac:157: -1- AC_DEFINE_TRACE_LITERAL([uint8_t])
m4trace:configure.ac:145: -1- m4_pattern_allow([^uint8_t$]) m4trace:configure.ac:157: -1- m4_pattern_allow([^uint8_t$])
m4trace:configure.ac:145: -1- AH_OUTPUT([uint8_t], [/* Define to the type of an unsigned integer type of width exactly 8 bits if m4trace:configure.ac:157: -1- AH_OUTPUT([uint8_t], [/* Define to the type of an unsigned integer type of width exactly 8 bits if
such a type exists and the standard includes do not define it. */ such a type exists and the standard includes do not define it. */
@%:@undef uint8_t]) @%:@undef uint8_t])
m4trace:configure.ac:146: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PTRDIFF_T]) m4trace:configure.ac:158: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PTRDIFF_T])
m4trace:configure.ac:146: -1- m4_pattern_allow([^HAVE_PTRDIFF_T$]) m4trace:configure.ac:158: -1- m4_pattern_allow([^HAVE_PTRDIFF_T$])
m4trace:configure.ac:146: -1- AH_OUTPUT([HAVE_PTRDIFF_T], [/* Define to 1 if the system has the type `ptrdiff_t\'. */ m4trace:configure.ac:158: -1- AH_OUTPUT([HAVE_PTRDIFF_T], [/* Define to 1 if the system has the type `ptrdiff_t\'. */
@%:@undef HAVE_PTRDIFF_T]) @%:@undef HAVE_PTRDIFF_T])
m4trace:configure.ac:149: -1- AH_OUTPUT([HAVE_STDLIB_H], [/* Define to 1 if you have the <stdlib.h> header file. */ m4trace:configure.ac:161: -1- AH_OUTPUT([HAVE_STDLIB_H], [/* Define to 1 if you have the <stdlib.h> header file. */
@%:@undef HAVE_STDLIB_H]) @%:@undef HAVE_STDLIB_H])
m4trace:configure.ac:149: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STDLIB_H]) m4trace:configure.ac:161: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STDLIB_H])
m4trace:configure.ac:149: -1- m4_pattern_allow([^HAVE_STDLIB_H$]) m4trace:configure.ac:161: -1- m4_pattern_allow([^HAVE_STDLIB_H$])
m4trace:configure.ac:149: -1- AC_DEFINE_TRACE_LITERAL([HAVE_MALLOC]) m4trace:configure.ac:161: -1- AC_DEFINE_TRACE_LITERAL([HAVE_MALLOC])
m4trace:configure.ac:149: -1- m4_pattern_allow([^HAVE_MALLOC$]) m4trace:configure.ac:161: -1- m4_pattern_allow([^HAVE_MALLOC$])
m4trace:configure.ac:149: -1- AH_OUTPUT([HAVE_MALLOC], [/* Define to 1 if your system has a GNU libc compatible `malloc\' function, and m4trace:configure.ac:161: -1- AH_OUTPUT([HAVE_MALLOC], [/* Define to 1 if your system has a GNU libc compatible `malloc\' function, and
to 0 otherwise. */ to 0 otherwise. */
@%:@undef HAVE_MALLOC]) @%:@undef HAVE_MALLOC])
m4trace:configure.ac:149: -1- AC_DEFINE_TRACE_LITERAL([HAVE_MALLOC]) m4trace:configure.ac:161: -1- AC_DEFINE_TRACE_LITERAL([HAVE_MALLOC])
m4trace:configure.ac:149: -1- m4_pattern_allow([^HAVE_MALLOC$]) m4trace:configure.ac:161: -1- m4_pattern_allow([^HAVE_MALLOC$])
m4trace:configure.ac:149: -1- AC_LIBSOURCE([malloc.c]) m4trace:configure.ac:161: -1- AC_LIBSOURCE([malloc.c])
m4trace:configure.ac:149: -1- AC_SUBST([LIB@&t@OBJS], ["$LIB@&t@OBJS malloc.$ac_objext"]) m4trace:configure.ac:161: -1- AC_SUBST([LIB@&t@OBJS], ["$LIB@&t@OBJS malloc.$ac_objext"])
m4trace:configure.ac:149: -1- AC_SUBST_TRACE([LIB@&t@OBJS]) m4trace:configure.ac:161: -1- AC_SUBST_TRACE([LIB@&t@OBJS])
m4trace:configure.ac:149: -1- m4_pattern_allow([^LIB@&t@OBJS$]) m4trace:configure.ac:161: -1- m4_pattern_allow([^LIB@&t@OBJS$])
m4trace:configure.ac:149: -1- AC_DEFINE_TRACE_LITERAL([malloc]) m4trace:configure.ac:161: -1- AC_DEFINE_TRACE_LITERAL([malloc])
m4trace:configure.ac:149: -1- m4_pattern_allow([^malloc$]) m4trace:configure.ac:161: -1- m4_pattern_allow([^malloc$])
m4trace:configure.ac:149: -1- AH_OUTPUT([malloc], [/* Define to rpl_malloc if the replacement function should be used. */ m4trace:configure.ac:161: -1- AH_OUTPUT([malloc], [/* Define to rpl_malloc if the replacement function should be used. */
@%:@undef malloc]) @%:@undef malloc])
m4trace:configure.ac:150: -1- AC_DEFINE_TRACE_LITERAL([TIME_WITH_SYS_TIME]) m4trace:configure.ac:162: -1- AC_DEFINE_TRACE_LITERAL([TIME_WITH_SYS_TIME])
m4trace:configure.ac:150: -1- m4_pattern_allow([^TIME_WITH_SYS_TIME$]) m4trace:configure.ac:162: -1- m4_pattern_allow([^TIME_WITH_SYS_TIME$])
m4trace:configure.ac:150: -1- AH_OUTPUT([TIME_WITH_SYS_TIME], [/* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */ m4trace:configure.ac:162: -1- AH_OUTPUT([TIME_WITH_SYS_TIME], [/* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */
@%:@undef TIME_WITH_SYS_TIME]) @%:@undef TIME_WITH_SYS_TIME])
m4trace:configure.ac:150: -1- AH_OUTPUT([HAVE_SYS_TIME_H], [/* Define to 1 if you have the <sys/time.h> header file. */ m4trace:configure.ac:162: -1- AH_OUTPUT([HAVE_SYS_TIME_H], [/* Define to 1 if you have the <sys/time.h> header file. */
@%:@undef HAVE_SYS_TIME_H]) @%:@undef HAVE_SYS_TIME_H])
m4trace:configure.ac:150: -1- AH_OUTPUT([HAVE_UNISTD_H], [/* Define to 1 if you have the <unistd.h> header file. */ m4trace:configure.ac:162: -1- AH_OUTPUT([HAVE_UNISTD_H], [/* Define to 1 if you have the <unistd.h> header file. */
@%:@undef HAVE_UNISTD_H]) @%:@undef HAVE_UNISTD_H])
m4trace:configure.ac:150: -1- AH_OUTPUT([HAVE_ALARM], [/* Define to 1 if you have the `alarm\' function. */ m4trace:configure.ac:162: -1- AH_OUTPUT([HAVE_ALARM], [/* Define to 1 if you have the `alarm\' function. */
@%:@undef HAVE_ALARM]) @%:@undef HAVE_ALARM])
m4trace:configure.ac:150: -1- AC_LIBSOURCE([mktime.c]) m4trace:configure.ac:162: -1- AC_LIBSOURCE([mktime.c])
m4trace:configure.ac:150: -1- AC_SUBST([LIB@&t@OBJS], ["$LIB@&t@OBJS mktime.$ac_objext"]) m4trace:configure.ac:162: -1- AC_SUBST([LIB@&t@OBJS], ["$LIB@&t@OBJS mktime.$ac_objext"])
m4trace:configure.ac:150: -1- AC_SUBST_TRACE([LIB@&t@OBJS]) m4trace:configure.ac:162: -1- AC_SUBST_TRACE([LIB@&t@OBJS])
m4trace:configure.ac:150: -1- m4_pattern_allow([^LIB@&t@OBJS$]) m4trace:configure.ac:162: -1- m4_pattern_allow([^LIB@&t@OBJS$])
m4trace:configure.ac:151: -1- AH_OUTPUT([HAVE_STDLIB_H], [/* Define to 1 if you have the <stdlib.h> header file. */ m4trace:configure.ac:163: -1- AH_OUTPUT([HAVE_STDLIB_H], [/* Define to 1 if you have the <stdlib.h> header file. */
@%:@undef HAVE_STDLIB_H]) @%:@undef HAVE_STDLIB_H])
m4trace:configure.ac:151: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STDLIB_H]) m4trace:configure.ac:163: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STDLIB_H])
m4trace:configure.ac:151: -1- m4_pattern_allow([^HAVE_STDLIB_H$]) m4trace:configure.ac:163: -1- m4_pattern_allow([^HAVE_STDLIB_H$])
m4trace:configure.ac:151: -1- AC_DEFINE_TRACE_LITERAL([HAVE_REALLOC]) m4trace:configure.ac:163: -1- AC_DEFINE_TRACE_LITERAL([HAVE_REALLOC])
m4trace:configure.ac:151: -1- m4_pattern_allow([^HAVE_REALLOC$]) m4trace:configure.ac:163: -1- m4_pattern_allow([^HAVE_REALLOC$])
m4trace:configure.ac:151: -1- AH_OUTPUT([HAVE_REALLOC], [/* Define to 1 if your system has a GNU libc compatible `realloc\' function, m4trace:configure.ac:163: -1- AH_OUTPUT([HAVE_REALLOC], [/* Define to 1 if your system has a GNU libc compatible `realloc\' function,
and to 0 otherwise. */ and to 0 otherwise. */
@%:@undef HAVE_REALLOC]) @%:@undef HAVE_REALLOC])
m4trace:configure.ac:151: -1- AC_DEFINE_TRACE_LITERAL([HAVE_REALLOC]) m4trace:configure.ac:163: -1- AC_DEFINE_TRACE_LITERAL([HAVE_REALLOC])
m4trace:configure.ac:151: -1- m4_pattern_allow([^HAVE_REALLOC$]) m4trace:configure.ac:163: -1- m4_pattern_allow([^HAVE_REALLOC$])
m4trace:configure.ac:151: -1- AC_LIBSOURCE([realloc.c]) m4trace:configure.ac:163: -1- AC_LIBSOURCE([realloc.c])
m4trace:configure.ac:151: -1- AC_SUBST([LIB@&t@OBJS], ["$LIB@&t@OBJS realloc.$ac_objext"]) m4trace:configure.ac:163: -1- AC_SUBST([LIB@&t@OBJS], ["$LIB@&t@OBJS realloc.$ac_objext"])
m4trace:configure.ac:151: -1- AC_SUBST_TRACE([LIB@&t@OBJS]) m4trace:configure.ac:163: -1- AC_SUBST_TRACE([LIB@&t@OBJS])
m4trace:configure.ac:151: -1- m4_pattern_allow([^LIB@&t@OBJS$]) m4trace:configure.ac:163: -1- m4_pattern_allow([^LIB@&t@OBJS$])
m4trace:configure.ac:151: -1- AC_DEFINE_TRACE_LITERAL([realloc]) m4trace:configure.ac:163: -1- AC_DEFINE_TRACE_LITERAL([realloc])
m4trace:configure.ac:151: -1- m4_pattern_allow([^realloc$]) m4trace:configure.ac:163: -1- m4_pattern_allow([^realloc$])
m4trace:configure.ac:151: -1- AH_OUTPUT([realloc], [/* Define to rpl_realloc if the replacement function should be used. */ m4trace:configure.ac:163: -1- AH_OUTPUT([realloc], [/* Define to rpl_realloc if the replacement function should be used. */
@%:@undef realloc]) @%:@undef realloc])
m4trace:configure.ac:152: -1- AH_OUTPUT([HAVE_MEMMOVE], [/* Define to 1 if you have the `memmove\' function. */ m4trace:configure.ac:164: -1- AH_OUTPUT([HAVE_MEMMOVE], [/* Define to 1 if you have the `memmove\' function. */
@%:@undef HAVE_MEMMOVE]) @%:@undef HAVE_MEMMOVE])
m4trace:configure.ac:152: -1- AH_OUTPUT([HAVE_MEMSET], [/* Define to 1 if you have the `memset\' function. */ m4trace:configure.ac:164: -1- AH_OUTPUT([HAVE_MEMSET], [/* Define to 1 if you have the `memset\' function. */
@%:@undef HAVE_MEMSET]) @%:@undef HAVE_MEMSET])
m4trace:configure.ac:152: -1- AH_OUTPUT([HAVE_REGCOMP], [/* Define to 1 if you have the `regcomp\' function. */ m4trace:configure.ac:164: -1- AH_OUTPUT([HAVE_REGCOMP], [/* Define to 1 if you have the `regcomp\' function. */
@%:@undef HAVE_REGCOMP]) @%:@undef HAVE_REGCOMP])
m4trace:configure.ac:152: -1- AH_OUTPUT([HAVE_STRCASECMP], [/* Define to 1 if you have the `strcasecmp\' function. */ m4trace:configure.ac:164: -1- AH_OUTPUT([HAVE_STRCASECMP], [/* Define to 1 if you have the `strcasecmp\' function. */
@%:@undef HAVE_STRCASECMP]) @%:@undef HAVE_STRCASECMP])
m4trace:configure.ac:152: -1- AH_OUTPUT([HAVE_STRDUP], [/* Define to 1 if you have the `strdup\' function. */ m4trace:configure.ac:164: -1- AH_OUTPUT([HAVE_STRDUP], [/* Define to 1 if you have the `strdup\' function. */
@%:@undef HAVE_STRDUP]) @%:@undef HAVE_STRDUP])
m4trace:configure.ac:152: -1- AH_OUTPUT([HAVE_STRSTR], [/* Define to 1 if you have the `strstr\' function. */ m4trace:configure.ac:164: -1- AH_OUTPUT([HAVE_STRSTR], [/* Define to 1 if you have the `strstr\' function. */
@%:@undef HAVE_STRSTR]) @%:@undef HAVE_STRSTR])
m4trace:configure.ac:152: -1- AH_OUTPUT([HAVE_STRTOL], [/* Define to 1 if you have the `strtol\' function. */ m4trace:configure.ac:164: -1- AH_OUTPUT([HAVE_STRTOL], [/* Define to 1 if you have the `strtol\' function. */
@%:@undef HAVE_STRTOL]) @%:@undef HAVE_STRTOL])
m4trace:configure.ac:152: -1- AH_OUTPUT([HAVE_STRTOUL], [/* Define to 1 if you have the `strtoul\' function. */ m4trace:configure.ac:164: -1- AH_OUTPUT([HAVE_STRTOUL], [/* Define to 1 if you have the `strtoul\' function. */
@%:@undef HAVE_STRTOUL]) @%:@undef HAVE_STRTOUL])
m4trace:configure.ac:154: -1- AC_DEFINE_TRACE_LITERAL([VERSION]) m4trace:configure.ac:166: -1- AC_DEFINE_TRACE_LITERAL([VERSION])
m4trace:configure.ac:154: -1- m4_pattern_allow([^VERSION$]) m4trace:configure.ac:166: -1- m4_pattern_allow([^VERSION$])
m4trace:configure.ac:154: -1- AH_OUTPUT([VERSION], [/* Module version */ m4trace:configure.ac:166: -1- AH_OUTPUT([VERSION], [/* Module version */
@%:@undef VERSION]) @%:@undef VERSION])
m4trace:configure.ac:155: -1- AC_DEFINE_TRACE_LITERAL([PACKAGE]) m4trace:configure.ac:167: -1- AC_DEFINE_TRACE_LITERAL([PACKAGE])
m4trace:configure.ac:155: -1- m4_pattern_allow([^PACKAGE$]) m4trace:configure.ac:167: -1- m4_pattern_allow([^PACKAGE$])
m4trace:configure.ac:155: -1- AH_OUTPUT([PACKAGE], [/* Package name */ m4trace:configure.ac:167: -1- AH_OUTPUT([PACKAGE], [/* Package name */
@%:@undef PACKAGE]) @%:@undef PACKAGE])
m4trace:configure.ac:156: -1- AC_DEFINE_TRACE_LITERAL([PACKAGE_BUGREPORT]) m4trace:configure.ac:168: -1- AC_DEFINE_TRACE_LITERAL([PACKAGE_BUGREPORT])
m4trace:configure.ac:156: -1- m4_pattern_allow([^PACKAGE_BUGREPORT$]) m4trace:configure.ac:168: -1- m4_pattern_allow([^PACKAGE_BUGREPORT$])
m4trace:configure.ac:156: -1- AH_OUTPUT([PACKAGE_BUGREPORT], [/* Bug report address */ m4trace:configure.ac:168: -1- AH_OUTPUT([PACKAGE_BUGREPORT], [/* Bug report address */
@%:@undef PACKAGE_BUGREPORT]) @%:@undef PACKAGE_BUGREPORT])
m4trace:configure.ac:157: -1- AC_DEFINE_TRACE_LITERAL([PACKAGE_NAME]) m4trace:configure.ac:169: -1- AC_DEFINE_TRACE_LITERAL([PACKAGE_NAME])
m4trace:configure.ac:157: -1- m4_pattern_allow([^PACKAGE_NAME$]) m4trace:configure.ac:169: -1- m4_pattern_allow([^PACKAGE_NAME$])
m4trace:configure.ac:157: -1- AH_OUTPUT([PACKAGE_NAME], [/* Package full name */ m4trace:configure.ac:169: -1- AH_OUTPUT([PACKAGE_NAME], [/* Package full name */
@%:@undef PACKAGE_NAME]) @%:@undef PACKAGE_NAME])
m4trace:configure.ac:158: -1- AC_DEFINE_TRACE_LITERAL([PACKAGE_STRING]) m4trace:configure.ac:170: -1- AC_DEFINE_TRACE_LITERAL([PACKAGE_STRING])
m4trace:configure.ac:158: -1- m4_pattern_allow([^PACKAGE_STRING$]) m4trace:configure.ac:170: -1- m4_pattern_allow([^PACKAGE_STRING$])
m4trace:configure.ac:158: -1- AH_OUTPUT([PACKAGE_STRING], [/* Package string */ m4trace:configure.ac:170: -1- AH_OUTPUT([PACKAGE_STRING], [/* Package string */
@%:@undef PACKAGE_STRING]) @%:@undef PACKAGE_STRING])
m4trace:configure.ac:159: -1- AC_DEFINE_TRACE_LITERAL([PACKAGE_TARNAME]) m4trace:configure.ac:171: -1- AC_DEFINE_TRACE_LITERAL([PACKAGE_TARNAME])
m4trace:configure.ac:159: -1- m4_pattern_allow([^PACKAGE_TARNAME$]) m4trace:configure.ac:171: -1- m4_pattern_allow([^PACKAGE_TARNAME$])
m4trace:configure.ac:159: -1- AH_OUTPUT([PACKAGE_TARNAME], [/* Package tarname */ m4trace:configure.ac:171: -1- AH_OUTPUT([PACKAGE_TARNAME], [/* Package tarname */
@%:@undef PACKAGE_TARNAME]) @%:@undef PACKAGE_TARNAME])
m4trace:configure.ac:160: -1- AC_DEFINE_TRACE_LITERAL([PACKAGE_VERSION]) m4trace:configure.ac:172: -1- AC_DEFINE_TRACE_LITERAL([PACKAGE_VERSION])
m4trace:configure.ac:160: -1- m4_pattern_allow([^PACKAGE_VERSION$]) m4trace:configure.ac:172: -1- m4_pattern_allow([^PACKAGE_VERSION$])
m4trace:configure.ac:160: -1- AH_OUTPUT([PACKAGE_VERSION], [/* Package version */ m4trace:configure.ac:172: -1- AH_OUTPUT([PACKAGE_VERSION], [/* Package version */
@%:@undef PACKAGE_VERSION]) @%:@undef PACKAGE_VERSION])
m4trace:configure.ac:161: -1- AC_DEFINE_TRACE_LITERAL([SUP_IP6]) m4trace:configure.ac:173: -1- AC_DEFINE_TRACE_LITERAL([SUP_IP6])
m4trace:configure.ac:161: -1- m4_pattern_allow([^SUP_IP6$]) m4trace:configure.ac:173: -1- m4_pattern_allow([^SUP_IP6$])
m4trace:configure.ac:161: -1- AH_OUTPUT([SUP_IP6], [/* Use SUP_IP6 */ m4trace:configure.ac:173: -1- AH_OUTPUT([SUP_IP6], [/* Use SUP_IP6 */
@%:@undef SUP_IP6]) @%:@undef SUP_IP6])
m4trace:configure.ac:163: -1- AC_DEFINE_TRACE_LITERAL([HAVE_VISIBILITY]) m4trace:configure.ac:175: -1- AC_DEFINE_TRACE_LITERAL([HAVE_VISIBILITY])
m4trace:configure.ac:163: -1- m4_pattern_allow([^HAVE_VISIBILITY$]) m4trace:configure.ac:175: -1- m4_pattern_allow([^HAVE_VISIBILITY$])
m4trace:configure.ac:163: -1- AH_OUTPUT([HAVE_VISIBILITY], [/* Check if the compiler supports visibility */ m4trace:configure.ac:175: -1- AH_OUTPUT([HAVE_VISIBILITY], [/* Check if the compiler supports visibility */
@%:@undef HAVE_VISIBILITY]) @%:@undef HAVE_VISIBILITY])
m4trace:configure.ac:164: -1- AC_DEFINE_TRACE_LITERAL([PREFIX]) m4trace:configure.ac:176: -1- AC_DEFINE_TRACE_LITERAL([PREFIX])
m4trace:configure.ac:164: -1- m4_pattern_allow([^PREFIX$]) m4trace:configure.ac:176: -1- m4_pattern_allow([^PREFIX$])
m4trace:configure.ac:164: -1- AH_OUTPUT([PREFIX], [/* Installation prefix */ m4trace:configure.ac:176: -1- AH_OUTPUT([PREFIX], [/* Installation prefix */
@%:@undef PREFIX]) @%:@undef PREFIX])
m4trace:configure.ac:166: -1- AC_CONFIG_FILES([Makefile]) m4trace:configure.ac:178: -1- AC_CONFIG_FILES([Makefile])
m4trace:configure.ac:167: -1- AC_SUBST([LIB@&t@OBJS], [$ac_libobjs]) m4trace:configure.ac:179: -1- AC_SUBST([LIB@&t@OBJS], [$ac_libobjs])
m4trace:configure.ac:167: -1- AC_SUBST_TRACE([LIB@&t@OBJS]) m4trace:configure.ac:179: -1- AC_SUBST_TRACE([LIB@&t@OBJS])
m4trace:configure.ac:167: -1- m4_pattern_allow([^LIB@&t@OBJS$]) m4trace:configure.ac:179: -1- m4_pattern_allow([^LIB@&t@OBJS$])
m4trace:configure.ac:167: -1- AC_SUBST([LTLIBOBJS], [$ac_ltlibobjs]) m4trace:configure.ac:179: -1- AC_SUBST([LTLIBOBJS], [$ac_ltlibobjs])
m4trace:configure.ac:167: -1- AC_SUBST_TRACE([LTLIBOBJS]) m4trace:configure.ac:179: -1- AC_SUBST_TRACE([LTLIBOBJS])
m4trace:configure.ac:167: -1- m4_pattern_allow([^LTLIBOBJS$]) m4trace:configure.ac:179: -1- m4_pattern_allow([^LTLIBOBJS$])
m4trace:configure.ac:167: -1- AM_CONDITIONAL([am__EXEEXT], [test -n "$EXEEXT"]) m4trace:configure.ac:179: -1- AM_CONDITIONAL([am__EXEEXT], [test -n "$EXEEXT"])
m4trace:configure.ac:167: -1- AC_SUBST([am__EXEEXT_TRUE]) m4trace:configure.ac:179: -1- AC_SUBST([am__EXEEXT_TRUE])
m4trace:configure.ac:167: -1- AC_SUBST_TRACE([am__EXEEXT_TRUE]) m4trace:configure.ac:179: -1- AC_SUBST_TRACE([am__EXEEXT_TRUE])
m4trace:configure.ac:167: -1- m4_pattern_allow([^am__EXEEXT_TRUE$]) m4trace:configure.ac:179: -1- m4_pattern_allow([^am__EXEEXT_TRUE$])
m4trace:configure.ac:167: -1- AC_SUBST([am__EXEEXT_FALSE]) m4trace:configure.ac:179: -1- AC_SUBST([am__EXEEXT_FALSE])
m4trace:configure.ac:167: -1- AC_SUBST_TRACE([am__EXEEXT_FALSE]) m4trace:configure.ac:179: -1- AC_SUBST_TRACE([am__EXEEXT_FALSE])
m4trace:configure.ac:167: -1- m4_pattern_allow([^am__EXEEXT_FALSE$]) m4trace:configure.ac:179: -1- m4_pattern_allow([^am__EXEEXT_FALSE$])
m4trace:configure.ac:167: -1- _AM_SUBST_NOTMAKE([am__EXEEXT_TRUE]) m4trace:configure.ac:179: -1- _AM_SUBST_NOTMAKE([am__EXEEXT_TRUE])
m4trace:configure.ac:167: -1- _AM_SUBST_NOTMAKE([am__EXEEXT_FALSE]) m4trace:configure.ac:179: -1- _AM_SUBST_NOTMAKE([am__EXEEXT_FALSE])
m4trace:configure.ac:167: -1- AC_SUBST_TRACE([top_builddir]) m4trace:configure.ac:179: -1- AC_SUBST_TRACE([top_builddir])
m4trace:configure.ac:167: -1- AC_SUBST_TRACE([top_build_prefix]) m4trace:configure.ac:179: -1- AC_SUBST_TRACE([top_build_prefix])
m4trace:configure.ac:167: -1- AC_SUBST_TRACE([srcdir]) m4trace:configure.ac:179: -1- AC_SUBST_TRACE([srcdir])
m4trace:configure.ac:167: -1- AC_SUBST_TRACE([abs_srcdir]) m4trace:configure.ac:179: -1- AC_SUBST_TRACE([abs_srcdir])
m4trace:configure.ac:167: -1- AC_SUBST_TRACE([top_srcdir]) m4trace:configure.ac:179: -1- AC_SUBST_TRACE([top_srcdir])
m4trace:configure.ac:167: -1- AC_SUBST_TRACE([abs_top_srcdir]) m4trace:configure.ac:179: -1- AC_SUBST_TRACE([abs_top_srcdir])
m4trace:configure.ac:167: -1- AC_SUBST_TRACE([builddir]) m4trace:configure.ac:179: -1- AC_SUBST_TRACE([builddir])
m4trace:configure.ac:167: -1- AC_SUBST_TRACE([abs_builddir]) m4trace:configure.ac:179: -1- AC_SUBST_TRACE([abs_builddir])
m4trace:configure.ac:167: -1- AC_SUBST_TRACE([abs_top_builddir]) m4trace:configure.ac:179: -1- AC_SUBST_TRACE([abs_top_builddir])
m4trace:configure.ac:167: -1- AC_SUBST_TRACE([INSTALL]) m4trace:configure.ac:179: -1- AC_SUBST_TRACE([INSTALL])
m4trace:configure.ac:167: -1- AC_SUBST_TRACE([MKDIR_P]) m4trace:configure.ac:179: -1- AC_SUBST_TRACE([MKDIR_P])
m4trace:configure.ac:167: -1- AC_REQUIRE_AUX_FILE([ltmain.sh]) m4trace:configure.ac:179: -1- AC_REQUIRE_AUX_FILE([ltmain.sh])


@ -17,12 +17,6 @@
/* Define to 1 if using `alloca.c'. */ /* Define to 1 if using `alloca.c'. */
#undef C_ALLOCA #undef C_ALLOCA
/* Define if you want to enable database support */
#undef ENABLE_DB
/* Define if you want to use MySQL */
#undef ENABLE_MYSQL
/* Define if FreeBSD */ /* Define if FreeBSD */
#undef FREEBSD #undef FREEBSD
@ -36,6 +30,9 @@
*/ */
#undef HAVE_ALLOCA_H #undef HAVE_ALLOCA_H
/* Define to 1 if the system has the type `boolean'. */
#undef HAVE_BOOLEAN
/* Define to 1 if you have the <dlfcn.h> header file. */ /* Define to 1 if you have the <dlfcn.h> header file. */
#undef HAVE_DLFCN_H #undef HAVE_DLFCN_H
@ -54,6 +51,15 @@
/* Define to 1 if you have the <inttypes.h> header file. */ /* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H #undef HAVE_INTTYPES_H
/* Define to 1 if you have the `gvc' library (-lgvc). */
#undef HAVE_LIBGVC
/* Define to 1 if you have the `m' library (-lm). */
#undef HAVE_LIBM
/* Define to 1 if you have the `mysqlclient' library (-lmysqlclient). */
#undef HAVE_LIBMYSQLCLIENT
/* Define to 1 if you have the `pthread' library (-lpthread). */ /* Define to 1 if you have the `pthread' library (-lpthread). */
#undef HAVE_LIBPTHREAD #undef HAVE_LIBPTHREAD
@ -67,6 +73,9 @@
to 0 otherwise. */ to 0 otherwise. */
#undef HAVE_MALLOC #undef HAVE_MALLOC
/* Define to 1 if you have the <math.h> header file. */
#undef HAVE_MATH_H
/* Define to 1 if you have the `memmove' function. */ /* Define to 1 if you have the `memmove' function. */
#undef HAVE_MEMMOVE #undef HAVE_MEMMOVE

203
configure vendored

@ -751,9 +751,9 @@ am__EXEEXT_TRUE
LTLIBOBJS LTLIBOBJS
LIBOBJS LIBOBJS
ALLOCA ALLOCA
LIBGRAPH_INCLUDES
LIBXML2_INCLUDES LIBXML2_INCLUDES
CORR_RULES_PREFIX CORR_RULES_PREFIX
MYSQL
extra_incl extra_incl
CPP CPP
OTOOL64 OTOOL64
@ -871,6 +871,7 @@ enable_dependency_tracking
with_gnu_ld with_gnu_ld
enable_libtool_lock enable_libtool_lock
with_mysql with_mysql
with_graphviz
' '
ac_precious_vars='build_alias ac_precious_vars='build_alias
host_alias host_alias
@ -1517,6 +1518,8 @@ Optional Packages:
both] both]
--with-gnu-ld assume the C compiler uses GNU ld [default=no] --with-gnu-ld assume the C compiler uses GNU ld [default=no]
--with-mysql Enable support for MySQL alert logs [default=no] --with-mysql Enable support for MySQL alert logs [default=no]
--without-graphviz Disable Graphviz support for rendering correlated
alerts as a PNG graph [default=yes]
Some influential environment variables: Some influential environment variables:
CC C compiler command CC C compiler command
@ -4582,13 +4585,13 @@ if test "${lt_cv_nm_interface+set}" = set; then :
else else
lt_cv_nm_interface="BSD nm" lt_cv_nm_interface="BSD nm"
echo "int some_variable = 0;" > conftest.$ac_ext echo "int some_variable = 0;" > conftest.$ac_ext
(eval echo "\"\$as_me:4585: $ac_compile\"" >&5) (eval echo "\"\$as_me:4588: $ac_compile\"" >&5)
(eval "$ac_compile" 2>conftest.err) (eval "$ac_compile" 2>conftest.err)
cat conftest.err >&5 cat conftest.err >&5
(eval echo "\"\$as_me:4588: $NM \\\"conftest.$ac_objext\\\"\"" >&5) (eval echo "\"\$as_me:4591: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
(eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
cat conftest.err >&5 cat conftest.err >&5
(eval echo "\"\$as_me:4591: output\"" >&5) (eval echo "\"\$as_me:4594: output\"" >&5)
cat conftest.out >&5 cat conftest.out >&5
if $GREP 'External.*some_variable' conftest.out > /dev/null; then if $GREP 'External.*some_variable' conftest.out > /dev/null; then
lt_cv_nm_interface="MS dumpbin" lt_cv_nm_interface="MS dumpbin"
@ -5794,7 +5797,7 @@ ia64-*-hpux*)
;; ;;
*-*-irix6*) *-*-irix6*)
# Find out which ABI we are using. # Find out which ABI we are using.
echo '#line 5797 "configure"' > conftest.$ac_ext echo '#line 5800 "configure"' > conftest.$ac_ext
if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
(eval $ac_compile) 2>&5 (eval $ac_compile) 2>&5
ac_status=$? ac_status=$?
@ -7319,11 +7322,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'` -e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:7322: $lt_compile\"" >&5) (eval echo "\"\$as_me:7325: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err) (eval "$lt_compile" 2>conftest.err)
ac_status=$? ac_status=$?
cat conftest.err >&5 cat conftest.err >&5
echo "$as_me:7326: \$? = $ac_status" >&5 echo "$as_me:7329: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized # The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output. # So say no if there are warnings other than the usual output.
@ -7658,11 +7661,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'` -e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:7661: $lt_compile\"" >&5) (eval echo "\"\$as_me:7664: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err) (eval "$lt_compile" 2>conftest.err)
ac_status=$? ac_status=$?
cat conftest.err >&5 cat conftest.err >&5
echo "$as_me:7665: \$? = $ac_status" >&5 echo "$as_me:7668: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized # The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output. # So say no if there are warnings other than the usual output.
@ -7763,11 +7766,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'` -e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:7766: $lt_compile\"" >&5) (eval echo "\"\$as_me:7769: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err) (eval "$lt_compile" 2>out/conftest.err)
ac_status=$? ac_status=$?
cat out/conftest.err >&5 cat out/conftest.err >&5
echo "$as_me:7770: \$? = $ac_status" >&5 echo "$as_me:7773: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext if (exit $ac_status) && test -s out/conftest2.$ac_objext
then then
# The compiler can only warn and ignore the option if not recognized # The compiler can only warn and ignore the option if not recognized
@ -7818,11 +7821,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'` -e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:7821: $lt_compile\"" >&5) (eval echo "\"\$as_me:7824: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err) (eval "$lt_compile" 2>out/conftest.err)
ac_status=$? ac_status=$?
cat out/conftest.err >&5 cat out/conftest.err >&5
echo "$as_me:7825: \$? = $ac_status" >&5 echo "$as_me:7828: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext if (exit $ac_status) && test -s out/conftest2.$ac_objext
then then
# The compiler can only warn and ignore the option if not recognized # The compiler can only warn and ignore the option if not recognized
@ -10202,7 +10205,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<_LT_EOF cat > conftest.$ac_ext <<_LT_EOF
#line 10205 "configure" #line 10208 "configure"
#include "confdefs.h" #include "confdefs.h"
#if HAVE_DLFCN_H #if HAVE_DLFCN_H
@ -10298,7 +10301,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<_LT_EOF cat > conftest.$ac_ext <<_LT_EOF
#line 10301 "configure" #line 10304 "configure"
#include "confdefs.h" #include "confdefs.h"
#if HAVE_DLFCN_H #if HAVE_DLFCN_H
@ -11369,6 +11372,15 @@ else
fi fi
# Check whether --with-graphviz was given.
if test "${with_graphviz+set}" = set; then :
withval=$with_graphviz;
else
with_graphviz=yes
fi
# Checks for libraries. # Checks for libraries.
if test "x$with_mysql" != xno; then : if test "x$with_mysql" != xno; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for mysql_query in -lmysqlclient" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for mysql_query in -lmysqlclient" >&5
@ -11377,7 +11389,7 @@ if test "${ac_cv_lib_mysqlclient_mysql_query+set}" = set; then :
$as_echo_n "(cached) " >&6 $as_echo_n "(cached) " >&6
else else
ac_check_lib_save_LIBS=$LIBS ac_check_lib_save_LIBS=$LIBS
LIBS="-lmysqlclient -lmysqlclient $LIBS" LIBS="-lmysqlclient $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */ /* end confdefs.h. */
@ -11408,22 +11420,70 @@ fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_mysqlclient_mysql_query" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_mysqlclient_mysql_query" >&5
$as_echo "$ac_cv_lib_mysqlclient_mysql_query" >&6; } $as_echo "$ac_cv_lib_mysqlclient_mysql_query" >&6; }
if test "x$ac_cv_lib_mysqlclient_mysql_query" = x""yes; then : if test "x$ac_cv_lib_mysqlclient_mysql_query" = x""yes; then :
MYSQL="-lmysqlclient" cat >>confdefs.h <<_ACEOF
#define HAVE_LIBMYSQLCLIENT 1
_ACEOF
$as_echo "#define ENABLE_MYSQL 1" >>confdefs.h
$as_echo "#define ENABLE_DB 1" >>confdefs.h
LIBS="-lmysqlclient $LIBS"
else else
if test "x$with_mysql" != xno; then { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "--with-mysql option used, but libmysqlclient was not found as_fn_error $? "--with-mysql option used, but libmysqlclient was not found - do not use --with-mysql, or, on a Debian-based system, install libmysqlclient-dev
See \`config.log' for more details" "$LINENO" 5 ; }
fi
fi
if test "x$with_graphviz" != xno; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for agread in -lgvc" >&5
$as_echo_n "checking for agread in -lgvc... " >&6; }
if test "${ac_cv_lib_gvc_agread+set}" = set; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
LIBS="-lgvc $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char agread ();
int
main ()
{
return agread ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_lib_gvc_agread=yes
else
ac_cv_lib_gvc_agread=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gvc_agread" >&5
$as_echo "$ac_cv_lib_gvc_agread" >&6; }
if test "x$ac_cv_lib_gvc_agread" = x""yes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_LIBGVC 1
_ACEOF
LIBS="-lgvc $LIBS"
else
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "libgraphviz support required but the library was not found - use --without-graphviz if you do not want to enable the support for it, or, on a Debian-based system, install libgraphviz-dev
See \`config.log' for more details" "$LINENO" 5 ; } See \`config.log' for more details" "$LINENO" 5 ; }
fi
fi fi
fi fi
@ -11471,6 +11531,11 @@ _ACEOF
LIBS="-lxml2 $LIBS" LIBS="-lxml2 $LIBS"
else
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "libxml2 not found on the system
See \`config.log' for more details" "$LINENO" 5 ; }
fi fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lpthread" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lpthread" >&5
@ -11516,6 +11581,61 @@ _ACEOF
LIBS="-lpthread $LIBS" LIBS="-lpthread $LIBS"
else
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "libpthread not found on the system
See \`config.log' for more details" "$LINENO" 5 ; }
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for sqrt in -lm" >&5
$as_echo_n "checking for sqrt in -lm... " >&6; }
if test "${ac_cv_lib_m_sqrt+set}" = set; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
LIBS="-lm $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char sqrt ();
int
main ()
{
return sqrt ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_lib_m_sqrt=yes
else
ac_cv_lib_m_sqrt=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_m_sqrt" >&5
$as_echo "$ac_cv_lib_m_sqrt" >&6; }
if test "x$ac_cv_lib_m_sqrt" = x""yes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_LIBM 1
_ACEOF
LIBS="-lm $LIBS"
else
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "libm not found on the system
See \`config.log' for more details" "$LINENO" 5 ; }
fi fi
@ -11539,6 +11659,24 @@ as_fn_error $? "libxml2 not found, okr pkg-config not working
See \`config.log' for more details" "$LINENO" 5 ; } See \`config.log' for more details" "$LINENO" 5 ; }
fi fi
if test "x$with_graphviz" != xno; then :
if test ! -z "`pkg-config --cflags libgraph 2> /dev/null`"; then :
LIBGRAPH_INCLUDES="$(pkg-config --cflags libgraph 2> /dev/null)"
else
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "libgraphviz support enabled, but the library was not found or pkg-config is not working
See \`config.log' for more details" "$LINENO" 5 ; }
fi
fi
if test "x$with_graphviz" != xno; then :
$as_echo "#define HAVE_BOOLEAN 1" >>confdefs.h
fi
# The Ultrix 4.2 mips builtin alloca declared by alloca.h only works # The Ultrix 4.2 mips builtin alloca declared by alloca.h only works
# for constant arguments. Useless! # for constant arguments. Useless!
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for working alloca.h" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for working alloca.h" >&5
@ -11728,7 +11866,7 @@ _ACEOF
fi fi
for ac_header in inttypes.h limits.h stddef.h stdlib.h string.h unistd.h wchar.h for ac_header in inttypes.h limits.h stddef.h stdlib.h string.h unistd.h wchar.h math.h
do : do :
as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
@ -11853,6 +11991,15 @@ cat >>confdefs.h <<_ACEOF
_ACEOF _ACEOF
fi
ac_fn_c_check_type "$LINENO" "boolean" "ac_cv_type_boolean" "$ac_includes_default"
if test "x$ac_cv_type_boolean" = x""yes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_BOOLEAN 1
_ACEOF
fi fi


@ -105,20 +105,24 @@ AC_ARG_WITH(mysql,
[with_mysql=yes], [with_mysql=yes],
[with_mysql=no]) [with_mysql=no])
AC_ARG_WITH(graphviz,
AS_HELP_STRING([--without-graphviz],
[Disable Graphviz support for rendering correlated alerts as a PNG graph @<:@default=yes@:>@]),
[],
[with_graphviz=yes])
# Checks for libraries. # Checks for libraries.
AS_IF([test "x$with_mysql" != xno], AS_IF([test "x$with_mysql" != xno],
[AC_CHECK_LIB([mysqlclient], [mysql_query], [AC_CHECK_LIB([mysqlclient], [mysql_query],,
[AC_SUBST([MYSQL], ["-lmysqlclient"]) [AC_MSG_FAILURE([--with-mysql option used, but libmysqlclient was not found - do not use --with-mysql, or, on a Debian-based system, install libmysqlclient-dev])])])
AC_DEFINE(ENABLE_MYSQL, 1, [Define if you want to use MySQL])
AC_DEFINE(ENABLE_DB, 1, [Define if you want to enable database support])
],
[if test "x$with_mysql" != xno; then
AC_MSG_FAILURE([--with-mysql option used, but libmysqlclient was not found])
fi],
-lmysqlclient)])
AC_CHECK_LIB([xml2], [xmlReaderForFile]) AS_IF([test "x$with_graphviz" != xno],
AC_CHECK_LIB([pthread], [pthread_create]) [AC_CHECK_LIB([gvc], [agread],,
[AC_MSG_FAILURE([libgraphviz support required but the library was not found - use --without-graphviz if you do not want to enable the support for it, or, on a Debian-based system, install libgraphviz-dev])])])
AC_CHECK_LIB([xml2], [xmlReaderForFile],, AC_MSG_FAILURE(libxml2 not found on the system))
AC_CHECK_LIB([pthread], [pthread_create],, AC_MSG_FAILURE(libpthread not found on the system))
AC_CHECK_LIB([m], [sqrt],, AC_MSG_FAILURE(libm not found on the system))
AS_IF([test "x$prefix" == x/usr], AS_IF([test "x$prefix" == x/usr],
[AC_SUBST([CORR_RULES_PREFIX], ["/etc/snort/corr_rules"])], [AC_SUBST([CORR_RULES_PREFIX], ["/etc/snort/corr_rules"])],
@ -130,12 +134,20 @@ AS_IF([test ! -z "`pkg-config --cflags libxml-2.0 2> /dev/null`"],
[AC_SUBST([LIBXML2_INCLUDES], ["$(pkg-config --cflags libxml-2.0 2> /dev/null)"])], [AC_SUBST([LIBXML2_INCLUDES], ["$(pkg-config --cflags libxml-2.0 2> /dev/null)"])],
[AC_MSG_FAILURE([libxml2 not found, okr pkg-config not working])]) [AC_MSG_FAILURE([libxml2 not found, okr pkg-config not working])])
AS_IF([test "x$with_graphviz" != xno],
[AS_IF([test ! -z "`pkg-config --cflags libgraph 2> /dev/null`"],
[AC_SUBST([LIBGRAPH_INCLUDES], ["$(pkg-config --cflags libgraph 2> /dev/null)"])],
[AC_MSG_FAILURE([libgraphviz support enabled, but the library was not found or pkg-config is not working])])])
AS_IF([test "x$with_graphviz" != xno],
[AC_DEFINE([HAVE_BOOLEAN], [1], [Check if the boolean type is defined])])
AC_FUNC_ALLOCA AC_FUNC_ALLOCA
AC_CHECK_HEADERS([inttypes.h limits.h stddef.h stdlib.h string.h unistd.h wchar.h],,AC_MSG_ERROR(At least one of the required headers was not found)) AC_CHECK_HEADERS([inttypes.h limits.h stddef.h stdlib.h string.h unistd.h wchar.h math.h],,AC_MSG_ERROR(At least one of the required headers was not found))
# Check for int types # Check for int types
AC_CHECK_TYPES([u_int8_t,u_int16_t,u_int32_t,u_int64_t,uint8_t,uint16_t,uint32_t,uint64_t]) AC_CHECK_TYPES([u_int8_t,u_int16_t,u_int32_t,u_int64_t,uint8_t,uint16_t,uint32_t,uint64_t])
AC_CHECK_TYPES([int8_t,int16_t,int32_t,int64_t]) AC_CHECK_TYPES([int8_t,int16_t,int32_t,int64_t,boolean])
# Checks for typedefs, structures, and compiler characteristics. # Checks for typedefs, structures, and compiler characteristics.
AC_HEADER_STDBOOL AC_HEADER_STDBOOL
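Review bot: The new `AC_CHECK_LIB([mysqlclient], [mysql_query],, [AC_MSG_FAILURE(...)])` drops the `AC_DEFINE(ENABLE_MYSQL, 1, ...)` and `AC_DEFINE(ENABLE_DB, 1, ...)` that the old action-if-found carried, so a successful `--with-mysql` now only yields the default `HAVE_LIBMYSQLCLIENT`. If any source still guards database code with `ENABLE_DB` or `ENABLE_MYSQL` (not visible on this page), those paths are now compiled out silently even though the library was found and linked; either restore the two defines in the action-if-found branch or move the guards to `HAVE_LIBMYSQLCLIENT`. Separately, `AS_IF([test "x$with_graphviz" != xno], [AC_DEFINE([HAVE_BOOLEAN], [1], ...)])` asserts that the type exists whenever Graphviz is enabled, while `AC_CHECK_TYPES([..., boolean])` in the next hunk defines the same `HAVE_BOOLEAN` only when the compiler actually sees the type; keep one mechanism, preferably the check with the relevant header passed as its includes argument, so the macro reflects what the compiler finds rather than a configure option.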

13
corr_rules/1-1394-12.xml Normal file

@ -0,0 +1,13 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE hyperalert PUBLIC "-//blacklighth//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
<hyperalert>
<snort-id>1.1394.12</snort-id>
<desc>Shellcode x86 inc ecx noop</desc>
<pre>HostExists(+DST_ADDR+)</pre>
<pre>HasService(+DST_ADDR+, +DST_PORT+)</pre>
<post>HasLocalAccess(+SRC_ADDR+, +DST_ADDR+)</post>
</hyperalert>


@ -1,8 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE hyperalert PUBLIC "-//blacklighth//DTD HYPERALERT SNORT MODEL//EN" "http://devio.us/~blacklight/hyperalert.dtd"> <!DOCTYPE hyperalert PUBLIC "-//blacklighth//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
<hyperalert> <hyperalert>
<snort-id>1.469.4</snort-id> <snort-id>1.469.4</snort-id>
<desc>ICMP PING NMAP</desc>
<post>HostExists(+DST_ADDR+)</post> <post>HostExists(+DST_ADDR+)</post>
</hyperalert> </hyperalert>


@ -1,9 +1,11 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE hyperalert PUBLIC "-//blacklighth//DTD HYPERALERT SNORT MODEL//EN" "http://devio.us/~blacklight/hyperalert.dtd"> <!DOCTYPE hyperalert PUBLIC "-//blacklighth//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
<hyperalert> <hyperalert>
<snort-id>122.1.0</snort-id> <snort-id>122.1.0</snort-id>
<desc>(portscan) TCP Portscan</desc>
<pre>HostExists(+DST_ADDR+)</pre> <pre>HostExists(+DST_ADDR+)</pre>
<post>HasVulnService(+DST_ADDR+, +ANY_PORT+)</post> <post>HasService(+DST_ADDR+, +ANY_PORT+)</post>
</hyperalert> </hyperalert>


@ -19,34 +19,51 @@
#include "spp_ai.h" #include "spp_ai.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h> #include <unistd.h>
#include <time.h>
#include <math.h>
#include <alloca.h>
#include <sys/stat.h> #include <sys/stat.h>
#include <pthread.h> #include <pthread.h>
#include <libxml/xmlreader.h> #include <libxml/xmlreader.h>
#ifdef HAVE_LIBGVC
#include <gvc.h>
#endif
/** \defgroup correlation Module for the correlation of hyperalerts /** \defgroup correlation Module for the correlation of hyperalerts
* @{ */ * @{ */
#ifndef LIBXML_READER_ENABLED #ifndef LIBXML_READER_ENABLED
#error "libxml reader not enabled\n" #error "libxml2 reader not enabled\n"
#endif #endif
/** Enumeration for the types of XML tags */ /** Enumeration for the types of XML tags */
enum { inHyperAlert, inSnortIdTag, inPreTag, inPostTag, TAG_NUM }; enum { inHyperAlert, inSnortIdTag, inPreTag, inPostTag, TAG_NUM };
/** Struct representing the correlation between all the couples of alerts */ /** Key for the correlation hash table */
typedef struct { typedef struct {
/** First alert */ /** First alert */
AI_snort_alert *a; AI_snort_alert *a;
/** Second alert */ /** Second alert */
AI_snort_alert *b; AI_snort_alert *b;
} AI_alert_correlation_key;
/** Struct representing the correlation between all the couples of alerts */
typedef struct {
/** Hash key */
AI_alert_correlation_key key;
/** Correlation coefficient */ /** Correlation coefficient */
double correlation; double correlation;
/** Make the struct 'hashable' */ /** Make the struct 'hashable' */
UT_hash_handle hh; UT_hash_handle hh;
} AI_alert_correlation; } AI_alert_correlation;
PRIVATE AI_hyperalert_info *hyperalerts = NULL; PRIVATE AI_hyperalert_info *hyperalerts = NULL;
@ -55,6 +72,195 @@ PRIVATE AI_snort_alert *alerts = NULL;
PRIVATE AI_alert_correlation *correlation_table = NULL; PRIVATE AI_alert_correlation *correlation_table = NULL;
PRIVATE BOOL lock_flag = false; PRIVATE BOOL lock_flag = false;
/**
* \brief Clean up the correlation hash table
*/
PRIVATE void
_AI_correlation_table_cleanup ()
{
AI_alert_correlation *current;
while ( correlation_table )
{
current = correlation_table;
HASH_DEL ( correlation_table, current );
free ( current );
}
} /* ----- end of function _AI_correlation_table_cleanup ----- */
/**
* \brief Recursively write a flow of correlated alerts to a .dot file, ready for being rendered as graph
* \param corr_alerts Correlated alerts
* \param fp File pointer
*/
PRIVATE void
_AI_print_correlated_alerts ( AI_alert_correlation *corr, FILE *fp )
{
char src_addr1[INET_ADDRSTRLEN],
dst_addr1[INET_ADDRSTRLEN],
src_addr2[INET_ADDRSTRLEN],
dst_addr2[INET_ADDRSTRLEN],
src_port1[10],
dst_port1[10],
src_port2[10],
dst_port2[10],
timestamp1[40],
timestamp2[40];
struct tm *t1, *t2;
if ( !corr )
return;
inet_ntop ( AF_INET, &(corr->key.a->ip_src_addr), src_addr1, INET_ADDRSTRLEN );
inet_ntop ( AF_INET, &(corr->key.a->ip_dst_addr), dst_addr1, INET_ADDRSTRLEN );
snprintf ( src_port1, sizeof ( src_port1 ), "%d", ntohs ( corr->key.a->tcp_src_port ));
snprintf ( dst_port1, sizeof ( dst_port1 ), "%d", ntohs ( corr->key.a->tcp_dst_port ));
t1 = localtime ( &(corr->key.a->timestamp ));
strftime ( timestamp1, sizeof ( timestamp1 ), "%a %b %d %Y, %H:%M:%S", t1 );
inet_ntop ( AF_INET, &(corr->key.b->ip_src_addr), src_addr2, INET_ADDRSTRLEN );
inet_ntop ( AF_INET, &(corr->key.b->ip_dst_addr), dst_addr2, INET_ADDRSTRLEN );
snprintf ( src_port2, sizeof ( src_port2 ), "%d", ntohs ( corr->key.b->tcp_src_port ));
snprintf ( dst_port2, sizeof ( dst_port2 ), "%d", ntohs ( corr->key.b->tcp_dst_port ));
t2 = localtime ( &(corr->key.b->timestamp ));
strftime ( timestamp2, sizeof ( timestamp2 ), "%a %b %d %Y, %H:%M:%S", t2 );
fprintf ( fp,
"\t\"[%d.%d.%d] %s\\n"
"%s%s%s:%s%s%s -> %s%s%s:%s%s%s\\n"
"%s\\n"
"(%d alerts grouped)\" -> "
"\"[%d.%d.%d] %s\\n"
"%s%s%s:%s%s%s -> %s%s%s:%s%s%s\\n"
"%s\\n"
"(%d alerts grouped)\";\n",
corr->key.a->gid, corr->key.a->sid, corr->key.a->rev, corr->key.a->desc,
( corr->key.a->h_node[src_addr] ) ? "[" : "",
( corr->key.a->h_node[src_addr] ) ? corr->key.a->h_node[src_addr]->label : src_addr1,
( corr->key.a->h_node[src_addr] ) ? "]" : "",
( corr->key.a->h_node[src_port] ) ? "[" : "",
( corr->key.a->h_node[src_port] ) ? corr->key.a->h_node[src_port]->label : src_port1,
( corr->key.a->h_node[src_port] ) ? "]" : "",
( corr->key.a->h_node[dst_addr] ) ? "[" : "",
( corr->key.a->h_node[dst_addr] ) ? corr->key.a->h_node[dst_addr]->label : dst_addr1,
( corr->key.a->h_node[dst_addr] ) ? "]" : "",
( corr->key.a->h_node[dst_port] ) ? "[" : "",
( corr->key.a->h_node[dst_port] ) ? corr->key.a->h_node[dst_port]->label : dst_port1,
( corr->key.a->h_node[dst_port] ) ? "]" : "",
timestamp1,
corr->key.a->grouped_alarms_count,
corr->key.b->gid, corr->key.b->sid, corr->key.b->rev, corr->key.b->desc,
( corr->key.b->h_node[src_addr] ) ? "[" : "",
( corr->key.b->h_node[src_addr] ) ? corr->key.b->h_node[src_addr]->label : src_addr2,
( corr->key.b->h_node[src_addr] ) ? "]" : "",
( corr->key.b->h_node[src_port] ) ? "[" : "",
( corr->key.b->h_node[src_port] ) ? corr->key.b->h_node[src_port]->label : src_port2,
( corr->key.b->h_node[src_port] ) ? "]" : "",
( corr->key.b->h_node[dst_addr] ) ? "[" : "",
( corr->key.b->h_node[dst_addr] ) ? corr->key.b->h_node[dst_addr]->label : dst_addr2,
( corr->key.b->h_node[dst_addr] ) ? "]" : "",
( corr->key.b->h_node[dst_port] ) ? "[" : "",
( corr->key.b->h_node[dst_port] ) ? corr->key.b->h_node[dst_port]->label : dst_port2,
( corr->key.b->h_node[dst_port] ) ? "]" : "",
timestamp2,
corr->key.b->grouped_alarms_count
);
} /* ----- end of function _AI_correlation_flow_to_file ----- */
/**
* \brief Get the name of the function called by a pre-condition or post-condition predicate
* \param orig_stmt Statement representing a pre-condition or post-condition
* \return The name of the function called by that statement
*/
PRIVATE char*
_AI_get_function_name ( const char *orig_stmt )
{
int parenthesis_pos, function_name_len;
char function_name[4096];
char *stmt = NULL;
if ( !( stmt = (char*) alloca ( strlen ( orig_stmt ))))
return NULL;
strcpy ( stmt, orig_stmt );
memset ( function_name, 0, sizeof ( function_name ));
if ( !( parenthesis_pos = (int) strstr ( stmt, "(" )))
return NULL;
parenthesis_pos -= (int) stmt;
function_name_len = ( parenthesis_pos < sizeof ( function_name )) ? parenthesis_pos : sizeof ( function_name );
strncpy ( function_name, stmt, function_name_len );
return strdup(function_name);
} /* ----- end of function _AI_get_function_name ----- */
/**
* FUNCTION: _AI_get_function_arguments
* \brief Get the arguments passed to a function predicate in a pre-condition or post-condition (comma-separated values)
* \param origstmt Statement representing a pre-condition or post-condition
* \param n_args Reference to an integer that will contain the number of arguments read
* \return An array of strings containing the arguments of the function
*/
PRIVATE char**
_AI_get_function_arguments ( char *orig_stmt, int *n_args )
{
char **args = NULL;
char *tok = NULL;
char *stmt = NULL;
int par_pos = 0;
*n_args = 0;
if ( !( stmt = (char*) alloca ( strlen ( orig_stmt ))))
return NULL;
strcpy ( stmt, orig_stmt );
if ( !( par_pos = (int) strstr ( stmt, "(" )))
return NULL;
par_pos -= (int) stmt;
stmt += par_pos + 1;
if ( stmt [ strlen(stmt) - 1 ] == ')' )
stmt[ strlen(stmt) - 1 ] = 0;
tok = (char*) strtok ( stmt, "," );
while ( tok ) {
if ( !( args = (char**) realloc ( args, (++(*n_args)) * sizeof ( char* ))))
_dpd.fatalMsg ( "AIPreproc: Fatal memory allocation error at %s:%d\n", __FILE__, __LINE__ );
args [ (*n_args) - 1 ] = strdup ( tok );
tok = (char*) strtok ( NULL, " " );
}
if ( !(*n_args) )
return NULL;
return args;
} /* ----- end of function _AI_get_function_arguments ----- */
/** /**
* \brief Compute the correlation coefficient between two alerts, as #INTERSECTION(pre(B), post(A) / #UNION(pre(B), post(A)) * \brief Compute the correlation coefficient between two alerts, as #INTERSECTION(pre(B), post(A) / #UNION(pre(B), post(A))
* \param a Alert a * \param a Alert a
@ -62,13 +268,23 @@ PRIVATE BOOL lock_flag = false;
* \return The correlation coefficient between A and B as coefficient in [0,1] * \return The correlation coefficient between A and B as coefficient in [0,1]
*/ */
double PRIVATE double
_AI_correlation_coefficient ( AI_snort_alert *a, AI_snort_alert *b ) _AI_correlation_coefficient ( AI_snort_alert *a, AI_snort_alert *b )
{ {
unsigned int i, j, unsigned int i, j, k,
n_intersection = 0, n_intersection = 0,
n_union = 0; n_union = 0;
char **args1 = NULL,
**args2 = NULL,
*function_name1 = NULL,
*function_name2 = NULL,
new_stmt1[4096] = {0},
new_stmt2[4096] = {0};
int n_args1 = 0,
n_args2 = 0;
if ( !a->hyperalert || !b->hyperalert ) if ( !a->hyperalert || !b->hyperalert )
return 0.0; return 0.0;
@ -84,6 +300,100 @@ _AI_correlation_coefficient ( AI_snort_alert *a, AI_snort_alert *b )
if ( !strcasecmp ( a->hyperalert->postconds[i], b->hyperalert->preconds[j] )) if ( !strcasecmp ( a->hyperalert->postconds[i], b->hyperalert->preconds[j] ))
{ {
n_intersection += 2; n_intersection += 2;
} else {
/* Check if the predicates are the same, have the same number of arguments, and
* substitute possible occurrencies of +ANY_ADDR+ and +ANY_PORT+ */
function_name1 = _AI_get_function_name ( a->hyperalert->postconds[i] );
function_name2 = _AI_get_function_name ( b->hyperalert->preconds[j] );
if ( !strcasecmp ( function_name1, function_name2 ))
{
args1 = _AI_get_function_arguments ( a->hyperalert->postconds[i], &n_args1 );
args2 = _AI_get_function_arguments ( b->hyperalert->preconds[j] , &n_args2 );
if ( args1 && args2 )
{
if ( n_args1 == n_args2 )
{
memset ( new_stmt1, 0, sizeof ( new_stmt1 ));
memset ( new_stmt2, 0, sizeof ( new_stmt2 ));
for ( k=0; k < n_args1; k++ )
{
if ( !strcasecmp ( args1[k], "+ANY_ADDR+" ) || !strcasecmp ( args1[k], "+ANY_PORT+" ))
{
free ( args1[k] );
args1[k] = args2[k];
}
if ( !strcasecmp ( args2[k], "+ANY_ADDR+" ) || !strcasecmp ( args2[k], "+ANY_PORT+" ))
{
free ( args2[k] );
args2[k] = args1[k];
}
}
snprintf ( new_stmt1, sizeof ( new_stmt1 ), "%s(", function_name1 );
snprintf ( new_stmt2, sizeof ( new_stmt2 ), "%s(", function_name2 );
for ( k=0; k < n_args1; k++ )
{
if ( strlen ( new_stmt1 ) + strlen ( args1[k] ) + 1 < sizeof ( new_stmt1 ))
sprintf ( new_stmt1, "%s%s%s", new_stmt1, args1[k], ( k < n_args1 - 1 ) ? "," : ")" );
if ( strlen ( new_stmt2 ) + strlen ( args2[k] ) + 1 < sizeof ( new_stmt2 ))
sprintf ( new_stmt2, "%s%s%s", new_stmt2, args2[k], ( k < n_args2 - 1 ) ? "," : ")" );
}
if ( !strcmp ( new_stmt1, new_stmt2 ))
{
n_intersection += 2;
}
}
for ( k=0; k < n_args1; k++ )
{
if ( args1[k] )
{
free ( args1[k] );
args1[k] = NULL;
}
}
if ( args1 )
{
free ( args1 );
args1 = NULL;
}
for ( k=0; k < n_args2; k++ )
{
if ( args2[k] )
{
/* free ( args2[k] ); */
args2[k] = NULL;
}
}
if ( args2 )
{
free ( args2 );
args2 = NULL;
}
}
}
if ( function_name1 )
{
free ( function_name1 );
function_name1 = NULL;
}
if ( function_name2 )
{
free ( function_name2 );
function_name2 = NULL;
}
} }
} }
} }
@ -91,12 +401,13 @@ _AI_correlation_coefficient ( AI_snort_alert *a, AI_snort_alert *b )
return (double) ((double) n_intersection / (double) n_union ); return (double) ((double) n_intersection / (double) n_union );
} /* ----- end of function _AI_correlation_coefficient ----- */ } /* ----- end of function _AI_correlation_coefficient ----- */
/** /**
* \brief Substitute the macros in hyperalert pre-conditions and post-conditions with their associated values * \brief Substitute the macros in hyperalert pre-conditions and post-conditions with their associated values
* \param alert Reference to the hyperalert to work on * \param alert Reference to the hyperalert to work on
*/ */
void PRIVATE void
_AI_macro_subst ( AI_snort_alert **alert ) _AI_macro_subst ( AI_snort_alert **alert )
{ {
/* /*
@ -130,12 +441,6 @@ _AI_macro_subst ( AI_snort_alert **alert )
free ( tmp ); free ( tmp );
} }
if ( strstr ( (*alert)->hyperalert->preconds[i], "+ANY_ADDR+" )) {
tmp = (*alert)->hyperalert->preconds[i];
(*alert)->hyperalert->preconds[i] = str_replace ( (*alert)->hyperalert->preconds[i], "+ANY_ADDR+", "0.0.0.0" );
free ( tmp );
}
if ( strstr ( (*alert)->hyperalert->preconds[i], "+SRC_PORT+" )) { if ( strstr ( (*alert)->hyperalert->preconds[i], "+SRC_PORT+" )) {
snprintf ( src_port, sizeof ( src_port ), "%d", ntohs ((*alert)->tcp_src_port) ); snprintf ( src_port, sizeof ( src_port ), "%d", ntohs ((*alert)->tcp_src_port) );
tmp = (*alert)->hyperalert->preconds[i]; tmp = (*alert)->hyperalert->preconds[i];
@ -149,12 +454,6 @@ _AI_macro_subst ( AI_snort_alert **alert )
(*alert)->hyperalert->preconds[i] = str_replace ( (*alert)->hyperalert->preconds[i], "+DST_PORT+", dst_port ); (*alert)->hyperalert->preconds[i] = str_replace ( (*alert)->hyperalert->preconds[i], "+DST_PORT+", dst_port );
free ( tmp ); free ( tmp );
} }
if ( strstr ( (*alert)->hyperalert->preconds[i], "+ANY_PORT+" )) {
tmp = (*alert)->hyperalert->preconds[i];
(*alert)->hyperalert->preconds[i] = str_replace ( (*alert)->hyperalert->preconds[i], "+ANY_PORT+", "0" );
free ( tmp );
}
} }
for ( i=0; i < (*alert)->hyperalert->n_postconds; i++ ) for ( i=0; i < (*alert)->hyperalert->n_postconds; i++ )
@ -178,11 +477,11 @@ _AI_macro_subst ( AI_snort_alert **alert )
free ( tmp ); free ( tmp );
} }
if ( strstr ( (*alert)->hyperalert->postconds[i], "+ANY_ADDR+" )) { /* if ( strstr ( (*alert)->hyperalert->postconds[i], "+ANY_ADDR+" )) { */
tmp = (*alert)->hyperalert->postconds[i]; /* tmp = (*alert)->hyperalert->postconds[i]; */
(*alert)->hyperalert->postconds[i] = str_replace ( (*alert)->hyperalert->postconds[i], "+ANY_ADDR+", "0.0.0.0" ); /* (*alert)->hyperalert->postconds[i] = str_replace ( (*alert)->hyperalert->postconds[i], "+ANY_ADDR+", "0.0.0.0" ); */
free ( tmp ); /* free ( tmp ); */
} /* } */
if ( strstr ( (*alert)->hyperalert->postconds[i], "+SRC_PORT+" )) { if ( strstr ( (*alert)->hyperalert->postconds[i], "+SRC_PORT+" )) {
snprintf ( src_port, sizeof ( src_port ), "%d", ntohs ((*alert)->tcp_src_port) ); snprintf ( src_port, sizeof ( src_port ), "%d", ntohs ((*alert)->tcp_src_port) );
@ -198,11 +497,11 @@ _AI_macro_subst ( AI_snort_alert **alert )
free ( tmp ); free ( tmp );
} }
if ( strstr ( (*alert)->hyperalert->postconds[i], "+ANY_PORT+" )) { /* if ( strstr ( (*alert)->hyperalert->postconds[i], "+ANY_PORT+" )) { */
tmp = (*alert)->hyperalert->postconds[i]; /* tmp = (*alert)->hyperalert->postconds[i]; */
(*alert)->hyperalert->postconds[i] = str_replace ( (*alert)->hyperalert->postconds[i], "+ANY_PORT+", "0" ); /* (*alert)->hyperalert->postconds[i] = str_replace ( (*alert)->hyperalert->postconds[i], "+ANY_PORT+", "0" ); */
free ( tmp ); /* free ( tmp ); */
} /* } */
} }
} /* ----- end of function _AI_macro_subst ----- */ } /* ----- end of function _AI_macro_subst ----- */
@ -277,7 +576,8 @@ _AI_hyperalert_from_XML ( AI_hyperalert_key key )
_dpd.fatalMsg ( "AIPreproc: Error in XML file '%s': 'post' tag open outside of 'hyperalert' tag\n", hyperalert_file ); _dpd.fatalMsg ( "AIPreproc: Error in XML file '%s': 'post' tag open outside of 'hyperalert' tag\n", hyperalert_file );
else else
xmlFlags[inPostTag] = true; xmlFlags[inPostTag] = true;
} else { } else if ( !strcasecmp ((const char*) tagname, "desc" )) {}
else {
_dpd.fatalMsg ( "AIPreproc: Unrecognized tag '%s' in XML file '%s'\n", tagname, hyperalert_file ); _dpd.fatalMsg ( "AIPreproc: Unrecognized tag '%s' in XML file '%s'\n", tagname, hyperalert_file );
} }
} else if ( xmlTextReaderNodeType ( xml ) == XML_READER_TYPE_END_ELEMENT ) { } else if ( xmlTextReaderNodeType ( xml ) == XML_READER_TYPE_END_ELEMENT ) {
@ -302,7 +602,8 @@ _AI_hyperalert_from_XML ( AI_hyperalert_key key )
_dpd.fatalMsg ( "AIPreproc: Error in XML file '%s': post tag closed but never opend\n", hyperalert_file ); _dpd.fatalMsg ( "AIPreproc: Error in XML file '%s': post tag closed but never opend\n", hyperalert_file );
else else
xmlFlags[inPostTag] = false; xmlFlags[inPostTag] = false;
} else { } else if ( !strcasecmp ((const char*) tagname, "desc" )) {}
else {
_dpd.fatalMsg ( "AIPreproc: Unrecognized tag '%s' in XML file '%s'\n", tagname, hyperalert_file ); _dpd.fatalMsg ( "AIPreproc: Unrecognized tag '%s' in XML file '%s'\n", tagname, hyperalert_file );
} }
} else if ( xmlTextReaderNodeType ( xml ) == XML_READER_TYPE_TEXT ) { } else if ( xmlTextReaderNodeType ( xml ) == XML_READER_TYPE_TEXT ) {
@ -350,15 +651,30 @@ _AI_hyperalert_from_XML ( AI_hyperalert_key key )
void* void*
AI_alert_correlation_thread ( void *arg ) AI_alert_correlation_thread ( void *arg )
{ {
int i; int i;
struct stat st; struct stat st;
AI_hyperalert_key key; char corr_dot_file[4096] = { 0 };
AI_hyperalert_info *hyp = NULL;
AI_snort_alert *alert_iterator = NULL,
*alert_iterator2 = NULL;
FILE *fp = fopen ( "/home/blacklight/LOG", "w" ); double avg_correlation = 0.0,
fclose ( fp ); std_deviation = 0.0,
corr_threshold = 0.0;
FILE *fp = NULL;
AI_alert_correlation_key corr_key;
AI_alert_correlation *corr = NULL;
AI_hyperalert_key key;
AI_hyperalert_info *hyp = NULL;
AI_snort_alert *alert_iterator = NULL,
*alert_iterator2 = NULL;
#ifdef HAVE_LIBGVC
char corr_png_file[4096] = { 0 };
GVC_t *gvc = NULL;
graph_t *g = NULL;
#endif
conf = (AI_config*) arg; conf = (AI_config*) arg;
@ -431,20 +747,109 @@ AI_alert_correlation_thread ( void *arg )
_AI_macro_subst ( &alert_iterator ); _AI_macro_subst ( &alert_iterator );
} }
_AI_correlation_table_cleanup();
correlation_table = NULL;
for ( alert_iterator = alerts; alert_iterator; alert_iterator = alert_iterator->next ) for ( alert_iterator = alerts; alert_iterator; alert_iterator = alert_iterator->next )
{ {
for ( alert_iterator2 = alerts; alert_iterator2; alert_iterator2 = alert_iterator2->next ) for ( alert_iterator2 = alerts; alert_iterator2; alert_iterator2 = alert_iterator2->next )
{ {
if ( alert_iterator != alert_iterator2 ) if ( alert_iterator != alert_iterator2 && ! (
alert_iterator->gid == alert_iterator2->gid &&
alert_iterator->sid == alert_iterator2->sid &&
alert_iterator->rev == alert_iterator2->rev ))
{ {
fp = fopen ( "/home/blacklight/LOG", "a" ); if ( !( corr = ( AI_alert_correlation* ) malloc ( sizeof ( AI_alert_correlation ))))
fprintf ( fp, "alert1: (%s), alert2: (%s)\n", alert_iterator->desc, alert_iterator2->desc ); _dpd.fatalMsg ( "AIPreproc: Fatal memory allocation error at %s:%d\n", __FILE__, __LINE__ );
fprintf ( fp, "correlation (alert1, alert2): %f\n\n", _AI_correlation_coefficient ( alert_iterator, alert_iterator2 ));
fclose ( fp ); corr_key.a = alert_iterator;
corr_key.b = alert_iterator2;
corr->key = corr_key;
corr->correlation = _AI_correlation_coefficient ( corr_key.a, corr_key.b );
HASH_ADD ( hh, correlation_table, key, sizeof ( AI_alert_correlation_key ), corr );
} }
} }
} }
if ( HASH_COUNT ( correlation_table ) > 0 )
{
avg_correlation = 0.0;
std_deviation = 0.0;
/* Compute the average correlation coefficient */
for ( corr = correlation_table; corr; corr = ( AI_alert_correlation* ) corr->hh.next )
{
avg_correlation += corr->correlation;
}
avg_correlation /= (double) HASH_COUNT ( correlation_table );
/* Compute the standard deviation */
for ( corr = correlation_table; corr; corr = ( AI_alert_correlation* ) corr->hh.next )
{
std_deviation += ( corr->correlation - avg_correlation ) * ( corr->correlation - avg_correlation );
}
std_deviation = sqrt ( std_deviation / (double) HASH_COUNT ( correlation_table ));
corr_threshold = avg_correlation + ( conf->correlationThresholdCoefficient * std_deviation );
snprintf ( corr_dot_file, sizeof ( corr_dot_file ), "%s/correlated_alerts.dot", conf->corr_alerts_dir );
if ( stat ( conf->corr_alerts_dir, &st ) < 0 )
{
if ( mkdir ( conf->corr_alerts_dir, 0755 ) < 0 )
{
_dpd.fatalMsg ( "AIPreproc: Unable to create directory '%s'\n", conf->corr_alerts_dir );
}
}
if ( !( fp = fopen ( corr_dot_file, "w" )))
_dpd.fatalMsg ( "AIPreproc: Could not write on file '%s'\n", corr_dot_file );
fprintf ( fp, "digraph G {\n" );
/* Find correlated alerts */
for ( corr = correlation_table; corr; corr = ( AI_alert_correlation* ) corr->hh.next )
{
if ( corr->correlation >= avg_correlation + std_deviation &&
avg_correlation + std_deviation != 0.0 &&
corr->key.a->timestamp <= corr->key.b->timestamp && ! (
corr->key.a->gid == corr->key.b->gid &&
corr->key.a->sid == corr->key.b->sid &&
corr->key.a->rev == corr->key.b->rev ))
{
if ( !( corr->key.a->derived_alerts = ( AI_snort_alert** ) realloc ( corr->key.a->derived_alerts, (++corr->key.a->n_derived_alerts) * sizeof ( AI_snort_alert* ))))
_dpd.fatalMsg ( "AIPreproc: Fatal memory allocation error at %s:%d\n", __FILE__, __LINE__ );
corr->key.a->derived_alerts[ corr->key.a->n_derived_alerts - 1 ] = corr->key.b;
corr->key.b->previous_correlated = corr->key.a;
_AI_print_correlated_alerts ( corr, fp );
}
}
fprintf ( fp, "}\n" );
fclose ( fp );
#ifdef HAVE_LIBGVC
snprintf ( corr_png_file, sizeof ( corr_png_file ), "%s/correlated_alerts.png", conf->corr_alerts_dir );
if ( !( gvc = gvContext() ))
continue;
if ( !( fp = fopen ( corr_dot_file, "r" )))
continue;
if ( !( g = agread ( fp )))
continue;
gvLayout ( gvc, g, "dot" );
gvRenderFilename ( gvc, g, "png", corr_png_file );
gvFreeLayout ( gvc, g );
agclose ( g );
fclose ( fp );
#endif
}
lock_flag = false; lock_flag = false;
} }

2
db.c

@ -18,7 +18,7 @@
*/ */
#include "spp_ai.h" #include "spp_ai.h"
#ifdef ENABLE_DB #ifdef HAVE_LIBMYSQLCLIENT
#include "db.h" #include "db.h"

22
db.h

@ -17,23 +17,21 @@
* ===================================================================================== * =====================================================================================
*/ */
#ifdef ENABLE_DB #ifdef HAVE_LIBMYSQLCLIENT
#ifndef _AI_DB_H #ifndef _AI_DB_H
#define _AI_DB_H #define _AI_DB_H
#ifdef ENABLE_MYSQL #include <mysql/mysql.h>
#include <mysql/mysql.h>
typedef MYSQL_RES* DB_result; typedef MYSQL_RES* DB_result;
typedef MYSQL_ROW DB_row; typedef MYSQL_ROW DB_row;
#define DB_init mysql_do_init #define DB_init mysql_do_init
#define DB_query mysql_do_query #define DB_query mysql_do_query
#define DB_num_rows mysql_num_rows #define DB_num_rows mysql_num_rows
#define DB_fetch_row mysql_fetch_row #define DB_fetch_row mysql_fetch_row
#define DB_free_result mysql_free_result #define DB_free_result mysql_free_result
#define DB_close mysql_do_close #define DB_close mysql_do_close
#endif
/** Initializer for the database */ /** Initializer for the database */
void* DB_init ( AI_config* ); void* DB_init ( AI_config* );

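Review bot: With the `ENABLE_MYSQL` selector gone, the MySQL typedefs and the `DB_init`/`DB_query`/`DB_close` macro mappings are now the unconditional body of the "abstract" db.h wrapper, so nothing in the header says whether a second backend is still intended or where it would hook in. A short comment above the `typedef MYSQL_RES* DB_result;` line would make that explicit, e.g. `/* MySQL is currently the only backend: the DB_* names map directly onto the mysql_* wrappers in mysql.c */`. It is also worth documenting at the `#ifdef HAVE_LIBMYSQLCLIENT` guard that database support is now switched on by the configure-time library probe alone rather than by an explicit build option, since every caller (db.c at the same commit) must use the same define to stay consistent. The closing `#endif`s of both preprocessor blocks fall outside this hunk.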

@ -132,7 +132,7 @@ Variables</h2></td></tr>
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -55,6 +55,7 @@ Here are the data structures with brief descriptions:<table>
<tr><td class="indexkey"><a class="el" href="struct__AI__snort__alert.html">_AI_snort_alert</a></td><td class="indexvalue"></td></tr> <tr><td class="indexkey"><a class="el" href="struct__AI__snort__alert.html">_AI_snort_alert</a></td><td class="indexvalue"></td></tr>
<tr><td class="indexkey"><a class="el" href="struct__hierarchy__node.html">_hierarchy_node</a></td><td class="indexvalue"></td></tr> <tr><td class="indexkey"><a class="el" href="struct__hierarchy__node.html">_hierarchy_node</a></td><td class="indexvalue"></td></tr>
<tr><td class="indexkey"><a class="el" href="structAI__alert__correlation.html">AI_alert_correlation</a></td><td class="indexvalue"></td></tr> <tr><td class="indexkey"><a class="el" href="structAI__alert__correlation.html">AI_alert_correlation</a></td><td class="indexvalue"></td></tr>
<tr><td class="indexkey"><a class="el" href="structAI__alert__correlation__key.html">AI_alert_correlation_key</a></td><td class="indexvalue"></td></tr>
<tr><td class="indexkey"><a class="el" href="structAI__config.html">AI_config</a></td><td class="indexvalue"></td></tr> <tr><td class="indexkey"><a class="el" href="structAI__config.html">AI_config</a></td><td class="indexvalue"></td></tr>
<tr><td class="indexkey"><a class="el" href="structAI__hyperalert__info.html">AI_hyperalert_info</a></td><td class="indexvalue"></td></tr> <tr><td class="indexkey"><a class="el" href="structAI__hyperalert__info.html">AI_hyperalert_info</a></td><td class="indexvalue"></td></tr>
<tr><td class="indexkey"><a class="el" href="structAI__hyperalert__key.html">AI_hyperalert_key</a></td><td class="indexvalue"></td></tr> <tr><td class="indexkey"><a class="el" href="structAI__hyperalert__key.html">AI_hyperalert_key</a></td><td class="indexvalue"></td></tr>
@ -78,7 +79,7 @@ Here are the data structures with brief descriptions:<table>
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -54,9 +54,9 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
<div class="qindex"><a class="qindex" href="#letter_A">A</a>&nbsp;|&nbsp;<a class="qindex" href="#letter_P">P</a>&nbsp;|&nbsp;<a class="qindex" href="#letter__">_</a></div> <div class="qindex"><a class="qindex" href="#letter_A">A</a>&nbsp;|&nbsp;<a class="qindex" href="#letter_P">P</a>&nbsp;|&nbsp;<a class="qindex" href="#letter__">_</a></div>
<table align="center" width="95%" border="0" cellspacing="0" cellpadding="0"> <table align="center" width="95%" border="0" cellspacing="0" cellpadding="0">
<tr><td><a name="letter_A"></a><table border="0" cellspacing="0" cellpadding="0"><tr><td><div class="ah">&nbsp;&nbsp;A&nbsp;&nbsp;</div></td></tr></table> <tr><td><a name="letter_A"></a><table border="0" cellspacing="0" cellpadding="0"><tr><td><div class="ah">&nbsp;&nbsp;A&nbsp;&nbsp;</div></td></tr></table>
</td><td><a class="el" href="structAI__hyperalert__info.html">AI_hyperalert_info</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="structattribute__value.html">attribute_value</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="structpkt__key.html">pkt_key</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="struct__AI__snort__alert.html">_AI_snort_alert</a>&nbsp;&nbsp;&nbsp;</td></tr><tr><td><a class="el" href="structAI__alert__correlation.html">AI_alert_correlation</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="structAI__hyperalert__key.html">AI_hyperalert_key</a>&nbsp;&nbsp;&nbsp;</td><td><a name="letter_P"></a><table border="0" cellspacing="0" cellpadding="0"><tr><td><div class="ah">&nbsp;&nbsp;P&nbsp;&nbsp;</div></td></tr></table> </td><td><a class="el" href="structAI__config.html">AI_config</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="structattribute__key.html">attribute_key</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="structpkt__info.html">pkt_info</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="struct__AI__snort__alert.html">_AI_snort_alert</a>&nbsp;&nbsp;&nbsp;</td></tr><tr><td><a class="el" href="structAI__alert__correlation.html">AI_alert_correlation</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="structAI__hyperalert__info.html">AI_hyperalert_info</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="structattribute__value.html">attribute_value</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="structpkt__key.html">pkt_key</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="struct__hierarchy__node.html">_hierarchy_node</a>&nbsp;&nbsp;&nbsp;</td></tr><tr><td><a class="el" href="structAI__alert__correlation__key.html">AI_alert_correlation_key</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="structAI__hyperalert__key.html">AI_hyperalert_key</a>&nbsp;&nbsp;&nbsp;</td><td><a name="letter_P"></a><table border="0" cellspacing="0" cellpadding="0"><tr><td><div class="ah">&nbsp;&nbsp;P&nbsp;&nbsp;</div></td></tr></table>
</td><td><a name="letter__"></a><table border="0" cellspacing="0" cellpadding="0"><tr><td><div class="ah">&nbsp;&nbsp;_&nbsp;&nbsp;</div></td></tr></table> </td><td><a name="letter__"></a><table border="0" cellspacing="0" cellpadding="0"><tr><td><div class="ah">&nbsp;&nbsp;_&nbsp;&nbsp;</div></td></tr></table>
</td><td><a class="el" href="struct__hierarchy__node.html">_hierarchy_node</a>&nbsp;&nbsp;&nbsp;</td></tr><tr><td><a class="el" href="structAI__config.html">AI_config</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="structattribute__key.html">attribute_key</a>&nbsp;&nbsp;&nbsp;</td><td><a class="el" href="structpkt__info.html">pkt_info</a>&nbsp;&nbsp;&nbsp;</td></tr></table><div class="qindex"><a class="qindex" href="#letter_A">A</a>&nbsp;|&nbsp;<a class="qindex" href="#letter_P">P</a>&nbsp;|&nbsp;<a class="qindex" href="#letter__">_</a></div> </td></tr></table><div class="qindex"><a class="qindex" href="#letter_A">A</a>&nbsp;|&nbsp;<a class="qindex" href="#letter_P">P</a>&nbsp;|&nbsp;<a class="qindex" href="#letter__">_</a></div>
</div> </div>
<!--- window showing the filter options --> <!--- window showing the filter options -->
<div id="MSearchSelectWindow" <div id="MSearchSelectWindow"
@ -72,7 +72,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -112,7 +112,7 @@ Variables</h2></td></tr>
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -56,13 +56,20 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
</div> </div>
<div class="contents"> <div class="contents">
<code>#include &quot;<a class="el" href="spp__ai_8h_source.html">spp_ai.h</a>&quot;</code><br/> <code>#include &quot;<a class="el" href="spp__ai_8h_source.html">spp_ai.h</a>&quot;</code><br/>
<code>#include &lt;stdio.h&gt;</code><br/>
<code>#include &lt;stdlib.h&gt;</code><br/>
<code>#include &lt;string.h&gt;</code><br/>
<code>#include &lt;unistd.h&gt;</code><br/> <code>#include &lt;unistd.h&gt;</code><br/>
<code>#include &lt;time.h&gt;</code><br/>
<code>#include &lt;math.h&gt;</code><br/>
<code>#include &lt;alloca.h&gt;</code><br/>
<code>#include &lt;sys/stat.h&gt;</code><br/> <code>#include &lt;sys/stat.h&gt;</code><br/>
<code>#include &lt;pthread.h&gt;</code><br/> <code>#include &lt;pthread.h&gt;</code><br/>
<code>#include &lt;libxml/xmlreader.h&gt;</code><br/> <code>#include &lt;libxml/xmlreader.h&gt;</code><br/>
<table class="memberdecls"> <table class="memberdecls">
<tr><td colspan="2"><h2><a name="nested-classes"></a> <tr><td colspan="2"><h2><a name="nested-classes"></a>
Data Structures</h2></td></tr> Data Structures</h2></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">struct &nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__alert__correlation__key.html">AI_alert_correlation_key</a></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">struct &nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__alert__correlation.html">AI_alert_correlation</a></td></tr> <tr><td class="memItemLeft" align="right" valign="top">struct &nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__alert__correlation.html">AI_alert_correlation</a></td></tr>
<tr><td colspan="2"><h2><a name="enum-members"></a> <tr><td colspan="2"><h2><a name="enum-members"></a>
Enumerations</h2></td></tr> Enumerations</h2></td></tr>
@ -77,10 +84,18 @@ Enumerations</h2></td></tr>
}</td></tr> }</td></tr>
<tr><td colspan="2"><h2><a name="func-members"></a> <tr><td colspan="2"><h2><a name="func-members"></a>
Functions</h2></td></tr> Functions</h2></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">double&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga130e82017fc0abcb76b1a7740ae2f4df">_AI_correlation_coefficient</a> (<a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *a, <a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *b)</td></tr> <tr><td class="memItemLeft" align="right" valign="top">PRIVATE void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga9bcb94264ffe30f113f3fb7287b774e3">_AI_correlation_table_cleanup</a> ()</td></tr>
<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A) / UNION(pre(B), post(A)). <a href="group__correlation.html#ga130e82017fc0abcb76b1a7740ae2f4df"></a><br/></td></tr> <tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Clean up the correlation hash table. <a href="group__correlation.html#ga9bcb94264ffe30f113f3fb7287b774e3"></a><br/></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga0d094eae1d014d89a2de21263fa747da">_AI_macro_subst</a> (<a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> **alert)</td></tr> <tr><td class="memItemLeft" align="right" valign="top">PRIVATE void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga4267a39fa1a5ac035015823bca43288e">_AI_print_correlated_alerts</a> (<a class="el" href="structAI__alert__correlation.html">AI_alert_correlation</a> *corr, FILE *fp)</td></tr>
<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Substitute the macros in hyperalert pre-conditions and post-conditions with their associated values. <a href="group__correlation.html#ga0d094eae1d014d89a2de21263fa747da"></a><br/></td></tr> <tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Recursively write a flow of correlated alerts to a .dot file, ready for being rendered as graph. <a href="group__correlation.html#ga4267a39fa1a5ac035015823bca43288e"></a><br/></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">PRIVATE char *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga7a1b2d01f526f24ea91d7f08bdefd4fe">_AI_get_function_name</a> (const char *orig_stmt)</td></tr>
<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Get the name of the function called by a pre-condition or post-condition predicate. <a href="group__correlation.html#ga7a1b2d01f526f24ea91d7f08bdefd4fe"></a><br/></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">PRIVATE char **&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#gab716702cd226ab2ad957234a92da6e4a">_AI_get_function_arguments</a> (char *orig_stmt, int *n_args)</td></tr>
<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Get the arguments passed to a function predicate in a pre-condition or post-condition (comma-separated values). <a href="group__correlation.html#gab716702cd226ab2ad957234a92da6e4a"></a><br/></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">PRIVATE double&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga9cb283b28a66829574add58a251b93c6">_AI_correlation_coefficient</a> (<a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *a, <a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *b)</td></tr>
<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A) / UNION(pre(B), post(A)). <a href="group__correlation.html#ga9cb283b28a66829574add58a251b93c6"></a><br/></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">PRIVATE void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga70a4aaf8b689472dad62ba7a9bbde1a6">_AI_macro_subst</a> (<a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> **alert)</td></tr>
<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Substitute the macros in hyperalert pre-conditions and post-conditions with their associated values. <a href="group__correlation.html#ga70a4aaf8b689472dad62ba7a9bbde1a6"></a><br/></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">PRIVATE <a class="el" href="structAI__hyperalert__info.html">AI_hyperalert_info</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga929e5c17fdb247a998d83ed6a4ae5a65">_AI_hyperalert_from_XML</a> (<a class="el" href="structAI__hyperalert__key.html">AI_hyperalert_key</a> key)</td></tr> <tr><td class="memItemLeft" align="right" valign="top">PRIVATE <a class="el" href="structAI__hyperalert__info.html">AI_hyperalert_info</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga929e5c17fdb247a998d83ed6a4ae5a65">_AI_hyperalert_from_XML</a> (<a class="el" href="structAI__hyperalert__key.html">AI_hyperalert_key</a> key)</td></tr>
<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Parse info about a hyperalert from a correlation XML file, if it exists. <a href="group__correlation.html#ga929e5c17fdb247a998d83ed6a4ae5a65"></a><br/></td></tr> <tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Parse info about a hyperalert from a correlation XML file, if it exists. <a href="group__correlation.html#ga929e5c17fdb247a998d83ed6a4ae5a65"></a><br/></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">void *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga939353a4e15de7a8f4145ab986f584be">AI_alert_correlation_thread</a> (void *arg)</td></tr> <tr><td class="memItemLeft" align="right" valign="top">void *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga939353a4e15de7a8f4145ab986f584be">AI_alert_correlation_thread</a> (void *arg)</td></tr>
@ -108,7 +123,7 @@ Variables</h2></td></tr>
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -68,7 +68,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -69,7 +69,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -68,33 +68,31 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
<a name="l00017"></a>00017 <span class="comment"> * =====================================================================================</span> <a name="l00017"></a>00017 <span class="comment"> * =====================================================================================</span>
<a name="l00018"></a>00018 <span class="comment"> */</span> <a name="l00018"></a>00018 <span class="comment"> */</span>
<a name="l00019"></a>00019 <a name="l00019"></a>00019
<a name="l00020"></a>00020 <span class="preprocessor">#ifdef ENABLE_DB</span> <a name="l00020"></a>00020 <span class="preprocessor">#ifdef HAVE_LIBMYSQLCLIENT</span>
<a name="l00021"></a>00021 <span class="preprocessor"></span><span class="preprocessor"> #ifndef _AI_DB_H</span> <a name="l00021"></a>00021 <span class="preprocessor"></span><span class="preprocessor"> #ifndef _AI_DB_H</span>
<a name="l00022"></a>00022 <span class="preprocessor"></span><span class="preprocessor"> #define _AI_DB_H</span> <a name="l00022"></a>00022 <span class="preprocessor"></span><span class="preprocessor"> #define _AI_DB_H</span>
<a name="l00023"></a>00023 <span class="preprocessor"></span> <a name="l00023"></a>00023 <span class="preprocessor"></span>
<a name="l00024"></a>00024 <span class="preprocessor"> #ifdef ENABLE_MYSQL</span> <a name="l00024"></a>00024 <span class="preprocessor"> #include &lt;mysql/mysql.h&gt;</span>
<a name="l00025"></a>00025 <span class="preprocessor"></span><span class="preprocessor"> #include &lt;mysql/mysql.h&gt;</span> <a name="l00025"></a>00025
<a name="l00026"></a>00026 <a name="l00026"></a>00026 <span class="keyword">typedef</span> MYSQL_RES* DB_result;
<a name="l00027"></a>00027 <span class="keyword">typedef</span> MYSQL_RES* DB_result; <a name="l00027"></a>00027 <span class="keyword">typedef</span> MYSQL_ROW DB_row;
<a name="l00028"></a>00028 <span class="keyword">typedef</span> MYSQL_ROW DB_row; <a name="l00028"></a>00028
<a name="l00029"></a>00029 <a name="l00029"></a>00029 <span class="preprocessor"> #define DB_init mysql_do_init</span>
<a name="l00030"></a>00030 <span class="preprocessor"> #define DB_init mysql_do_init</span> <a name="l00030"></a>00030 <span class="preprocessor"></span><span class="preprocessor"> #define DB_query mysql_do_query</span>
<a name="l00031"></a>00031 <span class="preprocessor"></span><span class="preprocessor"> #define DB_query mysql_do_query</span> <a name="l00031"></a>00031 <span class="preprocessor"></span><span class="preprocessor"> #define DB_num_rows mysql_num_rows</span>
<a name="l00032"></a>00032 <span class="preprocessor"></span><span class="preprocessor"> #define DB_num_rows mysql_num_rows</span> <a name="l00032"></a>00032 <span class="preprocessor"></span><span class="preprocessor"> #define DB_fetch_row mysql_fetch_row</span>
<a name="l00033"></a>00033 <span class="preprocessor"></span><span class="preprocessor"> #define DB_fetch_row mysql_fetch_row</span> <a name="l00033"></a>00033 <span class="preprocessor"></span><span class="preprocessor"> #define DB_free_result mysql_free_result</span>
<a name="l00034"></a>00034 <span class="preprocessor"></span><span class="preprocessor"> #define DB_free_result mysql_free_result</span> <a name="l00034"></a>00034 <span class="preprocessor"></span><span class="preprocessor"> #define DB_close mysql_do_close</span>
<a name="l00035"></a>00035 <span class="preprocessor"></span><span class="preprocessor"> #define DB_close mysql_do_close</span> <a name="l00035"></a>00035 <span class="preprocessor"></span>
<a name="l00036"></a>00036 <span class="preprocessor"></span><span class="preprocessor"> #endif</span> <a name="l00037"></a>00037 <span class="keywordtype">void</span>* DB_init ( <a class="code" href="structAI__config.html">AI_config</a>* );
<a name="l00037"></a>00037 <span class="preprocessor"></span> <a name="l00038"></a>00038
<a name="l00039"></a>00039 <span class="keywordtype">void</span>* DB_init ( <a class="code" href="structAI__config.html">AI_config</a>* ); <a name="l00040"></a>00040 DB_result* DB_query ( <span class="keyword">const</span> <span class="keywordtype">char</span>* );
<a name="l00040"></a>00040 <a name="l00041"></a>00041
<a name="l00042"></a>00042 DB_result* DB_query ( <span class="keyword">const</span> <span class="keywordtype">char</span>* ); <a name="l00043"></a>00043 <span class="keywordtype">void</span> DB_close();
<a name="l00043"></a>00043 <a name="l00044"></a>00044
<a name="l00045"></a>00045 <span class="keywordtype">void</span> DB_close(); <a name="l00045"></a>00045 <span class="preprocessor"> #endif</span>
<a name="l00046"></a>00046 <a name="l00046"></a>00046 <span class="preprocessor"></span><span class="preprocessor">#endif</span>
<a name="l00047"></a>00047 <span class="preprocessor"> #endif</span> <a name="l00047"></a>00047 <span class="preprocessor"></span>
<a name="l00048"></a>00048 <span class="preprocessor"></span><span class="preprocessor">#endif</span>
<a name="l00049"></a>00049 <span class="preprocessor"></span>
</pre></div></div> </pre></div></div>
</div> </div>
<!--- window showing the filter options --> <!--- window showing the filter options -->
@ -111,7 +109,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -78,7 +78,7 @@ Here is a list of all files with brief descriptions:<table>
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -77,7 +77,7 @@ Here is a list of all struct and union fields with links to the structures/union
<h3><a class="anchor" id="index_a"></a>- a -</h3><ul> <h3><a class="anchor" id="index_a"></a>- a -</h3><ul>
<li>a <li>a
: <a class="el" href="structAI__alert__correlation.html#a8737f171e1c1b2305c8fe77101d6aeb7">AI_alert_correlation</a> : <a class="el" href="structAI__alert__correlation__key.html#a774daec9332da25835a0904d853acadb">AI_alert_correlation_key</a>
</li> </li>
<li>alertClusteringInterval <li>alertClusteringInterval
: <a class="el" href="structAI__config.html#a7d0d098b8263aa3d8415b11d1ec7f93d">AI_config</a> : <a class="el" href="structAI__config.html#a7d0d098b8263aa3d8415b11d1ec7f93d">AI_config</a>
@ -90,7 +90,7 @@ Here is a list of all struct and union fields with links to the structures/union
<h3><a class="anchor" id="index_b"></a>- b -</h3><ul> <h3><a class="anchor" id="index_b"></a>- b -</h3><ul>
<li>b <li>b
: <a class="el" href="structAI__alert__correlation.html#a478f1a6f18f9c083b203efdf776379cd">AI_alert_correlation</a> : <a class="el" href="structAI__alert__correlation__key.html#a5805dec6499a83b818091b4f21c715dc">AI_alert_correlation_key</a>
</li> </li>
</ul> </ul>
@ -105,6 +105,9 @@ Here is a list of all struct and union fields with links to the structures/union
<li>clusterfile <li>clusterfile
: <a class="el" href="structAI__config.html#a6da02a3f7116fd3810a41b738e8883a3">AI_config</a> : <a class="el" href="structAI__config.html#a6da02a3f7116fd3810a41b738e8883a3">AI_config</a>
</li> </li>
<li>corr_alerts_dir
: <a class="el" href="structAI__config.html#ae68f5489e2ec9ea1408f98fe36d050c9">AI_config</a>
</li>
<li>corr_rules_dir <li>corr_rules_dir
: <a class="el" href="structAI__config.html#ab7ea93bbe72b85c4019b4f5656ad62fc">AI_config</a> : <a class="el" href="structAI__config.html#ab7ea93bbe72b85c4019b4f5656ad62fc">AI_config</a>
</li> </li>
@ -114,6 +117,9 @@ Here is a list of all struct and union fields with links to the structures/union
<li>correlationGraphInterval <li>correlationGraphInterval
: <a class="el" href="structAI__config.html#aa736375e57a59936e2e782b7cd200e41">AI_config</a> : <a class="el" href="structAI__config.html#aa736375e57a59936e2e782b7cd200e41">AI_config</a>
</li> </li>
<li>correlationThresholdCoefficient
: <a class="el" href="structAI__config.html#adf6ef0faedfb4dea0a1353e781b14883">AI_config</a>
</li>
<li>count <li>count
: <a class="el" href="structattribute__value.html#a5579c0304c2e9ab488ac94905b385045">attribute_value</a> : <a class="el" href="structattribute__value.html#a5579c0304c2e9ab488ac94905b385045">attribute_value</a>
</li> </li>
@ -136,6 +142,9 @@ Here is a list of all struct and union fields with links to the structures/union
<li>dbuser <li>dbuser
: <a class="el" href="structAI__config.html#aa004adebfdafb6d14092aecd7f4912b0">AI_config</a> : <a class="el" href="structAI__config.html#aa004adebfdafb6d14092aecd7f4912b0">AI_config</a>
</li> </li>
<li>derived_alerts
: <a class="el" href="struct__AI__snort__alert.html#aac5e4078600ed17532db1f3d78165390">_AI_snort_alert</a>
</li>
<li>desc <li>desc
: <a class="el" href="struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135">_AI_snort_alert</a> : <a class="el" href="struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135">_AI_snort_alert</a>
</li> </li>
@ -205,6 +214,7 @@ Here is a list of all struct and union fields with links to the structures/union
: <a class="el" href="structattribute__value.html#aa8b5ae41c150e4fefb800d3b1924278d">attribute_value</a> : <a class="el" href="structattribute__value.html#aa8b5ae41c150e4fefb800d3b1924278d">attribute_value</a>
, <a class="el" href="structAI__hyperalert__info.html#a9d461da8f00415ef03b24edb3bbd6cf8">AI_hyperalert_info</a> , <a class="el" href="structAI__hyperalert__info.html#a9d461da8f00415ef03b24edb3bbd6cf8">AI_hyperalert_info</a>
, <a class="el" href="structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339">pkt_info</a> , <a class="el" href="structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339">pkt_info</a>
, <a class="el" href="structAI__alert__correlation.html#a4e27da4922a1d44497634c8e5968d870">AI_alert_correlation</a>
</li> </li>
</ul> </ul>
@ -233,6 +243,9 @@ Here is a list of all struct and union fields with links to the structures/union
<h3><a class="anchor" id="index_n"></a>- n -</h3><ul> <h3><a class="anchor" id="index_n"></a>- n -</h3><ul>
<li>n_derived_alerts
: <a class="el" href="struct__AI__snort__alert.html#a1f2d5e8cfd0e6321b977173d1e90cb68">_AI_snort_alert</a>
</li>
<li>n_postconds <li>n_postconds
: <a class="el" href="structAI__hyperalert__info.html#a73322b6cad3e883abed03b62c6c21719">AI_hyperalert_info</a> : <a class="el" href="structAI__hyperalert__info.html#a73322b6cad3e883abed03b62c6c21719">AI_hyperalert_info</a>
</li> </li>
@ -269,6 +282,9 @@ Here is a list of all struct and union fields with links to the structures/union
<li>preconds <li>preconds
: <a class="el" href="structAI__hyperalert__info.html#a8ac4e028c47a98a8be5afd4363164031">AI_hyperalert_info</a> : <a class="el" href="structAI__hyperalert__info.html#a8ac4e028c47a98a8be5afd4363164031">AI_hyperalert_info</a>
</li> </li>
<li>previous_correlated
: <a class="el" href="struct__AI__snort__alert.html#a55a5488c7ee7706ded4c16b1235fd9c7">_AI_snort_alert</a>
</li>
<li>priority <li>priority
: <a class="el" href="struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9">_AI_snort_alert</a> : <a class="el" href="struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9">_AI_snort_alert</a>
</li> </li>
@ -346,7 +362,7 @@ Here is a list of all struct and union fields with links to the structures/union
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -77,7 +77,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
<h3><a class="anchor" id="index_a"></a>- a -</h3><ul> <h3><a class="anchor" id="index_a"></a>- a -</h3><ul>
<li>a <li>a
: <a class="el" href="structAI__alert__correlation.html#a8737f171e1c1b2305c8fe77101d6aeb7">AI_alert_correlation</a> : <a class="el" href="structAI__alert__correlation__key.html#a774daec9332da25835a0904d853acadb">AI_alert_correlation_key</a>
</li> </li>
<li>alertClusteringInterval <li>alertClusteringInterval
: <a class="el" href="structAI__config.html#a7d0d098b8263aa3d8415b11d1ec7f93d">AI_config</a> : <a class="el" href="structAI__config.html#a7d0d098b8263aa3d8415b11d1ec7f93d">AI_config</a>
@ -90,7 +90,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
<h3><a class="anchor" id="index_b"></a>- b -</h3><ul> <h3><a class="anchor" id="index_b"></a>- b -</h3><ul>
<li>b <li>b
: <a class="el" href="structAI__alert__correlation.html#a478f1a6f18f9c083b203efdf776379cd">AI_alert_correlation</a> : <a class="el" href="structAI__alert__correlation__key.html#a5805dec6499a83b818091b4f21c715dc">AI_alert_correlation_key</a>
</li> </li>
</ul> </ul>
@ -105,6 +105,9 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
<li>clusterfile <li>clusterfile
: <a class="el" href="structAI__config.html#a6da02a3f7116fd3810a41b738e8883a3">AI_config</a> : <a class="el" href="structAI__config.html#a6da02a3f7116fd3810a41b738e8883a3">AI_config</a>
</li> </li>
<li>corr_alerts_dir
: <a class="el" href="structAI__config.html#ae68f5489e2ec9ea1408f98fe36d050c9">AI_config</a>
</li>
<li>corr_rules_dir <li>corr_rules_dir
: <a class="el" href="structAI__config.html#ab7ea93bbe72b85c4019b4f5656ad62fc">AI_config</a> : <a class="el" href="structAI__config.html#ab7ea93bbe72b85c4019b4f5656ad62fc">AI_config</a>
</li> </li>
@ -114,6 +117,9 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
<li>correlationGraphInterval <li>correlationGraphInterval
: <a class="el" href="structAI__config.html#aa736375e57a59936e2e782b7cd200e41">AI_config</a> : <a class="el" href="structAI__config.html#aa736375e57a59936e2e782b7cd200e41">AI_config</a>
</li> </li>
<li>correlationThresholdCoefficient
: <a class="el" href="structAI__config.html#adf6ef0faedfb4dea0a1353e781b14883">AI_config</a>
</li>
<li>count <li>count
: <a class="el" href="structattribute__value.html#a5579c0304c2e9ab488ac94905b385045">attribute_value</a> : <a class="el" href="structattribute__value.html#a5579c0304c2e9ab488ac94905b385045">attribute_value</a>
</li> </li>
@ -136,6 +142,9 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
<li>dbuser <li>dbuser
: <a class="el" href="structAI__config.html#aa004adebfdafb6d14092aecd7f4912b0">AI_config</a> : <a class="el" href="structAI__config.html#aa004adebfdafb6d14092aecd7f4912b0">AI_config</a>
</li> </li>
<li>derived_alerts
: <a class="el" href="struct__AI__snort__alert.html#aac5e4078600ed17532db1f3d78165390">_AI_snort_alert</a>
</li>
<li>desc <li>desc
: <a class="el" href="struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135">_AI_snort_alert</a> : <a class="el" href="struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135">_AI_snort_alert</a>
</li> </li>
@ -205,6 +214,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
: <a class="el" href="structattribute__value.html#aa8b5ae41c150e4fefb800d3b1924278d">attribute_value</a> : <a class="el" href="structattribute__value.html#aa8b5ae41c150e4fefb800d3b1924278d">attribute_value</a>
, <a class="el" href="structAI__hyperalert__info.html#a9d461da8f00415ef03b24edb3bbd6cf8">AI_hyperalert_info</a> , <a class="el" href="structAI__hyperalert__info.html#a9d461da8f00415ef03b24edb3bbd6cf8">AI_hyperalert_info</a>
, <a class="el" href="structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339">pkt_info</a> , <a class="el" href="structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339">pkt_info</a>
, <a class="el" href="structAI__alert__correlation.html#a4e27da4922a1d44497634c8e5968d870">AI_alert_correlation</a>
</li> </li>
</ul> </ul>
@ -233,6 +243,9 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
<h3><a class="anchor" id="index_n"></a>- n -</h3><ul> <h3><a class="anchor" id="index_n"></a>- n -</h3><ul>
<li>n_derived_alerts
: <a class="el" href="struct__AI__snort__alert.html#a1f2d5e8cfd0e6321b977173d1e90cb68">_AI_snort_alert</a>
</li>
<li>n_postconds <li>n_postconds
: <a class="el" href="structAI__hyperalert__info.html#a73322b6cad3e883abed03b62c6c21719">AI_hyperalert_info</a> : <a class="el" href="structAI__hyperalert__info.html#a73322b6cad3e883abed03b62c6c21719">AI_hyperalert_info</a>
</li> </li>
@ -269,6 +282,9 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
<li>preconds <li>preconds
: <a class="el" href="structAI__hyperalert__info.html#a8ac4e028c47a98a8be5afd4363164031">AI_hyperalert_info</a> : <a class="el" href="structAI__hyperalert__info.html#a8ac4e028c47a98a8be5afd4363164031">AI_hyperalert_info</a>
</li> </li>
<li>previous_correlated
: <a class="el" href="struct__AI__snort__alert.html#a55a5488c7ee7706ded4c16b1235fd9c7">_AI_snort_alert</a>
</li>
<li>priority <li>priority
: <a class="el" href="struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9">_AI_snort_alert</a> : <a class="el" href="struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9">_AI_snort_alert</a>
</li> </li>
@ -346,7 +362,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -94,11 +94,20 @@ Here is a list of all functions, variables, defines, enums, and typedefs with li
: <a class="el" href="group__cluster.html#gab4c8ab92691e85a6f0ac4abb122712fd">cluster.c</a> : <a class="el" href="group__cluster.html#gab4c8ab92691e85a6f0ac4abb122712fd">cluster.c</a>
</li> </li>
<li>_AI_correlation_coefficient() <li>_AI_correlation_coefficient()
: <a class="el" href="group__correlation.html#ga130e82017fc0abcb76b1a7740ae2f4df">correlation.c</a> : <a class="el" href="group__correlation.html#ga9cb283b28a66829574add58a251b93c6">correlation.c</a>
</li>
<li>_AI_correlation_table_cleanup()
: <a class="el" href="group__correlation.html#ga9bcb94264ffe30f113f3fb7287b774e3">correlation.c</a>
</li> </li>
<li>_AI_equal_alarms() <li>_AI_equal_alarms()
: <a class="el" href="group__cluster.html#ga0f91c8bfc37a3975f5c26b19fd6c5cba">cluster.c</a> : <a class="el" href="group__cluster.html#ga0f91c8bfc37a3975f5c26b19fd6c5cba">cluster.c</a>
</li> </li>
<li>_AI_get_function_arguments()
: <a class="el" href="group__correlation.html#gab716702cd226ab2ad957234a92da6e4a">correlation.c</a>
</li>
<li>_AI_get_function_name()
: <a class="el" href="group__correlation.html#ga7a1b2d01f526f24ea91d7f08bdefd4fe">correlation.c</a>
</li>
<li>_AI_get_min_hierarchy_node() <li>_AI_get_min_hierarchy_node()
: <a class="el" href="group__cluster.html#ga6ddddcd505b1f763c339e81fc143e079">cluster.c</a> : <a class="el" href="group__cluster.html#ga6ddddcd505b1f763c339e81fc143e079">cluster.c</a>
</li> </li>
@ -106,7 +115,7 @@ Here is a list of all functions, variables, defines, enums, and typedefs with li
: <a class="el" href="group__correlation.html#ga929e5c17fdb247a998d83ed6a4ae5a65">correlation.c</a> : <a class="el" href="group__correlation.html#ga929e5c17fdb247a998d83ed6a4ae5a65">correlation.c</a>
</li> </li>
<li>_AI_macro_subst() <li>_AI_macro_subst()
: <a class="el" href="group__correlation.html#ga0d094eae1d014d89a2de21263fa747da">correlation.c</a> : <a class="el" href="group__correlation.html#ga70a4aaf8b689472dad62ba7a9bbde1a6">correlation.c</a>
</li> </li>
<li>_AI_merge_alerts() <li>_AI_merge_alerts()
: <a class="el" href="group__cluster.html#ga8ce8e5a5d8954672297fa2dedb380dcd">cluster.c</a> : <a class="el" href="group__cluster.html#ga8ce8e5a5d8954672297fa2dedb380dcd">cluster.c</a>
@ -114,6 +123,9 @@ Here is a list of all functions, variables, defines, enums, and typedefs with li
<li>_AI_print_clustered_alerts() <li>_AI_print_clustered_alerts()
: <a class="el" href="group__cluster.html#ga7d151880080470b542e99643dc0426a7">cluster.c</a> : <a class="el" href="group__cluster.html#ga7d151880080470b542e99643dc0426a7">cluster.c</a>
</li> </li>
<li>_AI_print_correlated_alerts()
: <a class="el" href="group__correlation.html#ga4267a39fa1a5ac035015823bca43288e">correlation.c</a>
</li>
<li>_AI_stream_free() <li>_AI_stream_free()
: <a class="el" href="group__stream.html#ga80016adf701c717a6ebfb5b15b8a5749">stream.c</a> : <a class="el" href="group__stream.html#ga80016adf701c717a6ebfb5b15b8a5749">stream.c</a>
</li> </li>
@ -247,9 +259,15 @@ Here is a list of all functions, variables, defines, enums, and typedefs with li
<li>DEFAULT_CLUSTER_LOG_FILE <li>DEFAULT_CLUSTER_LOG_FILE
: <a class="el" href="spp__ai_8h.html#a803dc913297ccdace9e604dbfecda97d">spp_ai.h</a> : <a class="el" href="spp__ai_8h.html#a803dc913297ccdace9e604dbfecda97d">spp_ai.h</a>
</li> </li>
<li>DEFAULT_CORR_ALERTS_DIR
: <a class="el" href="spp__ai_8h.html#a7bbeccba60012abcc98db33d39294829">spp_ai.h</a>
</li>
<li>DEFAULT_CORR_RULES_DIR <li>DEFAULT_CORR_RULES_DIR
: <a class="el" href="spp__ai_8h.html#a89448386cad5d5533992ae7ee84f4f1d">spp_ai.h</a> : <a class="el" href="spp__ai_8h.html#a89448386cad5d5533992ae7ee84f4f1d">spp_ai.h</a>
</li> </li>
<li>DEFAULT_CORR_THRESHOLD
: <a class="el" href="spp__ai_8h.html#aaedb0b7dc2bdf8d44d3fee2189a55a19">spp_ai.h</a>
</li>
<li>DEFAULT_DATABASE_INTERVAL <li>DEFAULT_DATABASE_INTERVAL
: <a class="el" href="spp__ai_8h.html#a3c4984a0ee515fbc091ac6e33b05e310">spp_ai.h</a> : <a class="el" href="spp__ai_8h.html#a3c4984a0ee515fbc091ac6e33b05e310">spp_ai.h</a>
</li> </li>
@ -424,7 +442,7 @@ Here is a list of all functions, variables, defines, enums, and typedefs with li
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -73,9 +73,15 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
<li>DEFAULT_CLUSTER_LOG_FILE <li>DEFAULT_CLUSTER_LOG_FILE
: <a class="el" href="spp__ai_8h.html#a803dc913297ccdace9e604dbfecda97d">spp_ai.h</a> : <a class="el" href="spp__ai_8h.html#a803dc913297ccdace9e604dbfecda97d">spp_ai.h</a>
</li> </li>
<li>DEFAULT_CORR_ALERTS_DIR
: <a class="el" href="spp__ai_8h.html#a7bbeccba60012abcc98db33d39294829">spp_ai.h</a>
</li>
<li>DEFAULT_CORR_RULES_DIR <li>DEFAULT_CORR_RULES_DIR
: <a class="el" href="spp__ai_8h.html#a89448386cad5d5533992ae7ee84f4f1d">spp_ai.h</a> : <a class="el" href="spp__ai_8h.html#a89448386cad5d5533992ae7ee84f4f1d">spp_ai.h</a>
</li> </li>
<li>DEFAULT_CORR_THRESHOLD
: <a class="el" href="spp__ai_8h.html#aaedb0b7dc2bdf8d44d3fee2189a55a19">spp_ai.h</a>
</li>
<li>DEFAULT_DATABASE_INTERVAL <li>DEFAULT_DATABASE_INTERVAL
: <a class="el" href="spp__ai_8h.html#a3c4984a0ee515fbc091ac6e33b05e310">spp_ai.h</a> : <a class="el" href="spp__ai_8h.html#a3c4984a0ee515fbc091ac6e33b05e310">spp_ai.h</a>
</li> </li>
@ -116,7 +122,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -80,7 +80,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -113,7 +113,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -81,11 +81,20 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
: <a class="el" href="group__cluster.html#gab4c8ab92691e85a6f0ac4abb122712fd">cluster.c</a> : <a class="el" href="group__cluster.html#gab4c8ab92691e85a6f0ac4abb122712fd">cluster.c</a>
</li> </li>
<li>_AI_correlation_coefficient() <li>_AI_correlation_coefficient()
: <a class="el" href="group__correlation.html#ga130e82017fc0abcb76b1a7740ae2f4df">correlation.c</a> : <a class="el" href="group__correlation.html#ga9cb283b28a66829574add58a251b93c6">correlation.c</a>
</li>
<li>_AI_correlation_table_cleanup()
: <a class="el" href="group__correlation.html#ga9bcb94264ffe30f113f3fb7287b774e3">correlation.c</a>
</li> </li>
<li>_AI_equal_alarms() <li>_AI_equal_alarms()
: <a class="el" href="group__cluster.html#ga0f91c8bfc37a3975f5c26b19fd6c5cba">cluster.c</a> : <a class="el" href="group__cluster.html#ga0f91c8bfc37a3975f5c26b19fd6c5cba">cluster.c</a>
</li> </li>
<li>_AI_get_function_arguments()
: <a class="el" href="group__correlation.html#gab716702cd226ab2ad957234a92da6e4a">correlation.c</a>
</li>
<li>_AI_get_function_name()
: <a class="el" href="group__correlation.html#ga7a1b2d01f526f24ea91d7f08bdefd4fe">correlation.c</a>
</li>
<li>_AI_get_min_hierarchy_node() <li>_AI_get_min_hierarchy_node()
: <a class="el" href="group__cluster.html#ga6ddddcd505b1f763c339e81fc143e079">cluster.c</a> : <a class="el" href="group__cluster.html#ga6ddddcd505b1f763c339e81fc143e079">cluster.c</a>
</li> </li>
@ -93,7 +102,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
: <a class="el" href="group__correlation.html#ga929e5c17fdb247a998d83ed6a4ae5a65">correlation.c</a> : <a class="el" href="group__correlation.html#ga929e5c17fdb247a998d83ed6a4ae5a65">correlation.c</a>
</li> </li>
<li>_AI_macro_subst() <li>_AI_macro_subst()
: <a class="el" href="group__correlation.html#ga0d094eae1d014d89a2de21263fa747da">correlation.c</a> : <a class="el" href="group__correlation.html#ga70a4aaf8b689472dad62ba7a9bbde1a6">correlation.c</a>
</li> </li>
<li>_AI_merge_alerts() <li>_AI_merge_alerts()
: <a class="el" href="group__cluster.html#ga8ce8e5a5d8954672297fa2dedb380dcd">cluster.c</a> : <a class="el" href="group__cluster.html#ga8ce8e5a5d8954672297fa2dedb380dcd">cluster.c</a>
@ -101,6 +110,9 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
<li>_AI_print_clustered_alerts() <li>_AI_print_clustered_alerts()
: <a class="el" href="group__cluster.html#ga7d151880080470b542e99643dc0426a7">cluster.c</a> : <a class="el" href="group__cluster.html#ga7d151880080470b542e99643dc0426a7">cluster.c</a>
</li> </li>
<li>_AI_print_correlated_alerts()
: <a class="el" href="group__correlation.html#ga4267a39fa1a5ac035015823bca43288e">correlation.c</a>
</li>
<li>_AI_stream_free() <li>_AI_stream_free()
: <a class="el" href="group__stream.html#ga80016adf701c717a6ebfb5b15b8a5749">stream.c</a> : <a class="el" href="group__stream.html#ga80016adf701c717a6ebfb5b15b8a5749">stream.c</a>
</li> </li>
@ -206,7 +218,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -89,7 +89,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -125,7 +125,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -174,7 +174,7 @@ Functions</h2></td></tr>
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -541,7 +541,7 @@ Variables</h2></td></tr>
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -52,6 +52,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
<table class="memberdecls"> <table class="memberdecls">
<tr><td colspan="2"><h2><a name="nested-classes"></a> <tr><td colspan="2"><h2><a name="nested-classes"></a>
Data Structures</h2></td></tr> Data Structures</h2></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">struct &nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__alert__correlation__key.html">AI_alert_correlation_key</a></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">struct &nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__alert__correlation.html">AI_alert_correlation</a></td></tr> <tr><td class="memItemLeft" align="right" valign="top">struct &nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__alert__correlation.html">AI_alert_correlation</a></td></tr>
<tr><td colspan="2"><h2><a name="enum-members"></a> <tr><td colspan="2"><h2><a name="enum-members"></a>
Enumerations</h2></td></tr> Enumerations</h2></td></tr>
@ -66,10 +67,18 @@ Enumerations</h2></td></tr>
}</td></tr> }</td></tr>
<tr><td colspan="2"><h2><a name="func-members"></a> <tr><td colspan="2"><h2><a name="func-members"></a>
Functions</h2></td></tr> Functions</h2></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">double&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga130e82017fc0abcb76b1a7740ae2f4df">_AI_correlation_coefficient</a> (<a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *a, <a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *b)</td></tr> <tr><td class="memItemLeft" align="right" valign="top">PRIVATE void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga9bcb94264ffe30f113f3fb7287b774e3">_AI_correlation_table_cleanup</a> ()</td></tr>
<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A) / UNION(pre(B), post(A)). <a href="#ga130e82017fc0abcb76b1a7740ae2f4df"></a><br/></td></tr> <tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Clean up the correlation hash table. <a href="#ga9bcb94264ffe30f113f3fb7287b774e3"></a><br/></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga0d094eae1d014d89a2de21263fa747da">_AI_macro_subst</a> (<a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> **alert)</td></tr> <tr><td class="memItemLeft" align="right" valign="top">PRIVATE void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga4267a39fa1a5ac035015823bca43288e">_AI_print_correlated_alerts</a> (<a class="el" href="structAI__alert__correlation.html">AI_alert_correlation</a> *corr, FILE *fp)</td></tr>
<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Substitute the macros in hyperalert pre-conditions and post-conditions with their associated values. <a href="#ga0d094eae1d014d89a2de21263fa747da"></a><br/></td></tr> <tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Recursively write a flow of correlated alerts to a .dot file, ready for being rendered as graph. <a href="#ga4267a39fa1a5ac035015823bca43288e"></a><br/></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">PRIVATE char *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga7a1b2d01f526f24ea91d7f08bdefd4fe">_AI_get_function_name</a> (const char *orig_stmt)</td></tr>
<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Get the name of the function called by a pre-condition or post-condition predicate. <a href="#ga7a1b2d01f526f24ea91d7f08bdefd4fe"></a><br/></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">PRIVATE char **&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#gab716702cd226ab2ad957234a92da6e4a">_AI_get_function_arguments</a> (char *orig_stmt, int *n_args)</td></tr>
<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Get the arguments passed to a function predicate in a pre-condition or post-condition (comma-separated values). <a href="#gab716702cd226ab2ad957234a92da6e4a"></a><br/></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">PRIVATE double&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga9cb283b28a66829574add58a251b93c6">_AI_correlation_coefficient</a> (<a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *a, <a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *b)</td></tr>
<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A) / UNION(pre(B), post(A)). <a href="#ga9cb283b28a66829574add58a251b93c6"></a><br/></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">PRIVATE void&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga70a4aaf8b689472dad62ba7a9bbde1a6">_AI_macro_subst</a> (<a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> **alert)</td></tr>
<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Substitute the macros in hyperalert pre-conditions and post-conditions with their associated values. <a href="#ga70a4aaf8b689472dad62ba7a9bbde1a6"></a><br/></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">PRIVATE <a class="el" href="structAI__hyperalert__info.html">AI_hyperalert_info</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga929e5c17fdb247a998d83ed6a4ae5a65">_AI_hyperalert_from_XML</a> (<a class="el" href="structAI__hyperalert__key.html">AI_hyperalert_key</a> key)</td></tr> <tr><td class="memItemLeft" align="right" valign="top">PRIVATE <a class="el" href="structAI__hyperalert__info.html">AI_hyperalert_info</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga929e5c17fdb247a998d83ed6a4ae5a65">_AI_hyperalert_from_XML</a> (<a class="el" href="structAI__hyperalert__key.html">AI_hyperalert_key</a> key)</td></tr>
<tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Parse info about a hyperalert from a correlation XML file, if it exists. <a href="#ga929e5c17fdb247a998d83ed6a4ae5a65"></a><br/></td></tr> <tr><td class="mdescLeft">&nbsp;</td><td class="mdescRight">Parse info about a hyperalert from a correlation XML file, if it exists. <a href="#ga929e5c17fdb247a998d83ed6a4ae5a65"></a><br/></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">void *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga939353a4e15de7a8f4145ab986f584be">AI_alert_correlation_thread</a> (void *arg)</td></tr> <tr><td class="memItemLeft" align="right" valign="top">void *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__correlation.html#ga939353a4e15de7a8f4145ab986f584be">AI_alert_correlation_thread</a> (void *arg)</td></tr>
@ -112,12 +121,12 @@ Variables</h2></td></tr>
</div> </div>
</div> </div>
<hr/><h2>Function Documentation</h2> <hr/><h2>Function Documentation</h2>
<a class="anchor" id="ga130e82017fc0abcb76b1a7740ae2f4df"></a><!-- doxytag: member="correlation.c::_AI_correlation_coefficient" ref="ga130e82017fc0abcb76b1a7740ae2f4df" args="(AI_snort_alert *a, AI_snort_alert *b)" --> <a class="anchor" id="ga9cb283b28a66829574add58a251b93c6"></a><!-- doxytag: member="correlation.c::_AI_correlation_coefficient" ref="ga9cb283b28a66829574add58a251b93c6" args="(AI_snort_alert *a, AI_snort_alert *b)" -->
<div class="memitem"> <div class="memitem">
<div class="memproto"> <div class="memproto">
<table class="memname"> <table class="memname">
<tr> <tr>
<td class="memname">double _AI_correlation_coefficient </td> <td class="memname">PRIVATE double _AI_correlation_coefficient </td>
<td>(</td> <td>(</td>
<td class="paramtype"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *&nbsp;</td> <td class="paramtype"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *&nbsp;</td>
<td class="paramname"> <em>a</em>, </td> <td class="paramname"> <em>a</em>, </td>
@ -147,6 +156,90 @@ Variables</h2></td></tr>
</dl> </dl>
<dl class="return"><dt><b>Returns:</b></dt><dd>The correlation coefficient between A and B as coefficient in [0,1] </dd></dl> <dl class="return"><dt><b>Returns:</b></dt><dd>The correlation coefficient between A and B as coefficient in [0,1] </dd></dl>
</div>
</div>
<a class="anchor" id="ga9bcb94264ffe30f113f3fb7287b774e3"></a><!-- doxytag: member="correlation.c::_AI_correlation_table_cleanup" ref="ga9bcb94264ffe30f113f3fb7287b774e3" args="()" -->
<div class="memitem">
<div class="memproto">
<table class="memname">
<tr>
<td class="memname">PRIVATE void _AI_correlation_table_cleanup </td>
<td>(</td>
<td class="paramname"></td>
<td>&nbsp;)&nbsp;</td>
<td></td>
</tr>
</table>
</div>
<div class="memdoc">
<p>Clean up the correlation hash table. </p>
</div>
</div>
<a class="anchor" id="gab716702cd226ab2ad957234a92da6e4a"></a><!-- doxytag: member="correlation.c::_AI_get_function_arguments" ref="gab716702cd226ab2ad957234a92da6e4a" args="(char *orig_stmt, int *n_args)" -->
<div class="memitem">
<div class="memproto">
<table class="memname">
<tr>
<td class="memname">PRIVATE char** _AI_get_function_arguments </td>
<td>(</td>
<td class="paramtype">char *&nbsp;</td>
<td class="paramname"> <em>orig_stmt</em>, </td>
</tr>
<tr>
<td class="paramkey"></td>
<td></td>
<td class="paramtype">int *&nbsp;</td>
<td class="paramname"> <em>n_args</em></td><td>&nbsp;</td>
</tr>
<tr>
<td></td>
<td>)</td>
<td></td><td></td><td></td>
</tr>
</table>
</div>
<div class="memdoc">
<p>Get the arguments passed to a function predicate in a pre-condition or post-condition (comma-separated values). </p>
<p>FUNCTION: _AI_get_function_arguments </p>
<dl><dt><b>Parameters:</b></dt><dd>
<table border="0" cellspacing="2" cellpadding="0">
<tr><td valign="top"></td><td valign="top"><em>origstmt</em>&nbsp;</td><td>Statement representing a pre-condition or post-condition </td></tr>
<tr><td valign="top"></td><td valign="top"><em>n_args</em>&nbsp;</td><td>Reference to an integer that will contain the number of arguments read </td></tr>
</table>
</dd>
</dl>
<dl class="return"><dt><b>Returns:</b></dt><dd>An array of strings containing the arguments of the function </dd></dl>
</div>
</div>
<a class="anchor" id="ga7a1b2d01f526f24ea91d7f08bdefd4fe"></a><!-- doxytag: member="correlation.c::_AI_get_function_name" ref="ga7a1b2d01f526f24ea91d7f08bdefd4fe" args="(const char *orig_stmt)" -->
<div class="memitem">
<div class="memproto">
<table class="memname">
<tr>
<td class="memname">PRIVATE char* _AI_get_function_name </td>
<td>(</td>
<td class="paramtype">const char *&nbsp;</td>
<td class="paramname"> <em>orig_stmt</em></td>
<td>&nbsp;)&nbsp;</td>
<td></td>
</tr>
</table>
</div>
<div class="memdoc">
<p>Get the name of the function called by a pre-condition or post-condition predicate. </p>
<dl><dt><b>Parameters:</b></dt><dd>
<table border="0" cellspacing="2" cellpadding="0">
<tr><td valign="top"></td><td valign="top"><em>orig_stmt</em>&nbsp;</td><td>Statement representing a pre-condition or post-condition </td></tr>
</table>
</dd>
</dl>
<dl class="return"><dt><b>Returns:</b></dt><dd>The name of the function called by that statement </dd></dl>
</div> </div>
</div> </div>
<a class="anchor" id="ga929e5c17fdb247a998d83ed6a4ae5a65"></a><!-- doxytag: member="correlation.c::_AI_hyperalert_from_XML" ref="ga929e5c17fdb247a998d83ed6a4ae5a65" args="(AI_hyperalert_key key)" --> <a class="anchor" id="ga929e5c17fdb247a998d83ed6a4ae5a65"></a><!-- doxytag: member="correlation.c::_AI_hyperalert_from_XML" ref="ga929e5c17fdb247a998d83ed6a4ae5a65" args="(AI_hyperalert_key key)" -->
@ -176,12 +269,12 @@ Variables</h2></td></tr>
</div> </div>
</div> </div>
<a class="anchor" id="ga0d094eae1d014d89a2de21263fa747da"></a><!-- doxytag: member="correlation.c::_AI_macro_subst" ref="ga0d094eae1d014d89a2de21263fa747da" args="(AI_snort_alert **alert)" --> <a class="anchor" id="ga70a4aaf8b689472dad62ba7a9bbde1a6"></a><!-- doxytag: member="correlation.c::_AI_macro_subst" ref="ga70a4aaf8b689472dad62ba7a9bbde1a6" args="(AI_snort_alert **alert)" -->
<div class="memitem"> <div class="memitem">
<div class="memproto"> <div class="memproto">
<table class="memname"> <table class="memname">
<tr> <tr>
<td class="memname">void _AI_macro_subst </td> <td class="memname">PRIVATE void _AI_macro_subst </td>
<td>(</td> <td>(</td>
<td class="paramtype"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> **&nbsp;</td> <td class="paramtype"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> **&nbsp;</td>
<td class="paramname"> <em>alert</em></td> <td class="paramname"> <em>alert</em></td>
@ -200,6 +293,42 @@ Variables</h2></td></tr>
</dd> </dd>
</dl> </dl>
</div>
</div>
<a class="anchor" id="ga4267a39fa1a5ac035015823bca43288e"></a><!-- doxytag: member="correlation.c::_AI_print_correlated_alerts" ref="ga4267a39fa1a5ac035015823bca43288e" args="(AI_alert_correlation *corr, FILE *fp)" -->
<div class="memitem">
<div class="memproto">
<table class="memname">
<tr>
<td class="memname">PRIVATE void _AI_print_correlated_alerts </td>
<td>(</td>
<td class="paramtype"><a class="el" href="structAI__alert__correlation.html">AI_alert_correlation</a> *&nbsp;</td>
<td class="paramname"> <em>corr</em>, </td>
</tr>
<tr>
<td class="paramkey"></td>
<td></td>
<td class="paramtype">FILE *&nbsp;</td>
<td class="paramname"> <em>fp</em></td><td>&nbsp;</td>
</tr>
<tr>
<td></td>
<td>)</td>
<td></td><td></td><td></td>
</tr>
</table>
</div>
<div class="memdoc">
<p>Recursively write a flow of correlated alerts to a .dot file, ready for being rendered as graph. </p>
<dl><dt><b>Parameters:</b></dt><dd>
<table border="0" cellspacing="2" cellpadding="0">
<tr><td valign="top"></td><td valign="top"><em>corr_alerts</em>&nbsp;</td><td>Correlated alerts </td></tr>
<tr><td valign="top"></td><td valign="top"><em>fp</em>&nbsp;</td><td>File pointer </td></tr>
</table>
</dd>
</dl>
</div> </div>
</div> </div>
<a class="anchor" id="ga939353a4e15de7a8f4145ab986f584be"></a><!-- doxytag: member="correlation.c::AI_alert_correlation_thread" ref="ga939353a4e15de7a8f4145ab986f584be" args="(void *arg)" --> <a class="anchor" id="ga939353a4e15de7a8f4145ab986f584be"></a><!-- doxytag: member="correlation.c::AI_alert_correlation_thread" ref="ga939353a4e15de7a8f4145ab986f584be" args="(void *arg)" -->
@ -309,7 +438,7 @@ Variables</h2></td></tr>
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -211,7 +211,7 @@ Functions</h2></td></tr>
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -215,7 +215,7 @@ Variables</h2></td></tr>
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -207,7 +207,7 @@ Functions</h2></td></tr>
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -59,7 +59,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -67,7 +67,7 @@ Here is a list of all modules:<ul>
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -68,7 +68,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -82,7 +82,7 @@ Functions</h2></td></tr>
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -33,89 +33,113 @@
</div> </div>
<div class="SRResult" id="SR__5fai_5fcorrelation_5fcoefficient"> <div class="SRResult" id="SR__5fai_5fcorrelation_5fcoefficient">
<div class="SREntry"> <div class="SREntry">
<a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../group__correlation.html#ga130e82017fc0abcb76b1a7740ae2f4df" target="_parent">_AI_correlation_coefficient</a> <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../group__correlation.html#ga9cb283b28a66829574add58a251b93c6" target="_parent">_AI_correlation_coefficient</a>
<span class="SRScope">correlation.c</span>
</div>
</div>
<div class="SRResult" id="SR__5fai_5fcorrelation_5ftable_5fcleanup">
<div class="SREntry">
<a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../group__correlation.html#ga9bcb94264ffe30f113f3fb7287b774e3" target="_parent">_AI_correlation_table_cleanup</a>
<span class="SRScope">correlation.c</span> <span class="SRScope">correlation.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR__5fai_5fequal_5falarms"> <div class="SRResult" id="SR__5fai_5fequal_5falarms">
<div class="SREntry"> <div class="SREntry">
<a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../group__cluster.html#ga0f91c8bfc37a3975f5c26b19fd6c5cba" target="_parent">_AI_equal_alarms</a> <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../group__cluster.html#ga0f91c8bfc37a3975f5c26b19fd6c5cba" target="_parent">_AI_equal_alarms</a>
<span class="SRScope">cluster.c</span> <span class="SRScope">cluster.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR__5fai_5fget_5ffunction_5farguments">
<div class="SREntry">
<a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../group__correlation.html#gab716702cd226ab2ad957234a92da6e4a" target="_parent">_AI_get_function_arguments</a>
<span class="SRScope">correlation.c</span>
</div>
</div>
<div class="SRResult" id="SR__5fai_5fget_5ffunction_5fname">
<div class="SREntry">
<a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../group__correlation.html#ga7a1b2d01f526f24ea91d7f08bdefd4fe" target="_parent">_AI_get_function_name</a>
<span class="SRScope">correlation.c</span>
</div>
</div>
<div class="SRResult" id="SR__5fai_5fget_5fmin_5fhierarchy_5fnode"> <div class="SRResult" id="SR__5fai_5fget_5fmin_5fhierarchy_5fnode">
<div class="SREntry"> <div class="SREntry">
<a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../group__cluster.html#ga6ddddcd505b1f763c339e81fc143e079" target="_parent">_AI_get_min_hierarchy_node</a> <a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="../group__cluster.html#ga6ddddcd505b1f763c339e81fc143e079" target="_parent">_AI_get_min_hierarchy_node</a>
<span class="SRScope">cluster.c</span> <span class="SRScope">cluster.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR__5fai_5fhyperalert_5ffrom_5fxml"> <div class="SRResult" id="SR__5fai_5fhyperalert_5ffrom_5fxml">
<div class="SREntry"> <div class="SREntry">
<a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../group__correlation.html#ga929e5c17fdb247a998d83ed6a4ae5a65" target="_parent">_AI_hyperalert_from_XML</a> <a id="Item10" onkeydown="return searchResults.Nav(event,10)" onkeypress="return searchResults.Nav(event,10)" onkeyup="return searchResults.Nav(event,10)" class="SRSymbol" href="../group__correlation.html#ga929e5c17fdb247a998d83ed6a4ae5a65" target="_parent">_AI_hyperalert_from_XML</a>
<span class="SRScope">correlation.c</span> <span class="SRScope">correlation.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR__5fai_5fmacro_5fsubst"> <div class="SRResult" id="SR__5fai_5fmacro_5fsubst">
<div class="SREntry"> <div class="SREntry">
<a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../group__correlation.html#ga0d094eae1d014d89a2de21263fa747da" target="_parent">_AI_macro_subst</a> <a id="Item11" onkeydown="return searchResults.Nav(event,11)" onkeypress="return searchResults.Nav(event,11)" onkeyup="return searchResults.Nav(event,11)" class="SRSymbol" href="../group__correlation.html#ga70a4aaf8b689472dad62ba7a9bbde1a6" target="_parent">_AI_macro_subst</a>
<span class="SRScope">correlation.c</span> <span class="SRScope">correlation.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR__5fai_5fmerge_5falerts"> <div class="SRResult" id="SR__5fai_5fmerge_5falerts">
<div class="SREntry"> <div class="SREntry">
<a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="../group__cluster.html#ga8ce8e5a5d8954672297fa2dedb380dcd" target="_parent">_AI_merge_alerts</a> <a id="Item12" onkeydown="return searchResults.Nav(event,12)" onkeypress="return searchResults.Nav(event,12)" onkeyup="return searchResults.Nav(event,12)" class="SRSymbol" href="../group__cluster.html#ga8ce8e5a5d8954672297fa2dedb380dcd" target="_parent">_AI_merge_alerts</a>
<span class="SRScope">cluster.c</span> <span class="SRScope">cluster.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR__5fai_5fprint_5fclustered_5falerts"> <div class="SRResult" id="SR__5fai_5fprint_5fclustered_5falerts">
<div class="SREntry"> <div class="SREntry">
<a id="Item10" onkeydown="return searchResults.Nav(event,10)" onkeypress="return searchResults.Nav(event,10)" onkeyup="return searchResults.Nav(event,10)" class="SRSymbol" href="../group__cluster.html#ga7d151880080470b542e99643dc0426a7" target="_parent">_AI_print_clustered_alerts</a> <a id="Item13" onkeydown="return searchResults.Nav(event,13)" onkeypress="return searchResults.Nav(event,13)" onkeyup="return searchResults.Nav(event,13)" class="SRSymbol" href="../group__cluster.html#ga7d151880080470b542e99643dc0426a7" target="_parent">_AI_print_clustered_alerts</a>
<span class="SRScope">cluster.c</span> <span class="SRScope">cluster.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR__5fai_5fprint_5fcorrelated_5falerts">
<div class="SREntry">
<a id="Item14" onkeydown="return searchResults.Nav(event,14)" onkeypress="return searchResults.Nav(event,14)" onkeyup="return searchResults.Nav(event,14)" class="SRSymbol" href="../group__correlation.html#ga4267a39fa1a5ac035015823bca43288e" target="_parent">_AI_print_correlated_alerts</a>
<span class="SRScope">correlation.c</span>
</div>
</div>
<div class="SRResult" id="SR__5fai_5fsnort_5falert"> <div class="SRResult" id="SR__5fai_5fsnort_5falert">
<div class="SREntry"> <div class="SREntry">
<a id="Item11" onkeydown="return searchResults.Nav(event,11)" onkeypress="return searchResults.Nav(event,11)" onkeyup="return searchResults.Nav(event,11)" class="SRSymbol" href="../struct__AI__snort__alert.html" target="_parent">_AI_snort_alert</a> <a id="Item15" onkeydown="return searchResults.Nav(event,15)" onkeypress="return searchResults.Nav(event,15)" onkeyup="return searchResults.Nav(event,15)" class="SRSymbol" href="../struct__AI__snort__alert.html" target="_parent">_AI_snort_alert</a>
</div> </div>
</div> </div>
<div class="SRResult" id="SR__5fai_5fstream_5ffree"> <div class="SRResult" id="SR__5fai_5fstream_5ffree">
<div class="SREntry"> <div class="SREntry">
<a id="Item12" onkeydown="return searchResults.Nav(event,12)" onkeypress="return searchResults.Nav(event,12)" onkeyup="return searchResults.Nav(event,12)" class="SRSymbol" href="../group__stream.html#ga80016adf701c717a6ebfb5b15b8a5749" target="_parent">_AI_stream_free</a> <a id="Item16" onkeydown="return searchResults.Nav(event,16)" onkeypress="return searchResults.Nav(event,16)" onkeyup="return searchResults.Nav(event,16)" class="SRSymbol" href="../group__stream.html#ga80016adf701c717a6ebfb5b15b8a5749" target="_parent">_AI_stream_free</a>
<span class="SRScope">stream.c</span> <span class="SRScope">stream.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR__5fconfig"> <div class="SRResult" id="SR__5fconfig">
<div class="SREntry"> <div class="SREntry">
<a id="Item13" onkeydown="return searchResults.Nav(event,13)" onkeypress="return searchResults.Nav(event,13)" onkeyup="return searchResults.Nav(event,13)" class="SRSymbol" href="../group__cluster.html#ga91458e2d34595688e39fcb63ba418849" target="_parent">_config</a> <a id="Item17" onkeydown="return searchResults.Nav(event,17)" onkeypress="return searchResults.Nav(event,17)" onkeyup="return searchResults.Nav(event,17)" class="SRSymbol" href="../group__cluster.html#ga91458e2d34595688e39fcb63ba418849" target="_parent">_config</a>
<span class="SRScope">cluster.c</span> <span class="SRScope">cluster.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR__5fdpd"> <div class="SRResult" id="SR__5fdpd">
<div class="SREntry"> <div class="SREntry">
<a id="Item14" onkeydown="return searchResults.Nav(event,14)" onkeypress="return searchResults.Nav(event,14)" onkeyup="return searchResults.Nav(event,14)" class="SRSymbol" href="../spp__ai_8h.html#ab46420126c43c1aac5eabc5db266a71c" target="_parent">_dpd</a> <a id="Item18" onkeydown="return searchResults.Nav(event,18)" onkeypress="return searchResults.Nav(event,18)" onkeyup="return searchResults.Nav(event,18)" class="SRSymbol" href="../spp__ai_8h.html#ab46420126c43c1aac5eabc5db266a71c" target="_parent">_dpd</a>
<span class="SRScope">spp_ai.h</span> <span class="SRScope">spp_ai.h</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR__5fheuristic_5ffunc"> <div class="SRResult" id="SR__5fheuristic_5ffunc">
<div class="SREntry"> <div class="SREntry">
<a id="Item15" onkeydown="return searchResults.Nav(event,15)" onkeypress="return searchResults.Nav(event,15)" onkeyup="return searchResults.Nav(event,15)" class="SRSymbol" href="../group__cluster.html#ga81f5fa721719fdb281595a568eef2101" target="_parent">_heuristic_func</a> <a id="Item19" onkeydown="return searchResults.Nav(event,19)" onkeypress="return searchResults.Nav(event,19)" onkeyup="return searchResults.Nav(event,19)" class="SRSymbol" href="../group__cluster.html#ga81f5fa721719fdb281595a568eef2101" target="_parent">_heuristic_func</a>
<span class="SRScope">cluster.c</span> <span class="SRScope">cluster.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR__5fhierarchy_5fnode"> <div class="SRResult" id="SR__5fhierarchy_5fnode">
<div class="SREntry"> <div class="SREntry">
<a id="Item16" onkeydown="return searchResults.Nav(event,16)" onkeypress="return searchResults.Nav(event,16)" onkeyup="return searchResults.Nav(event,16)" class="SRSymbol" href="../struct__hierarchy__node.html" target="_parent">_hierarchy_node</a> <a id="Item20" onkeydown="return searchResults.Nav(event,20)" onkeypress="return searchResults.Nav(event,20)" onkeyup="return searchResults.Nav(event,20)" class="SRSymbol" href="../struct__hierarchy__node.html" target="_parent">_hierarchy_node</a>
</div> </div>
</div> </div>
<div class="SRResult" id="SR__5fhierarchy_5fnode_5fappend"> <div class="SRResult" id="SR__5fhierarchy_5fnode_5fappend">
<div class="SREntry"> <div class="SREntry">
<a id="Item17" onkeydown="return searchResults.Nav(event,17)" onkeypress="return searchResults.Nav(event,17)" onkeyup="return searchResults.Nav(event,17)" class="SRSymbol" href="../group__cluster.html#ga5601a1f603d9c870ef6e2df192e30c30" target="_parent">_hierarchy_node_append</a> <a id="Item21" onkeydown="return searchResults.Nav(event,21)" onkeypress="return searchResults.Nav(event,21)" onkeyup="return searchResults.Nav(event,21)" class="SRSymbol" href="../group__cluster.html#ga5601a1f603d9c870ef6e2df192e30c30" target="_parent">_hierarchy_node_append</a>
<span class="SRScope">cluster.c</span> <span class="SRScope">cluster.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR__5fhierarchy_5fnode_5fnew"> <div class="SRResult" id="SR__5fhierarchy_5fnode_5fnew">
<div class="SREntry"> <div class="SREntry">
<a id="Item18" onkeydown="return searchResults.Nav(event,18)" onkeypress="return searchResults.Nav(event,18)" onkeyup="return searchResults.Nav(event,18)" class="SRSymbol" href="../group__cluster.html#ga2f1a22cfea64e4669da0467620c3e3b3" target="_parent">_hierarchy_node_new</a> <a id="Item22" onkeydown="return searchResults.Nav(event,22)" onkeypress="return searchResults.Nav(event,22)" onkeyup="return searchResults.Nav(event,22)" class="SRSymbol" href="../group__cluster.html#ga2f1a22cfea64e4669da0467620c3e3b3" target="_parent">_hierarchy_node_new</a>
<span class="SRScope">cluster.c</span> <span class="SRScope">cluster.c</span>
</div> </div>
</div> </div>


@ -9,8 +9,8 @@
<div class="SRStatus" id="Loading">Loading...</div> <div class="SRStatus" id="Loading">Loading...</div>
<div class="SRResult" id="SR_a"> <div class="SRResult" id="SR_a">
<div class="SREntry"> <div class="SREntry">
<a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structAI__alert__correlation.html#a8737f171e1c1b2305c8fe77101d6aeb7" target="_parent">a</a> <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structAI__alert__correlation__key.html#a774daec9332da25835a0904d853acadb" target="_parent">a</a>
<span class="SRScope">AI_alert_correlation</span> <span class="SRScope">AI_alert_correlation_key</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_ai_5falert_5fcorrelation"> <div class="SRResult" id="SR_ai_5falert_5fcorrelation">
@ -18,196 +18,201 @@
<a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../structAI__alert__correlation.html" target="_parent">AI_alert_correlation</a> <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../structAI__alert__correlation.html" target="_parent">AI_alert_correlation</a>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_ai_5falert_5fcorrelation_5fkey">
<div class="SREntry">
<a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../structAI__alert__correlation__key.html" target="_parent">AI_alert_correlation_key</a>
</div>
</div>
<div class="SRResult" id="SR_ai_5falert_5fcorrelation_5fthread"> <div class="SRResult" id="SR_ai_5falert_5fcorrelation_5fthread">
<div class="SREntry"> <div class="SREntry">
<a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5falert_5fcorrelation_5fthread')">AI_alert_correlation_thread</a> <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5falert_5fcorrelation_5fthread')">AI_alert_correlation_thread</a>
<div class="SRChildren"> <div class="SRChildren">
<a id="Item2_c0" onkeydown="return searchResults.NavChild(event,2,0)" onkeypress="return searchResults.NavChild(event,2,0)" onkeyup="return searchResults.NavChild(event,2,0)" class="SRScope" href="../group__correlation.html#ga939353a4e15de7a8f4145ab986f584be" target="_parent">AI_alert_correlation_thread(void *arg):&nbsp;correlation.c</a> <a id="Item3_c0" onkeydown="return searchResults.NavChild(event,3,0)" onkeypress="return searchResults.NavChild(event,3,0)" onkeyup="return searchResults.NavChild(event,3,0)" class="SRScope" href="../group__correlation.html#ga939353a4e15de7a8f4145ab986f584be" target="_parent">AI_alert_correlation_thread(void *arg):&nbsp;correlation.c</a>
<a id="Item2_c1" onkeydown="return searchResults.NavChild(event,2,1)" onkeypress="return searchResults.NavChild(event,2,1)" onkeyup="return searchResults.NavChild(event,2,1)" class="SRScope" href="../group__correlation.html#ga939353a4e15de7a8f4145ab986f584be" target="_parent">AI_alert_correlation_thread(void *):&nbsp;correlation.c</a> <a id="Item3_c1" onkeydown="return searchResults.NavChild(event,3,1)" onkeypress="return searchResults.NavChild(event,3,1)" onkeyup="return searchResults.NavChild(event,3,1)" class="SRScope" href="../group__correlation.html#ga939353a4e15de7a8f4145ab986f584be" target="_parent">AI_alert_correlation_thread(void *):&nbsp;correlation.c</a>
</div> </div>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_ai_5fconfig"> <div class="SRResult" id="SR_ai_5fconfig">
<div class="SREntry"> <div class="SREntry">
<a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../structAI__config.html" target="_parent">AI_config</a> <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../structAI__config.html" target="_parent">AI_config</a>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_ai_5ffile_5falertparser_5fthread"> <div class="SRResult" id="SR_ai_5ffile_5falertparser_5fthread">
<div class="SREntry"> <div class="SREntry">
<a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5ffile_5falertparser_5fthread')">AI_file_alertparser_thread</a> <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5ffile_5falertparser_5fthread')">AI_file_alertparser_thread</a>
<div class="SRChildren"> <div class="SRChildren">
<a id="Item4_c0" onkeydown="return searchResults.NavChild(event,4,0)" onkeypress="return searchResults.NavChild(event,4,0)" onkeyup="return searchResults.NavChild(event,4,0)" class="SRScope" href="../group__alert__parser.html#ga5aab8d9bdf0e92a51731442fd787f61f" target="_parent">AI_file_alertparser_thread(void *arg):&nbsp;alert_parser.c</a> <a id="Item5_c0" onkeydown="return searchResults.NavChild(event,5,0)" onkeypress="return searchResults.NavChild(event,5,0)" onkeyup="return searchResults.NavChild(event,5,0)" class="SRScope" href="../group__alert__parser.html#ga5aab8d9bdf0e92a51731442fd787f61f" target="_parent">AI_file_alertparser_thread(void *arg):&nbsp;alert_parser.c</a>
<a id="Item4_c1" onkeydown="return searchResults.NavChild(event,4,1)" onkeypress="return searchResults.NavChild(event,4,1)" onkeyup="return searchResults.NavChild(event,4,1)" class="SRScope" href="../group__alert__parser.html#ga5aab8d9bdf0e92a51731442fd787f61f" target="_parent">AI_file_alertparser_thread(void *):&nbsp;alert_parser.c</a> <a id="Item5_c1" onkeydown="return searchResults.NavChild(event,5,1)" onkeypress="return searchResults.NavChild(event,5,1)" onkeyup="return searchResults.NavChild(event,5,1)" class="SRScope" href="../group__alert__parser.html#ga5aab8d9bdf0e92a51731442fd787f61f" target="_parent">AI_file_alertparser_thread(void *):&nbsp;alert_parser.c</a>
</div> </div>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_ai_5ffree_5falerts"> <div class="SRResult" id="SR_ai_5ffree_5falerts">
<div class="SREntry"> <div class="SREntry">
<a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5ffree_5falerts')">AI_free_alerts</a> <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5ffree_5falerts')">AI_free_alerts</a>
<div class="SRChildren"> <div class="SRChildren">
<a id="Item5_c0" onkeydown="return searchResults.NavChild(event,5,0)" onkeypress="return searchResults.NavChild(event,5,0)" onkeyup="return searchResults.NavChild(event,5,0)" class="SRScope" href="../group__alert__parser.html#ga270e86669a0aa64a8da37bc16cda645b" target="_parent">AI_free_alerts(AI_snort_alert *node):&nbsp;alert_parser.c</a> <a id="Item6_c0" onkeydown="return searchResults.NavChild(event,6,0)" onkeypress="return searchResults.NavChild(event,6,0)" onkeyup="return searchResults.NavChild(event,6,0)" class="SRScope" href="../group__alert__parser.html#ga270e86669a0aa64a8da37bc16cda645b" target="_parent">AI_free_alerts(AI_snort_alert *node):&nbsp;alert_parser.c</a>
<a id="Item5_c1" onkeydown="return searchResults.NavChild(event,5,1)" onkeypress="return searchResults.NavChild(event,5,1)" onkeyup="return searchResults.NavChild(event,5,1)" class="SRScope" href="../group__alert__parser.html#ga270e86669a0aa64a8da37bc16cda645b" target="_parent">AI_free_alerts(AI_snort_alert *node):&nbsp;alert_parser.c</a> <a id="Item6_c1" onkeydown="return searchResults.NavChild(event,6,1)" onkeypress="return searchResults.NavChild(event,6,1)" onkeyup="return searchResults.NavChild(event,6,1)" class="SRScope" href="../group__alert__parser.html#ga270e86669a0aa64a8da37bc16cda645b" target="_parent">AI_free_alerts(AI_snort_alert *node):&nbsp;alert_parser.c</a>
</div> </div>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_ai_5fget_5falerts"> <div class="SRResult" id="SR_ai_5fget_5falerts">
<div class="SREntry"> <div class="SREntry">
<a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fget_5falerts')">AI_get_alerts</a> <a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fget_5falerts')">AI_get_alerts</a>
<div class="SRChildren"> <div class="SRChildren">
<a id="Item6_c0" onkeydown="return searchResults.NavChild(event,6,0)" onkeypress="return searchResults.NavChild(event,6,0)" onkeyup="return searchResults.NavChild(event,6,0)" class="SRScope" href="../group__alert__parser.html#ga99474495643197b3075ac22ec6f6c70f" target="_parent">AI_get_alerts():&nbsp;alert_parser.c</a> <a id="Item7_c0" onkeydown="return searchResults.NavChild(event,7,0)" onkeypress="return searchResults.NavChild(event,7,0)" onkeyup="return searchResults.NavChild(event,7,0)" class="SRScope" href="../group__alert__parser.html#ga99474495643197b3075ac22ec6f6c70f" target="_parent">AI_get_alerts():&nbsp;alert_parser.c</a>
<a id="Item6_c1" onkeydown="return searchResults.NavChild(event,6,1)" onkeypress="return searchResults.NavChild(event,6,1)" onkeyup="return searchResults.NavChild(event,6,1)" class="SRScope" href="../group__alert__parser.html#ga99474495643197b3075ac22ec6f6c70f" target="_parent">AI_get_alerts(void):&nbsp;alert_parser.c</a> <a id="Item7_c1" onkeydown="return searchResults.NavChild(event,7,1)" onkeypress="return searchResults.NavChild(event,7,1)" onkeyup="return searchResults.NavChild(event,7,1)" class="SRScope" href="../group__alert__parser.html#ga99474495643197b3075ac22ec6f6c70f" target="_parent">AI_get_alerts(void):&nbsp;alert_parser.c</a>
</div> </div>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_ai_5fget_5fclustered_5falerts"> <div class="SRResult" id="SR_ai_5fget_5fclustered_5falerts">
<div class="SREntry"> <div class="SREntry">
<a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fget_5fclustered_5falerts')">AI_get_clustered_alerts</a> <a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fget_5fclustered_5falerts')">AI_get_clustered_alerts</a>
<div class="SRChildren"> <div class="SRChildren">
<a id="Item7_c0" onkeydown="return searchResults.NavChild(event,7,0)" onkeypress="return searchResults.NavChild(event,7,0)" onkeyup="return searchResults.NavChild(event,7,0)" class="SRScope" href="../group__cluster.html#ga2553c678eeb83282c230d649a0e8fcd4" target="_parent">AI_get_clustered_alerts():&nbsp;cluster.c</a> <a id="Item8_c0" onkeydown="return searchResults.NavChild(event,8,0)" onkeypress="return searchResults.NavChild(event,8,0)" onkeyup="return searchResults.NavChild(event,8,0)" class="SRScope" href="../group__cluster.html#ga2553c678eeb83282c230d649a0e8fcd4" target="_parent">AI_get_clustered_alerts():&nbsp;cluster.c</a>
<a id="Item7_c1" onkeydown="return searchResults.NavChild(event,7,1)" onkeypress="return searchResults.NavChild(event,7,1)" onkeyup="return searchResults.NavChild(event,7,1)" class="SRScope" href="../group__cluster.html#ga2553c678eeb83282c230d649a0e8fcd4" target="_parent">AI_get_clustered_alerts(void):&nbsp;cluster.c</a> <a id="Item8_c1" onkeydown="return searchResults.NavChild(event,8,1)" onkeypress="return searchResults.NavChild(event,8,1)" onkeyup="return searchResults.NavChild(event,8,1)" class="SRScope" href="../group__cluster.html#ga2553c678eeb83282c230d649a0e8fcd4" target="_parent">AI_get_clustered_alerts(void):&nbsp;cluster.c</a>
</div> </div>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_ai_5fget_5fstream_5fby_5fkey"> <div class="SRResult" id="SR_ai_5fget_5fstream_5fby_5fkey">
<div class="SREntry"> <div class="SREntry">
<a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fget_5fstream_5fby_5fkey')">AI_get_stream_by_key</a> <a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fget_5fstream_5fby_5fkey')">AI_get_stream_by_key</a>
<div class="SRChildren"> <div class="SRChildren">
<a id="Item8_c0" onkeydown="return searchResults.NavChild(event,8,0)" onkeypress="return searchResults.NavChild(event,8,0)" onkeyup="return searchResults.NavChild(event,8,0)" class="SRScope" href="../group__stream.html#ga2efedcabbfd12c5345f0c93a3dd4735c" target="_parent">AI_get_stream_by_key(struct pkt_key):&nbsp;stream.c</a> <a id="Item9_c0" onkeydown="return searchResults.NavChild(event,9,0)" onkeypress="return searchResults.NavChild(event,9,0)" onkeyup="return searchResults.NavChild(event,9,0)" class="SRScope" href="../group__stream.html#ga2efedcabbfd12c5345f0c93a3dd4735c" target="_parent">AI_get_stream_by_key(struct pkt_key):&nbsp;stream.c</a>
<a id="Item8_c1" onkeydown="return searchResults.NavChild(event,8,1)" onkeypress="return searchResults.NavChild(event,8,1)" onkeyup="return searchResults.NavChild(event,8,1)" class="SRScope" href="../group__stream.html#ga2efedcabbfd12c5345f0c93a3dd4735c" target="_parent">AI_get_stream_by_key(struct pkt_key key):&nbsp;stream.c</a> <a id="Item9_c1" onkeydown="return searchResults.NavChild(event,9,1)" onkeypress="return searchResults.NavChild(event,9,1)" onkeyup="return searchResults.NavChild(event,9,1)" class="SRScope" href="../group__stream.html#ga2efedcabbfd12c5345f0c93a3dd4735c" target="_parent">AI_get_stream_by_key(struct pkt_key key):&nbsp;stream.c</a>
</div> </div>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_ai_5fhashcleanup_5fthread"> <div class="SRResult" id="SR_ai_5fhashcleanup_5fthread">
<div class="SREntry"> <div class="SREntry">
<a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fhashcleanup_5fthread')">AI_hashcleanup_thread</a> <a id="Item10" onkeydown="return searchResults.Nav(event,10)" onkeypress="return searchResults.Nav(event,10)" onkeyup="return searchResults.Nav(event,10)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fhashcleanup_5fthread')">AI_hashcleanup_thread</a>
<div class="SRChildren"> <div class="SRChildren">
<a id="Item9_c0" onkeydown="return searchResults.NavChild(event,9,0)" onkeypress="return searchResults.NavChild(event,9,0)" onkeyup="return searchResults.NavChild(event,9,0)" class="SRScope" href="../group__stream.html#ga24b1131374e5059564b8a12380c4eb75" target="_parent">AI_hashcleanup_thread(void *):&nbsp;stream.c</a> <a id="Item10_c0" onkeydown="return searchResults.NavChild(event,10,0)" onkeypress="return searchResults.NavChild(event,10,0)" onkeyup="return searchResults.NavChild(event,10,0)" class="SRScope" href="../group__stream.html#ga24b1131374e5059564b8a12380c4eb75" target="_parent">AI_hashcleanup_thread(void *):&nbsp;stream.c</a>
<a id="Item9_c1" onkeydown="return searchResults.NavChild(event,9,1)" onkeypress="return searchResults.NavChild(event,9,1)" onkeyup="return searchResults.NavChild(event,9,1)" class="SRScope" href="../group__stream.html#ga24b1131374e5059564b8a12380c4eb75" target="_parent">AI_hashcleanup_thread(void *arg):&nbsp;stream.c</a> <a id="Item10_c1" onkeydown="return searchResults.NavChild(event,10,1)" onkeypress="return searchResults.NavChild(event,10,1)" onkeyup="return searchResults.NavChild(event,10,1)" class="SRScope" href="../group__stream.html#ga24b1131374e5059564b8a12380c4eb75" target="_parent">AI_hashcleanup_thread(void *arg):&nbsp;stream.c</a>
</div> </div>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_ai_5fhierarchies_5fbuild"> <div class="SRResult" id="SR_ai_5fhierarchies_5fbuild">
<div class="SREntry"> <div class="SREntry">
<a id="Item10" onkeydown="return searchResults.Nav(event,10)" onkeypress="return searchResults.Nav(event,10)" onkeyup="return searchResults.Nav(event,10)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fhierarchies_5fbuild')">AI_hierarchies_build</a> <a id="Item11" onkeydown="return searchResults.Nav(event,11)" onkeypress="return searchResults.Nav(event,11)" onkeyup="return searchResults.Nav(event,11)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fhierarchies_5fbuild')">AI_hierarchies_build</a>
<div class="SRChildren"> <div class="SRChildren">
<a id="Item10_c0" onkeydown="return searchResults.NavChild(event,10,0)" onkeypress="return searchResults.NavChild(event,10,0)" onkeyup="return searchResults.NavChild(event,10,0)" class="SRScope" href="../group__cluster.html#ga1445818b37483f78cc3fb2890155842c" target="_parent">AI_hierarchies_build(AI_config *conf, hierarchy_node **nodes, int n_nodes):&nbsp;cluster.c</a> <a id="Item11_c0" onkeydown="return searchResults.NavChild(event,11,0)" onkeypress="return searchResults.NavChild(event,11,0)" onkeyup="return searchResults.NavChild(event,11,0)" class="SRScope" href="../group__cluster.html#ga1445818b37483f78cc3fb2890155842c" target="_parent">AI_hierarchies_build(AI_config *conf, hierarchy_node **nodes, int n_nodes):&nbsp;cluster.c</a>
<a id="Item10_c1" onkeydown="return searchResults.NavChild(event,10,1)" onkeypress="return searchResults.NavChild(event,10,1)" onkeyup="return searchResults.NavChild(event,10,1)" class="SRScope" href="../group__cluster.html#ga1445818b37483f78cc3fb2890155842c" target="_parent">AI_hierarchies_build(AI_config *, hierarchy_node **, int):&nbsp;cluster.c</a> <a id="Item11_c1" onkeydown="return searchResults.NavChild(event,11,1)" onkeypress="return searchResults.NavChild(event,11,1)" onkeyup="return searchResults.NavChild(event,11,1)" class="SRScope" href="../group__cluster.html#ga1445818b37483f78cc3fb2890155842c" target="_parent">AI_hierarchies_build(AI_config *, hierarchy_node **, int):&nbsp;cluster.c</a>
</div> </div>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_ai_5fhyperalert_5finfo"> <div class="SRResult" id="SR_ai_5fhyperalert_5finfo">
<div class="SREntry"> <div class="SREntry">
<a id="Item11" onkeydown="return searchResults.Nav(event,11)" onkeypress="return searchResults.Nav(event,11)" onkeyup="return searchResults.Nav(event,11)" class="SRSymbol" href="../structAI__hyperalert__info.html" target="_parent">AI_hyperalert_info</a> <a id="Item12" onkeydown="return searchResults.Nav(event,12)" onkeypress="return searchResults.Nav(event,12)" onkeyup="return searchResults.Nav(event,12)" class="SRSymbol" href="../structAI__hyperalert__info.html" target="_parent">AI_hyperalert_info</a>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_ai_5fhyperalert_5fkey"> <div class="SRResult" id="SR_ai_5fhyperalert_5fkey">
<div class="SREntry"> <div class="SREntry">
<a id="Item12" onkeydown="return searchResults.Nav(event,12)" onkeypress="return searchResults.Nav(event,12)" onkeyup="return searchResults.Nav(event,12)" class="SRSymbol" href="../structAI__hyperalert__key.html" target="_parent">AI_hyperalert_key</a> <a id="Item13" onkeydown="return searchResults.Nav(event,13)" onkeypress="return searchResults.Nav(event,13)" onkeyup="return searchResults.Nav(event,13)" class="SRSymbol" href="../structAI__hyperalert__key.html" target="_parent">AI_hyperalert_key</a>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_ai_5finit"> <div class="SRResult" id="SR_ai_5finit">
<div class="SREntry"> <div class="SREntry">
<a id="Item13" onkeydown="return searchResults.Nav(event,13)" onkeypress="return searchResults.Nav(event,13)" onkeyup="return searchResults.Nav(event,13)" class="SRSymbol" href="../group__spp__ai.html#ga3524cbdf8fddbcf38c4ed55241002242" target="_parent">AI_init</a> <a id="Item14" onkeydown="return searchResults.Nav(event,14)" onkeypress="return searchResults.Nav(event,14)" onkeyup="return searchResults.Nav(event,14)" class="SRSymbol" href="../group__spp__ai.html#ga3524cbdf8fddbcf38c4ed55241002242" target="_parent">AI_init</a>
<span class="SRScope">spp_ai.c</span> <span class="SRScope">spp_ai.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_ai_5fparse"> <div class="SRResult" id="SR_ai_5fparse">
<div class="SREntry"> <div class="SREntry">
<a id="Item14" onkeydown="return searchResults.Nav(event,14)" onkeypress="return searchResults.Nav(event,14)" onkeyup="return searchResults.Nav(event,14)" class="SRSymbol" href="../group__spp__ai.html#gae1c5c4b38ee2819d427848eb3046373e" target="_parent">AI_parse</a> <a id="Item15" onkeydown="return searchResults.Nav(event,15)" onkeypress="return searchResults.Nav(event,15)" onkeyup="return searchResults.Nav(event,15)" class="SRSymbol" href="../group__spp__ai.html#gae1c5c4b38ee2819d427848eb3046373e" target="_parent">AI_parse</a>
<span class="SRScope">spp_ai.c</span> <span class="SRScope">spp_ai.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_ai_5fpkt_5fenqueue"> <div class="SRResult" id="SR_ai_5fpkt_5fenqueue">
<div class="SREntry"> <div class="SREntry">
<a id="Item15" onkeydown="return searchResults.Nav(event,15)" onkeypress="return searchResults.Nav(event,15)" onkeyup="return searchResults.Nav(event,15)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fpkt_5fenqueue')">AI_pkt_enqueue</a> <a id="Item16" onkeydown="return searchResults.Nav(event,16)" onkeypress="return searchResults.Nav(event,16)" onkeyup="return searchResults.Nav(event,16)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fpkt_5fenqueue')">AI_pkt_enqueue</a>
<div class="SRChildren"> <div class="SRChildren">
<a id="Item15_c0" onkeydown="return searchResults.NavChild(event,15,0)" onkeypress="return searchResults.NavChild(event,15,0)" onkeyup="return searchResults.NavChild(event,15,0)" class="SRScope" href="../group__stream.html#ga7d71c5645b9baff7b6c4b9a181bf80c5" target="_parent">AI_pkt_enqueue(SFSnortPacket *):&nbsp;stream.c</a> <a id="Item16_c0" onkeydown="return searchResults.NavChild(event,16,0)" onkeypress="return searchResults.NavChild(event,16,0)" onkeyup="return searchResults.NavChild(event,16,0)" class="SRScope" href="../group__stream.html#ga7d71c5645b9baff7b6c4b9a181bf80c5" target="_parent">AI_pkt_enqueue(SFSnortPacket *):&nbsp;stream.c</a>
<a id="Item15_c1" onkeydown="return searchResults.NavChild(event,15,1)" onkeypress="return searchResults.NavChild(event,15,1)" onkeyup="return searchResults.NavChild(event,15,1)" class="SRScope" href="../group__stream.html#ga7d71c5645b9baff7b6c4b9a181bf80c5" target="_parent">AI_pkt_enqueue(SFSnortPacket *pkt):&nbsp;stream.c</a> <a id="Item16_c1" onkeydown="return searchResults.NavChild(event,16,1)" onkeypress="return searchResults.NavChild(event,16,1)" onkeyup="return searchResults.NavChild(event,16,1)" class="SRScope" href="../group__stream.html#ga7d71c5645b9baff7b6c4b9a181bf80c5" target="_parent">AI_pkt_enqueue(SFSnortPacket *pkt):&nbsp;stream.c</a>
</div> </div>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_ai_5fprocess"> <div class="SRResult" id="SR_ai_5fprocess">
<div class="SREntry"> <div class="SREntry">
<a id="Item16" onkeydown="return searchResults.Nav(event,16)" onkeypress="return searchResults.Nav(event,16)" onkeyup="return searchResults.Nav(event,16)" class="SRSymbol" href="../group__spp__ai.html#ga57c05cda012c443cb4c358dc327cd3d1" target="_parent">AI_process</a> <a id="Item17" onkeydown="return searchResults.Nav(event,17)" onkeypress="return searchResults.Nav(event,17)" onkeyup="return searchResults.Nav(event,17)" class="SRSymbol" href="../group__spp__ai.html#ga57c05cda012c443cb4c358dc327cd3d1" target="_parent">AI_process</a>
<span class="SRScope">spp_ai.c</span> <span class="SRScope">spp_ai.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_ai_5fset_5fstream_5fobserved"> <div class="SRResult" id="SR_ai_5fset_5fstream_5fobserved">
<div class="SREntry"> <div class="SREntry">
<a id="Item17" onkeydown="return searchResults.Nav(event,17)" onkeypress="return searchResults.Nav(event,17)" onkeyup="return searchResults.Nav(event,17)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fset_5fstream_5fobserved')">AI_set_stream_observed</a> <a id="Item18" onkeydown="return searchResults.Nav(event,18)" onkeypress="return searchResults.Nav(event,18)" onkeyup="return searchResults.Nav(event,18)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fset_5fstream_5fobserved')">AI_set_stream_observed</a>
<div class="SRChildren"> <div class="SRChildren">
<a id="Item17_c0" onkeydown="return searchResults.NavChild(event,17,0)" onkeypress="return searchResults.NavChild(event,17,0)" onkeyup="return searchResults.NavChild(event,17,0)" class="SRScope" href="../group__stream.html#ga8749989cee2ac05a7de058faac280c02" target="_parent">AI_set_stream_observed(struct pkt_key key):&nbsp;stream.c</a> <a id="Item18_c0" onkeydown="return searchResults.NavChild(event,18,0)" onkeypress="return searchResults.NavChild(event,18,0)" onkeyup="return searchResults.NavChild(event,18,0)" class="SRScope" href="../group__stream.html#ga8749989cee2ac05a7de058faac280c02" target="_parent">AI_set_stream_observed(struct pkt_key key):&nbsp;stream.c</a>
<a id="Item17_c1" onkeydown="return searchResults.NavChild(event,17,1)" onkeypress="return searchResults.NavChild(event,17,1)" onkeyup="return searchResults.NavChild(event,17,1)" class="SRScope" href="../group__stream.html#ga8749989cee2ac05a7de058faac280c02" target="_parent">AI_set_stream_observed(struct pkt_key key):&nbsp;stream.c</a> <a id="Item18_c1" onkeydown="return searchResults.NavChild(event,18,1)" onkeypress="return searchResults.NavChild(event,18,1)" onkeyup="return searchResults.NavChild(event,18,1)" class="SRScope" href="../group__stream.html#ga8749989cee2ac05a7de058faac280c02" target="_parent">AI_set_stream_observed(struct pkt_key key):&nbsp;stream.c</a>
</div> </div>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_ai_5fsetup"> <div class="SRResult" id="SR_ai_5fsetup">
<div class="SREntry"> <div class="SREntry">
<a id="Item18" onkeydown="return searchResults.Nav(event,18)" onkeypress="return searchResults.Nav(event,18)" onkeyup="return searchResults.Nav(event,18)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fsetup')">AI_setup</a> <a id="Item19" onkeydown="return searchResults.Nav(event,19)" onkeypress="return searchResults.Nav(event,19)" onkeyup="return searchResults.Nav(event,19)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_ai_5fsetup')">AI_setup</a>
<div class="SRChildren"> <div class="SRChildren">
<a id="Item18_c0" onkeydown="return searchResults.NavChild(event,18,0)" onkeypress="return searchResults.NavChild(event,18,0)" onkeyup="return searchResults.NavChild(event,18,0)" class="SRScope" href="../group__spp__ai.html#ga1b9ebb5c719c7d9426ddfc1f3da36570" target="_parent">AI_setup():&nbsp;spp_ai.c</a> <a id="Item19_c0" onkeydown="return searchResults.NavChild(event,19,0)" onkeypress="return searchResults.NavChild(event,19,0)" onkeyup="return searchResults.NavChild(event,19,0)" class="SRScope" href="../group__spp__ai.html#ga1b9ebb5c719c7d9426ddfc1f3da36570" target="_parent">AI_setup():&nbsp;spp_ai.c</a>
<a id="Item18_c1" onkeydown="return searchResults.NavChild(event,18,1)" onkeypress="return searchResults.NavChild(event,18,1)" onkeyup="return searchResults.NavChild(event,18,1)" class="SRScope" href="../group__spp__ai.html#ga1b9ebb5c719c7d9426ddfc1f3da36570" target="_parent">AI_setup(void):&nbsp;spp_ai.c</a> <a id="Item19_c1" onkeydown="return searchResults.NavChild(event,19,1)" onkeypress="return searchResults.NavChild(event,19,1)" onkeyup="return searchResults.NavChild(event,19,1)" class="SRScope" href="../group__spp__ai.html#ga1b9ebb5c719c7d9426ddfc1f3da36570" target="_parent">AI_setup(void):&nbsp;spp_ai.c</a>
</div> </div>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_ai_5fsnort_5falert"> <div class="SRResult" id="SR_ai_5fsnort_5falert">
<div class="SREntry"> <div class="SREntry">
<a id="Item19" onkeydown="return searchResults.Nav(event,19)" onkeypress="return searchResults.Nav(event,19)" onkeyup="return searchResults.Nav(event,19)" class="SRSymbol" href="../spp__ai_8h.html#a982be90e72362e88d09f28336c9a1897" target="_parent">AI_snort_alert</a> <a id="Item20" onkeydown="return searchResults.Nav(event,20)" onkeypress="return searchResults.Nav(event,20)" onkeyup="return searchResults.Nav(event,20)" class="SRSymbol" href="../spp__ai_8h.html#a982be90e72362e88d09f28336c9a1897" target="_parent">AI_snort_alert</a>
<span class="SRScope">spp_ai.h</span> <span class="SRScope">spp_ai.h</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_alert_5ffp"> <div class="SRResult" id="SR_alert_5ffp">
<div class="SREntry"> <div class="SREntry">
<a id="Item20" onkeydown="return searchResults.Nav(event,20)" onkeypress="return searchResults.Nav(event,20)" onkeyup="return searchResults.Nav(event,20)" class="SRSymbol" href="../alert__parser_8c.html#abee2a33368912d9288c76b51160a9ed6" target="_parent">alert_fp</a> <a id="Item21" onkeydown="return searchResults.Nav(event,21)" onkeypress="return searchResults.Nav(event,21)" onkeyup="return searchResults.Nav(event,21)" class="SRSymbol" href="../alert__parser_8c.html#abee2a33368912d9288c76b51160a9ed6" target="_parent">alert_fp</a>
<span class="SRScope">alert_parser.c</span> <span class="SRScope">alert_parser.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_alert_5flog"> <div class="SRResult" id="SR_alert_5flog">
<div class="SREntry"> <div class="SREntry">
<a id="Item21" onkeydown="return searchResults.Nav(event,21)" onkeypress="return searchResults.Nav(event,21)" onkeyup="return searchResults.Nav(event,21)" class="SRSymbol" href="../group__cluster.html#gaaf4c19f60f48741b0890c6114dcff7d9" target="_parent">alert_log</a> <a id="Item22" onkeydown="return searchResults.Nav(event,22)" onkeypress="return searchResults.Nav(event,22)" onkeyup="return searchResults.Nav(event,22)" class="SRSymbol" href="../group__cluster.html#gaaf4c19f60f48741b0890c6114dcff7d9" target="_parent">alert_log</a>
<span class="SRScope">cluster.c</span> <span class="SRScope">cluster.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_alert_5fparser_2ec"> <div class="SRResult" id="SR_alert_5fparser_2ec">
<div class="SREntry"> <div class="SREntry">
<a id="Item22" onkeydown="return searchResults.Nav(event,22)" onkeypress="return searchResults.Nav(event,22)" onkeyup="return searchResults.Nav(event,22)" class="SRSymbol" href="../alert__parser_8c.html" target="_parent">alert_parser.c</a> <a id="Item23" onkeydown="return searchResults.Nav(event,23)" onkeypress="return searchResults.Nav(event,23)" onkeyup="return searchResults.Nav(event,23)" class="SRSymbol" href="../alert__parser_8c.html" target="_parent">alert_parser.c</a>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_alertclusteringinterval"> <div class="SRResult" id="SR_alertclusteringinterval">
<div class="SREntry"> <div class="SREntry">
<a id="Item23" onkeydown="return searchResults.Nav(event,23)" onkeypress="return searchResults.Nav(event,23)" onkeyup="return searchResults.Nav(event,23)" class="SRSymbol" href="../structAI__config.html#a7d0d098b8263aa3d8415b11d1ec7f93d" target="_parent">alertClusteringInterval</a> <a id="Item24" onkeydown="return searchResults.Nav(event,24)" onkeypress="return searchResults.Nav(event,24)" onkeyup="return searchResults.Nav(event,24)" class="SRSymbol" href="../structAI__config.html#a7d0d098b8263aa3d8415b11d1ec7f93d" target="_parent">alertClusteringInterval</a>
<span class="SRScope">AI_config</span> <span class="SRScope">AI_config</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_alertfile"> <div class="SRResult" id="SR_alertfile">
<div class="SREntry"> <div class="SREntry">
<a id="Item24" onkeydown="return searchResults.Nav(event,24)" onkeypress="return searchResults.Nav(event,24)" onkeyup="return searchResults.Nav(event,24)" class="SRSymbol" href="../structAI__config.html#a2efa9590d7eea6dce8b5dd9aa76ed8ca" target="_parent">alertfile</a> <a id="Item25" onkeydown="return searchResults.Nav(event,25)" onkeypress="return searchResults.Nav(event,25)" onkeyup="return searchResults.Nav(event,25)" class="SRSymbol" href="../structAI__config.html#a2efa9590d7eea6dce8b5dd9aa76ed8ca" target="_parent">alertfile</a>
<span class="SRScope">AI_config</span> <span class="SRScope">AI_config</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_alertparser_5fthread"> <div class="SRResult" id="SR_alertparser_5fthread">
<div class="SREntry"> <div class="SREntry">
<a id="Item25" onkeydown="return searchResults.Nav(event,25)" onkeypress="return searchResults.Nav(event,25)" onkeyup="return searchResults.Nav(event,25)" class="SRSymbol" href="../group__spp__ai.html#gaa3100e48acef5cf4370c3042ff548ed0" target="_parent">alertparser_thread</a> <a id="Item26" onkeydown="return searchResults.Nav(event,26)" onkeypress="return searchResults.Nav(event,26)" onkeyup="return searchResults.Nav(event,26)" class="SRSymbol" href="../group__spp__ai.html#gaa3100e48acef5cf4370c3042ff548ed0" target="_parent">alertparser_thread</a>
<span class="SRScope">spp_ai.c</span> <span class="SRScope">spp_ai.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_alerts"> <div class="SRResult" id="SR_alerts">
<div class="SREntry"> <div class="SREntry">
<a id="Item26" onkeydown="return searchResults.Nav(event,26)" onkeypress="return searchResults.Nav(event,26)" onkeyup="return searchResults.Nav(event,26)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_alerts')">alerts</a> <a id="Item27" onkeydown="return searchResults.Nav(event,27)" onkeypress="return searchResults.Nav(event,27)" onkeyup="return searchResults.Nav(event,27)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_alerts')">alerts</a>
<div class="SRChildren"> <div class="SRChildren">
<a id="Item26_c0" onkeydown="return searchResults.NavChild(event,26,0)" onkeypress="return searchResults.NavChild(event,26,0)" onkeyup="return searchResults.NavChild(event,26,0)" class="SRScope" href="../alert__parser_8c.html#ae837fc04e61c0eb052f997c54b4fd9fe" target="_parent">alerts():&nbsp;alert_parser.c</a> <a id="Item27_c0" onkeydown="return searchResults.NavChild(event,27,0)" onkeypress="return searchResults.NavChild(event,27,0)" onkeyup="return searchResults.NavChild(event,27,0)" class="SRScope" href="../alert__parser_8c.html#ae837fc04e61c0eb052f997c54b4fd9fe" target="_parent">alerts():&nbsp;alert_parser.c</a>
<a id="Item26_c1" onkeydown="return searchResults.NavChild(event,26,1)" onkeypress="return searchResults.NavChild(event,26,1)" onkeyup="return searchResults.NavChild(event,26,1)" class="SRScope" href="../group__correlation.html#gae837fc04e61c0eb052f997c54b4fd9fe" target="_parent">alerts():&nbsp;correlation.c</a> <a id="Item27_c1" onkeydown="return searchResults.NavChild(event,27,1)" onkeypress="return searchResults.NavChild(event,27,1)" onkeyup="return searchResults.NavChild(event,27,1)" class="SRScope" href="../group__correlation.html#gae837fc04e61c0eb052f997c54b4fd9fe" target="_parent">alerts():&nbsp;correlation.c</a>
</div> </div>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_attribute_5fkey"> <div class="SRResult" id="SR_attribute_5fkey">
<div class="SREntry"> <div class="SREntry">
<a id="Item27" onkeydown="return searchResults.Nav(event,27)" onkeypress="return searchResults.Nav(event,27)" onkeyup="return searchResults.Nav(event,27)" class="SRSymbol" href="../structattribute__key.html" target="_parent">attribute_key</a> <a id="Item28" onkeydown="return searchResults.Nav(event,28)" onkeypress="return searchResults.Nav(event,28)" onkeyup="return searchResults.Nav(event,28)" class="SRSymbol" href="../structattribute__key.html" target="_parent">attribute_key</a>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_attribute_5fvalue"> <div class="SRResult" id="SR_attribute_5fvalue">
<div class="SREntry"> <div class="SREntry">
<a id="Item28" onkeydown="return searchResults.Nav(event,28)" onkeypress="return searchResults.Nav(event,28)" onkeyup="return searchResults.Nav(event,28)" class="SRSymbol" href="../structattribute__value.html" target="_parent">attribute_value</a> <a id="Item29" onkeydown="return searchResults.Nav(event,29)" onkeypress="return searchResults.Nav(event,29)" onkeyup="return searchResults.Nav(event,29)" class="SRSymbol" href="../structattribute__value.html" target="_parent">attribute_value</a>
</div> </div>
</div> </div>
<div class="SRStatus" id="Searching">Searching...</div> <div class="SRStatus" id="Searching">Searching...</div>


@ -9,8 +9,8 @@
<div class="SRStatus" id="Loading">Loading...</div> <div class="SRStatus" id="Loading">Loading...</div>
<div class="SRResult" id="SR_b"> <div class="SRResult" id="SR_b">
<div class="SREntry"> <div class="SREntry">
<a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structAI__alert__correlation.html#a478f1a6f18f9c083b203efdf776379cd" target="_parent">b</a> <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structAI__alert__correlation__key.html#a5805dec6499a83b818091b4f21c715dc" target="_parent">b</a>
<span class="SRScope">AI_alert_correlation</span> <span class="SRScope">AI_alert_correlation_key</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_bool"> <div class="SRResult" id="SR_bool">


@ -48,38 +48,50 @@
<span class="SRScope">correlation.c</span> <span class="SRScope">correlation.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_corr_5falerts_5fdir">
<div class="SREntry">
<a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../structAI__config.html#ae68f5489e2ec9ea1408f98fe36d050c9" target="_parent">corr_alerts_dir</a>
<span class="SRScope">AI_config</span>
</div>
</div>
<div class="SRResult" id="SR_corr_5frules_5fdir"> <div class="SRResult" id="SR_corr_5frules_5fdir">
<div class="SREntry"> <div class="SREntry">
<a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../structAI__config.html#ab7ea93bbe72b85c4019b4f5656ad62fc" target="_parent">corr_rules_dir</a> <a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../structAI__config.html#ab7ea93bbe72b85c4019b4f5656ad62fc" target="_parent">corr_rules_dir</a>
<span class="SRScope">AI_config</span> <span class="SRScope">AI_config</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_correlation"> <div class="SRResult" id="SR_correlation">
<div class="SREntry"> <div class="SREntry">
<a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../structAI__alert__correlation.html#aad417b2126ae26d7576f006a3dbcdc81" target="_parent">correlation</a> <a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="../structAI__alert__correlation.html#aad417b2126ae26d7576f006a3dbcdc81" target="_parent">correlation</a>
<span class="SRScope">AI_alert_correlation</span> <span class="SRScope">AI_alert_correlation</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_correlation_2ec"> <div class="SRResult" id="SR_correlation_2ec">
<div class="SREntry"> <div class="SREntry">
<a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="../correlation_8c.html" target="_parent">correlation.c</a> <a id="Item10" onkeydown="return searchResults.Nav(event,10)" onkeypress="return searchResults.Nav(event,10)" onkeyup="return searchResults.Nav(event,10)" class="SRSymbol" href="../correlation_8c.html" target="_parent">correlation.c</a>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_correlation_5ftable"> <div class="SRResult" id="SR_correlation_5ftable">
<div class="SREntry"> <div class="SREntry">
<a id="Item10" onkeydown="return searchResults.Nav(event,10)" onkeypress="return searchResults.Nav(event,10)" onkeyup="return searchResults.Nav(event,10)" class="SRSymbol" href="../group__correlation.html#ga701934a296c51f2397d24e8bf4a9f021" target="_parent">correlation_table</a> <a id="Item11" onkeydown="return searchResults.Nav(event,11)" onkeypress="return searchResults.Nav(event,11)" onkeyup="return searchResults.Nav(event,11)" class="SRSymbol" href="../group__correlation.html#ga701934a296c51f2397d24e8bf4a9f021" target="_parent">correlation_table</a>
<span class="SRScope">correlation.c</span> <span class="SRScope">correlation.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_correlationgraphinterval"> <div class="SRResult" id="SR_correlationgraphinterval">
<div class="SREntry"> <div class="SREntry">
<a id="Item11" onkeydown="return searchResults.Nav(event,11)" onkeypress="return searchResults.Nav(event,11)" onkeyup="return searchResults.Nav(event,11)" class="SRSymbol" href="../structAI__config.html#aa736375e57a59936e2e782b7cd200e41" target="_parent">correlationGraphInterval</a> <a id="Item12" onkeydown="return searchResults.Nav(event,12)" onkeypress="return searchResults.Nav(event,12)" onkeyup="return searchResults.Nav(event,12)" class="SRSymbol" href="../structAI__config.html#aa736375e57a59936e2e782b7cd200e41" target="_parent">correlationGraphInterval</a>
<span class="SRScope">AI_config</span>
</div>
</div>
<div class="SRResult" id="SR_correlationthresholdcoefficient">
<div class="SREntry">
<a id="Item13" onkeydown="return searchResults.Nav(event,13)" onkeypress="return searchResults.Nav(event,13)" onkeyup="return searchResults.Nav(event,13)" class="SRSymbol" href="../structAI__config.html#adf6ef0faedfb4dea0a1353e781b14883" target="_parent">correlationThresholdCoefficient</a>
<span class="SRScope">AI_config</span> <span class="SRScope">AI_config</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_count"> <div class="SRResult" id="SR_count">
<div class="SREntry"> <div class="SREntry">
<a id="Item12" onkeydown="return searchResults.Nav(event,12)" onkeypress="return searchResults.Nav(event,12)" onkeyup="return searchResults.Nav(event,12)" class="SRSymbol" href="../structattribute__value.html#a5579c0304c2e9ab488ac94905b385045" target="_parent">count</a> <a id="Item14" onkeydown="return searchResults.Nav(event,14)" onkeypress="return searchResults.Nav(event,14)" onkeyup="return searchResults.Nav(event,14)" class="SRSymbol" href="../structattribute__value.html#a5579c0304c2e9ab488ac94905b385045" target="_parent">count</a>
<span class="SRScope">attribute_value</span> <span class="SRScope">attribute_value</span>
</div> </div>
</div> </div>


@ -71,54 +71,72 @@
<span class="SRScope">spp_ai.h</span> <span class="SRScope">spp_ai.h</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_default_5fcorr_5falerts_5fdir">
<div class="SREntry">
<a id="Item11" onkeydown="return searchResults.Nav(event,11)" onkeypress="return searchResults.Nav(event,11)" onkeyup="return searchResults.Nav(event,11)" class="SRSymbol" href="../spp__ai_8h.html#a7bbeccba60012abcc98db33d39294829" target="_parent">DEFAULT_CORR_ALERTS_DIR</a>
<span class="SRScope">spp_ai.h</span>
</div>
</div>
<div class="SRResult" id="SR_default_5fcorr_5frules_5fdir"> <div class="SRResult" id="SR_default_5fcorr_5frules_5fdir">
<div class="SREntry"> <div class="SREntry">
<a id="Item11" onkeydown="return searchResults.Nav(event,11)" onkeypress="return searchResults.Nav(event,11)" onkeyup="return searchResults.Nav(event,11)" class="SRSymbol" href="../spp__ai_8h.html#a89448386cad5d5533992ae7ee84f4f1d" target="_parent">DEFAULT_CORR_RULES_DIR</a> <a id="Item12" onkeydown="return searchResults.Nav(event,12)" onkeypress="return searchResults.Nav(event,12)" onkeyup="return searchResults.Nav(event,12)" class="SRSymbol" href="../spp__ai_8h.html#a89448386cad5d5533992ae7ee84f4f1d" target="_parent">DEFAULT_CORR_RULES_DIR</a>
<span class="SRScope">spp_ai.h</span>
</div>
</div>
<div class="SRResult" id="SR_default_5fcorr_5fthreshold">
<div class="SREntry">
<a id="Item13" onkeydown="return searchResults.Nav(event,13)" onkeypress="return searchResults.Nav(event,13)" onkeyup="return searchResults.Nav(event,13)" class="SRSymbol" href="../spp__ai_8h.html#aaedb0b7dc2bdf8d44d3fee2189a55a19" target="_parent">DEFAULT_CORR_THRESHOLD</a>
<span class="SRScope">spp_ai.h</span> <span class="SRScope">spp_ai.h</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_default_5fdatabase_5finterval"> <div class="SRResult" id="SR_default_5fdatabase_5finterval">
<div class="SREntry"> <div class="SREntry">
<a id="Item12" onkeydown="return searchResults.Nav(event,12)" onkeypress="return searchResults.Nav(event,12)" onkeyup="return searchResults.Nav(event,12)" class="SRSymbol" href="../spp__ai_8h.html#a3c4984a0ee515fbc091ac6e33b05e310" target="_parent">DEFAULT_DATABASE_INTERVAL</a> <a id="Item14" onkeydown="return searchResults.Nav(event,14)" onkeypress="return searchResults.Nav(event,14)" onkeyup="return searchResults.Nav(event,14)" class="SRSymbol" href="../spp__ai_8h.html#a3c4984a0ee515fbc091ac6e33b05e310" target="_parent">DEFAULT_DATABASE_INTERVAL</a>
<span class="SRScope">spp_ai.h</span> <span class="SRScope">spp_ai.h</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_default_5fhash_5fcleanup_5finterval"> <div class="SRResult" id="SR_default_5fhash_5fcleanup_5finterval">
<div class="SREntry"> <div class="SREntry">
<a id="Item13" onkeydown="return searchResults.Nav(event,13)" onkeypress="return searchResults.Nav(event,13)" onkeyup="return searchResults.Nav(event,13)" class="SRSymbol" href="../spp__ai_8h.html#a5f555c0ebd29ce2771a3e2dd4f526746" target="_parent">DEFAULT_HASH_CLEANUP_INTERVAL</a> <a id="Item15" onkeydown="return searchResults.Nav(event,15)" onkeypress="return searchResults.Nav(event,15)" onkeyup="return searchResults.Nav(event,15)" class="SRSymbol" href="../spp__ai_8h.html#a5f555c0ebd29ce2771a3e2dd4f526746" target="_parent">DEFAULT_HASH_CLEANUP_INTERVAL</a>
<span class="SRScope">spp_ai.h</span> <span class="SRScope">spp_ai.h</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_default_5fstream_5fexpire_5finterval"> <div class="SRResult" id="SR_default_5fstream_5fexpire_5finterval">
<div class="SREntry"> <div class="SREntry">
<a id="Item14" onkeydown="return searchResults.Nav(event,14)" onkeypress="return searchResults.Nav(event,14)" onkeyup="return searchResults.Nav(event,14)" class="SRSymbol" href="../spp__ai_8h.html#a0f6a189af15ef783fb46ed37c144e031" target="_parent">DEFAULT_STREAM_EXPIRE_INTERVAL</a> <a id="Item16" onkeydown="return searchResults.Nav(event,16)" onkeypress="return searchResults.Nav(event,16)" onkeyup="return searchResults.Nav(event,16)" class="SRSymbol" href="../spp__ai_8h.html#a0f6a189af15ef783fb46ed37c144e031" target="_parent">DEFAULT_STREAM_EXPIRE_INTERVAL</a>
<span class="SRScope">spp_ai.h</span> <span class="SRScope">spp_ai.h</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_derived_5falerts">
<div class="SREntry">
<a id="Item17" onkeydown="return searchResults.Nav(event,17)" onkeypress="return searchResults.Nav(event,17)" onkeyup="return searchResults.Nav(event,17)" class="SRSymbol" href="../struct__AI__snort__alert.html#aac5e4078600ed17532db1f3d78165390" target="_parent">derived_alerts</a>
<span class="SRScope">_AI_snort_alert</span>
</div>
</div>
<div class="SRResult" id="SR_desc"> <div class="SRResult" id="SR_desc">
<div class="SREntry"> <div class="SREntry">
<a id="Item15" onkeydown="return searchResults.Nav(event,15)" onkeypress="return searchResults.Nav(event,15)" onkeyup="return searchResults.Nav(event,15)" class="SRSymbol" href="../struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135" target="_parent">desc</a> <a id="Item18" onkeydown="return searchResults.Nav(event,18)" onkeypress="return searchResults.Nav(event,18)" onkeyup="return searchResults.Nav(event,18)" class="SRSymbol" href="../struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135" target="_parent">desc</a>
<span class="SRScope">_AI_snort_alert</span> <span class="SRScope">_AI_snort_alert</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_dst_5faddr"> <div class="SRResult" id="SR_dst_5faddr">
<div class="SREntry"> <div class="SREntry">
<a id="Item16" onkeydown="return searchResults.Nav(event,16)" onkeypress="return searchResults.Nav(event,16)" onkeyup="return searchResults.Nav(event,16)" class="SRSymbol" href="../spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640aa000f955ef1374c60cdb16bf43a1593c" target="_parent">dst_addr</a> <a id="Item19" onkeydown="return searchResults.Nav(event,19)" onkeypress="return searchResults.Nav(event,19)" onkeyup="return searchResults.Nav(event,19)" class="SRSymbol" href="../spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640aa000f955ef1374c60cdb16bf43a1593c" target="_parent">dst_addr</a>
<span class="SRScope">spp_ai.h</span> <span class="SRScope">spp_ai.h</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_dst_5fport"> <div class="SRResult" id="SR_dst_5fport">
<div class="SREntry"> <div class="SREntry">
<a id="Item17" onkeydown="return searchResults.Nav(event,17)" onkeypress="return searchResults.Nav(event,17)" onkeyup="return searchResults.Nav(event,17)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_dst_5fport')">dst_port</a> <a id="Item20" onkeydown="return searchResults.Nav(event,20)" onkeypress="return searchResults.Nav(event,20)" onkeyup="return searchResults.Nav(event,20)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_dst_5fport')">dst_port</a>
<div class="SRChildren"> <div class="SRChildren">
<a id="Item17_c0" onkeydown="return searchResults.NavChild(event,17,0)" onkeypress="return searchResults.NavChild(event,17,0)" onkeyup="return searchResults.NavChild(event,17,0)" class="SRScope" href="../structpkt__key.html#af77f5eb1f4cd88b43fe99fd73553351d" target="_parent">pkt_key::dst_port()</a> <a id="Item20_c0" onkeydown="return searchResults.NavChild(event,20,0)" onkeypress="return searchResults.NavChild(event,20,0)" onkeyup="return searchResults.NavChild(event,20,0)" class="SRScope" href="../structpkt__key.html#af77f5eb1f4cd88b43fe99fd73553351d" target="_parent">pkt_key::dst_port()</a>
<a id="Item17_c1" onkeydown="return searchResults.NavChild(event,17,1)" onkeypress="return searchResults.NavChild(event,17,1)" onkeyup="return searchResults.NavChild(event,17,1)" class="SRScope" href="../spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640abc4f89a184ada44073bd6f54d7fc11c9" target="_parent">dst_port():&nbsp;spp_ai.h</a> <a id="Item20_c1" onkeydown="return searchResults.NavChild(event,20,1)" onkeypress="return searchResults.NavChild(event,20,1)" onkeyup="return searchResults.NavChild(event,20,1)" class="SRScope" href="../spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640abc4f89a184ada44073bd6f54d7fc11c9" target="_parent">dst_port():&nbsp;spp_ai.h</a>
</div> </div>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_dynamic_5fpreproc_5fsetup"> <div class="SRResult" id="SR_dynamic_5fpreproc_5fsetup">
<div class="SREntry"> <div class="SREntry">
<a id="Item18" onkeydown="return searchResults.Nav(event,18)" onkeypress="return searchResults.Nav(event,18)" onkeyup="return searchResults.Nav(event,18)" class="SRSymbol" href="../sf__preproc__info_8h.html#aba4c0d0af324a3861e662ed4650aae44" target="_parent">DYNAMIC_PREPROC_SETUP</a> <a id="Item21" onkeydown="return searchResults.Nav(event,21)" onkeypress="return searchResults.Nav(event,21)" onkeyup="return searchResults.Nav(event,21)" class="SRSymbol" href="../sf__preproc__info_8h.html#aba4c0d0af324a3861e662ed4650aae44" target="_parent">DYNAMIC_PREPROC_SETUP</a>
<span class="SRScope">sf_preproc_info.h</span> <span class="SRScope">sf_preproc_info.h</span>
</div> </div>
</div> </div>


@ -12,8 +12,9 @@
<a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_key')">key</a> <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_key')">key</a>
<div class="SRChildren"> <div class="SRChildren">
<a id="Item0_c0" onkeydown="return searchResults.NavChild(event,0,0)" onkeypress="return searchResults.NavChild(event,0,0)" onkeyup="return searchResults.NavChild(event,0,0)" class="SRScope" href="../structattribute__value.html#aa8b5ae41c150e4fefb800d3b1924278d" target="_parent">attribute_value::key()</a> <a id="Item0_c0" onkeydown="return searchResults.NavChild(event,0,0)" onkeypress="return searchResults.NavChild(event,0,0)" onkeyup="return searchResults.NavChild(event,0,0)" class="SRScope" href="../structattribute__value.html#aa8b5ae41c150e4fefb800d3b1924278d" target="_parent">attribute_value::key()</a>
<a id="Item0_c1" onkeydown="return searchResults.NavChild(event,0,1)" onkeypress="return searchResults.NavChild(event,0,1)" onkeyup="return searchResults.NavChild(event,0,1)" class="SRScope" href="../structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339" target="_parent">pkt_info::key()</a> <a id="Item0_c1" onkeydown="return searchResults.NavChild(event,0,1)" onkeypress="return searchResults.NavChild(event,0,1)" onkeyup="return searchResults.NavChild(event,0,1)" class="SRScope" href="../structAI__alert__correlation.html#a4e27da4922a1d44497634c8e5968d870" target="_parent">AI_alert_correlation::key()</a>
<a id="Item0_c2" onkeydown="return searchResults.NavChild(event,0,2)" onkeypress="return searchResults.NavChild(event,0,2)" onkeyup="return searchResults.NavChild(event,0,2)" class="SRScope" href="../structAI__hyperalert__info.html#a9d461da8f00415ef03b24edb3bbd6cf8" target="_parent">AI_hyperalert_info::key()</a> <a id="Item0_c2" onkeydown="return searchResults.NavChild(event,0,2)" onkeypress="return searchResults.NavChild(event,0,2)" onkeyup="return searchResults.NavChild(event,0,2)" class="SRScope" href="../structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339" target="_parent">pkt_info::key()</a>
<a id="Item0_c3" onkeydown="return searchResults.NavChild(event,0,3)" onkeypress="return searchResults.NavChild(event,0,3)" onkeyup="return searchResults.NavChild(event,0,3)" class="SRScope" href="../structAI__hyperalert__info.html#a9d461da8f00415ef03b24edb3bbd6cf8" target="_parent">AI_hyperalert_info::key()</a>
</div> </div>
</div> </div>
</div> </div>


@ -7,36 +7,42 @@
<body class="SRPage"> <body class="SRPage">
<div id="SRIndex"> <div id="SRIndex">
<div class="SRStatus" id="Loading">Loading...</div> <div class="SRStatus" id="Loading">Loading...</div>
<div class="SRResult" id="SR_n_5fderived_5falerts">
<div class="SREntry">
<a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__AI__snort__alert.html#a1f2d5e8cfd0e6321b977173d1e90cb68" target="_parent">n_derived_alerts</a>
<span class="SRScope">_AI_snort_alert</span>
</div>
</div>
<div class="SRResult" id="SR_n_5fpostconds"> <div class="SRResult" id="SR_n_5fpostconds">
<div class="SREntry"> <div class="SREntry">
<a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structAI__hyperalert__info.html#a73322b6cad3e883abed03b62c6c21719" target="_parent">n_postconds</a> <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../structAI__hyperalert__info.html#a73322b6cad3e883abed03b62c6c21719" target="_parent">n_postconds</a>
<span class="SRScope">AI_hyperalert_info</span> <span class="SRScope">AI_hyperalert_info</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_n_5fpreconds"> <div class="SRResult" id="SR_n_5fpreconds">
<div class="SREntry"> <div class="SREntry">
<a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../structAI__hyperalert__info.html#a616c16f364dbb2d726e88df6b364ea40" target="_parent">n_preconds</a> <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../structAI__hyperalert__info.html#a616c16f364dbb2d726e88df6b364ea40" target="_parent">n_preconds</a>
<span class="SRScope">AI_hyperalert_info</span> <span class="SRScope">AI_hyperalert_info</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_nchildren"> <div class="SRResult" id="SR_nchildren">
<div class="SREntry"> <div class="SREntry">
<a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../struct__hierarchy__node.html#a849256ce1039e2cefaaf64d91171be0a" target="_parent">nchildren</a> <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../struct__hierarchy__node.html#a849256ce1039e2cefaaf64d91171be0a" target="_parent">nchildren</a>
<span class="SRScope">_hierarchy_node</span> <span class="SRScope">_hierarchy_node</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_next"> <div class="SRResult" id="SR_next">
<div class="SREntry"> <div class="SREntry">
<a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_next')">next</a> <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_next')">next</a>
<div class="SRChildren"> <div class="SRChildren">
<a id="Item3_c0" onkeydown="return searchResults.NavChild(event,3,0)" onkeypress="return searchResults.NavChild(event,3,0)" onkeyup="return searchResults.NavChild(event,3,0)" class="SRScope" href="../structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168" target="_parent">pkt_info::next()</a> <a id="Item4_c0" onkeydown="return searchResults.NavChild(event,4,0)" onkeypress="return searchResults.NavChild(event,4,0)" onkeyup="return searchResults.NavChild(event,4,0)" class="SRScope" href="../structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168" target="_parent">pkt_info::next()</a>
<a id="Item3_c1" onkeydown="return searchResults.NavChild(event,3,1)" onkeypress="return searchResults.NavChild(event,3,1)" onkeyup="return searchResults.NavChild(event,3,1)" class="SRScope" href="../struct__AI__snort__alert.html#aa8336d4b3359015ed8ea312ca1fd1173" target="_parent">_AI_snort_alert::next()</a> <a id="Item4_c1" onkeydown="return searchResults.NavChild(event,4,1)" onkeypress="return searchResults.NavChild(event,4,1)" onkeyup="return searchResults.NavChild(event,4,1)" class="SRScope" href="../struct__AI__snort__alert.html#aa8336d4b3359015ed8ea312ca1fd1173" target="_parent">_AI_snort_alert::next()</a>
</div> </div>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_none"> <div class="SRResult" id="SR_none">
<div class="SREntry"> <div class="SREntry">
<a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ab7e4e0120a041dbe6528b050c04269e0" target="_parent">none</a> <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ab7e4e0120a041dbe6528b050c04269e0" target="_parent">none</a>
<span class="SRScope">spp_ai.h</span> <span class="SRScope">spp_ai.h</span>
</div> </div>
</div> </div>


@ -56,15 +56,21 @@
<span class="SRScope">sf_preproc_info.h</span> <span class="SRScope">sf_preproc_info.h</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_previous_5fcorrelated">
<div class="SREntry">
<a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../struct__AI__snort__alert.html#a55a5488c7ee7706ded4c16b1235fd9c7" target="_parent">previous_correlated</a>
<span class="SRScope">_AI_snort_alert</span>
</div>
</div>
<div class="SRResult" id="SR_priority"> <div class="SRResult" id="SR_priority">
<div class="SREntry"> <div class="SREntry">
<a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9" target="_parent">priority</a> <a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="../struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9" target="_parent">priority</a>
<span class="SRScope">_AI_snort_alert</span> <span class="SRScope">_AI_snort_alert</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_private"> <div class="SRResult" id="SR_private">
<div class="SREntry"> <div class="SREntry">
<a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="../spp__ai_8h.html#a5e151c615eda34903514212f05a5ccf8" target="_parent">PRIVATE</a> <a id="Item10" onkeydown="return searchResults.Nav(event,10)" onkeypress="return searchResults.Nav(event,10)" onkeyup="return searchResults.Nav(event,10)" class="SRSymbol" href="../spp__ai_8h.html#a5e151c615eda34903514212f05a5ccf8" target="_parent">PRIVATE</a>
<span class="SRScope">spp_ai.h</span> <span class="SRScope">spp_ai.h</span>
</div> </div>
</div> </div>


@ -12,29 +12,34 @@
<a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structAI__alert__correlation.html" target="_parent">AI_alert_correlation</a> <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structAI__alert__correlation.html" target="_parent">AI_alert_correlation</a>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_ai_5falert_5fcorrelation_5fkey">
<div class="SREntry">
<a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../structAI__alert__correlation__key.html" target="_parent">AI_alert_correlation_key</a>
</div>
</div>
<div class="SRResult" id="SR_ai_5fconfig"> <div class="SRResult" id="SR_ai_5fconfig">
<div class="SREntry"> <div class="SREntry">
<a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../structAI__config.html" target="_parent">AI_config</a> <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../structAI__config.html" target="_parent">AI_config</a>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_ai_5fhyperalert_5finfo"> <div class="SRResult" id="SR_ai_5fhyperalert_5finfo">
<div class="SREntry"> <div class="SREntry">
<a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../structAI__hyperalert__info.html" target="_parent">AI_hyperalert_info</a> <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../structAI__hyperalert__info.html" target="_parent">AI_hyperalert_info</a>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_ai_5fhyperalert_5fkey"> <div class="SRResult" id="SR_ai_5fhyperalert_5fkey">
<div class="SREntry"> <div class="SREntry">
<a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../structAI__hyperalert__key.html" target="_parent">AI_hyperalert_key</a> <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../structAI__hyperalert__key.html" target="_parent">AI_hyperalert_key</a>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_attribute_5fkey"> <div class="SRResult" id="SR_attribute_5fkey">
<div class="SREntry"> <div class="SREntry">
<a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../structattribute__key.html" target="_parent">attribute_key</a> <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../structattribute__key.html" target="_parent">attribute_key</a>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_attribute_5fvalue"> <div class="SRResult" id="SR_attribute_5fvalue">
<div class="SREntry"> <div class="SREntry">
<a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../structattribute__value.html" target="_parent">attribute_value</a> <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../structattribute__value.html" target="_parent">attribute_value</a>
</div> </div>
</div> </div>
<div class="SRStatus" id="Searching">Searching...</div> <div class="SRStatus" id="Searching">Searching...</div>


@ -31,33 +31,45 @@
<span class="SRScope">spp_ai.h</span> <span class="SRScope">spp_ai.h</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_default_5fcorr_5falerts_5fdir">
<div class="SREntry">
<a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../spp__ai_8h.html#a7bbeccba60012abcc98db33d39294829" target="_parent">DEFAULT_CORR_ALERTS_DIR</a>
<span class="SRScope">spp_ai.h</span>
</div>
</div>
<div class="SRResult" id="SR_default_5fcorr_5frules_5fdir"> <div class="SRResult" id="SR_default_5fcorr_5frules_5fdir">
<div class="SREntry"> <div class="SREntry">
<a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../spp__ai_8h.html#a89448386cad5d5533992ae7ee84f4f1d" target="_parent">DEFAULT_CORR_RULES_DIR</a> <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../spp__ai_8h.html#a89448386cad5d5533992ae7ee84f4f1d" target="_parent">DEFAULT_CORR_RULES_DIR</a>
<span class="SRScope">spp_ai.h</span>
</div>
</div>
<div class="SRResult" id="SR_default_5fcorr_5fthreshold">
<div class="SREntry">
<a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../spp__ai_8h.html#aaedb0b7dc2bdf8d44d3fee2189a55a19" target="_parent">DEFAULT_CORR_THRESHOLD</a>
<span class="SRScope">spp_ai.h</span> <span class="SRScope">spp_ai.h</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_default_5fdatabase_5finterval"> <div class="SRResult" id="SR_default_5fdatabase_5finterval">
<div class="SREntry"> <div class="SREntry">
<a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../spp__ai_8h.html#a3c4984a0ee515fbc091ac6e33b05e310" target="_parent">DEFAULT_DATABASE_INTERVAL</a> <a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../spp__ai_8h.html#a3c4984a0ee515fbc091ac6e33b05e310" target="_parent">DEFAULT_DATABASE_INTERVAL</a>
<span class="SRScope">spp_ai.h</span> <span class="SRScope">spp_ai.h</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_default_5fhash_5fcleanup_5finterval"> <div class="SRResult" id="SR_default_5fhash_5fcleanup_5finterval">
<div class="SREntry"> <div class="SREntry">
<a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../spp__ai_8h.html#a5f555c0ebd29ce2771a3e2dd4f526746" target="_parent">DEFAULT_HASH_CLEANUP_INTERVAL</a> <a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../spp__ai_8h.html#a5f555c0ebd29ce2771a3e2dd4f526746" target="_parent">DEFAULT_HASH_CLEANUP_INTERVAL</a>
<span class="SRScope">spp_ai.h</span> <span class="SRScope">spp_ai.h</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_default_5fstream_5fexpire_5finterval"> <div class="SRResult" id="SR_default_5fstream_5fexpire_5finterval">
<div class="SREntry"> <div class="SREntry">
<a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../spp__ai_8h.html#a0f6a189af15ef783fb46ed37c144e031" target="_parent">DEFAULT_STREAM_EXPIRE_INTERVAL</a> <a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="../spp__ai_8h.html#a0f6a189af15ef783fb46ed37c144e031" target="_parent">DEFAULT_STREAM_EXPIRE_INTERVAL</a>
<span class="SRScope">spp_ai.h</span> <span class="SRScope">spp_ai.h</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_dynamic_5fpreproc_5fsetup"> <div class="SRResult" id="SR_dynamic_5fpreproc_5fsetup">
<div class="SREntry"> <div class="SREntry">
<a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../sf__preproc__info_8h.html#aba4c0d0af324a3861e662ed4650aae44" target="_parent">DYNAMIC_PREPROC_SETUP</a> <a id="Item10" onkeydown="return searchResults.Nav(event,10)" onkeypress="return searchResults.Nav(event,10)" onkeyup="return searchResults.Nav(event,10)" class="SRSymbol" href="../sf__preproc__info_8h.html#aba4c0d0af324a3861e662ed4650aae44" target="_parent">DYNAMIC_PREPROC_SETUP</a>
<span class="SRScope">sf_preproc_info.h</span> <span class="SRScope">sf_preproc_info.h</span>
</div> </div>
</div> </div>


@ -33,67 +33,91 @@
</div> </div>
<div class="SRResult" id="SR__5fai_5fcorrelation_5fcoefficient"> <div class="SRResult" id="SR__5fai_5fcorrelation_5fcoefficient">
<div class="SREntry"> <div class="SREntry">
<a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../group__correlation.html#ga130e82017fc0abcb76b1a7740ae2f4df" target="_parent">_AI_correlation_coefficient</a> <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../group__correlation.html#ga9cb283b28a66829574add58a251b93c6" target="_parent">_AI_correlation_coefficient</a>
<span class="SRScope">correlation.c</span>
</div>
</div>
<div class="SRResult" id="SR__5fai_5fcorrelation_5ftable_5fcleanup">
<div class="SREntry">
<a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../group__correlation.html#ga9bcb94264ffe30f113f3fb7287b774e3" target="_parent">_AI_correlation_table_cleanup</a>
<span class="SRScope">correlation.c</span> <span class="SRScope">correlation.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR__5fai_5fequal_5falarms"> <div class="SRResult" id="SR__5fai_5fequal_5falarms">
<div class="SREntry"> <div class="SREntry">
<a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../group__cluster.html#ga0f91c8bfc37a3975f5c26b19fd6c5cba" target="_parent">_AI_equal_alarms</a> <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../group__cluster.html#ga0f91c8bfc37a3975f5c26b19fd6c5cba" target="_parent">_AI_equal_alarms</a>
<span class="SRScope">cluster.c</span> <span class="SRScope">cluster.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR__5fai_5fget_5ffunction_5farguments">
<div class="SREntry">
<a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../group__correlation.html#gab716702cd226ab2ad957234a92da6e4a" target="_parent">_AI_get_function_arguments</a>
<span class="SRScope">correlation.c</span>
</div>
</div>
<div class="SRResult" id="SR__5fai_5fget_5ffunction_5fname">
<div class="SREntry">
<a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../group__correlation.html#ga7a1b2d01f526f24ea91d7f08bdefd4fe" target="_parent">_AI_get_function_name</a>
<span class="SRScope">correlation.c</span>
</div>
</div>
<div class="SRResult" id="SR__5fai_5fget_5fmin_5fhierarchy_5fnode"> <div class="SRResult" id="SR__5fai_5fget_5fmin_5fhierarchy_5fnode">
<div class="SREntry"> <div class="SREntry">
<a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../group__cluster.html#ga6ddddcd505b1f763c339e81fc143e079" target="_parent">_AI_get_min_hierarchy_node</a> <a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="../group__cluster.html#ga6ddddcd505b1f763c339e81fc143e079" target="_parent">_AI_get_min_hierarchy_node</a>
<span class="SRScope">cluster.c</span> <span class="SRScope">cluster.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR__5fai_5fhyperalert_5ffrom_5fxml"> <div class="SRResult" id="SR__5fai_5fhyperalert_5ffrom_5fxml">
<div class="SREntry"> <div class="SREntry">
<a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../group__correlation.html#ga929e5c17fdb247a998d83ed6a4ae5a65" target="_parent">_AI_hyperalert_from_XML</a> <a id="Item10" onkeydown="return searchResults.Nav(event,10)" onkeypress="return searchResults.Nav(event,10)" onkeyup="return searchResults.Nav(event,10)" class="SRSymbol" href="../group__correlation.html#ga929e5c17fdb247a998d83ed6a4ae5a65" target="_parent">_AI_hyperalert_from_XML</a>
<span class="SRScope">correlation.c</span> <span class="SRScope">correlation.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR__5fai_5fmacro_5fsubst"> <div class="SRResult" id="SR__5fai_5fmacro_5fsubst">
<div class="SREntry"> <div class="SREntry">
<a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../group__correlation.html#ga0d094eae1d014d89a2de21263fa747da" target="_parent">_AI_macro_subst</a> <a id="Item11" onkeydown="return searchResults.Nav(event,11)" onkeypress="return searchResults.Nav(event,11)" onkeyup="return searchResults.Nav(event,11)" class="SRSymbol" href="../group__correlation.html#ga70a4aaf8b689472dad62ba7a9bbde1a6" target="_parent">_AI_macro_subst</a>
<span class="SRScope">correlation.c</span> <span class="SRScope">correlation.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR__5fai_5fmerge_5falerts"> <div class="SRResult" id="SR__5fai_5fmerge_5falerts">
<div class="SREntry"> <div class="SREntry">
<a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="../group__cluster.html#ga8ce8e5a5d8954672297fa2dedb380dcd" target="_parent">_AI_merge_alerts</a> <a id="Item12" onkeydown="return searchResults.Nav(event,12)" onkeypress="return searchResults.Nav(event,12)" onkeyup="return searchResults.Nav(event,12)" class="SRSymbol" href="../group__cluster.html#ga8ce8e5a5d8954672297fa2dedb380dcd" target="_parent">_AI_merge_alerts</a>
<span class="SRScope">cluster.c</span> <span class="SRScope">cluster.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR__5fai_5fprint_5fclustered_5falerts"> <div class="SRResult" id="SR__5fai_5fprint_5fclustered_5falerts">
<div class="SREntry"> <div class="SREntry">
<a id="Item10" onkeydown="return searchResults.Nav(event,10)" onkeypress="return searchResults.Nav(event,10)" onkeyup="return searchResults.Nav(event,10)" class="SRSymbol" href="../group__cluster.html#ga7d151880080470b542e99643dc0426a7" target="_parent">_AI_print_clustered_alerts</a> <a id="Item13" onkeydown="return searchResults.Nav(event,13)" onkeypress="return searchResults.Nav(event,13)" onkeyup="return searchResults.Nav(event,13)" class="SRSymbol" href="../group__cluster.html#ga7d151880080470b542e99643dc0426a7" target="_parent">_AI_print_clustered_alerts</a>
<span class="SRScope">cluster.c</span> <span class="SRScope">cluster.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR__5fai_5fprint_5fcorrelated_5falerts">
<div class="SREntry">
<a id="Item14" onkeydown="return searchResults.Nav(event,14)" onkeypress="return searchResults.Nav(event,14)" onkeyup="return searchResults.Nav(event,14)" class="SRSymbol" href="../group__correlation.html#ga4267a39fa1a5ac035015823bca43288e" target="_parent">_AI_print_correlated_alerts</a>
<span class="SRScope">correlation.c</span>
</div>
</div>
<div class="SRResult" id="SR__5fai_5fstream_5ffree"> <div class="SRResult" id="SR__5fai_5fstream_5ffree">
<div class="SREntry"> <div class="SREntry">
<a id="Item11" onkeydown="return searchResults.Nav(event,11)" onkeypress="return searchResults.Nav(event,11)" onkeyup="return searchResults.Nav(event,11)" class="SRSymbol" href="../group__stream.html#ga80016adf701c717a6ebfb5b15b8a5749" target="_parent">_AI_stream_free</a> <a id="Item15" onkeydown="return searchResults.Nav(event,15)" onkeypress="return searchResults.Nav(event,15)" onkeyup="return searchResults.Nav(event,15)" class="SRSymbol" href="../group__stream.html#ga80016adf701c717a6ebfb5b15b8a5749" target="_parent">_AI_stream_free</a>
<span class="SRScope">stream.c</span> <span class="SRScope">stream.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR__5fheuristic_5ffunc"> <div class="SRResult" id="SR__5fheuristic_5ffunc">
<div class="SREntry"> <div class="SREntry">
<a id="Item12" onkeydown="return searchResults.Nav(event,12)" onkeypress="return searchResults.Nav(event,12)" onkeyup="return searchResults.Nav(event,12)" class="SRSymbol" href="../group__cluster.html#ga81f5fa721719fdb281595a568eef2101" target="_parent">_heuristic_func</a> <a id="Item16" onkeydown="return searchResults.Nav(event,16)" onkeypress="return searchResults.Nav(event,16)" onkeyup="return searchResults.Nav(event,16)" class="SRSymbol" href="../group__cluster.html#ga81f5fa721719fdb281595a568eef2101" target="_parent">_heuristic_func</a>
<span class="SRScope">cluster.c</span> <span class="SRScope">cluster.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR__5fhierarchy_5fnode_5fappend"> <div class="SRResult" id="SR__5fhierarchy_5fnode_5fappend">
<div class="SREntry"> <div class="SREntry">
<a id="Item13" onkeydown="return searchResults.Nav(event,13)" onkeypress="return searchResults.Nav(event,13)" onkeyup="return searchResults.Nav(event,13)" class="SRSymbol" href="../group__cluster.html#ga5601a1f603d9c870ef6e2df192e30c30" target="_parent">_hierarchy_node_append</a> <a id="Item17" onkeydown="return searchResults.Nav(event,17)" onkeypress="return searchResults.Nav(event,17)" onkeyup="return searchResults.Nav(event,17)" class="SRSymbol" href="../group__cluster.html#ga5601a1f603d9c870ef6e2df192e30c30" target="_parent">_hierarchy_node_append</a>
<span class="SRScope">cluster.c</span> <span class="SRScope">cluster.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR__5fhierarchy_5fnode_5fnew"> <div class="SRResult" id="SR__5fhierarchy_5fnode_5fnew">
<div class="SREntry"> <div class="SREntry">
<a id="Item14" onkeydown="return searchResults.Nav(event,14)" onkeypress="return searchResults.Nav(event,14)" onkeyup="return searchResults.Nav(event,14)" class="SRSymbol" href="../group__cluster.html#ga2f1a22cfea64e4669da0467620c3e3b3" target="_parent">_hierarchy_node_new</a> <a id="Item18" onkeydown="return searchResults.Nav(event,18)" onkeypress="return searchResults.Nav(event,18)" onkeyup="return searchResults.Nav(event,18)" class="SRSymbol" href="../group__cluster.html#ga2f1a22cfea64e4669da0467620c3e3b3" target="_parent">_hierarchy_node_new</a>
<span class="SRScope">cluster.c</span> <span class="SRScope">cluster.c</span>
</div> </div>
</div> </div>


@ -9,8 +9,8 @@
<div class="SRStatus" id="Loading">Loading...</div> <div class="SRStatus" id="Loading">Loading...</div>
<div class="SRResult" id="SR_a"> <div class="SRResult" id="SR_a">
<div class="SREntry"> <div class="SREntry">
<a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structAI__alert__correlation.html#a8737f171e1c1b2305c8fe77101d6aeb7" target="_parent">a</a> <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structAI__alert__correlation__key.html#a774daec9332da25835a0904d853acadb" target="_parent">a</a>
<span class="SRScope">AI_alert_correlation</span> <span class="SRScope">AI_alert_correlation_key</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_alert_5ffp"> <div class="SRResult" id="SR_alert_5ffp">


@ -9,8 +9,8 @@
<div class="SRStatus" id="Loading">Loading...</div> <div class="SRStatus" id="Loading">Loading...</div>
<div class="SRResult" id="SR_b"> <div class="SRResult" id="SR_b">
<div class="SREntry"> <div class="SREntry">
<a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structAI__alert__correlation.html#a478f1a6f18f9c083b203efdf776379cd" target="_parent">b</a> <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structAI__alert__correlation__key.html#a5805dec6499a83b818091b4f21c715dc" target="_parent">b</a>
<span class="SRScope">AI_alert_correlation</span> <span class="SRScope">AI_alert_correlation_key</span>
</div> </div>
</div> </div>
<div class="SRStatus" id="Searching">Searching...</div> <div class="SRStatus" id="Searching">Searching...</div>


@ -31,33 +31,45 @@
<span class="SRScope">correlation.c</span> <span class="SRScope">correlation.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_corr_5falerts_5fdir">
<div class="SREntry">
<a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../structAI__config.html#ae68f5489e2ec9ea1408f98fe36d050c9" target="_parent">corr_alerts_dir</a>
<span class="SRScope">AI_config</span>
</div>
</div>
<div class="SRResult" id="SR_corr_5frules_5fdir"> <div class="SRResult" id="SR_corr_5frules_5fdir">
<div class="SREntry"> <div class="SREntry">
<a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../structAI__config.html#ab7ea93bbe72b85c4019b4f5656ad62fc" target="_parent">corr_rules_dir</a> <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../structAI__config.html#ab7ea93bbe72b85c4019b4f5656ad62fc" target="_parent">corr_rules_dir</a>
<span class="SRScope">AI_config</span> <span class="SRScope">AI_config</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_correlation"> <div class="SRResult" id="SR_correlation">
<div class="SREntry"> <div class="SREntry">
<a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../structAI__alert__correlation.html#aad417b2126ae26d7576f006a3dbcdc81" target="_parent">correlation</a> <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../structAI__alert__correlation.html#aad417b2126ae26d7576f006a3dbcdc81" target="_parent">correlation</a>
<span class="SRScope">AI_alert_correlation</span> <span class="SRScope">AI_alert_correlation</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_correlation_5ftable"> <div class="SRResult" id="SR_correlation_5ftable">
<div class="SREntry"> <div class="SREntry">
<a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../group__correlation.html#ga701934a296c51f2397d24e8bf4a9f021" target="_parent">correlation_table</a> <a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../group__correlation.html#ga701934a296c51f2397d24e8bf4a9f021" target="_parent">correlation_table</a>
<span class="SRScope">correlation.c</span> <span class="SRScope">correlation.c</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_correlationgraphinterval"> <div class="SRResult" id="SR_correlationgraphinterval">
<div class="SREntry"> <div class="SREntry">
<a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../structAI__config.html#aa736375e57a59936e2e782b7cd200e41" target="_parent">correlationGraphInterval</a> <a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../structAI__config.html#aa736375e57a59936e2e782b7cd200e41" target="_parent">correlationGraphInterval</a>
<span class="SRScope">AI_config</span>
</div>
</div>
<div class="SRResult" id="SR_correlationthresholdcoefficient">
<div class="SREntry">
<a id="Item9" onkeydown="return searchResults.Nav(event,9)" onkeypress="return searchResults.Nav(event,9)" onkeyup="return searchResults.Nav(event,9)" class="SRSymbol" href="../structAI__config.html#adf6ef0faedfb4dea0a1353e781b14883" target="_parent">correlationThresholdCoefficient</a>
<span class="SRScope">AI_config</span> <span class="SRScope">AI_config</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_count"> <div class="SRResult" id="SR_count">
<div class="SREntry"> <div class="SREntry">
<a id="Item8" onkeydown="return searchResults.Nav(event,8)" onkeypress="return searchResults.Nav(event,8)" onkeyup="return searchResults.Nav(event,8)" class="SRSymbol" href="../structattribute__value.html#a5579c0304c2e9ab488ac94905b385045" target="_parent">count</a> <a id="Item10" onkeydown="return searchResults.Nav(event,10)" onkeypress="return searchResults.Nav(event,10)" onkeyup="return searchResults.Nav(event,10)" class="SRSymbol" href="../structattribute__value.html#a5579c0304c2e9ab488ac94905b385045" target="_parent">count</a>
<span class="SRScope">attribute_value</span> <span class="SRScope">attribute_value</span>
</div> </div>
</div> </div>


@ -37,15 +37,21 @@
<span class="SRScope">AI_config</span> <span class="SRScope">AI_config</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_derived_5falerts">
<div class="SREntry">
<a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../struct__AI__snort__alert.html#aac5e4078600ed17532db1f3d78165390" target="_parent">derived_alerts</a>
<span class="SRScope">_AI_snort_alert</span>
</div>
</div>
<div class="SRResult" id="SR_desc"> <div class="SRResult" id="SR_desc">
<div class="SREntry"> <div class="SREntry">
<a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135" target="_parent">desc</a> <a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135" target="_parent">desc</a>
<span class="SRScope">_AI_snort_alert</span> <span class="SRScope">_AI_snort_alert</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_dst_5fport"> <div class="SRResult" id="SR_dst_5fport">
<div class="SREntry"> <div class="SREntry">
<a id="Item6" onkeydown="return searchResults.Nav(event,6)" onkeypress="return searchResults.Nav(event,6)" onkeyup="return searchResults.Nav(event,6)" class="SRSymbol" href="../structpkt__key.html#af77f5eb1f4cd88b43fe99fd73553351d" target="_parent">dst_port</a> <a id="Item7" onkeydown="return searchResults.Nav(event,7)" onkeypress="return searchResults.Nav(event,7)" onkeyup="return searchResults.Nav(event,7)" class="SRSymbol" href="../structpkt__key.html#af77f5eb1f4cd88b43fe99fd73553351d" target="_parent">dst_port</a>
<span class="SRScope">pkt_key</span> <span class="SRScope">pkt_key</span>
</div> </div>
</div> </div>


@ -12,8 +12,9 @@
<a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_key')">key</a> <a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_key')">key</a>
<div class="SRChildren"> <div class="SRChildren">
<a id="Item0_c0" onkeydown="return searchResults.NavChild(event,0,0)" onkeypress="return searchResults.NavChild(event,0,0)" onkeyup="return searchResults.NavChild(event,0,0)" class="SRScope" href="../structattribute__value.html#aa8b5ae41c150e4fefb800d3b1924278d" target="_parent">attribute_value::key()</a> <a id="Item0_c0" onkeydown="return searchResults.NavChild(event,0,0)" onkeypress="return searchResults.NavChild(event,0,0)" onkeyup="return searchResults.NavChild(event,0,0)" class="SRScope" href="../structattribute__value.html#aa8b5ae41c150e4fefb800d3b1924278d" target="_parent">attribute_value::key()</a>
<a id="Item0_c1" onkeydown="return searchResults.NavChild(event,0,1)" onkeypress="return searchResults.NavChild(event,0,1)" onkeyup="return searchResults.NavChild(event,0,1)" class="SRScope" href="../structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339" target="_parent">pkt_info::key()</a> <a id="Item0_c1" onkeydown="return searchResults.NavChild(event,0,1)" onkeypress="return searchResults.NavChild(event,0,1)" onkeyup="return searchResults.NavChild(event,0,1)" class="SRScope" href="../structAI__alert__correlation.html#a4e27da4922a1d44497634c8e5968d870" target="_parent">AI_alert_correlation::key()</a>
<a id="Item0_c2" onkeydown="return searchResults.NavChild(event,0,2)" onkeypress="return searchResults.NavChild(event,0,2)" onkeyup="return searchResults.NavChild(event,0,2)" class="SRScope" href="../structAI__hyperalert__info.html#a9d461da8f00415ef03b24edb3bbd6cf8" target="_parent">AI_hyperalert_info::key()</a> <a id="Item0_c2" onkeydown="return searchResults.NavChild(event,0,2)" onkeypress="return searchResults.NavChild(event,0,2)" onkeyup="return searchResults.NavChild(event,0,2)" class="SRScope" href="../structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339" target="_parent">pkt_info::key()</a>
<a id="Item0_c3" onkeydown="return searchResults.NavChild(event,0,3)" onkeypress="return searchResults.NavChild(event,0,3)" onkeyup="return searchResults.NavChild(event,0,3)" class="SRScope" href="../structAI__hyperalert__info.html#a9d461da8f00415ef03b24edb3bbd6cf8" target="_parent">AI_hyperalert_info::key()</a>
</div> </div>
</div> </div>
</div> </div>


@ -7,30 +7,36 @@
<body class="SRPage"> <body class="SRPage">
<div id="SRIndex"> <div id="SRIndex">
<div class="SRStatus" id="Loading">Loading...</div> <div class="SRStatus" id="Loading">Loading...</div>
<div class="SRResult" id="SR_n_5fderived_5falerts">
<div class="SREntry">
<a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../struct__AI__snort__alert.html#a1f2d5e8cfd0e6321b977173d1e90cb68" target="_parent">n_derived_alerts</a>
<span class="SRScope">_AI_snort_alert</span>
</div>
</div>
<div class="SRResult" id="SR_n_5fpostconds"> <div class="SRResult" id="SR_n_5fpostconds">
<div class="SREntry"> <div class="SREntry">
<a id="Item0" onkeydown="return searchResults.Nav(event,0)" onkeypress="return searchResults.Nav(event,0)" onkeyup="return searchResults.Nav(event,0)" class="SRSymbol" href="../structAI__hyperalert__info.html#a73322b6cad3e883abed03b62c6c21719" target="_parent">n_postconds</a> <a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../structAI__hyperalert__info.html#a73322b6cad3e883abed03b62c6c21719" target="_parent">n_postconds</a>
<span class="SRScope">AI_hyperalert_info</span> <span class="SRScope">AI_hyperalert_info</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_n_5fpreconds"> <div class="SRResult" id="SR_n_5fpreconds">
<div class="SREntry"> <div class="SREntry">
<a id="Item1" onkeydown="return searchResults.Nav(event,1)" onkeypress="return searchResults.Nav(event,1)" onkeyup="return searchResults.Nav(event,1)" class="SRSymbol" href="../structAI__hyperalert__info.html#a616c16f364dbb2d726e88df6b364ea40" target="_parent">n_preconds</a> <a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../structAI__hyperalert__info.html#a616c16f364dbb2d726e88df6b364ea40" target="_parent">n_preconds</a>
<span class="SRScope">AI_hyperalert_info</span> <span class="SRScope">AI_hyperalert_info</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_nchildren"> <div class="SRResult" id="SR_nchildren">
<div class="SREntry"> <div class="SREntry">
<a id="Item2" onkeydown="return searchResults.Nav(event,2)" onkeypress="return searchResults.Nav(event,2)" onkeyup="return searchResults.Nav(event,2)" class="SRSymbol" href="../struct__hierarchy__node.html#a849256ce1039e2cefaaf64d91171be0a" target="_parent">nchildren</a> <a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="../struct__hierarchy__node.html#a849256ce1039e2cefaaf64d91171be0a" target="_parent">nchildren</a>
<span class="SRScope">_hierarchy_node</span> <span class="SRScope">_hierarchy_node</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_next"> <div class="SRResult" id="SR_next">
<div class="SREntry"> <div class="SREntry">
<a id="Item3" onkeydown="return searchResults.Nav(event,3)" onkeypress="return searchResults.Nav(event,3)" onkeyup="return searchResults.Nav(event,3)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_next')">next</a> <a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="javascript:searchResults.Toggle('SR_next')">next</a>
<div class="SRChildren"> <div class="SRChildren">
<a id="Item3_c0" onkeydown="return searchResults.NavChild(event,3,0)" onkeypress="return searchResults.NavChild(event,3,0)" onkeyup="return searchResults.NavChild(event,3,0)" class="SRScope" href="../structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168" target="_parent">pkt_info::next()</a> <a id="Item4_c0" onkeydown="return searchResults.NavChild(event,4,0)" onkeypress="return searchResults.NavChild(event,4,0)" onkeyup="return searchResults.NavChild(event,4,0)" class="SRScope" href="../structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168" target="_parent">pkt_info::next()</a>
<a id="Item3_c1" onkeydown="return searchResults.NavChild(event,3,1)" onkeypress="return searchResults.NavChild(event,3,1)" onkeyup="return searchResults.NavChild(event,3,1)" class="SRScope" href="../struct__AI__snort__alert.html#aa8336d4b3359015ed8ea312ca1fd1173" target="_parent">_AI_snort_alert::next()</a> <a id="Item4_c1" onkeydown="return searchResults.NavChild(event,4,1)" onkeypress="return searchResults.NavChild(event,4,1)" onkeyup="return searchResults.NavChild(event,4,1)" class="SRScope" href="../struct__AI__snort__alert.html#aa8336d4b3359015ed8ea312ca1fd1173" target="_parent">_AI_snort_alert::next()</a>
</div> </div>
</div> </div>
</div> </div>


@ -31,9 +31,15 @@
<span class="SRScope">AI_hyperalert_info</span> <span class="SRScope">AI_hyperalert_info</span>
</div> </div>
</div> </div>
<div class="SRResult" id="SR_previous_5fcorrelated">
<div class="SREntry">
<a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../struct__AI__snort__alert.html#a55a5488c7ee7706ded4c16b1235fd9c7" target="_parent">previous_correlated</a>
<span class="SRScope">_AI_snort_alert</span>
</div>
</div>
<div class="SRResult" id="SR_priority"> <div class="SRResult" id="SR_priority">
<div class="SREntry"> <div class="SREntry">
<a id="Item4" onkeydown="return searchResults.Nav(event,4)" onkeypress="return searchResults.Nav(event,4)" onkeyup="return searchResults.Nav(event,4)" class="SRSymbol" href="../struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9" target="_parent">priority</a> <a id="Item5" onkeydown="return searchResults.Nav(event,5)" onkeypress="return searchResults.Nav(event,5)" onkeyup="return searchResults.Nav(event,5)" class="SRSymbol" href="../struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9" target="_parent">priority</a>
<span class="SRScope">_AI_snort_alert</span> <span class="SRScope">_AI_snort_alert</span>
</div> </div>
</div> </div>


@ -149,7 +149,7 @@ Functions</h2></td></tr>
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -78,7 +78,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -89,7 +89,7 @@ Variables</h2></td></tr>
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -83,6 +83,8 @@ Defines</h2></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">#define&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a6d9bf552c32371e0144dc6a6209c7e4a">DEFAULT_ALERT_LOG_FILE</a>&nbsp;&nbsp;&nbsp;&quot;/var/log/snort/alert&quot;</td></tr> <tr><td class="memItemLeft" align="right" valign="top">#define&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a6d9bf552c32371e0144dc6a6209c7e4a">DEFAULT_ALERT_LOG_FILE</a>&nbsp;&nbsp;&nbsp;&quot;/var/log/snort/alert&quot;</td></tr>
<tr><td class="memItemLeft" align="right" valign="top">#define&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a803dc913297ccdace9e604dbfecda97d">DEFAULT_CLUSTER_LOG_FILE</a>&nbsp;&nbsp;&nbsp;&quot;/var/log/snort/cluster_alert&quot;</td></tr> <tr><td class="memItemLeft" align="right" valign="top">#define&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a803dc913297ccdace9e604dbfecda97d">DEFAULT_CLUSTER_LOG_FILE</a>&nbsp;&nbsp;&nbsp;&quot;/var/log/snort/cluster_alert&quot;</td></tr>
<tr><td class="memItemLeft" align="right" valign="top">#define&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a89448386cad5d5533992ae7ee84f4f1d">DEFAULT_CORR_RULES_DIR</a>&nbsp;&nbsp;&nbsp;&quot;/etc/snort/corr_rules&quot;</td></tr> <tr><td class="memItemLeft" align="right" valign="top">#define&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a89448386cad5d5533992ae7ee84f4f1d">DEFAULT_CORR_RULES_DIR</a>&nbsp;&nbsp;&nbsp;&quot;/etc/snort/corr_rules&quot;</td></tr>
<tr><td class="memItemLeft" align="right" valign="top">#define&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#a7bbeccba60012abcc98db33d39294829">DEFAULT_CORR_ALERTS_DIR</a>&nbsp;&nbsp;&nbsp;&quot;/var/log/snort/correlated_alerts&quot;</td></tr>
<tr><td class="memItemLeft" align="right" valign="top">#define&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#aaedb0b7dc2bdf8d44d3fee2189a55a19">DEFAULT_CORR_THRESHOLD</a>&nbsp;&nbsp;&nbsp;0.5</td></tr>
<tr><td colspan="2"><h2><a name="typedef-members"></a> <tr><td colspan="2"><h2><a name="typedef-members"></a>
Typedefs</h2></td></tr> Typedefs</h2></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">typedef unsigned char&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a></td></tr> <tr><td class="memItemLeft" align="right" valign="top">typedef unsigned char&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a></td></tr>
@ -193,6 +195,20 @@ Variables</h2></td></tr>
<div class="memdoc"> <div class="memdoc">
<p>Default path to Snort's clustered alerts file </p> <p>Default path to Snort's clustered alerts file </p>
</div>
</div>
<a class="anchor" id="a7bbeccba60012abcc98db33d39294829"></a><!-- doxytag: member="spp_ai.h::DEFAULT_CORR_ALERTS_DIR" ref="a7bbeccba60012abcc98db33d39294829" args="" -->
<div class="memitem">
<div class="memproto">
<table class="memname">
<tr>
<td class="memname">#define DEFAULT_CORR_ALERTS_DIR&nbsp;&nbsp;&nbsp;&quot;/var/log/snort/correlated_alerts&quot;</td>
</tr>
</table>
</div>
<div class="memdoc">
<p>Default directory for placing correlated alerts information (.dot and possibly .png files) </p>
</div> </div>
</div> </div>
<a class="anchor" id="a89448386cad5d5533992ae7ee84f4f1d"></a><!-- doxytag: member="spp_ai.h::DEFAULT_CORR_RULES_DIR" ref="a89448386cad5d5533992ae7ee84f4f1d" args="" --> <a class="anchor" id="a89448386cad5d5533992ae7ee84f4f1d"></a><!-- doxytag: member="spp_ai.h::DEFAULT_CORR_RULES_DIR" ref="a89448386cad5d5533992ae7ee84f4f1d" args="" -->
@ -207,6 +223,20 @@ Variables</h2></td></tr>
<div class="memdoc"> <div class="memdoc">
<p>Default path to alert correlation rules directory </p> <p>Default path to alert correlation rules directory </p>
</div>
</div>
<a class="anchor" id="aaedb0b7dc2bdf8d44d3fee2189a55a19"></a><!-- doxytag: member="spp_ai.h::DEFAULT_CORR_THRESHOLD" ref="aaedb0b7dc2bdf8d44d3fee2189a55a19" args="" -->
<div class="memitem">
<div class="memproto">
<table class="memname">
<tr>
<td class="memname">#define DEFAULT_CORR_THRESHOLD&nbsp;&nbsp;&nbsp;0.5</td>
</tr>
</table>
</div>
<div class="memdoc">
<p>Default correlation threshold coefficient for correlating two hyperalerts </p>
</div> </div>
</div> </div>
<a class="anchor" id="a3c4984a0ee515fbc091ac6e33b05e310"></a><!-- doxytag: member="spp_ai.h::DEFAULT_DATABASE_INTERVAL" ref="a3c4984a0ee515fbc091ac6e33b05e310" args="" --> <a class="anchor" id="a3c4984a0ee515fbc091ac6e33b05e310"></a><!-- doxytag: member="spp_ai.h::DEFAULT_DATABASE_INTERVAL" ref="a3c4984a0ee515fbc091ac6e33b05e310" args="" -->
@ -427,7 +457,7 @@ Variables</h2></td></tr>
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -97,171 +97,187 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
<a name="l00053"></a>00053 <span class="preprocessor"></span> <a name="l00053"></a>00053 <span class="preprocessor"></span>
<a name="l00055"></a><a class="code" href="spp__ai_8h.html#a89448386cad5d5533992ae7ee84f4f1d">00055</a> <span class="preprocessor">#define DEFAULT_CORR_RULES_DIR &quot;/etc/snort/corr_rules&quot;</span> <a name="l00055"></a><a class="code" href="spp__ai_8h.html#a89448386cad5d5533992ae7ee84f4f1d">00055</a> <span class="preprocessor">#define DEFAULT_CORR_RULES_DIR &quot;/etc/snort/corr_rules&quot;</span>
<a name="l00056"></a>00056 <span class="preprocessor"></span> <a name="l00056"></a>00056 <span class="preprocessor"></span>
<a name="l00057"></a>00057 <span class="keyword">extern</span> DynamicPreprocessorData <a class="code" href="spp__ai_8h.html#ab46420126c43c1aac5eabc5db266a71c">_dpd</a>; <a name="l00058"></a><a class="code" href="spp__ai_8h.html#a7bbeccba60012abcc98db33d39294829">00058</a> <span class="preprocessor">#define DEFAULT_CORR_ALERTS_DIR &quot;/var/log/snort/correlated_alerts&quot;</span>
<a name="l00058"></a><a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">00058</a> <span class="keyword">typedef</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> uint8_t; <a name="l00059"></a>00059 <span class="preprocessor"></span>
<a name="l00059"></a><a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">00059</a> <span class="keyword">typedef</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">short</span> uint16_t; <a name="l00061"></a><a class="code" href="spp__ai_8h.html#aaedb0b7dc2bdf8d44d3fee2189a55a19">00061</a> <span class="preprocessor">#define DEFAULT_CORR_THRESHOLD 0.5</span>
<a name="l00060"></a><a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">00060</a> <span class="keyword">typedef</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> uint32_t; <a name="l00062"></a>00062 <span class="preprocessor"></span>
<a name="l00061"></a>00061 <a name="l00063"></a>00063 <span class="keyword">extern</span> DynamicPreprocessorData <a class="code" href="spp__ai_8h.html#ab46420126c43c1aac5eabc5db266a71c">_dpd</a>;
<a name="l00062"></a><a class="code" href="spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18dda08f175a5505a10b9ed657defeb050e4b">00062</a> <span class="keyword">typedef</span> <span class="keyword">enum</span> { <span class="keyword">false</span>, <span class="keyword">true</span> } BOOL; <a name="l00064"></a><a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">00064</a> <span class="keyword">typedef</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">char</span> uint8_t;
<a name="l00063"></a>00063 <a name="l00065"></a><a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">00065</a> <span class="keyword">typedef</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">short</span> uint16_t;
<a name="l00064"></a>00064 <span class="comment">/*****************************************************************/</span> <a name="l00066"></a><a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">00066</a> <span class="keyword">typedef</span> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> uint32_t;
<a name="l00066"></a><a class="code" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640">00066</a> <span class="keyword">typedef</span> <span class="keyword">enum</span> { <a name="l00067"></a>00067
<a name="l00067"></a><a class="code" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ac1335c508143eb06843af2ce5ff3027b">00067</a> none, src_addr, dst_addr, src_port, dst_port, <a class="code" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ab16bb5c4b330d5db02e2d852cd2ba451">CLUSTER_TYPES</a> <a name="l00068"></a><a class="code" href="spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18dda08f175a5505a10b9ed657defeb050e4b">00068</a> <span class="keyword">typedef</span> <span class="keyword">enum</span> { <span class="keyword">false</span>, <span class="keyword">true</span> } BOOL;
<a name="l00068"></a>00068 } cluster_type; <a name="l00069"></a>00069
<a name="l00069"></a>00069 <span class="comment">/*****************************************************************/</span> <a name="l00070"></a>00070 <span class="comment">/*****************************************************************/</span>
<a name="l00071"></a><a class="code" href="structpkt__key.html">00071</a> <span class="keyword">struct </span><a class="code" href="structpkt__key.html">pkt_key</a> <a name="l00072"></a><a class="code" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640">00072</a> <span class="keyword">typedef</span> <span class="keyword">enum</span> {
<a name="l00072"></a>00072 { <a name="l00073"></a><a class="code" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ac1335c508143eb06843af2ce5ff3027b">00073</a> none, src_addr, dst_addr, src_port, dst_port, <a class="code" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640ab16bb5c4b330d5db02e2d852cd2ba451">CLUSTER_TYPES</a>
<a name="l00073"></a><a class="code" href="structpkt__key.html#a3a091c20dafb8b3f689db00c5b2f8ddb">00073</a> <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a> <a class="code" href="structpkt__key.html#a3a091c20dafb8b3f689db00c5b2f8ddb">src_ip</a>; <a name="l00074"></a>00074 } cluster_type;
<a name="l00074"></a><a class="code" href="structpkt__key.html#af77f5eb1f4cd88b43fe99fd73553351d">00074</a> <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="structpkt__key.html#af77f5eb1f4cd88b43fe99fd73553351d">dst_port</a>; <a name="l00075"></a>00075 <span class="comment">/*****************************************************************/</span>
<a name="l00075"></a>00075 }; <a name="l00077"></a><a class="code" href="structpkt__key.html">00077</a> <span class="keyword">struct </span><a class="code" href="structpkt__key.html">pkt_key</a>
<a name="l00076"></a>00076 <span class="comment">/*****************************************************************/</span> <a name="l00078"></a>00078 {
<a name="l00078"></a><a class="code" href="structpkt__info.html">00078</a> <span class="keyword">struct </span><a class="code" href="structpkt__info.html">pkt_info</a> <a name="l00079"></a><a class="code" href="structpkt__key.html#a3a091c20dafb8b3f689db00c5b2f8ddb">00079</a> <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a> <a class="code" href="structpkt__key.html#a3a091c20dafb8b3f689db00c5b2f8ddb">src_ip</a>;
<a name="l00079"></a>00079 { <a name="l00080"></a><a class="code" href="structpkt__key.html#af77f5eb1f4cd88b43fe99fd73553351d">00080</a> <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="structpkt__key.html#af77f5eb1f4cd88b43fe99fd73553351d">dst_port</a>;
<a name="l00081"></a><a class="code" href="structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339">00081</a> <span class="keyword">struct </span><a class="code" href="structpkt__key.html">pkt_key</a> <a class="code" href="structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339">key</a>; <a name="l00081"></a>00081 };
<a name="l00082"></a>00082 <a name="l00082"></a>00082 <span class="comment">/*****************************************************************/</span>
<a name="l00084"></a><a class="code" href="structpkt__info.html#a7f5090443f21e6290f0439f1bb872e92">00084</a> time_t <a class="code" href="structpkt__info.html#a7f5090443f21e6290f0439f1bb872e92">timestamp</a>; <a name="l00084"></a><a class="code" href="structpkt__info.html">00084</a> <span class="keyword">struct </span><a class="code" href="structpkt__info.html">pkt_info</a>
<a name="l00085"></a>00085 <a name="l00085"></a>00085 {
<a name="l00087"></a><a class="code" href="structpkt__info.html#a8d5ebd04a32067b05387e5c5056fe168">00087</a> SFSnortPacket* <a class="code" href="structpkt__info.html#a8d5ebd04a32067b05387e5c5056fe168">pkt</a>; <a name="l00087"></a><a class="code" href="structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339">00087</a> <span class="keyword">struct </span><a class="code" href="structpkt__key.html">pkt_key</a> <a class="code" href="structpkt__info.html#a231d4734d3c62292b06eb9ea4b49c339">key</a>;
<a name="l00088"></a>00088 <a name="l00088"></a>00088
<a name="l00090"></a><a class="code" href="structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168">00090</a> <span class="keyword">struct </span><a class="code" href="structpkt__info.html">pkt_info</a>* <a class="code" href="structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168">next</a>; <a name="l00090"></a><a class="code" href="structpkt__info.html#a7f5090443f21e6290f0439f1bb872e92">00090</a> time_t <a class="code" href="structpkt__info.html#a7f5090443f21e6290f0439f1bb872e92">timestamp</a>;
<a name="l00091"></a>00091 <a name="l00091"></a>00091
<a name="l00093"></a><a class="code" href="structpkt__info.html#ac7ff78ea5faf333fc91f92e3085ea7c9">00093</a> <a class="code" href="spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18dd">BOOL</a> <a class="code" href="structpkt__info.html#ac7ff78ea5faf333fc91f92e3085ea7c9">observed</a>; <a name="l00093"></a><a class="code" href="structpkt__info.html#a8d5ebd04a32067b05387e5c5056fe168">00093</a> SFSnortPacket* <a class="code" href="structpkt__info.html#a8d5ebd04a32067b05387e5c5056fe168">pkt</a>;
<a name="l00094"></a>00094 <a name="l00094"></a>00094
<a name="l00096"></a><a class="code" href="structpkt__info.html#a264e90d4b5d490de040f38c1072e142f">00096</a> UT_hash_handle <a class="code" href="structpkt__info.html#a264e90d4b5d490de040f38c1072e142f">hh</a>; <a name="l00096"></a><a class="code" href="structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168">00096</a> <span class="keyword">struct </span><a class="code" href="structpkt__info.html">pkt_info</a>* <a class="code" href="structpkt__info.html#a5ee3c51f2ca5768b94819182641ef168">next</a>;
<a name="l00097"></a>00097 }; <a name="l00097"></a>00097
<a name="l00098"></a>00098 <span class="comment">/*****************************************************************/</span> <a name="l00099"></a><a class="code" href="structpkt__info.html#ac7ff78ea5faf333fc91f92e3085ea7c9">00099</a> <a class="code" href="spp__ai_8h.html#a3e5b8192e7d9ffaf3542f1210aec18dd">BOOL</a> <a class="code" href="structpkt__info.html#ac7ff78ea5faf333fc91f92e3085ea7c9">observed</a>;
<a name="l00099"></a>00099 <span class="comment">/* Data type containing the configuration of the module */</span> <a name="l00100"></a>00100
<a name="l00100"></a><a class="code" href="structAI__config.html">00100</a> <span class="keyword">typedef</span> <span class="keyword">struct</span> <a name="l00102"></a><a class="code" href="structpkt__info.html#a264e90d4b5d490de040f38c1072e142f">00102</a> UT_hash_handle <a class="code" href="structpkt__info.html#a264e90d4b5d490de040f38c1072e142f">hh</a>;
<a name="l00101"></a>00101 { <a name="l00103"></a>00103 };
<a name="l00103"></a><a class="code" href="structAI__config.html#a9f7680615027d4fb74b4aa144a7028a4">00103</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> hashCleanupInterval; <a name="l00104"></a>00104 <span class="comment">/*****************************************************************/</span>
<a name="l00104"></a>00104 <a name="l00105"></a>00105 <span class="comment">/* Data type containing the configuration of the module */</span>
<a name="l00106"></a><a class="code" href="structAI__config.html#abbe77d5f94b8c5164bea47acba09c98b">00106</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> streamExpireInterval; <a name="l00106"></a><a class="code" href="structAI__config.html">00106</a> <span class="keyword">typedef</span> <span class="keyword">struct</span>
<a name="l00107"></a>00107 <a name="l00107"></a>00107 {
<a name="l00109"></a><a class="code" href="structAI__config.html#a7d0d098b8263aa3d8415b11d1ec7f93d">00109</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> alertClusteringInterval; <a name="l00109"></a><a class="code" href="structAI__config.html#a9f7680615027d4fb74b4aa144a7028a4">00109</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> hashCleanupInterval;
<a name="l00110"></a>00110 <a name="l00110"></a>00110
<a name="l00112"></a><a class="code" href="structAI__config.html#ae6ca715cab1d90b70c3aad443133c263">00112</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> databaseParsingInterval; <a name="l00112"></a><a class="code" href="structAI__config.html#abbe77d5f94b8c5164bea47acba09c98b">00112</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> streamExpireInterval;
<a name="l00113"></a>00113 <a name="l00113"></a>00113
<a name="l00115"></a><a class="code" href="structAI__config.html#aa736375e57a59936e2e782b7cd200e41">00115</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> correlationGraphInterval; <a name="l00115"></a><a class="code" href="structAI__config.html#a7d0d098b8263aa3d8415b11d1ec7f93d">00115</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> alertClusteringInterval;
<a name="l00116"></a>00116 <a name="l00116"></a>00116
<a name="l00118"></a><a class="code" href="structAI__config.html#a2efa9590d7eea6dce8b5dd9aa76ed8ca">00118</a> <span class="keywordtype">char</span> alertfile[1024]; <a name="l00118"></a><a class="code" href="structAI__config.html#ae6ca715cab1d90b70c3aad443133c263">00118</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> databaseParsingInterval;
<a name="l00119"></a>00119 <a name="l00119"></a>00119
<a name="l00121"></a><a class="code" href="structAI__config.html#a6da02a3f7116fd3810a41b738e8883a3">00121</a> <span class="keywordtype">char</span> clusterfile[1024]; <a name="l00121"></a><a class="code" href="structAI__config.html#aa736375e57a59936e2e782b7cd200e41">00121</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">long</span> correlationGraphInterval;
<a name="l00122"></a>00122 <a name="l00122"></a>00122
<a name="l00124"></a><a class="code" href="structAI__config.html#ab7ea93bbe72b85c4019b4f5656ad62fc">00124</a> <span class="keywordtype">char</span> corr_rules_dir[1024]; <a name="l00131"></a><a class="code" href="structAI__config.html#adf6ef0faedfb4dea0a1353e781b14883">00131</a> <span class="keywordtype">double</span> correlationThresholdCoefficient;
<a name="l00125"></a>00125 <a name="l00132"></a>00132
<a name="l00127"></a><a class="code" href="structAI__config.html#ac8a93607f12106e2f5c9b43af27107da">00127</a> <span class="keywordtype">char</span> dbname[256]; <a name="l00134"></a><a class="code" href="structAI__config.html#a2efa9590d7eea6dce8b5dd9aa76ed8ca">00134</a> <span class="keywordtype">char</span> alertfile[1024];
<a name="l00128"></a>00128 <a name="l00135"></a>00135
<a name="l00130"></a><a class="code" href="structAI__config.html#aa004adebfdafb6d14092aecd7f4912b0">00130</a> <span class="keywordtype">char</span> dbuser[256]; <a name="l00137"></a><a class="code" href="structAI__config.html#a6da02a3f7116fd3810a41b738e8883a3">00137</a> <span class="keywordtype">char</span> clusterfile[1024];
<a name="l00131"></a>00131 <a name="l00138"></a>00138
<a name="l00133"></a><a class="code" href="structAI__config.html#aa1cda349763faf60b2ebdbf2d187ae7d">00133</a> <span class="keywordtype">char</span> dbpass[256]; <a name="l00140"></a><a class="code" href="structAI__config.html#ab7ea93bbe72b85c4019b4f5656ad62fc">00140</a> <span class="keywordtype">char</span> corr_rules_dir[1024];
<a name="l00134"></a>00134 <a name="l00141"></a>00141
<a name="l00136"></a><a class="code" href="structAI__config.html#a8e56f1a1b2095d3d329c8068ea0f3aab">00136</a> <span class="keywordtype">char</span> dbhost[256]; <a name="l00143"></a><a class="code" href="structAI__config.html#ae68f5489e2ec9ea1408f98fe36d050c9">00143</a> <span class="keywordtype">char</span> corr_alerts_dir[1024];
<a name="l00137"></a>00137 } <a class="code" href="structAI__config.html">AI_config</a>; <a name="l00144"></a>00144
<a name="l00138"></a>00138 <span class="comment">/*****************************************************************/</span> <a name="l00146"></a><a class="code" href="structAI__config.html#ac8a93607f12106e2f5c9b43af27107da">00146</a> <span class="keywordtype">char</span> dbname[256];
<a name="l00140"></a><a class="code" href="struct__hierarchy__node.html">00140</a> <span class="keyword">typedef</span> <span class="keyword">struct </span><a class="code" href="struct__hierarchy__node.html">_hierarchy_node</a> <a name="l00147"></a>00147
<a name="l00141"></a>00141 { <a name="l00149"></a><a class="code" href="structAI__config.html#aa004adebfdafb6d14092aecd7f4912b0">00149</a> <span class="keywordtype">char</span> dbuser[256];
<a name="l00142"></a><a class="code" href="struct__hierarchy__node.html#a3b18e3ddfa2212c5e4ff9c0b4bde4296">00142</a> <a class="code" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640">cluster_type</a> <a class="code" href="struct__hierarchy__node.html#a3b18e3ddfa2212c5e4ff9c0b4bde4296">type</a>; <a name="l00150"></a>00150
<a name="l00143"></a><a class="code" href="struct__hierarchy__node.html#ae498f6fd14ca058a3ae0a95d5425451a">00143</a> <span class="keywordtype">char</span> <a class="code" href="struct__hierarchy__node.html#ae498f6fd14ca058a3ae0a95d5425451a">label</a>[256]; <a name="l00152"></a><a class="code" href="structAI__config.html#aa1cda349763faf60b2ebdbf2d187ae7d">00152</a> <span class="keywordtype">char</span> dbpass[256];
<a name="l00144"></a><a class="code" href="struct__hierarchy__node.html#a13ceebd7b435b9ef347fb90d9e6bbfe4">00144</a> <span class="keywordtype">int</span> <a class="code" href="struct__hierarchy__node.html#a13ceebd7b435b9ef347fb90d9e6bbfe4">min_val</a>; <a name="l00153"></a>00153
<a name="l00145"></a><a class="code" href="struct__hierarchy__node.html#a79ea88029938dc30ab8f159405d12c87">00145</a> <span class="keywordtype">int</span> <a class="code" href="struct__hierarchy__node.html#a79ea88029938dc30ab8f159405d12c87">max_val</a>; <a name="l00155"></a><a class="code" href="structAI__config.html#a8e56f1a1b2095d3d329c8068ea0f3aab">00155</a> <span class="keywordtype">char</span> dbhost[256];
<a name="l00146"></a><a class="code" href="struct__hierarchy__node.html#a849256ce1039e2cefaaf64d91171be0a">00146</a> <span class="keywordtype">int</span> <a class="code" href="struct__hierarchy__node.html#a849256ce1039e2cefaaf64d91171be0a">nchildren</a>; <a name="l00156"></a>00156 } <a class="code" href="structAI__config.html">AI_config</a>;
<a name="l00147"></a><a class="code" href="struct__hierarchy__node.html#a5c94c89d7e2aea393f1c550afb766bbe">00147</a> <span class="keyword">struct </span><a class="code" href="struct__hierarchy__node.html">_hierarchy_node</a> *<a class="code" href="struct__hierarchy__node.html#a5c94c89d7e2aea393f1c550afb766bbe">parent</a>; <a name="l00157"></a>00157 <span class="comment">/*****************************************************************/</span>
<a name="l00148"></a><a class="code" href="struct__hierarchy__node.html#afc23d4fe6426873164cdaab2f3d4f0cd">00148</a> <span class="keyword">struct </span><a class="code" href="struct__hierarchy__node.html">_hierarchy_node</a> **<a class="code" href="struct__hierarchy__node.html#afc23d4fe6426873164cdaab2f3d4f0cd">children</a>; <a name="l00159"></a><a class="code" href="struct__hierarchy__node.html">00159</a> <span class="keyword">typedef</span> <span class="keyword">struct </span><a class="code" href="struct__hierarchy__node.html">_hierarchy_node</a>
<a name="l00149"></a>00149 } <a class="code" href="struct__hierarchy__node.html">hierarchy_node</a>; <a name="l00160"></a>00160 {
<a name="l00150"></a>00150 <span class="comment">/*****************************************************************/</span> <a name="l00161"></a><a class="code" href="struct__hierarchy__node.html#a3b18e3ddfa2212c5e4ff9c0b4bde4296">00161</a> <a class="code" href="spp__ai_8h.html#ae2ff3c6586aa2ab211a102abfde86640">cluster_type</a> <a class="code" href="struct__hierarchy__node.html#a3b18e3ddfa2212c5e4ff9c0b4bde4296">type</a>;
<a name="l00152"></a><a class="code" href="structAI__hyperalert__key.html">00152</a> <span class="keyword">typedef</span> <span class="keyword">struct</span> <a name="l00162"></a><a class="code" href="struct__hierarchy__node.html#ae498f6fd14ca058a3ae0a95d5425451a">00162</a> <span class="keywordtype">char</span> <a class="code" href="struct__hierarchy__node.html#ae498f6fd14ca058a3ae0a95d5425451a">label</a>[256];
<a name="l00153"></a>00153 { <a name="l00163"></a><a class="code" href="struct__hierarchy__node.html#a13ceebd7b435b9ef347fb90d9e6bbfe4">00163</a> <span class="keywordtype">int</span> <a class="code" href="struct__hierarchy__node.html#a13ceebd7b435b9ef347fb90d9e6bbfe4">min_val</a>;
<a name="l00154"></a><a class="code" href="structAI__hyperalert__key.html#a711afeb45b534480e85bf9abe569a602">00154</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> gid; <a name="l00164"></a><a class="code" href="struct__hierarchy__node.html#a79ea88029938dc30ab8f159405d12c87">00164</a> <span class="keywordtype">int</span> <a class="code" href="struct__hierarchy__node.html#a79ea88029938dc30ab8f159405d12c87">max_val</a>;
<a name="l00155"></a><a class="code" href="structAI__hyperalert__key.html#a854676c9125ae0aeaeaef2b201ce542f">00155</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> sid; <a name="l00165"></a><a class="code" href="struct__hierarchy__node.html#a849256ce1039e2cefaaf64d91171be0a">00165</a> <span class="keywordtype">int</span> <a class="code" href="struct__hierarchy__node.html#a849256ce1039e2cefaaf64d91171be0a">nchildren</a>;
<a name="l00156"></a><a class="code" href="structAI__hyperalert__key.html#a3aa6fed74469f1f2c08573c5d7298670">00156</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> rev; <a name="l00166"></a><a class="code" href="struct__hierarchy__node.html#a5c94c89d7e2aea393f1c550afb766bbe">00166</a> <span class="keyword">struct </span><a class="code" href="struct__hierarchy__node.html">_hierarchy_node</a> *<a class="code" href="struct__hierarchy__node.html#a5c94c89d7e2aea393f1c550afb766bbe">parent</a>;
<a name="l00157"></a>00157 } <a class="code" href="structAI__hyperalert__key.html">AI_hyperalert_key</a>; <a name="l00167"></a><a class="code" href="struct__hierarchy__node.html#afc23d4fe6426873164cdaab2f3d4f0cd">00167</a> <span class="keyword">struct </span><a class="code" href="struct__hierarchy__node.html">_hierarchy_node</a> **<a class="code" href="struct__hierarchy__node.html#afc23d4fe6426873164cdaab2f3d4f0cd">children</a>;
<a name="l00158"></a>00158 <span class="comment">/*****************************************************************/</span> <a name="l00168"></a>00168 } <a class="code" href="struct__hierarchy__node.html">hierarchy_node</a>;
<a name="l00160"></a><a class="code" href="structAI__hyperalert__info.html">00160</a> <span class="keyword">typedef</span> <span class="keyword">struct</span> <a name="l00169"></a>00169 <span class="comment">/*****************************************************************/</span>
<a name="l00161"></a>00161 { <a name="l00171"></a><a class="code" href="structAI__hyperalert__key.html">00171</a> <span class="keyword">typedef</span> <span class="keyword">struct</span>
<a name="l00163"></a><a class="code" href="structAI__hyperalert__info.html#a9d461da8f00415ef03b24edb3bbd6cf8">00163</a> <a class="code" href="structAI__hyperalert__key.html">AI_hyperalert_key</a> key; <a name="l00172"></a>00172 {
<a name="l00164"></a>00164 <a name="l00173"></a><a class="code" href="structAI__hyperalert__key.html#a711afeb45b534480e85bf9abe569a602">00173</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> gid;
<a name="l00166"></a><a class="code" href="structAI__hyperalert__info.html#a8ac4e028c47a98a8be5afd4363164031">00166</a> <span class="keywordtype">char</span> **preconds; <a name="l00174"></a><a class="code" href="structAI__hyperalert__key.html#a854676c9125ae0aeaeaef2b201ce542f">00174</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> sid;
<a name="l00167"></a>00167 <a name="l00175"></a><a class="code" href="structAI__hyperalert__key.html#a3aa6fed74469f1f2c08573c5d7298670">00175</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> rev;
<a name="l00169"></a><a class="code" href="structAI__hyperalert__info.html#a616c16f364dbb2d726e88df6b364ea40">00169</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> n_preconds; <a name="l00176"></a>00176 } <a class="code" href="structAI__hyperalert__key.html">AI_hyperalert_key</a>;
<a name="l00170"></a>00170 <a name="l00177"></a>00177 <span class="comment">/*****************************************************************/</span>
<a name="l00172"></a><a class="code" href="structAI__hyperalert__info.html#a6a63385397bf814153d7bb20b52840d9">00172</a> <span class="keywordtype">char</span> **postconds; <a name="l00179"></a><a class="code" href="structAI__hyperalert__info.html">00179</a> <span class="keyword">typedef</span> <span class="keyword">struct</span>
<a name="l00173"></a>00173 <a name="l00180"></a>00180 {
<a name="l00175"></a><a class="code" href="structAI__hyperalert__info.html#a73322b6cad3e883abed03b62c6c21719">00175</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> n_postconds; <a name="l00182"></a><a class="code" href="structAI__hyperalert__info.html#a9d461da8f00415ef03b24edb3bbd6cf8">00182</a> <a class="code" href="structAI__hyperalert__key.html">AI_hyperalert_key</a> key;
<a name="l00176"></a>00176 <a name="l00183"></a>00183
<a name="l00178"></a><a class="code" href="structAI__hyperalert__info.html#a6915bec67d383f374e758b44f50b48ff">00178</a> UT_hash_handle hh; <a name="l00185"></a><a class="code" href="structAI__hyperalert__info.html#a8ac4e028c47a98a8be5afd4363164031">00185</a> <span class="keywordtype">char</span> **preconds;
<a name="l00179"></a>00179 } <a class="code" href="structAI__hyperalert__info.html">AI_hyperalert_info</a>; <a name="l00186"></a>00186
<a name="l00180"></a>00180 <span class="comment">/*****************************************************************/</span> <a name="l00188"></a><a class="code" href="structAI__hyperalert__info.html#a616c16f364dbb2d726e88df6b364ea40">00188</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> n_preconds;
<a name="l00182"></a><a class="code" href="struct__AI__snort__alert.html">00182</a> <span class="keyword">typedef</span> <span class="keyword">struct </span><a class="code" href="struct__AI__snort__alert.html">_AI_snort_alert</a> { <a name="l00189"></a>00189
<a name="l00183"></a>00183 <span class="comment">/* Identifiers of the alert */</span> <a name="l00191"></a><a class="code" href="structAI__hyperalert__info.html#a6a63385397bf814153d7bb20b52840d9">00191</a> <span class="keywordtype">char</span> **postconds;
<a name="l00184"></a><a class="code" href="struct__AI__snort__alert.html#af8408be5da59cda853442dd13465c0f6">00184</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> <a class="code" href="struct__AI__snort__alert.html#af8408be5da59cda853442dd13465c0f6">gid</a>; <a name="l00192"></a>00192
<a name="l00185"></a><a class="code" href="struct__AI__snort__alert.html#a3349aa68d2234f8ffd897367c3a8a137">00185</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> <a class="code" href="struct__AI__snort__alert.html#a3349aa68d2234f8ffd897367c3a8a137">sid</a>; <a name="l00194"></a><a class="code" href="structAI__hyperalert__info.html#a73322b6cad3e883abed03b62c6c21719">00194</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> n_postconds;
<a name="l00186"></a><a class="code" href="struct__AI__snort__alert.html#a864d3baa48586d6a31639f4cd27d9d37">00186</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> <a class="code" href="struct__AI__snort__alert.html#a864d3baa48586d6a31639f4cd27d9d37">rev</a>;
<a name="l00187"></a>00187
<a name="l00188"></a>00188 <span class="comment">/* Snort priority, description,</span>
<a name="l00189"></a>00189 <span class="comment"> * classification and timestamp</span>
<a name="l00190"></a>00190 <span class="comment"> * of the alert */</span>
<a name="l00191"></a><a class="code" href="struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9">00191</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">short</span> <a class="code" href="struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9">priority</a>;
<a name="l00192"></a><a class="code" href="struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135">00192</a> <span class="keywordtype">char</span> *<a class="code" href="struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135">desc</a>;
<a name="l00193"></a><a class="code" href="struct__AI__snort__alert.html#aa89585e14acb2c4e684a1552d322632f">00193</a> <span class="keywordtype">char</span> *<a class="code" href="struct__AI__snort__alert.html#aa89585e14acb2c4e684a1552d322632f">classification</a>;
<a name="l00194"></a><a class="code" href="struct__AI__snort__alert.html#a10a67f60ca3da339a2104849a0b2ac19">00194</a> time_t <a class="code" href="struct__AI__snort__alert.html#a10a67f60ca3da339a2104849a0b2ac19">timestamp</a>;
<a name="l00195"></a>00195 <a name="l00195"></a>00195
<a name="l00196"></a>00196 <span class="comment">/* IP header information */</span> <a name="l00197"></a><a class="code" href="structAI__hyperalert__info.html#a6915bec67d383f374e758b44f50b48ff">00197</a> UT_hash_handle hh;
<a name="l00197"></a><a class="code" href="struct__AI__snort__alert.html#a3f3c47f9baf3229d067504a85873b416">00197</a> <a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a> <a class="code" href="struct__AI__snort__alert.html#a3f3c47f9baf3229d067504a85873b416">ip_tos</a>; <a name="l00198"></a>00198 } <a class="code" href="structAI__hyperalert__info.html">AI_hyperalert_info</a>;
<a name="l00198"></a><a class="code" href="struct__AI__snort__alert.html#ad3ffe99036513d5f33b94d22fb84f8f1">00198</a> <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="struct__AI__snort__alert.html#ad3ffe99036513d5f33b94d22fb84f8f1">ip_len</a>; <a name="l00199"></a>00199 <span class="comment">/*****************************************************************/</span>
<a name="l00199"></a><a class="code" href="struct__AI__snort__alert.html#a2fc673dec85a7b49dd16ac7c0bb1bb78">00199</a> <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="struct__AI__snort__alert.html#a2fc673dec85a7b49dd16ac7c0bb1bb78">ip_id</a>; <a name="l00201"></a><a class="code" href="struct__AI__snort__alert.html">00201</a> <span class="keyword">typedef</span> <span class="keyword">struct </span><a class="code" href="struct__AI__snort__alert.html">_AI_snort_alert</a> {
<a name="l00200"></a><a class="code" href="struct__AI__snort__alert.html#a3c9bbe84ec696cd58668a45799a66600">00200</a> <a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a> <a class="code" href="struct__AI__snort__alert.html#a3c9bbe84ec696cd58668a45799a66600">ip_ttl</a>; <a name="l00202"></a>00202 <span class="comment">/* Identifiers of the alert */</span>
<a name="l00201"></a><a class="code" href="struct__AI__snort__alert.html#a5ea7b250ac1c472f3ab57565b6df2536">00201</a> <a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a> <a class="code" href="struct__AI__snort__alert.html#a5ea7b250ac1c472f3ab57565b6df2536">ip_proto</a>; <a name="l00203"></a><a class="code" href="struct__AI__snort__alert.html#af8408be5da59cda853442dd13465c0f6">00203</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> <a class="code" href="struct__AI__snort__alert.html#af8408be5da59cda853442dd13465c0f6">gid</a>;
<a name="l00202"></a><a class="code" href="struct__AI__snort__alert.html#a194117c57a52933d16a97838562bb611">00202</a> <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a> <a class="code" href="struct__AI__snort__alert.html#a194117c57a52933d16a97838562bb611">ip_src_addr</a>; <a name="l00204"></a><a class="code" href="struct__AI__snort__alert.html#a3349aa68d2234f8ffd897367c3a8a137">00204</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> <a class="code" href="struct__AI__snort__alert.html#a3349aa68d2234f8ffd897367c3a8a137">sid</a>;
<a name="l00203"></a><a class="code" href="struct__AI__snort__alert.html#a754ca683593c838e4032fa8c13b1512b">00203</a> <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a> <a class="code" href="struct__AI__snort__alert.html#a754ca683593c838e4032fa8c13b1512b">ip_dst_addr</a>; <a name="l00205"></a><a class="code" href="struct__AI__snort__alert.html#a864d3baa48586d6a31639f4cd27d9d37">00205</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> <a class="code" href="struct__AI__snort__alert.html#a864d3baa48586d6a31639f4cd27d9d37">rev</a>;
<a name="l00204"></a>00204 <a name="l00206"></a>00206
<a name="l00205"></a>00205 <span class="comment">/* TCP header information */</span> <a name="l00207"></a>00207 <span class="comment">/* Snort priority, description,</span>
<a name="l00206"></a><a class="code" href="struct__AI__snort__alert.html#a4d4cbdbd9675f4c43545547f55174cb7">00206</a> <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="struct__AI__snort__alert.html#a4d4cbdbd9675f4c43545547f55174cb7">tcp_src_port</a>; <a name="l00208"></a>00208 <span class="comment"> * classification and timestamp</span>
<a name="l00207"></a><a class="code" href="struct__AI__snort__alert.html#aaca31cb67d48ffc3bfd1227686d5f5a4">00207</a> <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="struct__AI__snort__alert.html#aaca31cb67d48ffc3bfd1227686d5f5a4">tcp_dst_port</a>; <a name="l00209"></a>00209 <span class="comment"> * of the alert */</span>
<a name="l00208"></a><a class="code" href="struct__AI__snort__alert.html#ad6edf59fccea55bf5f940bf36117020b">00208</a> <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a> <a class="code" href="struct__AI__snort__alert.html#ad6edf59fccea55bf5f940bf36117020b">tcp_seq</a>; <a name="l00210"></a><a class="code" href="struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9">00210</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">short</span> <a class="code" href="struct__AI__snort__alert.html#a25661fa4e212c5e30af5e6a892985ec9">priority</a>;
<a name="l00209"></a><a class="code" href="struct__AI__snort__alert.html#a8aac577224a4325ec50511c6d79b4b79">00209</a> <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a> <a class="code" href="struct__AI__snort__alert.html#a8aac577224a4325ec50511c6d79b4b79">tcp_ack</a>; <a name="l00211"></a><a class="code" href="struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135">00211</a> <span class="keywordtype">char</span> *<a class="code" href="struct__AI__snort__alert.html#ac0902d7c756ec675fb06347ce4706135">desc</a>;
<a name="l00210"></a><a class="code" href="struct__AI__snort__alert.html#aa643f11db93b70242b57f0a04775e507">00210</a> <a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a> <a class="code" href="struct__AI__snort__alert.html#aa643f11db93b70242b57f0a04775e507">tcp_flags</a>; <a name="l00212"></a><a class="code" href="struct__AI__snort__alert.html#aa89585e14acb2c4e684a1552d322632f">00212</a> <span class="keywordtype">char</span> *<a class="code" href="struct__AI__snort__alert.html#aa89585e14acb2c4e684a1552d322632f">classification</a>;
<a name="l00211"></a><a class="code" href="struct__AI__snort__alert.html#a1687fccc26bb211591db8b36ffec5348">00211</a> <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="struct__AI__snort__alert.html#a1687fccc26bb211591db8b36ffec5348">tcp_window</a>; <a name="l00213"></a><a class="code" href="struct__AI__snort__alert.html#a10a67f60ca3da339a2104849a0b2ac19">00213</a> time_t <a class="code" href="struct__AI__snort__alert.html#a10a67f60ca3da339a2104849a0b2ac19">timestamp</a>;
<a name="l00212"></a><a class="code" href="struct__AI__snort__alert.html#ab7e0507050b8e475fea7a4b26c768857">00212</a> <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="struct__AI__snort__alert.html#ab7e0507050b8e475fea7a4b26c768857">tcp_len</a>; <a name="l00214"></a>00214
<a name="l00213"></a>00213 <a name="l00215"></a>00215 <span class="comment">/* IP header information */</span>
<a name="l00216"></a><a class="code" href="struct__AI__snort__alert.html#a09dfe0a841fd3912ec78060d4547cb31">00216</a> <span class="keyword">struct </span><a class="code" href="structpkt__info.html">pkt_info</a> *<a class="code" href="struct__AI__snort__alert.html#a09dfe0a841fd3912ec78060d4547cb31">stream</a>; <a name="l00216"></a><a class="code" href="struct__AI__snort__alert.html#a3f3c47f9baf3229d067504a85873b416">00216</a> <a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a> <a class="code" href="struct__AI__snort__alert.html#a3f3c47f9baf3229d067504a85873b416">ip_tos</a>;
<a name="l00217"></a>00217 <a name="l00217"></a><a class="code" href="struct__AI__snort__alert.html#ad3ffe99036513d5f33b94d22fb84f8f1">00217</a> <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="struct__AI__snort__alert.html#ad3ffe99036513d5f33b94d22fb84f8f1">ip_len</a>;
<a name="l00220"></a><a class="code" href="struct__AI__snort__alert.html#aa8336d4b3359015ed8ea312ca1fd1173">00220</a> <span class="keyword">struct </span><a class="code" href="struct__AI__snort__alert.html">_AI_snort_alert</a> *<a class="code" href="struct__AI__snort__alert.html#aa8336d4b3359015ed8ea312ca1fd1173">next</a>; <a name="l00218"></a><a class="code" href="struct__AI__snort__alert.html#a2fc673dec85a7b49dd16ac7c0bb1bb78">00218</a> <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="struct__AI__snort__alert.html#a2fc673dec85a7b49dd16ac7c0bb1bb78">ip_id</a>;
<a name="l00221"></a>00221 <a name="l00219"></a><a class="code" href="struct__AI__snort__alert.html#a3c9bbe84ec696cd58668a45799a66600">00219</a> <a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a> <a class="code" href="struct__AI__snort__alert.html#a3c9bbe84ec696cd58668a45799a66600">ip_ttl</a>;
<a name="l00224"></a><a class="code" href="struct__AI__snort__alert.html#ac53765584296ead1328eabfaba8a3aed">00224</a> <a class="code" href="struct__hierarchy__node.html">hierarchy_node</a> *<a class="code" href="struct__AI__snort__alert.html#ac53765584296ead1328eabfaba8a3aed">h_node</a>[CLUSTER_TYPES]; <a name="l00220"></a><a class="code" href="struct__AI__snort__alert.html#a5ea7b250ac1c472f3ab57565b6df2536">00220</a> <a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a> <a class="code" href="struct__AI__snort__alert.html#a5ea7b250ac1c472f3ab57565b6df2536">ip_proto</a>;
<a name="l00225"></a>00225 <a name="l00221"></a><a class="code" href="struct__AI__snort__alert.html#a194117c57a52933d16a97838562bb611">00221</a> <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a> <a class="code" href="struct__AI__snort__alert.html#a194117c57a52933d16a97838562bb611">ip_src_addr</a>;
<a name="l00229"></a><a class="code" href="struct__AI__snort__alert.html#a285aff12d6bac03c316ccc5305d28e53">00229</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> <a class="code" href="struct__AI__snort__alert.html#a285aff12d6bac03c316ccc5305d28e53">grouped_alarms_count</a>; <a name="l00222"></a><a class="code" href="struct__AI__snort__alert.html#a754ca683593c838e4032fa8c13b1512b">00222</a> <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a> <a class="code" href="struct__AI__snort__alert.html#a754ca683593c838e4032fa8c13b1512b">ip_dst_addr</a>;
<a name="l00230"></a>00230 <a name="l00223"></a>00223
<a name="l00233"></a><a class="code" href="struct__AI__snort__alert.html#ac101de15b4f9451f235b82122f77b62a">00233</a> <a class="code" href="structAI__hyperalert__info.html">AI_hyperalert_info</a> *<a class="code" href="struct__AI__snort__alert.html#ac101de15b4f9451f235b82122f77b62a">hyperalert</a>; <a name="l00224"></a>00224 <span class="comment">/* TCP header information */</span>
<a name="l00234"></a>00234 } <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a>; <a name="l00225"></a><a class="code" href="struct__AI__snort__alert.html#a4d4cbdbd9675f4c43545547f55174cb7">00225</a> <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="struct__AI__snort__alert.html#a4d4cbdbd9675f4c43545547f55174cb7">tcp_src_port</a>;
<a name="l00235"></a>00235 <span class="comment">/*****************************************************************/</span> <a name="l00226"></a><a class="code" href="struct__AI__snort__alert.html#aaca31cb67d48ffc3bfd1227686d5f5a4">00226</a> <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="struct__AI__snort__alert.html#aaca31cb67d48ffc3bfd1227686d5f5a4">tcp_dst_port</a>;
<a name="l00227"></a><a class="code" href="struct__AI__snort__alert.html#ad6edf59fccea55bf5f940bf36117020b">00227</a> <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a> <a class="code" href="struct__AI__snort__alert.html#ad6edf59fccea55bf5f940bf36117020b">tcp_seq</a>;
<a name="l00228"></a><a class="code" href="struct__AI__snort__alert.html#a8aac577224a4325ec50511c6d79b4b79">00228</a> <a class="code" href="spp__ai_8h.html#a435d1572bf3f880d55459d9805097f62">uint32_t</a> <a class="code" href="struct__AI__snort__alert.html#a8aac577224a4325ec50511c6d79b4b79">tcp_ack</a>;
<a name="l00229"></a><a class="code" href="struct__AI__snort__alert.html#aa643f11db93b70242b57f0a04775e507">00229</a> <a class="code" href="spp__ai_8h.html#aba7bc1797add20fe3efdf37ced1182c5">uint8_t</a> <a class="code" href="struct__AI__snort__alert.html#aa643f11db93b70242b57f0a04775e507">tcp_flags</a>;
<a name="l00230"></a><a class="code" href="struct__AI__snort__alert.html#a1687fccc26bb211591db8b36ffec5348">00230</a> <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="struct__AI__snort__alert.html#a1687fccc26bb211591db8b36ffec5348">tcp_window</a>;
<a name="l00231"></a><a class="code" href="struct__AI__snort__alert.html#ab7e0507050b8e475fea7a4b26c768857">00231</a> <a class="code" href="spp__ai_8h.html#a273cf69d639a59973b6019625df33e30">uint16_t</a> <a class="code" href="struct__AI__snort__alert.html#ab7e0507050b8e475fea7a4b26c768857">tcp_len</a>;
<a name="l00232"></a>00232
<a name="l00235"></a><a class="code" href="struct__AI__snort__alert.html#a09dfe0a841fd3912ec78060d4547cb31">00235</a> <span class="keyword">struct </span><a class="code" href="structpkt__info.html">pkt_info</a> *<a class="code" href="struct__AI__snort__alert.html#a09dfe0a841fd3912ec78060d4547cb31">stream</a>;
<a name="l00236"></a>00236 <a name="l00236"></a>00236
<a name="l00237"></a>00237 <span class="keywordtype">int</span> <a class="code" href="group__regex.html#ga35f57c052a7de1ded54b67a1f7819791" title="Check if a string matches a regular expression.">preg_match</a> ( <span class="keyword">const</span> <span class="keywordtype">char</span>*, <span class="keywordtype">char</span>*, <span class="keywordtype">char</span>***, <span class="keywordtype">int</span>* ); <a name="l00239"></a><a class="code" href="struct__AI__snort__alert.html#aa8336d4b3359015ed8ea312ca1fd1173">00239</a> <span class="keyword">struct </span><a class="code" href="struct__AI__snort__alert.html">_AI_snort_alert</a> *<a class="code" href="struct__AI__snort__alert.html#aa8336d4b3359015ed8ea312ca1fd1173">next</a>;
<a name="l00238"></a>00238 <span class="keywordtype">char</span>* <a class="code" href="group__regex.html#ga736ba1abdc4938cbb1bf5861e7dbfd50" title="Replace the content of &amp;#39;orig&amp;#39; in &amp;#39;str&amp;#39; with &amp;#39;rep&amp;#39;.">str_replace</a> ( <span class="keywordtype">char</span> *str, <span class="keywordtype">char</span> *orig, <span class="keywordtype">char</span> *rep );
<a name="l00239"></a>00239 <span class="keywordtype">char</span>* <a class="code" href="group__regex.html#gaff6c55cd04fc08dd582e244590dc25a4" title="Replace all of the occurrences of &amp;#39;orig&amp;#39; in &amp;#39;str&amp;#39; with &amp;#39;rep&amp;#39;.">str_replace_all</a> ( <span class="keywordtype">char</span> *str, <span class="keywordtype">char</span> *orig, <span class="keywordtype">char</span> *rep );
<a name="l00240"></a>00240 <a name="l00240"></a>00240
<a name="l00241"></a>00241 <span class="keywordtype">void</span>* <a class="code" href="group__stream.html#ga24b1131374e5059564b8a12380c4eb75" title="Thread called for cleaning up the hash table from the traffic streams older than a certain threshold...">AI_hashcleanup_thread</a> ( <span class="keywordtype">void</span>* ); <a name="l00243"></a><a class="code" href="struct__AI__snort__alert.html#ac53765584296ead1328eabfaba8a3aed">00243</a> <a class="code" href="struct__hierarchy__node.html">hierarchy_node</a> *<a class="code" href="struct__AI__snort__alert.html#ac53765584296ead1328eabfaba8a3aed">h_node</a>[CLUSTER_TYPES];
<a name="l00242"></a>00242 <span class="keywordtype">void</span>* <a class="code" href="group__alert__parser.html#ga5aab8d9bdf0e92a51731442fd787f61f" title="Thread for parsing Snort&amp;#39;s alert file.">AI_file_alertparser_thread</a> ( <span class="keywordtype">void</span>* );
<a name="l00243"></a>00243 <span class="keywordtype">void</span>* <a class="code" href="group__correlation.html#ga939353a4e15de7a8f4145ab986f584be" title="Thread for correlating clustered alerts.">AI_alert_correlation_thread</a> ( <span class="keywordtype">void</span>* );
<a name="l00244"></a>00244 <a name="l00244"></a>00244
<a name="l00245"></a>00245 <span class="preprocessor">#ifdef ENABLE_DB</span> <a name="l00248"></a><a class="code" href="struct__AI__snort__alert.html#a285aff12d6bac03c316ccc5305d28e53">00248</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> <a class="code" href="struct__AI__snort__alert.html#a285aff12d6bac03c316ccc5305d28e53">grouped_alarms_count</a>;
<a name="l00246"></a>00246 <span class="preprocessor"></span><a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a>* AI_db_get_alerts ( <span class="keywordtype">void</span> ); <a name="l00249"></a>00249
<a name="l00247"></a>00247 <span class="keywordtype">void</span> AI_db_free_alerts ( <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a> *node ); <a name="l00252"></a><a class="code" href="struct__AI__snort__alert.html#ac101de15b4f9451f235b82122f77b62a">00252</a> <a class="code" href="structAI__hyperalert__info.html">AI_hyperalert_info</a> *<a class="code" href="struct__AI__snort__alert.html#ac101de15b4f9451f235b82122f77b62a">hyperalert</a>;
<a name="l00248"></a>00248 <span class="keywordtype">void</span>* AI_db_alertparser_thread ( <span class="keywordtype">void</span>* ); <a name="l00253"></a>00253
<a name="l00249"></a>00249 <span class="preprocessor">#endif</span> <a name="l00254"></a>00254 <span class="comment">/* &#39;Parent&#39; correlated alert in the chain,</span>
<a name="l00250"></a>00250 <span class="preprocessor"></span> <a name="l00255"></a>00255 <span class="comment"> * if any*/</span>
<a name="l00251"></a>00251 <span class="keywordtype">void</span> <a class="code" href="group__stream.html#ga7d71c5645b9baff7b6c4b9a181bf80c5" title="Function called for appending a new packet to the hash table, creating a new stream or appending it t...">AI_pkt_enqueue</a> ( SFSnortPacket* ); <a name="l00256"></a><a class="code" href="struct__AI__snort__alert.html#a55a5488c7ee7706ded4c16b1235fd9c7">00256</a> <span class="keyword">struct </span><a class="code" href="struct__AI__snort__alert.html">_AI_snort_alert</a> *<a class="code" href="struct__AI__snort__alert.html#a55a5488c7ee7706ded4c16b1235fd9c7">previous_correlated</a>;
<a name="l00252"></a>00252 <span class="keywordtype">void</span> <a class="code" href="group__stream.html#ga8749989cee2ac05a7de058faac280c02" title="Set the flag &amp;quot;observed&amp;quot; on a stream associated to a security alert, so that it won&amp;#39;t be...">AI_set_stream_observed</a> ( <span class="keyword">struct</span> <a class="code" href="structpkt__key.html">pkt_key</a> key ); <a name="l00257"></a>00257
<a name="l00253"></a>00253 <span class="keywordtype">void</span> <a class="code" href="group__cluster.html#ga1445818b37483f78cc3fb2890155842c" title="Build the clustering hierarchy trees.">AI_hierarchies_build</a> ( <a class="code" href="structAI__config.html">AI_config</a>*, <a class="code" href="struct__hierarchy__node.html">hierarchy_node</a>**, <span class="keywordtype">int</span> ); <a name="l00260"></a><a class="code" href="struct__AI__snort__alert.html#aac5e4078600ed17532db1f3d78165390">00260</a> <span class="keyword">struct </span><a class="code" href="struct__AI__snort__alert.html">_AI_snort_alert</a> **<a class="code" href="struct__AI__snort__alert.html#aac5e4078600ed17532db1f3d78165390">derived_alerts</a>;
<a name="l00254"></a>00254 <span class="keywordtype">void</span> <a class="code" href="group__alert__parser.html#ga270e86669a0aa64a8da37bc16cda645b" title="Deallocate the memory of a log alert linked list.">AI_free_alerts</a> ( <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a> *node ); <a name="l00261"></a>00261
<a name="l00255"></a>00255 <a name="l00263"></a><a class="code" href="struct__AI__snort__alert.html#a1f2d5e8cfd0e6321b977173d1e90cb68">00263</a> <span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> <a class="code" href="struct__AI__snort__alert.html#a1f2d5e8cfd0e6321b977173d1e90cb68">n_derived_alerts</a>;
<a name="l00256"></a>00256 <span class="keyword">struct </span><a class="code" href="structpkt__info.html">pkt_info</a>* <a class="code" href="group__stream.html#ga2efedcabbfd12c5345f0c93a3dd4735c" title="Get a TCP stream by key.">AI_get_stream_by_key</a> ( <span class="keyword">struct</span> <a class="code" href="structpkt__key.html">pkt_key</a> ); <a name="l00264"></a>00264 } <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a>;
<a name="l00257"></a>00257 <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a>* <a class="code" href="group__alert__parser.html#ga99474495643197b3075ac22ec6f6c70f" title="Return the alerts parsed so far as a linked list.">AI_get_alerts</a> ( <span class="keywordtype">void</span> ); <a name="l00265"></a>00265 <span class="comment">/*****************************************************************/</span>
<a name="l00258"></a>00258 <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a>* <a class="code" href="group__cluster.html#ga2553c678eeb83282c230d649a0e8fcd4" title="Return the alerts parsed so far as a linked list.">AI_get_clustered_alerts</a> ( <span class="keywordtype">void</span> ); <a name="l00266"></a>00266
<a name="l00259"></a>00259 <a name="l00267"></a>00267 <span class="keywordtype">int</span> <a class="code" href="group__regex.html#ga35f57c052a7de1ded54b67a1f7819791" title="Check if a string matches a regular expression.">preg_match</a> ( <span class="keyword">const</span> <span class="keywordtype">char</span>*, <span class="keywordtype">char</span>*, <span class="keywordtype">char</span>***, <span class="keywordtype">int</span>* );
<a name="l00261"></a><a class="code" href="spp__ai_8h.html#ab184b676360ce03035801284a2bd1ea7">00261</a> <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a>* (*get_alerts)(void); <a name="l00268"></a>00268 <span class="keywordtype">char</span>* <a class="code" href="group__regex.html#ga736ba1abdc4938cbb1bf5861e7dbfd50" title="Replace the content of &amp;#39;orig&amp;#39; in &amp;#39;str&amp;#39; with &amp;#39;rep&amp;#39;.">str_replace</a> ( <span class="keywordtype">char</span> *str, <span class="keywordtype">char</span> *orig, <span class="keywordtype">char</span> *rep );
<a name="l00262"></a>00262 <a name="l00269"></a>00269 <span class="keywordtype">char</span>* <a class="code" href="group__regex.html#gaff6c55cd04fc08dd582e244590dc25a4" title="Replace all of the occurrences of &amp;#39;orig&amp;#39; in &amp;#39;str&amp;#39; with &amp;#39;rep&amp;#39;.">str_replace_all</a> ( <span class="keywordtype">char</span> *str, <span class="keywordtype">char</span> *orig, <span class="keywordtype">char</span> *rep );
<a name="l00263"></a>00263 <span class="preprocessor">#endif </span><span class="comment">/* _SPP_AI_H */</span> <a name="l00270"></a>00270
<a name="l00264"></a>00264 <a name="l00271"></a>00271 <span class="keywordtype">void</span>* <a class="code" href="group__stream.html#ga24b1131374e5059564b8a12380c4eb75" title="Thread called for cleaning up the hash table from the traffic streams older than a certain threshold...">AI_hashcleanup_thread</a> ( <span class="keywordtype">void</span>* );
<a name="l00272"></a>00272 <span class="keywordtype">void</span>* <a class="code" href="group__alert__parser.html#ga5aab8d9bdf0e92a51731442fd787f61f" title="Thread for parsing Snort&amp;#39;s alert file.">AI_file_alertparser_thread</a> ( <span class="keywordtype">void</span>* );
<a name="l00273"></a>00273 <span class="keywordtype">void</span>* <a class="code" href="group__correlation.html#ga939353a4e15de7a8f4145ab986f584be" title="Thread for correlating clustered alerts.">AI_alert_correlation_thread</a> ( <span class="keywordtype">void</span>* );
<a name="l00274"></a>00274
<a name="l00275"></a>00275 <span class="preprocessor">#ifdef HAVE_LIBMYSQLCLIENT</span>
<a name="l00276"></a>00276 <span class="preprocessor"></span><a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a>* AI_db_get_alerts ( <span class="keywordtype">void</span> );
<a name="l00277"></a>00277 <span class="keywordtype">void</span> AI_db_free_alerts ( <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a> *node );
<a name="l00278"></a>00278 <span class="keywordtype">void</span>* AI_db_alertparser_thread ( <span class="keywordtype">void</span>* );
<a name="l00279"></a>00279 <span class="preprocessor">#endif</span>
<a name="l00280"></a>00280 <span class="preprocessor"></span>
<a name="l00281"></a>00281 <span class="keywordtype">void</span> <a class="code" href="group__stream.html#ga7d71c5645b9baff7b6c4b9a181bf80c5" title="Function called for appending a new packet to the hash table, creating a new stream or appending it t...">AI_pkt_enqueue</a> ( SFSnortPacket* );
<a name="l00282"></a>00282 <span class="keywordtype">void</span> <a class="code" href="group__stream.html#ga8749989cee2ac05a7de058faac280c02" title="Set the flag &amp;quot;observed&amp;quot; on a stream associated to a security alert, so that it won&amp;#39;t be...">AI_set_stream_observed</a> ( <span class="keyword">struct</span> <a class="code" href="structpkt__key.html">pkt_key</a> key );
<a name="l00283"></a>00283 <span class="keywordtype">void</span> <a class="code" href="group__cluster.html#ga1445818b37483f78cc3fb2890155842c" title="Build the clustering hierarchy trees.">AI_hierarchies_build</a> ( <a class="code" href="structAI__config.html">AI_config</a>*, <a class="code" href="struct__hierarchy__node.html">hierarchy_node</a>**, <span class="keywordtype">int</span> );
<a name="l00284"></a>00284 <span class="keywordtype">void</span> <a class="code" href="group__alert__parser.html#ga270e86669a0aa64a8da37bc16cda645b" title="Deallocate the memory of a log alert linked list.">AI_free_alerts</a> ( <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a> *node );
<a name="l00285"></a>00285
<a name="l00286"></a>00286 <span class="keyword">struct </span><a class="code" href="structpkt__info.html">pkt_info</a>* <a class="code" href="group__stream.html#ga2efedcabbfd12c5345f0c93a3dd4735c" title="Get a TCP stream by key.">AI_get_stream_by_key</a> ( <span class="keyword">struct</span> <a class="code" href="structpkt__key.html">pkt_key</a> );
<a name="l00287"></a>00287 <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a>* <a class="code" href="group__alert__parser.html#ga99474495643197b3075ac22ec6f6c70f" title="Return the alerts parsed so far as a linked list.">AI_get_alerts</a> ( <span class="keywordtype">void</span> );
<a name="l00288"></a>00288 <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a>* <a class="code" href="group__cluster.html#ga2553c678eeb83282c230d649a0e8fcd4" title="Return the alerts parsed so far as a linked list.">AI_get_clustered_alerts</a> ( <span class="keywordtype">void</span> );
<a name="l00289"></a>00289
<a name="l00291"></a><a class="code" href="spp__ai_8h.html#ab184b676360ce03035801284a2bd1ea7">00291</a> <a class="code" href="struct__AI__snort__alert.html">AI_snort_alert</a>* (*get_alerts)(void);
<a name="l00292"></a>00292
<a name="l00293"></a>00293 <span class="preprocessor">#endif </span><span class="comment">/* _SPP_AI_H */</span>
<a name="l00294"></a>00294
</pre></div></div> </pre></div></div>
</div> </div>
<!--- window showing the filter options --> <!--- window showing the filter options -->
@ -278,7 +294,7 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -134,7 +134,7 @@ Variables</h2></td></tr>
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -59,42 +59,13 @@ var searchBox = new SearchBox("searchBox", "search",false,'Search');
<!-- doxytag: class="AI_alert_correlation" --><table class="memberdecls"> <!-- doxytag: class="AI_alert_correlation" --><table class="memberdecls">
<tr><td colspan="2"><h2><a name="pub-attribs"></a> <tr><td colspan="2"><h2><a name="pub-attribs"></a>
Data Fields</h2></td></tr> Data Fields</h2></td></tr>
<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__alert__correlation.html#a8737f171e1c1b2305c8fe77101d6aeb7">a</a></td></tr> <tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="structAI__alert__correlation__key.html">AI_alert_correlation_key</a>&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__alert__correlation.html#a4e27da4922a1d44497634c8e5968d870">key</a></td></tr>
<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__alert__correlation.html#a478f1a6f18f9c083b203efdf776379cd">b</a></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">double&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__alert__correlation.html#aad417b2126ae26d7576f006a3dbcdc81">correlation</a></td></tr> <tr><td class="memItemLeft" align="right" valign="top">double&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__alert__correlation.html#aad417b2126ae26d7576f006a3dbcdc81">correlation</a></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">UT_hash_handle&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__alert__correlation.html#ad3020a87936a2193a92f09331401ad42">hh</a></td></tr> <tr><td class="memItemLeft" align="right" valign="top">UT_hash_handle&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__alert__correlation.html#ad3020a87936a2193a92f09331401ad42">hh</a></td></tr>
</table> </table>
<hr/><a name="_details"></a><h2>Detailed Description</h2> <hr/><a name="_details"></a><h2>Detailed Description</h2>
<p>Struct representing the correlation between all the couples of alerts </p> <p>Struct representing the correlation between all the couples of alerts </p>
<hr/><h2>Field Documentation</h2> <hr/><h2>Field Documentation</h2>
<a class="anchor" id="a8737f171e1c1b2305c8fe77101d6aeb7"></a><!-- doxytag: member="AI_alert_correlation::a" ref="a8737f171e1c1b2305c8fe77101d6aeb7" args="" -->
<div class="memitem">
<div class="memproto">
<table class="memname">
<tr>
<td class="memname"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a>* <a class="el" href="structAI__alert__correlation.html#a8737f171e1c1b2305c8fe77101d6aeb7">AI_alert_correlation::a</a></td>
</tr>
</table>
</div>
<div class="memdoc">
<p>First alert </p>
</div>
</div>
<a class="anchor" id="a478f1a6f18f9c083b203efdf776379cd"></a><!-- doxytag: member="AI_alert_correlation::b" ref="a478f1a6f18f9c083b203efdf776379cd" args="" -->
<div class="memitem">
<div class="memproto">
<table class="memname">
<tr>
<td class="memname"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a>* <a class="el" href="structAI__alert__correlation.html#a478f1a6f18f9c083b203efdf776379cd">AI_alert_correlation::b</a></td>
</tr>
</table>
</div>
<div class="memdoc">
<p>Second alert </p>
</div>
</div>
<a class="anchor" id="aad417b2126ae26d7576f006a3dbcdc81"></a><!-- doxytag: member="AI_alert_correlation::correlation" ref="aad417b2126ae26d7576f006a3dbcdc81" args="" --> <a class="anchor" id="aad417b2126ae26d7576f006a3dbcdc81"></a><!-- doxytag: member="AI_alert_correlation::correlation" ref="aad417b2126ae26d7576f006a3dbcdc81" args="" -->
<div class="memitem"> <div class="memitem">
<div class="memproto"> <div class="memproto">
@ -121,6 +92,20 @@ Data Fields</h2></td></tr>
<div class="memdoc"> <div class="memdoc">
<p>Make the struct 'hashable' </p> <p>Make the struct 'hashable' </p>
</div>
</div>
<a class="anchor" id="a4e27da4922a1d44497634c8e5968d870"></a><!-- doxytag: member="AI_alert_correlation::key" ref="a4e27da4922a1d44497634c8e5968d870" args="" -->
<div class="memitem">
<div class="memproto">
<table class="memname">
<tr>
<td class="memname"><a class="el" href="structAI__alert__correlation__key.html">AI_alert_correlation_key</a> <a class="el" href="structAI__alert__correlation.html#a4e27da4922a1d44497634c8e5968d870">AI_alert_correlation::key</a></td>
</tr>
</table>
</div>
<div class="memdoc">
<p>Hash key </p>
</div> </div>
</div> </div>
<hr/>The documentation for this struct was generated from the following file:<ul> <hr/>The documentation for this struct was generated from the following file:<ul>
@ -141,7 +126,7 @@ Data Fields</h2></td></tr>
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -0,0 +1,118 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
<title>Snort AI preprocessor module: AI_alert_correlation_key Struct Reference</title>
<link href="tabs.css" rel="stylesheet" type="text/css"/>
<link href="search/search.css" rel="stylesheet" type="text/css"/>
<script type="text/javaScript" src="search/search.js"></script>
<link href="doxygen.css" rel="stylesheet" type="text/css"/>
</head>
<body onload='searchBox.OnSelectItem(0);'>
<!-- Generated by Doxygen 1.7.1 -->
<script type="text/javascript"><!--
var searchBox = new SearchBox("searchBox", "search",false,'Search');
--></script>
<div class="navigation" id="top">
<div class="tabs">
<ul class="tablist">
<li><a href="index.html"><span>Main&nbsp;Page</span></a></li>
<li><a href="modules.html"><span>Modules</span></a></li>
<li class="current"><a href="annotated.html"><span>Data&nbsp;Structures</span></a></li>
<li><a href="files.html"><span>Files</span></a></li>
<li id="searchli">
<div id="MSearchBox" class="MSearchBoxInactive">
<span class="left">
<img id="MSearchSelect" src="search/mag_sel.png"
onmouseover="return searchBox.OnSearchSelectShow()"
onmouseout="return searchBox.OnSearchSelectHide()"
alt=""/>
<input type="text" id="MSearchField" value="Search" accesskey="S"
onfocus="searchBox.OnSearchFieldFocus(true)"
onblur="searchBox.OnSearchFieldFocus(false)"
onkeyup="searchBox.OnSearchFieldChange(event)"/>
</span><span class="right">
<a id="MSearchClose" href="javascript:searchBox.CloseResultsWindow()"><img id="MSearchCloseImg" border="0" src="search/close.png" alt=""/></a>
</span>
</div>
</li>
</ul>
</div>
<div class="tabs2">
<ul class="tablist">
<li><a href="annotated.html"><span>Data&nbsp;Structures</span></a></li>
<li><a href="classes.html"><span>Data&nbsp;Structure&nbsp;Index</span></a></li>
<li><a href="functions.html"><span>Data&nbsp;Fields</span></a></li>
</ul>
</div>
</div>
<div class="header">
<div class="summary">
<a href="#pub-attribs">Data Fields</a> </div>
<div class="headertitle">
<h1>AI_alert_correlation_key Struct Reference<br/>
<small>
[<a class="el" href="group__correlation.html">Module for the correlation of hyperalerts</a>]</small>
</h1> </div>
</div>
<div class="contents">
<!-- doxytag: class="AI_alert_correlation_key" --><table class="memberdecls">
<tr><td colspan="2"><h2><a name="pub-attribs"></a>
Data Fields</h2></td></tr>
<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__alert__correlation__key.html#a774daec9332da25835a0904d853acadb">a</a></td></tr>
<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__alert__correlation__key.html#a5805dec6499a83b818091b4f21c715dc">b</a></td></tr>
</table>
<hr/><a name="_details"></a><h2>Detailed Description</h2>
<p>Key for the correlation hash table </p>
<hr/><h2>Field Documentation</h2>
<a class="anchor" id="a774daec9332da25835a0904d853acadb"></a><!-- doxytag: member="AI_alert_correlation_key::a" ref="a774daec9332da25835a0904d853acadb" args="" -->
<div class="memitem">
<div class="memproto">
<table class="memname">
<tr>
<td class="memname"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a>* <a class="el" href="structAI__alert__correlation__key.html#a774daec9332da25835a0904d853acadb">AI_alert_correlation_key::a</a></td>
</tr>
</table>
</div>
<div class="memdoc">
<p>First alert </p>
</div>
</div>
<a class="anchor" id="a5805dec6499a83b818091b4f21c715dc"></a><!-- doxytag: member="AI_alert_correlation_key::b" ref="a5805dec6499a83b818091b4f21c715dc" args="" -->
<div class="memitem">
<div class="memproto">
<table class="memname">
<tr>
<td class="memname"><a class="el" href="struct__AI__snort__alert.html">AI_snort_alert</a>* <a class="el" href="structAI__alert__correlation__key.html#a5805dec6499a83b818091b4f21c715dc">AI_alert_correlation_key::b</a></td>
</tr>
</table>
</div>
<div class="memdoc">
<p>Second alert </p>
</div>
</div>
<hr/>The documentation for this struct was generated from the following file:<ul>
<li><a class="el" href="correlation_8c.html">correlation.c</a></li>
</ul>
</div>
<!--- window showing the filter options -->
<div id="MSearchSelectWindow"
onmouseover="return searchBox.OnSearchSelectShow()"
onmouseout="return searchBox.OnSearchSelectHide()"
onkeydown="return searchBox.OnSearchSelectKey(event)">
<a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(0)"><span class="SelectionMark">&nbsp;</span>All</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(1)"><span class="SelectionMark">&nbsp;</span>Data Structures</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(2)"><span class="SelectionMark">&nbsp;</span>Files</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(3)"><span class="SelectionMark">&nbsp;</span>Functions</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(4)"><span class="SelectionMark">&nbsp;</span>Variables</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(5)"><span class="SelectionMark">&nbsp;</span>Typedefs</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(6)"><span class="SelectionMark">&nbsp;</span>Enumerations</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(7)"><span class="SelectionMark">&nbsp;</span>Enumerator</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(8)"><span class="SelectionMark">&nbsp;</span>Defines</a></div>
<!-- iframe showing the search results (closed by default) -->
<div id="MSearchResultsWindow">
<iframe src="" frameborder="0"
name="MSearchResults" id="MSearchResults">
</iframe>
</div>
<hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body>
</html>


@ -63,9 +63,11 @@ Data Fields</h2></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">unsigned long&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#a7d0d098b8263aa3d8415b11d1ec7f93d">alertClusteringInterval</a></td></tr> <tr><td class="memItemLeft" align="right" valign="top">unsigned long&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#a7d0d098b8263aa3d8415b11d1ec7f93d">alertClusteringInterval</a></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">unsigned long&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#ae6ca715cab1d90b70c3aad443133c263">databaseParsingInterval</a></td></tr> <tr><td class="memItemLeft" align="right" valign="top">unsigned long&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#ae6ca715cab1d90b70c3aad443133c263">databaseParsingInterval</a></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">unsigned long&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#aa736375e57a59936e2e782b7cd200e41">correlationGraphInterval</a></td></tr> <tr><td class="memItemLeft" align="right" valign="top">unsigned long&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#aa736375e57a59936e2e782b7cd200e41">correlationGraphInterval</a></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">double&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#adf6ef0faedfb4dea0a1353e781b14883">correlationThresholdCoefficient</a></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">char&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#a2efa9590d7eea6dce8b5dd9aa76ed8ca">alertfile</a> [1024]</td></tr> <tr><td class="memItemLeft" align="right" valign="top">char&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#a2efa9590d7eea6dce8b5dd9aa76ed8ca">alertfile</a> [1024]</td></tr>
<tr><td class="memItemLeft" align="right" valign="top">char&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#a6da02a3f7116fd3810a41b738e8883a3">clusterfile</a> [1024]</td></tr> <tr><td class="memItemLeft" align="right" valign="top">char&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#a6da02a3f7116fd3810a41b738e8883a3">clusterfile</a> [1024]</td></tr>
<tr><td class="memItemLeft" align="right" valign="top">char&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#ab7ea93bbe72b85c4019b4f5656ad62fc">corr_rules_dir</a> [1024]</td></tr> <tr><td class="memItemLeft" align="right" valign="top">char&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#ab7ea93bbe72b85c4019b4f5656ad62fc">corr_rules_dir</a> [1024]</td></tr>
<tr><td class="memItemLeft" align="right" valign="top">char&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#ae68f5489e2ec9ea1408f98fe36d050c9">corr_alerts_dir</a> [1024]</td></tr>
<tr><td class="memItemLeft" align="right" valign="top">char&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#ac8a93607f12106e2f5c9b43af27107da">dbname</a> [256]</td></tr> <tr><td class="memItemLeft" align="right" valign="top">char&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#ac8a93607f12106e2f5c9b43af27107da">dbname</a> [256]</td></tr>
<tr><td class="memItemLeft" align="right" valign="top">char&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#aa004adebfdafb6d14092aecd7f4912b0">dbuser</a> [256]</td></tr> <tr><td class="memItemLeft" align="right" valign="top">char&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#aa004adebfdafb6d14092aecd7f4912b0">dbuser</a> [256]</td></tr>
<tr><td class="memItemLeft" align="right" valign="top">char&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#aa1cda349763faf60b2ebdbf2d187ae7d">dbpass</a> [256]</td></tr> <tr><td class="memItemLeft" align="right" valign="top">char&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="structAI__config.html#aa1cda349763faf60b2ebdbf2d187ae7d">dbpass</a> [256]</td></tr>
@ -112,6 +114,20 @@ Data Fields</h2></td></tr>
<div class="memdoc"> <div class="memdoc">
<p>Clustered alerts file </p> <p>Clustered alerts file </p>
</div>
</div>
<a class="anchor" id="ae68f5489e2ec9ea1408f98fe36d050c9"></a><!-- doxytag: member="AI_config::corr_alerts_dir" ref="ae68f5489e2ec9ea1408f98fe36d050c9" args="[1024]" -->
<div class="memitem">
<div class="memproto">
<table class="memname">
<tr>
<td class="memname">char <a class="el" href="structAI__config.html#ae68f5489e2ec9ea1408f98fe36d050c9">AI_config::corr_alerts_dir</a>[1024]</td>
</tr>
</table>
</div>
<div class="memdoc">
<p>Directory where the correlated alerts' information will be placed </p>
</div> </div>
</div> </div>
<a class="anchor" id="ab7ea93bbe72b85c4019b4f5656ad62fc"></a><!-- doxytag: member="AI_config::corr_rules_dir" ref="ab7ea93bbe72b85c4019b4f5656ad62fc" args="[1024]" --> <a class="anchor" id="ab7ea93bbe72b85c4019b4f5656ad62fc"></a><!-- doxytag: member="AI_config::corr_rules_dir" ref="ab7ea93bbe72b85c4019b4f5656ad62fc" args="[1024]" -->
@ -140,6 +156,20 @@ Data Fields</h2></td></tr>
<div class="memdoc"> <div class="memdoc">
<p>Interval in seconds for running the thread for building alert correlation graphs </p> <p>Interval in seconds for running the thread for building alert correlation graphs </p>
</div>
</div>
<a class="anchor" id="adf6ef0faedfb4dea0a1353e781b14883"></a><!-- doxytag: member="AI_config::correlationThresholdCoefficient" ref="adf6ef0faedfb4dea0a1353e781b14883" args="" -->
<div class="memitem">
<div class="memproto">
<table class="memname">
<tr>
<td class="memname">double <a class="el" href="structAI__config.html#adf6ef0faedfb4dea0a1353e781b14883">AI_config::correlationThresholdCoefficient</a></td>
</tr>
</table>
</div>
<div class="memdoc">
<p>Correlation threshold coefficient for correlating two hyperalerts. Two hyperalerts are 'correlated' to each other in a multi-step attack graph if and only if their correlation value is &gt;= m + ks, where m is the average correlation coefficient, s is the standard deviation over this coefficient, and k is this threshold coefficient. Its value can be &gt;= 0. A value in [0,1] is strongly suggested, but this value mostly depends on how accurate the correlation rules where defined. Be careful, defining a correlation coefficient &gt; or &gt;&gt; 1 no correlation may occur at all! </p>
</div> </div>
</div> </div>
<a class="anchor" id="ae6ca715cab1d90b70c3aad443133c263"></a><!-- doxytag: member="AI_config::databaseParsingInterval" ref="ae6ca715cab1d90b70c3aad443133c263" args="" --> <a class="anchor" id="ae6ca715cab1d90b70c3aad443133c263"></a><!-- doxytag: member="AI_config::databaseParsingInterval" ref="ae6ca715cab1d90b70c3aad443133c263" args="" -->
@ -258,7 +288,7 @@ Data Fields</h2></td></tr>
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -170,7 +170,7 @@ Data Fields</h2></td></tr>
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -122,7 +122,7 @@ Data Fields</h2></td></tr>
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -84,6 +84,9 @@ Data Fields</h2></td></tr>
<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="struct__hierarchy__node.html">hierarchy_node</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#ac53765584296ead1328eabfaba8a3aed">h_node</a> [CLUSTER_TYPES]</td></tr> <tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="struct__hierarchy__node.html">hierarchy_node</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#ac53765584296ead1328eabfaba8a3aed">h_node</a> [CLUSTER_TYPES]</td></tr>
<tr><td class="memItemLeft" align="right" valign="top">unsigned int&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#a285aff12d6bac03c316ccc5305d28e53">grouped_alarms_count</a></td></tr> <tr><td class="memItemLeft" align="right" valign="top">unsigned int&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#a285aff12d6bac03c316ccc5305d28e53">grouped_alarms_count</a></td></tr>
<tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="structAI__hyperalert__info.html">AI_hyperalert_info</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#ac101de15b4f9451f235b82122f77b62a">hyperalert</a></td></tr> <tr><td class="memItemLeft" align="right" valign="top"><a class="el" href="structAI__hyperalert__info.html">AI_hyperalert_info</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#ac101de15b4f9451f235b82122f77b62a">hyperalert</a></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">struct <a class="el" href="struct__AI__snort__alert.html">_AI_snort_alert</a> *&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#a55a5488c7ee7706ded4c16b1235fd9c7">previous_correlated</a></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">struct <a class="el" href="struct__AI__snort__alert.html">_AI_snort_alert</a> **&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#aac5e4078600ed17532db1f3d78165390">derived_alerts</a></td></tr>
<tr><td class="memItemLeft" align="right" valign="top">unsigned int&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="struct__AI__snort__alert.html#a1f2d5e8cfd0e6321b977173d1e90cb68">n_derived_alerts</a></td></tr>
</table> </table>
<hr/><a name="_details"></a><h2>Detailed Description</h2> <hr/><a name="_details"></a><h2>Detailed Description</h2>
<p>Data type for Snort alerts </p> <p>Data type for Snort alerts </p>
@ -99,6 +102,20 @@ Data Fields</h2></td></tr>
</div> </div>
<div class="memdoc"> <div class="memdoc">
</div>
</div>
<a class="anchor" id="aac5e4078600ed17532db1f3d78165390"></a><!-- doxytag: member="_AI_snort_alert::derived_alerts" ref="aac5e4078600ed17532db1f3d78165390" args="" -->
<div class="memitem">
<div class="memproto">
<table class="memname">
<tr>
<td class="memname">struct <a class="el" href="struct__AI__snort__alert.html">_AI_snort_alert</a>** <a class="el" href="struct__AI__snort__alert.html#aac5e4078600ed17532db1f3d78165390">_AI_snort_alert::derived_alerts</a></td>
</tr>
</table>
</div>
<div class="memdoc">
<p>Array of directly correlated 'derived' alerts from the current one, if any </p>
</div> </div>
</div> </div>
<a class="anchor" id="ac0902d7c756ec675fb06347ce4706135"></a><!-- doxytag: member="_AI_snort_alert::desc" ref="ac0902d7c756ec675fb06347ce4706135" args="" --> <a class="anchor" id="ac0902d7c756ec675fb06347ce4706135"></a><!-- doxytag: member="_AI_snort_alert::desc" ref="ac0902d7c756ec675fb06347ce4706135" args="" -->
@ -258,6 +275,20 @@ Data Fields</h2></td></tr>
</div> </div>
<div class="memdoc"> <div class="memdoc">
</div>
</div>
<a class="anchor" id="a1f2d5e8cfd0e6321b977173d1e90cb68"></a><!-- doxytag: member="_AI_snort_alert::n_derived_alerts" ref="a1f2d5e8cfd0e6321b977173d1e90cb68" args="" -->
<div class="memitem">
<div class="memproto">
<table class="memname">
<tr>
<td class="memname">unsigned int <a class="el" href="struct__AI__snort__alert.html#a1f2d5e8cfd0e6321b977173d1e90cb68">_AI_snort_alert::n_derived_alerts</a></td>
</tr>
</table>
</div>
<div class="memdoc">
<p>Number of derived alerts </p>
</div> </div>
</div> </div>
<a class="anchor" id="aa8336d4b3359015ed8ea312ca1fd1173"></a><!-- doxytag: member="_AI_snort_alert::next" ref="aa8336d4b3359015ed8ea312ca1fd1173" args="" --> <a class="anchor" id="aa8336d4b3359015ed8ea312ca1fd1173"></a><!-- doxytag: member="_AI_snort_alert::next" ref="aa8336d4b3359015ed8ea312ca1fd1173" args="" -->
@ -272,6 +303,19 @@ Data Fields</h2></td></tr>
<div class="memdoc"> <div class="memdoc">
<p>Pointer to the next alert in the log, if any </p> <p>Pointer to the next alert in the log, if any </p>
</div>
</div>
<a class="anchor" id="a55a5488c7ee7706ded4c16b1235fd9c7"></a><!-- doxytag: member="_AI_snort_alert::previous_correlated" ref="a55a5488c7ee7706ded4c16b1235fd9c7" args="" -->
<div class="memitem">
<div class="memproto">
<table class="memname">
<tr>
<td class="memname">struct <a class="el" href="struct__AI__snort__alert.html">_AI_snort_alert</a>* <a class="el" href="struct__AI__snort__alert.html#a55a5488c7ee7706ded4c16b1235fd9c7">_AI_snort_alert::previous_correlated</a></td>
</tr>
</table>
</div>
<div class="memdoc">
</div> </div>
</div> </div>
<a class="anchor" id="a25661fa4e212c5e30af5e6a892985ec9"></a><!-- doxytag: member="_AI_snort_alert::priority" ref="a25661fa4e212c5e30af5e6a892985ec9" args="" --> <a class="anchor" id="a25661fa4e212c5e30af5e6a892985ec9"></a><!-- doxytag: member="_AI_snort_alert::priority" ref="a25661fa4e212c5e30af5e6a892985ec9" args="" -->
@ -449,7 +493,7 @@ Data Fields</h2></td></tr>
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -178,7 +178,7 @@ Data Fields</h2></td></tr>
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -109,7 +109,7 @@ Data Fields</h2></td></tr>
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -137,7 +137,7 @@ Data Fields</h2></td></tr>
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -170,7 +170,7 @@ Data Fields</h2></td></tr>
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -108,7 +108,7 @@ Data Fields</h2></td></tr>
</iframe> </iframe>
</div> </div>
<hr class="footer"/><address class="footer"><small>Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by&nbsp; <hr class="footer"/><address class="footer"><small>Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by&nbsp;
<a href="http://www.doxygen.org/index.html"> <a href="http://www.doxygen.org/index.html">
<img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address> <img class="footer" src="doxygen.png" alt="doxygen"/></a> 1.7.1 </small></address>
</body> </body>


@ -3,6 +3,7 @@ Here are the data structures with brief descriptions:\begin{DoxyCompactList}
\item\contentsline{section}{\hyperlink{struct__AI__snort__alert}{\_\-AI\_\-snort\_\-alert} }{\pageref{struct__AI__snort__alert}}{} \item\contentsline{section}{\hyperlink{struct__AI__snort__alert}{\_\-AI\_\-snort\_\-alert} }{\pageref{struct__AI__snort__alert}}{}
\item\contentsline{section}{\hyperlink{struct__hierarchy__node}{\_\-hierarchy\_\-node} }{\pageref{struct__hierarchy__node}}{} \item\contentsline{section}{\hyperlink{struct__hierarchy__node}{\_\-hierarchy\_\-node} }{\pageref{struct__hierarchy__node}}{}
\item\contentsline{section}{\hyperlink{structAI__alert__correlation}{AI\_\-alert\_\-correlation} }{\pageref{structAI__alert__correlation}}{} \item\contentsline{section}{\hyperlink{structAI__alert__correlation}{AI\_\-alert\_\-correlation} }{\pageref{structAI__alert__correlation}}{}
\item\contentsline{section}{\hyperlink{structAI__alert__correlation__key}{AI\_\-alert\_\-correlation\_\-key} }{\pageref{structAI__alert__correlation__key}}{}
\item\contentsline{section}{\hyperlink{structAI__config}{AI\_\-config} }{\pageref{structAI__config}}{} \item\contentsline{section}{\hyperlink{structAI__config}{AI\_\-config} }{\pageref{structAI__config}}{}
\item\contentsline{section}{\hyperlink{structAI__hyperalert__info}{AI\_\-hyperalert\_\-info} }{\pageref{structAI__hyperalert__info}}{} \item\contentsline{section}{\hyperlink{structAI__hyperalert__info}{AI\_\-hyperalert\_\-info} }{\pageref{structAI__hyperalert__info}}{}
\item\contentsline{section}{\hyperlink{structAI__hyperalert__key}{AI\_\-hyperalert\_\-key} }{\pageref{structAI__hyperalert__key}}{} \item\contentsline{section}{\hyperlink{structAI__hyperalert__key}{AI\_\-hyperalert\_\-key} }{\pageref{structAI__hyperalert__key}}{}


@ -3,13 +3,21 @@
\label{correlation_8c}\index{correlation.c@{correlation.c}} \label{correlation_8c}\index{correlation.c@{correlation.c}}
} }
{\ttfamily \#include \char`\"{}spp\_\-ai.h\char`\"{}}\par {\ttfamily \#include \char`\"{}spp\_\-ai.h\char`\"{}}\par
{\ttfamily \#include $<$stdio.h$>$}\par
{\ttfamily \#include $<$stdlib.h$>$}\par
{\ttfamily \#include $<$string.h$>$}\par
{\ttfamily \#include $<$unistd.h$>$}\par {\ttfamily \#include $<$unistd.h$>$}\par
{\ttfamily \#include $<$time.h$>$}\par
{\ttfamily \#include $<$math.h$>$}\par
{\ttfamily \#include $<$alloca.h$>$}\par
{\ttfamily \#include $<$sys/stat.h$>$}\par {\ttfamily \#include $<$sys/stat.h$>$}\par
{\ttfamily \#include $<$pthread.h$>$}\par {\ttfamily \#include $<$pthread.h$>$}\par
{\ttfamily \#include $<$libxml/xmlreader.h$>$}\par {\ttfamily \#include $<$libxml/xmlreader.h$>$}\par
\subsection*{Data Structures} \subsection*{Data Structures}
\begin{DoxyCompactItemize} \begin{DoxyCompactItemize}
\item \item
struct \hyperlink{structAI__alert__correlation__key}{AI\_\-alert\_\-correlation\_\-key}
\item
struct \hyperlink{structAI__alert__correlation}{AI\_\-alert\_\-correlation} struct \hyperlink{structAI__alert__correlation}{AI\_\-alert\_\-correlation}
\end{DoxyCompactItemize} \end{DoxyCompactItemize}
\subsection*{Enumerations} \subsection*{Enumerations}
@ -27,9 +35,17 @@ enum \{ \par
\subsection*{Functions} \subsection*{Functions}
\begin{DoxyCompactItemize} \begin{DoxyCompactItemize}
\item \item
double \hyperlink{group__correlation_ga130e82017fc0abcb76b1a7740ae2f4df}{\_\-AI\_\-correlation\_\-coefficient} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$a, \hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$b) PRIVATE void \hyperlink{group__correlation_ga9bcb94264ffe30f113f3fb7287b774e3}{\_\-AI\_\-correlation\_\-table\_\-cleanup} ()
\begin{DoxyCompactList}\small\item\em Clean up the correlation hash table. \item\end{DoxyCompactList}\item
PRIVATE void \hyperlink{group__correlation_ga4267a39fa1a5ac035015823bca43288e}{\_\-AI\_\-print\_\-correlated\_\-alerts} (\hyperlink{structAI__alert__correlation}{AI\_\-alert\_\-correlation} $\ast$corr, FILE $\ast$fp)
\begin{DoxyCompactList}\small\item\em Recursively write a flow of correlated alerts to a .dot file, ready for being rendered as graph. \item\end{DoxyCompactList}\item
PRIVATE char $\ast$ \hyperlink{group__correlation_ga7a1b2d01f526f24ea91d7f08bdefd4fe}{\_\-AI\_\-get\_\-function\_\-name} (const char $\ast$orig\_\-stmt)
\begin{DoxyCompactList}\small\item\em Get the name of the function called by a pre-\/condition or post-\/condition predicate. \item\end{DoxyCompactList}\item
PRIVATE char $\ast$$\ast$ \hyperlink{group__correlation_gab716702cd226ab2ad957234a92da6e4a}{\_\-AI\_\-get\_\-function\_\-arguments} (char $\ast$orig\_\-stmt, int $\ast$n\_\-args)
\begin{DoxyCompactList}\small\item\em Get the arguments passed to a function predicate in a pre-\/condition or post-\/condition (comma-\/separated values). \item\end{DoxyCompactList}\item
PRIVATE double \hyperlink{group__correlation_ga9cb283b28a66829574add58a251b93c6}{\_\-AI\_\-correlation\_\-coefficient} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$a, \hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$b)
\begin{DoxyCompactList}\small\item\em Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A) / UNION(pre(B), post(A)). \item\end{DoxyCompactList}\item \begin{DoxyCompactList}\small\item\em Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A) / UNION(pre(B), post(A)). \item\end{DoxyCompactList}\item
void \hyperlink{group__correlation_ga0d094eae1d014d89a2de21263fa747da}{\_\-AI\_\-macro\_\-subst} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$$\ast$alert) PRIVATE void \hyperlink{group__correlation_ga70a4aaf8b689472dad62ba7a9bbde1a6}{\_\-AI\_\-macro\_\-subst} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$$\ast$alert)
\begin{DoxyCompactList}\small\item\em Substitute the macros in hyperalert pre-\/conditions and post-\/conditions with their associated values. \item\end{DoxyCompactList}\item \begin{DoxyCompactList}\small\item\em Substitute the macros in hyperalert pre-\/conditions and post-\/conditions with their associated values. \item\end{DoxyCompactList}\item
PRIVATE \hyperlink{structAI__hyperalert__info}{AI\_\-hyperalert\_\-info} $\ast$ \hyperlink{group__correlation_ga929e5c17fdb247a998d83ed6a4ae5a65}{\_\-AI\_\-hyperalert\_\-from\_\-XML} (\hyperlink{structAI__hyperalert__key}{AI\_\-hyperalert\_\-key} key) PRIVATE \hyperlink{structAI__hyperalert__info}{AI\_\-hyperalert\_\-info} $\ast$ \hyperlink{group__correlation_ga929e5c17fdb247a998d83ed6a4ae5a65}{\_\-AI\_\-hyperalert\_\-from\_\-XML} (\hyperlink{structAI__hyperalert__key}{AI\_\-hyperalert\_\-key} key)
\begin{DoxyCompactList}\small\item\em Parse info about a hyperalert from a correlation XML file, if it exists. \item\end{DoxyCompactList}\item \begin{DoxyCompactList}\small\item\em Parse info about a hyperalert from a correlation XML file, if it exists. \item\end{DoxyCompactList}\item


@ -27,9 +27,9 @@
\fancyplain{}{\bfseries\thepage}% \fancyplain{}{\bfseries\thepage}%
} }
\rfoot[\fancyplain{}{\bfseries\scriptsize% \rfoot[\fancyplain{}{\bfseries\scriptsize%
Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by Doxygen }]{} Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by Doxygen }]{}
\lfoot[]{\fancyplain{}{\bfseries\scriptsize% \lfoot[]{\fancyplain{}{\bfseries\scriptsize%
Generated on Sat Sep 11 2010 12:45:18 for Snort AI preprocessor module by Doxygen }} Generated on Tue Sep 14 2010 19:23:42 for Snort AI preprocessor module by Doxygen }}
\cfoot{} \cfoot{}
%---------- Internal commands used in this style file ---------------- %---------- Internal commands used in this style file ----------------


@ -5,6 +5,8 @@
\subsection*{Data Structures} \subsection*{Data Structures}
\begin{DoxyCompactItemize} \begin{DoxyCompactItemize}
\item \item
struct \hyperlink{structAI__alert__correlation__key}{AI\_\-alert\_\-correlation\_\-key}
\item
struct \hyperlink{structAI__alert__correlation}{AI\_\-alert\_\-correlation} struct \hyperlink{structAI__alert__correlation}{AI\_\-alert\_\-correlation}
\end{DoxyCompactItemize} \end{DoxyCompactItemize}
\subsection*{Enumerations} \subsection*{Enumerations}
@ -22,9 +24,17 @@ enum \{ \par
\subsection*{Functions} \subsection*{Functions}
\begin{DoxyCompactItemize} \begin{DoxyCompactItemize}
\item \item
double \hyperlink{group__correlation_ga130e82017fc0abcb76b1a7740ae2f4df}{\_\-AI\_\-correlation\_\-coefficient} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$a, \hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$b) PRIVATE void \hyperlink{group__correlation_ga9bcb94264ffe30f113f3fb7287b774e3}{\_\-AI\_\-correlation\_\-table\_\-cleanup} ()
\begin{DoxyCompactList}\small\item\em Clean up the correlation hash table. \item\end{DoxyCompactList}\item
PRIVATE void \hyperlink{group__correlation_ga4267a39fa1a5ac035015823bca43288e}{\_\-AI\_\-print\_\-correlated\_\-alerts} (\hyperlink{structAI__alert__correlation}{AI\_\-alert\_\-correlation} $\ast$corr, FILE $\ast$fp)
\begin{DoxyCompactList}\small\item\em Recursively write a flow of correlated alerts to a .dot file, ready for being rendered as graph. \item\end{DoxyCompactList}\item
PRIVATE char $\ast$ \hyperlink{group__correlation_ga7a1b2d01f526f24ea91d7f08bdefd4fe}{\_\-AI\_\-get\_\-function\_\-name} (const char $\ast$orig\_\-stmt)
\begin{DoxyCompactList}\small\item\em Get the name of the function called by a pre-\/condition or post-\/condition predicate. \item\end{DoxyCompactList}\item
PRIVATE char $\ast$$\ast$ \hyperlink{group__correlation_gab716702cd226ab2ad957234a92da6e4a}{\_\-AI\_\-get\_\-function\_\-arguments} (char $\ast$orig\_\-stmt, int $\ast$n\_\-args)
\begin{DoxyCompactList}\small\item\em Get the arguments passed to a function predicate in a pre-\/condition or post-\/condition (comma-\/separated values). \item\end{DoxyCompactList}\item
PRIVATE double \hyperlink{group__correlation_ga9cb283b28a66829574add58a251b93c6}{\_\-AI\_\-correlation\_\-coefficient} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$a, \hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$b)
\begin{DoxyCompactList}\small\item\em Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A) / UNION(pre(B), post(A)). \item\end{DoxyCompactList}\item \begin{DoxyCompactList}\small\item\em Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A) / UNION(pre(B), post(A)). \item\end{DoxyCompactList}\item
void \hyperlink{group__correlation_ga0d094eae1d014d89a2de21263fa747da}{\_\-AI\_\-macro\_\-subst} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$$\ast$alert) PRIVATE void \hyperlink{group__correlation_ga70a4aaf8b689472dad62ba7a9bbde1a6}{\_\-AI\_\-macro\_\-subst} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$$\ast$alert)
\begin{DoxyCompactList}\small\item\em Substitute the macros in hyperalert pre-\/conditions and post-\/conditions with their associated values. \item\end{DoxyCompactList}\item \begin{DoxyCompactList}\small\item\em Substitute the macros in hyperalert pre-\/conditions and post-\/conditions with their associated values. \item\end{DoxyCompactList}\item
PRIVATE \hyperlink{structAI__hyperalert__info}{AI\_\-hyperalert\_\-info} $\ast$ \hyperlink{group__correlation_ga929e5c17fdb247a998d83ed6a4ae5a65}{\_\-AI\_\-hyperalert\_\-from\_\-XML} (\hyperlink{structAI__hyperalert__key}{AI\_\-hyperalert\_\-key} key) PRIVATE \hyperlink{structAI__hyperalert__info}{AI\_\-hyperalert\_\-info} $\ast$ \hyperlink{group__correlation_ga929e5c17fdb247a998d83ed6a4ae5a65}{\_\-AI\_\-hyperalert\_\-from\_\-XML} (\hyperlink{structAI__hyperalert__key}{AI\_\-hyperalert\_\-key} key)
\begin{DoxyCompactList}\small\item\em Parse info about a hyperalert from a correlation XML file, if it exists. \item\end{DoxyCompactList}\item \begin{DoxyCompactList}\small\item\em Parse info about a hyperalert from a correlation XML file, if it exists. \item\end{DoxyCompactList}\item
@ -78,16 +88,16 @@ TAG\_\-NUM}
\subsection{Function Documentation} \subsection{Function Documentation}
\hypertarget{group__correlation_ga130e82017fc0abcb76b1a7740ae2f4df}{ \hypertarget{group__correlation_ga9cb283b28a66829574add58a251b93c6}{
\index{correlation@{correlation}!\_\-AI\_\-correlation\_\-coefficient@{\_\-AI\_\-correlation\_\-coefficient}} \index{correlation@{correlation}!\_\-AI\_\-correlation\_\-coefficient@{\_\-AI\_\-correlation\_\-coefficient}}
\index{\_\-AI\_\-correlation\_\-coefficient@{\_\-AI\_\-correlation\_\-coefficient}!correlation@{correlation}} \index{\_\-AI\_\-correlation\_\-coefficient@{\_\-AI\_\-correlation\_\-coefficient}!correlation@{correlation}}
\subsubsection[{\_\-AI\_\-correlation\_\-coefficient}]{\setlength{\rightskip}{0pt plus 5cm}double \_\-AI\_\-correlation\_\-coefficient ( \subsubsection[{\_\-AI\_\-correlation\_\-coefficient}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE double \_\-AI\_\-correlation\_\-coefficient (
\begin{DoxyParamCaption} \begin{DoxyParamCaption}
\item[{{\bf AI\_\-snort\_\-alert} $\ast$}]{ a, } \item[{{\bf AI\_\-snort\_\-alert} $\ast$}]{ a, }
\item[{{\bf AI\_\-snort\_\-alert} $\ast$}]{ b} \item[{{\bf AI\_\-snort\_\-alert} $\ast$}]{ b}
\end{DoxyParamCaption} \end{DoxyParamCaption}
)}} )}}
\label{group__correlation_ga130e82017fc0abcb76b1a7740ae2f4df} \label{group__correlation_ga9cb283b28a66829574add58a251b93c6}
Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A) / UNION(pre(B), post(A)). Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A) / UNION(pre(B), post(A)).
@ -98,6 +108,58 @@ Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B),
\begin{DoxyReturn}{Returns} \begin{DoxyReturn}{Returns}
The correlation coefficient between A and B as coefficient in \mbox{[}0,1\mbox{]} The correlation coefficient between A and B as coefficient in \mbox{[}0,1\mbox{]}
\end{DoxyReturn} \end{DoxyReturn}
\hypertarget{group__correlation_ga9bcb94264ffe30f113f3fb7287b774e3}{
\index{correlation@{correlation}!\_\-AI\_\-correlation\_\-table\_\-cleanup@{\_\-AI\_\-correlation\_\-table\_\-cleanup}}
\index{\_\-AI\_\-correlation\_\-table\_\-cleanup@{\_\-AI\_\-correlation\_\-table\_\-cleanup}!correlation@{correlation}}
\subsubsection[{\_\-AI\_\-correlation\_\-table\_\-cleanup}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE void \_\-AI\_\-correlation\_\-table\_\-cleanup (
\begin{DoxyParamCaption}
{}
\end{DoxyParamCaption}
)}}
\label{group__correlation_ga9bcb94264ffe30f113f3fb7287b774e3}
Clean up the correlation hash table.
\hypertarget{group__correlation_gab716702cd226ab2ad957234a92da6e4a}{
\index{correlation@{correlation}!\_\-AI\_\-get\_\-function\_\-arguments@{\_\-AI\_\-get\_\-function\_\-arguments}}
\index{\_\-AI\_\-get\_\-function\_\-arguments@{\_\-AI\_\-get\_\-function\_\-arguments}!correlation@{correlation}}
\subsubsection[{\_\-AI\_\-get\_\-function\_\-arguments}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE char$\ast$$\ast$ \_\-AI\_\-get\_\-function\_\-arguments (
\begin{DoxyParamCaption}
\item[{char $\ast$}]{ orig\_\-stmt, }
\item[{int $\ast$}]{ n\_\-args}
\end{DoxyParamCaption}
)}}
\label{group__correlation_gab716702cd226ab2ad957234a92da6e4a}
Get the arguments passed to a function predicate in a pre-\/condition or post-\/condition (comma-\/separated values).
FUNCTION: \_\-AI\_\-get\_\-function\_\-arguments
\begin{DoxyParams}{Parameters}
\item[{\em origstmt}]Statement representing a pre-\/condition or post-\/condition \item[{\em n\_\-args}]Reference to an integer that will contain the number of arguments read \end{DoxyParams}
\begin{DoxyReturn}{Returns}
An array of strings containing the arguments of the function
\end{DoxyReturn}
\hypertarget{group__correlation_ga7a1b2d01f526f24ea91d7f08bdefd4fe}{
\index{correlation@{correlation}!\_\-AI\_\-get\_\-function\_\-name@{\_\-AI\_\-get\_\-function\_\-name}}
\index{\_\-AI\_\-get\_\-function\_\-name@{\_\-AI\_\-get\_\-function\_\-name}!correlation@{correlation}}
\subsubsection[{\_\-AI\_\-get\_\-function\_\-name}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE char$\ast$ \_\-AI\_\-get\_\-function\_\-name (
\begin{DoxyParamCaption}
\item[{const char $\ast$}]{ orig\_\-stmt}
\end{DoxyParamCaption}
)}}
\label{group__correlation_ga7a1b2d01f526f24ea91d7f08bdefd4fe}
Get the name of the function called by a pre-\/condition or post-\/condition predicate.
\begin{DoxyParams}{Parameters}
\item[{\em orig\_\-stmt}]Statement representing a pre-\/condition or post-\/condition \end{DoxyParams}
\begin{DoxyReturn}{Returns}
The name of the function called by that statement
\end{DoxyReturn}
\hypertarget{group__correlation_ga929e5c17fdb247a998d83ed6a4ae5a65}{ \hypertarget{group__correlation_ga929e5c17fdb247a998d83ed6a4ae5a65}{
\index{correlation@{correlation}!\_\-AI\_\-hyperalert\_\-from\_\-XML@{\_\-AI\_\-hyperalert\_\-from\_\-XML}} \index{correlation@{correlation}!\_\-AI\_\-hyperalert\_\-from\_\-XML@{\_\-AI\_\-hyperalert\_\-from\_\-XML}}
\index{\_\-AI\_\-hyperalert\_\-from\_\-XML@{\_\-AI\_\-hyperalert\_\-from\_\-XML}!correlation@{correlation}} \index{\_\-AI\_\-hyperalert\_\-from\_\-XML@{\_\-AI\_\-hyperalert\_\-from\_\-XML}!correlation@{correlation}}
@ -117,15 +179,15 @@ Parse info about a hyperalert from a correlation XML file, if it exists.
\begin{DoxyReturn}{Returns} \begin{DoxyReturn}{Returns}
A hyperalert structure containing the info about the current alert, if the XML file was found A hyperalert structure containing the info about the current alert, if the XML file was found
\end{DoxyReturn} \end{DoxyReturn}
\hypertarget{group__correlation_ga0d094eae1d014d89a2de21263fa747da}{ \hypertarget{group__correlation_ga70a4aaf8b689472dad62ba7a9bbde1a6}{
\index{correlation@{correlation}!\_\-AI\_\-macro\_\-subst@{\_\-AI\_\-macro\_\-subst}} \index{correlation@{correlation}!\_\-AI\_\-macro\_\-subst@{\_\-AI\_\-macro\_\-subst}}
\index{\_\-AI\_\-macro\_\-subst@{\_\-AI\_\-macro\_\-subst}!correlation@{correlation}} \index{\_\-AI\_\-macro\_\-subst@{\_\-AI\_\-macro\_\-subst}!correlation@{correlation}}
\subsubsection[{\_\-AI\_\-macro\_\-subst}]{\setlength{\rightskip}{0pt plus 5cm}void \_\-AI\_\-macro\_\-subst ( \subsubsection[{\_\-AI\_\-macro\_\-subst}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE void \_\-AI\_\-macro\_\-subst (
\begin{DoxyParamCaption} \begin{DoxyParamCaption}
\item[{{\bf AI\_\-snort\_\-alert} $\ast$$\ast$}]{ alert} \item[{{\bf AI\_\-snort\_\-alert} $\ast$$\ast$}]{ alert}
\end{DoxyParamCaption} \end{DoxyParamCaption}
)}} )}}
\label{group__correlation_ga0d094eae1d014d89a2de21263fa747da} \label{group__correlation_ga70a4aaf8b689472dad62ba7a9bbde1a6}
Substitute the macros in hyperalert pre-\/conditions and post-\/conditions with their associated values. Substitute the macros in hyperalert pre-\/conditions and post-\/conditions with their associated values.
@ -133,6 +195,23 @@ Substitute the macros in hyperalert pre-\/conditions and post-\/conditions with
\begin{DoxyParams}{Parameters} \begin{DoxyParams}{Parameters}
\item[{\em alert}]Reference to the hyperalert to work on \end{DoxyParams} \item[{\em alert}]Reference to the hyperalert to work on \end{DoxyParams}
\hypertarget{group__correlation_ga4267a39fa1a5ac035015823bca43288e}{
\index{correlation@{correlation}!\_\-AI\_\-print\_\-correlated\_\-alerts@{\_\-AI\_\-print\_\-correlated\_\-alerts}}
\index{\_\-AI\_\-print\_\-correlated\_\-alerts@{\_\-AI\_\-print\_\-correlated\_\-alerts}!correlation@{correlation}}
\subsubsection[{\_\-AI\_\-print\_\-correlated\_\-alerts}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE void \_\-AI\_\-print\_\-correlated\_\-alerts (
\begin{DoxyParamCaption}
\item[{{\bf AI\_\-alert\_\-correlation} $\ast$}]{ corr, }
\item[{FILE $\ast$}]{ fp}
\end{DoxyParamCaption}
)}}
\label{group__correlation_ga4267a39fa1a5ac035015823bca43288e}
Recursively write a flow of correlated alerts to a .dot file, ready for being rendered as graph.
\begin{DoxyParams}{Parameters}
\item[{\em corr\_\-alerts}]Correlated alerts \item[{\em fp}]File pointer \end{DoxyParams}
\hypertarget{group__correlation_ga939353a4e15de7a8f4145ab986f584be}{ \hypertarget{group__correlation_ga939353a4e15de7a8f4145ab986f584be}{
\index{correlation@{correlation}!AI\_\-alert\_\-correlation\_\-thread@{AI\_\-alert\_\-correlation\_\-thread}} \index{correlation@{correlation}!AI\_\-alert\_\-correlation\_\-thread@{AI\_\-alert\_\-correlation\_\-thread}}
\index{AI\_\-alert\_\-correlation\_\-thread@{AI\_\-alert\_\-correlation\_\-thread}!correlation@{correlation}} \index{AI\_\-alert\_\-correlation\_\-thread@{AI\_\-alert\_\-correlation\_\-thread}!correlation@{correlation}}


@ -41,7 +41,7 @@
\vspace*{1cm} \vspace*{1cm}
{\large Generated by Doxygen 1.7.1}\\ {\large Generated by Doxygen 1.7.1}\\
\vspace*{0.5cm} \vspace*{0.5cm}
{\small Sat Sep 11 2010 12:45:18}\\ {\small Tue Sep 14 2010 19:23:42}\\
\end{center} \end{center}
\end{titlepage} \end{titlepage}
\clearemptydoublepage \clearemptydoublepage
@ -67,6 +67,7 @@
\input{struct__AI__snort__alert} \input{struct__AI__snort__alert}
\input{struct__hierarchy__node} \input{struct__hierarchy__node}
\input{structAI__alert__correlation} \input{structAI__alert__correlation}
\input{structAI__alert__correlation__key}
\input{structAI__config} \input{structAI__config}
\input{structAI__hyperalert__info} \input{structAI__hyperalert__info}
\input{structAI__hyperalert__key} \input{structAI__hyperalert__key}


@ -42,6 +42,10 @@ struct \hyperlink{struct__AI__snort__alert}{\_\-AI\_\-snort\_\-alert}
\#define \hyperlink{spp__ai_8h_a803dc913297ccdace9e604dbfecda97d}{DEFAULT\_\-CLUSTER\_\-LOG\_\-FILE}~\char`\"{}/var/log/snort/cluster\_\-alert\char`\"{} \#define \hyperlink{spp__ai_8h_a803dc913297ccdace9e604dbfecda97d}{DEFAULT\_\-CLUSTER\_\-LOG\_\-FILE}~\char`\"{}/var/log/snort/cluster\_\-alert\char`\"{}
\item \item
\#define \hyperlink{spp__ai_8h_a89448386cad5d5533992ae7ee84f4f1d}{DEFAULT\_\-CORR\_\-RULES\_\-DIR}~\char`\"{}/etc/snort/corr\_\-rules\char`\"{} \#define \hyperlink{spp__ai_8h_a89448386cad5d5533992ae7ee84f4f1d}{DEFAULT\_\-CORR\_\-RULES\_\-DIR}~\char`\"{}/etc/snort/corr\_\-rules\char`\"{}
\item
\#define \hyperlink{spp__ai_8h_a7bbeccba60012abcc98db33d39294829}{DEFAULT\_\-CORR\_\-ALERTS\_\-DIR}~\char`\"{}/var/log/snort/correlated\_\-alerts\char`\"{}
\item
\#define \hyperlink{spp__ai_8h_aaedb0b7dc2bdf8d44d3fee2189a55a19}{DEFAULT\_\-CORR\_\-THRESHOLD}~0.5
\end{DoxyCompactItemize} \end{DoxyCompactItemize}
\subsection*{Typedefs} \subsection*{Typedefs}
\begin{DoxyCompactItemize} \begin{DoxyCompactItemize}
@ -132,12 +136,22 @@ Default path to Snort's log file \hypertarget{spp__ai_8h_a803dc913297ccdace9e604
\index{DEFAULT\_\-CLUSTER\_\-LOG\_\-FILE@{DEFAULT\_\-CLUSTER\_\-LOG\_\-FILE}!spp_ai.h@{spp\_\-ai.h}} \index{DEFAULT\_\-CLUSTER\_\-LOG\_\-FILE@{DEFAULT\_\-CLUSTER\_\-LOG\_\-FILE}!spp_ai.h@{spp\_\-ai.h}}
\subsubsection[{DEFAULT\_\-CLUSTER\_\-LOG\_\-FILE}]{\setlength{\rightskip}{0pt plus 5cm}\#define DEFAULT\_\-CLUSTER\_\-LOG\_\-FILE~\char`\"{}/var/log/snort/cluster\_\-alert\char`\"{}}} \subsubsection[{DEFAULT\_\-CLUSTER\_\-LOG\_\-FILE}]{\setlength{\rightskip}{0pt plus 5cm}\#define DEFAULT\_\-CLUSTER\_\-LOG\_\-FILE~\char`\"{}/var/log/snort/cluster\_\-alert\char`\"{}}}
\label{spp__ai_8h_a803dc913297ccdace9e604dbfecda97d} \label{spp__ai_8h_a803dc913297ccdace9e604dbfecda97d}
Default path to Snort's clustered alerts file \hypertarget{spp__ai_8h_a89448386cad5d5533992ae7ee84f4f1d}{ Default path to Snort's clustered alerts file \hypertarget{spp__ai_8h_a7bbeccba60012abcc98db33d39294829}{
\index{spp\_\-ai.h@{spp\_\-ai.h}!DEFAULT\_\-CORR\_\-ALERTS\_\-DIR@{DEFAULT\_\-CORR\_\-ALERTS\_\-DIR}}
\index{DEFAULT\_\-CORR\_\-ALERTS\_\-DIR@{DEFAULT\_\-CORR\_\-ALERTS\_\-DIR}!spp_ai.h@{spp\_\-ai.h}}
\subsubsection[{DEFAULT\_\-CORR\_\-ALERTS\_\-DIR}]{\setlength{\rightskip}{0pt plus 5cm}\#define DEFAULT\_\-CORR\_\-ALERTS\_\-DIR~\char`\"{}/var/log/snort/correlated\_\-alerts\char`\"{}}}
\label{spp__ai_8h_a7bbeccba60012abcc98db33d39294829}
Default directory for placing correlated alerts information (.dot and possibly .png files) \hypertarget{spp__ai_8h_a89448386cad5d5533992ae7ee84f4f1d}{
\index{spp\_\-ai.h@{spp\_\-ai.h}!DEFAULT\_\-CORR\_\-RULES\_\-DIR@{DEFAULT\_\-CORR\_\-RULES\_\-DIR}} \index{spp\_\-ai.h@{spp\_\-ai.h}!DEFAULT\_\-CORR\_\-RULES\_\-DIR@{DEFAULT\_\-CORR\_\-RULES\_\-DIR}}
\index{DEFAULT\_\-CORR\_\-RULES\_\-DIR@{DEFAULT\_\-CORR\_\-RULES\_\-DIR}!spp_ai.h@{spp\_\-ai.h}} \index{DEFAULT\_\-CORR\_\-RULES\_\-DIR@{DEFAULT\_\-CORR\_\-RULES\_\-DIR}!spp_ai.h@{spp\_\-ai.h}}
\subsubsection[{DEFAULT\_\-CORR\_\-RULES\_\-DIR}]{\setlength{\rightskip}{0pt plus 5cm}\#define DEFAULT\_\-CORR\_\-RULES\_\-DIR~\char`\"{}/etc/snort/corr\_\-rules\char`\"{}}} \subsubsection[{DEFAULT\_\-CORR\_\-RULES\_\-DIR}]{\setlength{\rightskip}{0pt plus 5cm}\#define DEFAULT\_\-CORR\_\-RULES\_\-DIR~\char`\"{}/etc/snort/corr\_\-rules\char`\"{}}}
\label{spp__ai_8h_a89448386cad5d5533992ae7ee84f4f1d} \label{spp__ai_8h_a89448386cad5d5533992ae7ee84f4f1d}
Default path to alert correlation rules directory \hypertarget{spp__ai_8h_a3c4984a0ee515fbc091ac6e33b05e310}{ Default path to alert correlation rules directory \hypertarget{spp__ai_8h_aaedb0b7dc2bdf8d44d3fee2189a55a19}{
\index{spp\_\-ai.h@{spp\_\-ai.h}!DEFAULT\_\-CORR\_\-THRESHOLD@{DEFAULT\_\-CORR\_\-THRESHOLD}}
\index{DEFAULT\_\-CORR\_\-THRESHOLD@{DEFAULT\_\-CORR\_\-THRESHOLD}!spp_ai.h@{spp\_\-ai.h}}
\subsubsection[{DEFAULT\_\-CORR\_\-THRESHOLD}]{\setlength{\rightskip}{0pt plus 5cm}\#define DEFAULT\_\-CORR\_\-THRESHOLD~0.5}}
\label{spp__ai_8h_aaedb0b7dc2bdf8d44d3fee2189a55a19}
Default correlation threshold coefficient for correlating two hyperalerts \hypertarget{spp__ai_8h_a3c4984a0ee515fbc091ac6e33b05e310}{
\index{spp\_\-ai.h@{spp\_\-ai.h}!DEFAULT\_\-DATABASE\_\-INTERVAL@{DEFAULT\_\-DATABASE\_\-INTERVAL}} \index{spp\_\-ai.h@{spp\_\-ai.h}!DEFAULT\_\-DATABASE\_\-INTERVAL@{DEFAULT\_\-DATABASE\_\-INTERVAL}}
\index{DEFAULT\_\-DATABASE\_\-INTERVAL@{DEFAULT\_\-DATABASE\_\-INTERVAL}!spp_ai.h@{spp\_\-ai.h}} \index{DEFAULT\_\-DATABASE\_\-INTERVAL@{DEFAULT\_\-DATABASE\_\-INTERVAL}!spp_ai.h@{spp\_\-ai.h}}
\subsubsection[{DEFAULT\_\-DATABASE\_\-INTERVAL}]{\setlength{\rightskip}{0pt plus 5cm}\#define DEFAULT\_\-DATABASE\_\-INTERVAL~30}} \subsubsection[{DEFAULT\_\-DATABASE\_\-INTERVAL}]{\setlength{\rightskip}{0pt plus 5cm}\#define DEFAULT\_\-DATABASE\_\-INTERVAL~30}}


@ -5,9 +5,7 @@
\subsection*{Data Fields} \subsection*{Data Fields}
\begin{DoxyCompactItemize} \begin{DoxyCompactItemize}
\item \item
\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$ \hyperlink{structAI__alert__correlation_a8737f171e1c1b2305c8fe77101d6aeb7}{a} \hyperlink{structAI__alert__correlation__key}{AI\_\-alert\_\-correlation\_\-key} \hyperlink{structAI__alert__correlation_a4e27da4922a1d44497634c8e5968d870}{key}
\item
\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$ \hyperlink{structAI__alert__correlation_a478f1a6f18f9c083b203efdf776379cd}{b}
\item \item
double \hyperlink{structAI__alert__correlation_aad417b2126ae26d7576f006a3dbcdc81}{correlation} double \hyperlink{structAI__alert__correlation_aad417b2126ae26d7576f006a3dbcdc81}{correlation}
\item \item
@ -19,17 +17,7 @@ UT\_\-hash\_\-handle \hyperlink{structAI__alert__correlation_ad3020a87936a2193a9
Struct representing the correlation between all the couples of alerts Struct representing the correlation between all the couples of alerts
\subsection{Field Documentation} \subsection{Field Documentation}
\hypertarget{structAI__alert__correlation_a8737f171e1c1b2305c8fe77101d6aeb7}{ \hypertarget{structAI__alert__correlation_aad417b2126ae26d7576f006a3dbcdc81}{
\index{AI\_\-alert\_\-correlation@{AI\_\-alert\_\-correlation}!a@{a}}
\index{a@{a}!AI_alert_correlation@{AI\_\-alert\_\-correlation}}
\subsubsection[{a}]{\setlength{\rightskip}{0pt plus 5cm}{\bf AI\_\-snort\_\-alert}$\ast$ {\bf AI\_\-alert\_\-correlation::a}}}
\label{structAI__alert__correlation_a8737f171e1c1b2305c8fe77101d6aeb7}
First alert \hypertarget{structAI__alert__correlation_a478f1a6f18f9c083b203efdf776379cd}{
\index{AI\_\-alert\_\-correlation@{AI\_\-alert\_\-correlation}!b@{b}}
\index{b@{b}!AI_alert_correlation@{AI\_\-alert\_\-correlation}}
\subsubsection[{b}]{\setlength{\rightskip}{0pt plus 5cm}{\bf AI\_\-snort\_\-alert}$\ast$ {\bf AI\_\-alert\_\-correlation::b}}}
\label{structAI__alert__correlation_a478f1a6f18f9c083b203efdf776379cd}
Second alert \hypertarget{structAI__alert__correlation_aad417b2126ae26d7576f006a3dbcdc81}{
\index{AI\_\-alert\_\-correlation@{AI\_\-alert\_\-correlation}!correlation@{correlation}} \index{AI\_\-alert\_\-correlation@{AI\_\-alert\_\-correlation}!correlation@{correlation}}
\index{correlation@{correlation}!AI_alert_correlation@{AI\_\-alert\_\-correlation}} \index{correlation@{correlation}!AI_alert_correlation@{AI\_\-alert\_\-correlation}}
\subsubsection[{correlation}]{\setlength{\rightskip}{0pt plus 5cm}double {\bf AI\_\-alert\_\-correlation::correlation}}} \subsubsection[{correlation}]{\setlength{\rightskip}{0pt plus 5cm}double {\bf AI\_\-alert\_\-correlation::correlation}}}
@ -39,7 +27,12 @@ Correlation coefficient \hypertarget{structAI__alert__correlation_ad3020a87936a2
\index{hh@{hh}!AI_alert_correlation@{AI\_\-alert\_\-correlation}} \index{hh@{hh}!AI_alert_correlation@{AI\_\-alert\_\-correlation}}
\subsubsection[{hh}]{\setlength{\rightskip}{0pt plus 5cm}UT\_\-hash\_\-handle {\bf AI\_\-alert\_\-correlation::hh}}} \subsubsection[{hh}]{\setlength{\rightskip}{0pt plus 5cm}UT\_\-hash\_\-handle {\bf AI\_\-alert\_\-correlation::hh}}}
\label{structAI__alert__correlation_ad3020a87936a2193a92f09331401ad42} \label{structAI__alert__correlation_ad3020a87936a2193a92f09331401ad42}
Make the struct 'hashable' Make the struct 'hashable' \hypertarget{structAI__alert__correlation_a4e27da4922a1d44497634c8e5968d870}{
\index{AI\_\-alert\_\-correlation@{AI\_\-alert\_\-correlation}!key@{key}}
\index{key@{key}!AI_alert_correlation@{AI\_\-alert\_\-correlation}}
\subsubsection[{key}]{\setlength{\rightskip}{0pt plus 5cm}{\bf AI\_\-alert\_\-correlation\_\-key} {\bf AI\_\-alert\_\-correlation::key}}}
\label{structAI__alert__correlation_a4e27da4922a1d44497634c8e5968d870}
Hash key
The documentation for this struct was generated from the following file:\begin{DoxyCompactItemize} The documentation for this struct was generated from the following file:\begin{DoxyCompactItemize}
\item \item


@ -0,0 +1,32 @@
\hypertarget{structAI__alert__correlation__key}{
\section{AI\_\-alert\_\-correlation\_\-key Struct Reference}
\label{structAI__alert__correlation__key}\index{AI\_\-alert\_\-correlation\_\-key@{AI\_\-alert\_\-correlation\_\-key}}
}
\subsection*{Data Fields}
\begin{DoxyCompactItemize}
\item
\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$ \hyperlink{structAI__alert__correlation__key_a774daec9332da25835a0904d853acadb}{a}
\item
\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$ \hyperlink{structAI__alert__correlation__key_a5805dec6499a83b818091b4f21c715dc}{b}
\end{DoxyCompactItemize}
\subsection{Detailed Description}
Key for the correlation hash table
\subsection{Field Documentation}
\hypertarget{structAI__alert__correlation__key_a774daec9332da25835a0904d853acadb}{
\index{AI\_\-alert\_\-correlation\_\-key@{AI\_\-alert\_\-correlation\_\-key}!a@{a}}
\index{a@{a}!AI_alert_correlation_key@{AI\_\-alert\_\-correlation\_\-key}}
\subsubsection[{a}]{\setlength{\rightskip}{0pt plus 5cm}{\bf AI\_\-snort\_\-alert}$\ast$ {\bf AI\_\-alert\_\-correlation\_\-key::a}}}
\label{structAI__alert__correlation__key_a774daec9332da25835a0904d853acadb}
First alert \hypertarget{structAI__alert__correlation__key_a5805dec6499a83b818091b4f21c715dc}{
\index{AI\_\-alert\_\-correlation\_\-key@{AI\_\-alert\_\-correlation\_\-key}!b@{b}}
\index{b@{b}!AI_alert_correlation_key@{AI\_\-alert\_\-correlation\_\-key}}
\subsubsection[{b}]{\setlength{\rightskip}{0pt plus 5cm}{\bf AI\_\-snort\_\-alert}$\ast$ {\bf AI\_\-alert\_\-correlation\_\-key::b}}}
\label{structAI__alert__correlation__key_a5805dec6499a83b818091b4f21c715dc}
Second alert
The documentation for this struct was generated from the following file:\begin{DoxyCompactItemize}
\item
\hyperlink{correlation_8c}{correlation.c}\end{DoxyCompactItemize}


@ -19,12 +19,16 @@ unsigned long \hyperlink{structAI__config_ae6ca715cab1d90b70c3aad443133c263}{dat
\item \item
unsigned long \hyperlink{structAI__config_aa736375e57a59936e2e782b7cd200e41}{correlationGraphInterval} unsigned long \hyperlink{structAI__config_aa736375e57a59936e2e782b7cd200e41}{correlationGraphInterval}
\item \item
double \hyperlink{structAI__config_adf6ef0faedfb4dea0a1353e781b14883}{correlationThresholdCoefficient}
\item
char \hyperlink{structAI__config_a2efa9590d7eea6dce8b5dd9aa76ed8ca}{alertfile} \mbox{[}1024\mbox{]} char \hyperlink{structAI__config_a2efa9590d7eea6dce8b5dd9aa76ed8ca}{alertfile} \mbox{[}1024\mbox{]}
\item \item
char \hyperlink{structAI__config_a6da02a3f7116fd3810a41b738e8883a3}{clusterfile} \mbox{[}1024\mbox{]} char \hyperlink{structAI__config_a6da02a3f7116fd3810a41b738e8883a3}{clusterfile} \mbox{[}1024\mbox{]}
\item \item
char \hyperlink{structAI__config_ab7ea93bbe72b85c4019b4f5656ad62fc}{corr\_\-rules\_\-dir} \mbox{[}1024\mbox{]} char \hyperlink{structAI__config_ab7ea93bbe72b85c4019b4f5656ad62fc}{corr\_\-rules\_\-dir} \mbox{[}1024\mbox{]}
\item \item
char \hyperlink{structAI__config_ae68f5489e2ec9ea1408f98fe36d050c9}{corr\_\-alerts\_\-dir} \mbox{[}1024\mbox{]}
\item
char \hyperlink{structAI__config_ac8a93607f12106e2f5c9b43af27107da}{dbname} \mbox{[}256\mbox{]} char \hyperlink{structAI__config_ac8a93607f12106e2f5c9b43af27107da}{dbname} \mbox{[}256\mbox{]}
\item \item
char \hyperlink{structAI__config_aa004adebfdafb6d14092aecd7f4912b0}{dbuser} \mbox{[}256\mbox{]} char \hyperlink{structAI__config_aa004adebfdafb6d14092aecd7f4912b0}{dbuser} \mbox{[}256\mbox{]}
@ -51,7 +55,12 @@ Alert file \hypertarget{structAI__config_a6da02a3f7116fd3810a41b738e8883a3}{
\index{clusterfile@{clusterfile}!AI_config@{AI\_\-config}} \index{clusterfile@{clusterfile}!AI_config@{AI\_\-config}}
\subsubsection[{clusterfile}]{\setlength{\rightskip}{0pt plus 5cm}char {\bf AI\_\-config::clusterfile}\mbox{[}1024\mbox{]}}} \subsubsection[{clusterfile}]{\setlength{\rightskip}{0pt plus 5cm}char {\bf AI\_\-config::clusterfile}\mbox{[}1024\mbox{]}}}
\label{structAI__config_a6da02a3f7116fd3810a41b738e8883a3} \label{structAI__config_a6da02a3f7116fd3810a41b738e8883a3}
Clustered alerts file \hypertarget{structAI__config_ab7ea93bbe72b85c4019b4f5656ad62fc}{ Clustered alerts file \hypertarget{structAI__config_ae68f5489e2ec9ea1408f98fe36d050c9}{
\index{AI\_\-config@{AI\_\-config}!corr\_\-alerts\_\-dir@{corr\_\-alerts\_\-dir}}
\index{corr\_\-alerts\_\-dir@{corr\_\-alerts\_\-dir}!AI_config@{AI\_\-config}}
\subsubsection[{corr\_\-alerts\_\-dir}]{\setlength{\rightskip}{0pt plus 5cm}char {\bf AI\_\-config::corr\_\-alerts\_\-dir}\mbox{[}1024\mbox{]}}}
\label{structAI__config_ae68f5489e2ec9ea1408f98fe36d050c9}
Directory where the correlated alerts' information will be placed \hypertarget{structAI__config_ab7ea93bbe72b85c4019b4f5656ad62fc}{
\index{AI\_\-config@{AI\_\-config}!corr\_\-rules\_\-dir@{corr\_\-rules\_\-dir}} \index{AI\_\-config@{AI\_\-config}!corr\_\-rules\_\-dir@{corr\_\-rules\_\-dir}}
\index{corr\_\-rules\_\-dir@{corr\_\-rules\_\-dir}!AI_config@{AI\_\-config}} \index{corr\_\-rules\_\-dir@{corr\_\-rules\_\-dir}!AI_config@{AI\_\-config}}
\subsubsection[{corr\_\-rules\_\-dir}]{\setlength{\rightskip}{0pt plus 5cm}char {\bf AI\_\-config::corr\_\-rules\_\-dir}\mbox{[}1024\mbox{]}}} \subsubsection[{corr\_\-rules\_\-dir}]{\setlength{\rightskip}{0pt plus 5cm}char {\bf AI\_\-config::corr\_\-rules\_\-dir}\mbox{[}1024\mbox{]}}}
@ -61,7 +70,12 @@ Correlation rules path \hypertarget{structAI__config_aa736375e57a59936e2e782b7cd
\index{correlationGraphInterval@{correlationGraphInterval}!AI_config@{AI\_\-config}} \index{correlationGraphInterval@{correlationGraphInterval}!AI_config@{AI\_\-config}}
\subsubsection[{correlationGraphInterval}]{\setlength{\rightskip}{0pt plus 5cm}unsigned long {\bf AI\_\-config::correlationGraphInterval}}} \subsubsection[{correlationGraphInterval}]{\setlength{\rightskip}{0pt plus 5cm}unsigned long {\bf AI\_\-config::correlationGraphInterval}}}
\label{structAI__config_aa736375e57a59936e2e782b7cd200e41} \label{structAI__config_aa736375e57a59936e2e782b7cd200e41}
Interval in seconds for running the thread for building alert correlation graphs \hypertarget{structAI__config_ae6ca715cab1d90b70c3aad443133c263}{ Interval in seconds for running the thread for building alert correlation graphs \hypertarget{structAI__config_adf6ef0faedfb4dea0a1353e781b14883}{
\index{AI\_\-config@{AI\_\-config}!correlationThresholdCoefficient@{correlationThresholdCoefficient}}
\index{correlationThresholdCoefficient@{correlationThresholdCoefficient}!AI_config@{AI\_\-config}}
\subsubsection[{correlationThresholdCoefficient}]{\setlength{\rightskip}{0pt plus 5cm}double {\bf AI\_\-config::correlationThresholdCoefficient}}}
\label{structAI__config_adf6ef0faedfb4dea0a1353e781b14883}
Correlation threshold coefficient for correlating two hyperalerts. Two hyperalerts are 'correlated' to each other in a multi-\/step attack graph if and only if their correlation value is $>$= m + ks, where m is the average correlation coefficient, s is the standard deviation over this coefficient, and k is this threshold coefficient. Its value can be $>$= 0. A value in \mbox{[}0,1\mbox{]} is strongly suggested, but this value mostly depends on how accurate the correlation rules where defined. Be careful, defining a correlation coefficient $>$ or $>$$>$ 1 no correlation may occur at all! \hypertarget{structAI__config_ae6ca715cab1d90b70c3aad443133c263}{
\index{AI\_\-config@{AI\_\-config}!databaseParsingInterval@{databaseParsingInterval}} \index{AI\_\-config@{AI\_\-config}!databaseParsingInterval@{databaseParsingInterval}}
\index{databaseParsingInterval@{databaseParsingInterval}!AI_config@{AI\_\-config}} \index{databaseParsingInterval@{databaseParsingInterval}!AI_config@{AI\_\-config}}
\subsubsection[{databaseParsingInterval}]{\setlength{\rightskip}{0pt plus 5cm}unsigned long {\bf AI\_\-config::databaseParsingInterval}}} \subsubsection[{databaseParsingInterval}]{\setlength{\rightskip}{0pt plus 5cm}unsigned long {\bf AI\_\-config::databaseParsingInterval}}}


@ -60,6 +60,12 @@ struct \hyperlink{struct__AI__snort__alert}{\_\-AI\_\-snort\_\-alert} $\ast$ \hy
unsigned int \hyperlink{struct__AI__snort__alert_a285aff12d6bac03c316ccc5305d28e53}{grouped\_\-alarms\_\-count} unsigned int \hyperlink{struct__AI__snort__alert_a285aff12d6bac03c316ccc5305d28e53}{grouped\_\-alarms\_\-count}
\item \item
\hyperlink{structAI__hyperalert__info}{AI\_\-hyperalert\_\-info} $\ast$ \hyperlink{struct__AI__snort__alert_ac101de15b4f9451f235b82122f77b62a}{hyperalert} \hyperlink{structAI__hyperalert__info}{AI\_\-hyperalert\_\-info} $\ast$ \hyperlink{struct__AI__snort__alert_ac101de15b4f9451f235b82122f77b62a}{hyperalert}
\item
struct \hyperlink{struct__AI__snort__alert}{\_\-AI\_\-snort\_\-alert} $\ast$ \hyperlink{struct__AI__snort__alert_a55a5488c7ee7706ded4c16b1235fd9c7}{previous\_\-correlated}
\item
struct \hyperlink{struct__AI__snort__alert}{\_\-AI\_\-snort\_\-alert} $\ast$$\ast$ \hyperlink{struct__AI__snort__alert_aac5e4078600ed17532db1f3d78165390}{derived\_\-alerts}
\item
unsigned int \hyperlink{struct__AI__snort__alert_a1f2d5e8cfd0e6321b977173d1e90cb68}{n\_\-derived\_\-alerts}
\end{DoxyCompactItemize} \end{DoxyCompactItemize}
@ -72,7 +78,12 @@ Data type for Snort alerts
\index{classification@{classification}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}} \index{classification@{classification}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
\subsubsection[{classification}]{\setlength{\rightskip}{0pt plus 5cm}char$\ast$ {\bf \_\-AI\_\-snort\_\-alert::classification}}} \subsubsection[{classification}]{\setlength{\rightskip}{0pt plus 5cm}char$\ast$ {\bf \_\-AI\_\-snort\_\-alert::classification}}}
\label{struct__AI__snort__alert_aa89585e14acb2c4e684a1552d322632f} \label{struct__AI__snort__alert_aa89585e14acb2c4e684a1552d322632f}
\hypertarget{struct__AI__snort__alert_ac0902d7c756ec675fb06347ce4706135}{ \hypertarget{struct__AI__snort__alert_aac5e4078600ed17532db1f3d78165390}{
\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!derived\_\-alerts@{derived\_\-alerts}}
\index{derived\_\-alerts@{derived\_\-alerts}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
\subsubsection[{derived\_\-alerts}]{\setlength{\rightskip}{0pt plus 5cm}struct {\bf \_\-AI\_\-snort\_\-alert}$\ast$$\ast$ {\bf \_\-AI\_\-snort\_\-alert::derived\_\-alerts}}}
\label{struct__AI__snort__alert_aac5e4078600ed17532db1f3d78165390}
Array of directly correlated 'derived' alerts from the current one, if any \hypertarget{struct__AI__snort__alert_ac0902d7c756ec675fb06347ce4706135}{
\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!desc@{desc}} \index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!desc@{desc}}
\index{desc@{desc}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}} \index{desc@{desc}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
\subsubsection[{desc}]{\setlength{\rightskip}{0pt plus 5cm}char$\ast$ {\bf \_\-AI\_\-snort\_\-alert::desc}}} \subsubsection[{desc}]{\setlength{\rightskip}{0pt plus 5cm}char$\ast$ {\bf \_\-AI\_\-snort\_\-alert::desc}}}
@ -132,12 +143,22 @@ Hyperalert information, pre-\/conditions and post-\/conditions \hypertarget{stru
\index{ip\_\-ttl@{ip\_\-ttl}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}} \index{ip\_\-ttl@{ip\_\-ttl}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
\subsubsection[{ip\_\-ttl}]{\setlength{\rightskip}{0pt plus 5cm}{\bf uint8\_\-t} {\bf \_\-AI\_\-snort\_\-alert::ip\_\-ttl}}} \subsubsection[{ip\_\-ttl}]{\setlength{\rightskip}{0pt plus 5cm}{\bf uint8\_\-t} {\bf \_\-AI\_\-snort\_\-alert::ip\_\-ttl}}}
\label{struct__AI__snort__alert_a3c9bbe84ec696cd58668a45799a66600} \label{struct__AI__snort__alert_a3c9bbe84ec696cd58668a45799a66600}
\hypertarget{struct__AI__snort__alert_aa8336d4b3359015ed8ea312ca1fd1173}{ \hypertarget{struct__AI__snort__alert_a1f2d5e8cfd0e6321b977173d1e90cb68}{
\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!n\_\-derived\_\-alerts@{n\_\-derived\_\-alerts}}
\index{n\_\-derived\_\-alerts@{n\_\-derived\_\-alerts}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
\subsubsection[{n\_\-derived\_\-alerts}]{\setlength{\rightskip}{0pt plus 5cm}unsigned int {\bf \_\-AI\_\-snort\_\-alert::n\_\-derived\_\-alerts}}}
\label{struct__AI__snort__alert_a1f2d5e8cfd0e6321b977173d1e90cb68}
Number of derived alerts \hypertarget{struct__AI__snort__alert_aa8336d4b3359015ed8ea312ca1fd1173}{
\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!next@{next}} \index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!next@{next}}
\index{next@{next}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}} \index{next@{next}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
\subsubsection[{next}]{\setlength{\rightskip}{0pt plus 5cm}struct {\bf \_\-AI\_\-snort\_\-alert}$\ast$ {\bf \_\-AI\_\-snort\_\-alert::next}}} \subsubsection[{next}]{\setlength{\rightskip}{0pt plus 5cm}struct {\bf \_\-AI\_\-snort\_\-alert}$\ast$ {\bf \_\-AI\_\-snort\_\-alert::next}}}
\label{struct__AI__snort__alert_aa8336d4b3359015ed8ea312ca1fd1173} \label{struct__AI__snort__alert_aa8336d4b3359015ed8ea312ca1fd1173}
Pointer to the next alert in the log, if any \hypertarget{struct__AI__snort__alert_a25661fa4e212c5e30af5e6a892985ec9}{ Pointer to the next alert in the log, if any \hypertarget{struct__AI__snort__alert_a55a5488c7ee7706ded4c16b1235fd9c7}{
\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!previous\_\-correlated@{previous\_\-correlated}}
\index{previous\_\-correlated@{previous\_\-correlated}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
\subsubsection[{previous\_\-correlated}]{\setlength{\rightskip}{0pt plus 5cm}struct {\bf \_\-AI\_\-snort\_\-alert}$\ast$ {\bf \_\-AI\_\-snort\_\-alert::previous\_\-correlated}}}
\label{struct__AI__snort__alert_a55a5488c7ee7706ded4c16b1235fd9c7}
\hypertarget{struct__AI__snort__alert_a25661fa4e212c5e30af5e6a892985ec9}{
\index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!priority@{priority}} \index{\_\-AI\_\-snort\_\-alert@{\_\-AI\_\-snort\_\-alert}!priority@{priority}}
\index{priority@{priority}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}} \index{priority@{priority}!_AI_snort_alert@{\_\-AI\_\-snort\_\-alert}}
\subsubsection[{priority}]{\setlength{\rightskip}{0pt plus 5cm}unsigned short {\bf \_\-AI\_\-snort\_\-alert::priority}}} \subsubsection[{priority}]{\setlength{\rightskip}{0pt plus 5cm}unsigned short {\bf \_\-AI\_\-snort\_\-alert::priority}}}

View file

@ -68,7 +68,7 @@ typedef unsigned long word;
/* The trie is represented by an array and each node in /* The trie is represented by an array and each node in
the trie is compactly represented using only 32 bits: the trie is compactly represented using only 32 bits:
5 + 5 + 22 = branch + skip + adr */ 5 + 5 + 22 = branch + skip + adr */
typedef word node_t; typedef word trie_node_t;
#define NOPRE -1 /* an empty prefix pointer */ #define NOPRE -1 /* an empty prefix pointer */
@ -137,7 +137,7 @@ typedef struct { /* compact version of above */
typedef struct routtablerec *routtable_t; typedef struct routtablerec *routtable_t;
struct routtablerec { struct routtablerec {
node_t *trie; /* the main trie search structure */ trie_node_t *trie; /* the main trie search structure */
int triesize; int triesize;
comp_base_t *base; /* the base vector */ comp_base_t *base; /* the base vector */
int basesize; int basesize;


@ -18,7 +18,7 @@
*/ */
#include "spp_ai.h" #include "spp_ai.h"
#ifdef ENABLE_MYSQL #ifdef HAVE_LIBMYSQLCLIENT
#include <mysql/mysql.h> #include <mysql/mysql.h>

110
spp_ai.c

@ -133,22 +133,24 @@ static AI_config * AI_parse(char *args)
{ {
char *arg; char *arg;
char *match; char *match;
char alertfile[1024] = { 0 }; char alertfile[1024] = { 0 };
char clusterfile[1024] = { 0 }; char clusterfile[1024] = { 0 };
char corr_rules_dir[1024] = { 0 }; char corr_rules_dir[1024] = { 0 };
char corr_alerts_dir[1024] = { 0 };
char **matches = NULL; char **matches = NULL;
int nmatches = 0; int nmatches = 0;
int i; int i;
int offset; int offset;
int len; int len;
double corr_threshold_coefficient = DEFAULT_CORR_THRESHOLD;
uint32_t netmask; uint32_t netmask;
int min_val; int min_val;
int max_val; int max_val;
char label[256]; char label[256];
cluster_type type; cluster_type type;
hierarchy_node **hierarchy_nodes = NULL; hierarchy_node **hierarchy_nodes = NULL;
int n_hierarchy_nodes = 0; int n_hierarchy_nodes = 0;
@ -158,21 +160,23 @@ static AI_config * AI_parse(char *args)
alertfile_len = 0, alertfile_len = 0,
clusterfile_len = 0, clusterfile_len = 0,
corr_rules_dir_len = 0, corr_rules_dir_len = 0,
corr_alerts_dir_len = 0,
alert_clustering_interval = 0, alert_clustering_interval = 0,
database_parsing_interval = 0, database_parsing_interval = 0,
correlation_graph_interval = 0; correlation_graph_interval = 0;
BOOL has_cleanup_interval = false, BOOL has_cleanup_interval = false,
has_stream_expire_interval = false, has_stream_expire_interval = false,
has_correlation_interval = false, has_correlation_interval = false,
has_database_interval = false, has_corr_alerts_dir = false,
has_alertfile = false, has_database_interval = false,
has_clusterfile = false, has_alertfile = false,
has_corr_rules_dir = false, has_clusterfile = false,
has_clustering = false, has_corr_rules_dir = false,
has_database_log = false; has_clustering = false,
has_database_log = false;
AI_config *config = NULL; AI_config *config = NULL;
if ( !( config = ( AI_config* ) malloc ( sizeof( AI_config )) )) if ( !( config = ( AI_config* ) malloc ( sizeof( AI_config )) ))
_dpd.fatalMsg("Could not allocate configuration struct.\n"); _dpd.fatalMsg("Could not allocate configuration struct.\n");
@ -276,6 +280,27 @@ static AI_config * AI_parse(char *args)
_dpd.logMsg(" Correlation graph thread interval: %d\n", config->correlationGraphInterval); _dpd.logMsg(" Correlation graph thread interval: %d\n", config->correlationGraphInterval);
} }
/* Parsing the correlation_threshold_coefficient option */
if (( arg = (char*) strcasestr( args, "correlation_threshold_coefficient" ) ))
{
/* has_stream_expire_interval = true; */
for ( arg += strlen("correlation_threshold_coefficient");
*arg && (*arg < '0' || *arg > '9');
arg++ );
if ( !(*arg) )
{
_dpd.fatalMsg("AIPreproc: correlation_threshold_coefficient option used but "
"no value specified\n");
}
corr_threshold_coefficient = strtod ( arg, NULL );
_dpd.logMsg( " Correlation threshold coefficient: %d\n", corr_threshold_coefficient );
}
config->correlationThresholdCoefficient = corr_threshold_coefficient;
/* Parsing the alertfile option */ /* Parsing the alertfile option */
if (( arg = (char*) strcasestr( args, "alertfile" ) )) if (( arg = (char*) strcasestr( args, "alertfile" ) ))
{ {
@ -373,6 +398,38 @@ static AI_config * AI_parse(char *args)
} }
} }
/* Parsing the correlated_alerts_dir option */
if (( arg = (char*) strcasestr( args, "correlated_alerts_dir" ) ))
{
for ( arg += strlen("correlated_alerts_dir");
*arg && *arg != '"';
arg++ );
if ( !(*(arg++)) )
{
_dpd.fatalMsg("AIPreproc: correlated_alerts_dir option used but no filename specified\n");
}
for ( corr_alerts_dir[ (++corr_alerts_dir_len)-1 ] = *arg;
*arg && *arg != '"' && corr_alerts_dir_len < 1024;
arg++, corr_alerts_dir[ (++corr_alerts_dir_len)-1 ] = *arg );
if ( corr_alerts_dir[0] == 0 || corr_alerts_dir_len <= 1 ) {
has_corr_alerts_dir = false;
} else {
if ( corr_alerts_dir_len >= 1024 ) {
_dpd.fatalMsg("AIPreproc: correlated_alerts_dir path too long ( >= 1024 )\n");
} else if ( strlen( corr_alerts_dir ) == 0 ) {
has_corr_alerts_dir = false;
} else {
has_corr_alerts_dir = true;
corr_alerts_dir[ corr_alerts_dir_len-1 ] = 0;
strncpy ( config->corr_alerts_dir, corr_alerts_dir, corr_alerts_dir_len );
_dpd.logMsg(" correlated_alerts_dir: %s\n", config->corr_alerts_dir);
}
}
}
/* Parsing database option */ /* Parsing database option */
if ( preg_match ( "\\s*database\\s*\\(\\s*([^\\)]+)\\)", args, &matches, &nmatches ) > 0 ) if ( preg_match ( "\\s*database\\s*\\(\\s*([^\\)]+)\\)", args, &matches, &nmatches ) > 0 )
{ {
@ -699,8 +756,8 @@ static AI_config * AI_parse(char *args)
} else if ( has_database_log ) { } else if ( has_database_log ) {
has_alertfile = false; has_alertfile = false;
#ifdef ENABLE_DB #ifdef HAVE_LIBMYSQLCLIENT
alertparser_thread = AI_db_alertparser_thread; alertparser_thread = AI_db_alertparser_thread;
#else #else
_dpd.fatalMsg ( "AIPreproc: database logging enabled in config file, but the module was not compiled " _dpd.fatalMsg ( "AIPreproc: database logging enabled in config file, but the module was not compiled "
"with database support (recompile, i.e., with ./configure --with-mysql)\n" ); "with database support (recompile, i.e., with ./configure --with-mysql)\n" );
@ -745,9 +802,16 @@ static AI_config * AI_parse(char *args)
_dpd.logMsg ( "Using correlation rules from directory %s\n", config->corr_rules_dir ); _dpd.logMsg ( "Using correlation rules from directory %s\n", config->corr_rules_dir );
if ( ! has_corr_alerts_dir )
{
strncpy ( config->corr_alerts_dir, DEFAULT_CORR_ALERTS_DIR, sizeof ( DEFAULT_CORR_ALERTS_DIR ));
}
_dpd.logMsg ( "Saving correlated alerts information in %s\n", config->corr_alerts_dir );
if ( has_database_log ) if ( has_database_log )
{ {
#ifdef ENABLE_DB #ifdef HAVE_LIBMYSQLCLIENT
get_alerts = AI_db_get_alerts; get_alerts = AI_db_get_alerts;
#else #else
_dpd.fatalMsg ( "AIPreproc: Using database alert log, but the module was not compiled with database support\n" ); _dpd.fatalMsg ( "AIPreproc: Using database alert log, but the module was not compiled with database support\n" );
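Review bot: The log call in the new correlation_threshold_coefficient branch passes a double to a `%d` conversion, which is undefined behaviour and prints a garbage value instead of the configured coefficient; it should read `_dpd.logMsg( " Correlation threshold coefficient: %f\n", corr_threshold_coefficient );`. The digit scan just above it also silently drops a leading sign or decimal point, so `-0.5` is read as 0.5 and `.5` as 5.0, and `strtod( arg, NULL )` throws away the end pointer that would expose such mis-parses; consider scanning to the first of `-`, `.` or a digit, passing an end pointer, and rejecting a result below the documented `>= 0` range, since nothing here validates the value. The commented-out `/* has_stream_expire_interval = true; */` line looks like a copy-paste leftover and should be removed. AI_parse begins and ends outside these hunks.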


@ -54,6 +54,12 @@
/** Default path to alert correlation rules directory */ /** Default path to alert correlation rules directory */
#define DEFAULT_CORR_RULES_DIR "/etc/snort/corr_rules" #define DEFAULT_CORR_RULES_DIR "/etc/snort/corr_rules"
/** Default directory for placing correlated alerts information (.dot and possibly .png files) */
#define DEFAULT_CORR_ALERTS_DIR "/var/log/snort/correlated_alerts"
/** Default correlation threshold coefficient for correlating two hyperalerts */
#define DEFAULT_CORR_THRESHOLD 0.5
extern DynamicPreprocessorData _dpd; extern DynamicPreprocessorData _dpd;
typedef unsigned char uint8_t; typedef unsigned char uint8_t;
typedef unsigned short uint16_t; typedef unsigned short uint16_t;
@ -114,6 +120,16 @@ typedef struct
/** Interval in seconds for running the thread for building alert correlation graphs */ /** Interval in seconds for running the thread for building alert correlation graphs */
unsigned long correlationGraphInterval; unsigned long correlationGraphInterval;
/** Correlation threshold coefficient for correlating two hyperalerts. Two hyperalerts
* are 'correlated' to each other in a multi-step attack graph if and only if their
* correlation value is >= m + ks, where m is the average correlation coefficient,
* s is the standard deviation over this coefficient, and k is this threshold
* coefficient. Its value can be >= 0. A value in [0,1] is strongly suggested,
* but this value mostly depends on how accurate the correlation rules where
* defined. Be careful, defining a correlation coefficient > or >> 1 no correlation
* may occur at all! */
double correlationThresholdCoefficient;
/** Alert file */ /** Alert file */
char alertfile[1024]; char alertfile[1024];
@ -123,6 +139,9 @@ typedef struct
/** Correlation rules path */ /** Correlation rules path */
char corr_rules_dir[1024]; char corr_rules_dir[1024];
/** Directory where the correlated alerts' information will be placed */
char corr_alerts_dir[1024];
/** Database name, if database logging is used */ /** Database name, if database logging is used */
char dbname[256]; char dbname[256];
@ -231,6 +250,17 @@ typedef struct _AI_snort_alert {
/** Hyperalert information, pre-conditions /** Hyperalert information, pre-conditions
* and post-conditions*/ * and post-conditions*/
AI_hyperalert_info *hyperalert; AI_hyperalert_info *hyperalert;
/* 'Parent' correlated alert in the chain,
* if any*/
struct _AI_snort_alert *previous_correlated;
/** Array of directly correlated 'derived'
* alerts from the current one, if any */
struct _AI_snort_alert **derived_alerts;
/** Number of derived alerts */
unsigned int n_derived_alerts;
} AI_snort_alert; } AI_snort_alert;
/*****************************************************************/ /*****************************************************************/
@ -242,7 +272,7 @@ void* AI_hashcleanup_thread ( void* );
void* AI_file_alertparser_thread ( void* ); void* AI_file_alertparser_thread ( void* );
void* AI_alert_correlation_thread ( void* ); void* AI_alert_correlation_thread ( void* );
#ifdef ENABLE_DB #ifdef HAVE_LIBMYSQLCLIENT
AI_snort_alert* AI_db_get_alerts ( void ); AI_snort_alert* AI_db_get_alerts ( void );
void AI_db_free_alerts ( AI_snort_alert *node ); void AI_db_free_alerts ( AI_snort_alert *node );
void* AI_db_alertparser_thread ( void* ); void* AI_db_alertparser_thread ( void* );
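Review bot: The new `previous_correlated` field is documented with a plain `/* ... */` comment rather than the `/** ... */` form used by the neighbouring fields, so Doxygen drops it — the regenerated struct__AI__snort__alert page in this same commit shows the field with no description; change it to `/** 'Parent' correlated alert in the chain, if any */`. The `correlationThresholdCoefficient` comment has a typo (`where defined` should be `were defined`) and says the value "can be >= 0" without stating what happens otherwise; since nothing visible in this commit enforces that range, the comment should say that an out-of-range value is not rejected by the parser, or the parser should be made to reject it. The final hunk may continue past the end of this view.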