#include "sf_snort_packet.h"
#include "sf_dynamic_preprocessor.h"
#include "uthash.h"
Go to the source code of this file.
Data Structures |
| struct | pkt_key |
| struct | pkt_info |
| struct | AI_config |
| struct | _hierarchy_node |
| struct | _AI_snort_alert |
Defines |
| #define | PRIVATE static |
| #define | DEFAULT_HASH_CLEANUP_INTERVAL 300 |
| #define | DEFAULT_STREAM_EXPIRE_INTERVAL 300 |
| #define | DEFAULT_DATABASE_INTERVAL 30 |
| #define | DEFAULT_ALERT_CLUSTERING_INTERVAL 3600 |
| #define | DEFAULT_ALERT_LOG_FILE "/var/log/snort/alert" |
| #define | DEFAULT_CLUSTER_LOG_FILE "/var/log/snort/cluster_alert" |
Typedefs |
| typedef unsigned char | uint8_t |
| typedef unsigned short | uint16_t |
| typedef unsigned int | uint32_t |
| typedef struct _hierarchy_node | hierarchy_node |
| typedef struct _AI_snort_alert | AI_snort_alert |
Enumerations |
| enum | BOOL { false,
true
} |
| enum | cluster_type {
none,
src_addr,
dst_addr,
src_port,
dst_port,
CLUSTER_TYPES
} |
Functions |
| int | preg_match (const char *, char *, char ***, int *) |
| | Check if a string matches a regular expression.
|
| void * | AI_hashcleanup_thread (void *) |
| | Thread called for cleaning up the hash table from the traffic streams older than a certain threshold.
|
| void * | AI_file_alertparser_thread (void *) |
| | Thread for parsing Snort's alert file.
|
| void | AI_pkt_enqueue (SFSnortPacket *) |
| | Function called for appending a new packet to the hash table, creating a new stream or appending it to an existing stream.
|
| void | AI_set_stream_observed (struct pkt_key key) |
| | Set the flag "observed" on a stream associated to a security alert, so that it won't be removed from the hash table.
|
| void | AI_hierarchies_build (AI_config *, hierarchy_node **, int) |
| | Build the clustering hierarchy trees.
|
| struct pkt_info * | AI_get_stream_by_key (struct pkt_key) |
| | Get a TCP stream by key.
|
| AI_snort_alert * | AI_get_alerts (void) |
| | Return the alerts parsed so far as a linked list.
|
| void | AI_free_alerts (AI_snort_alert *node) |
| | Deallocate the memory of a log alert linked list.
|
Variables |
| DynamicPreprocessorData | _dpd |
| AI_snort_alert *(* | get_alerts )(void) |
Define Documentation
| #define DEFAULT_ALERT_CLUSTERING_INTERVAL 3600 |
Default interval in seconds for the thread clustering alerts
| #define DEFAULT_ALERT_LOG_FILE "/var/log/snort/alert" |
Default path to Snort's log file
| #define DEFAULT_CLUSTER_LOG_FILE "/var/log/snort/cluster_alert" |
Default path to Snort's clustered alerts file
| #define DEFAULT_DATABASE_INTERVAL 30 |
Default interval in seconds for reading alerts from the alert database, if used
| #define DEFAULT_HASH_CLEANUP_INTERVAL 300 |
Default interval in seconds for the thread cleaning up TCP streams
| #define DEFAULT_STREAM_EXPIRE_INTERVAL 300 |
Default interval in seconds before a stream without any packet is considered timed out
Typedef Documentation
Data type for Snort alerts
Enumeration Type Documentation
Possible types of clustering attributes
- Enumerator:
| none |
|
| src_addr |
|
| dst_addr |
|
| src_port |
|
| dst_port |
|
| CLUSTER_TYPES |
|
Variable Documentation
| DynamicPreprocessorData _dpd |
Function pointer to the function used for getting the alert list (from log file, db, ...)
1.7.1