Data Structures | Defines | Typedefs | Enumerations | Functions | Variables

spp_ai.h File Reference

#include "sf_snort_packet.h"
#include "sf_dynamic_preprocessor.h"
#include "uthash.h"

Go to the source code of this file.

Data Structures

struct  pkt_key
struct  pkt_info
struct  AI_config
struct  _hierarchy_node
struct  _AI_snort_alert

Defines

#define PRIVATE   static
#define DEFAULT_HASH_CLEANUP_INTERVAL   300
#define DEFAULT_STREAM_EXPIRE_INTERVAL   300
#define DEFAULT_DATABASE_INTERVAL   30
#define DEFAULT_ALERT_CLUSTERING_INTERVAL   3600
#define DEFAULT_ALERT_LOG_FILE   "/var/log/snort/alert"
#define DEFAULT_CLUSTER_LOG_FILE   "/var/log/snort/cluster_alert"

Typedefs

typedef unsigned char uint8_t
typedef unsigned short uint16_t
typedef unsigned int uint32_t
typedef struct _hierarchy_node hierarchy_node
typedef struct _AI_snort_alert AI_snort_alert

Enumerations

enum  BOOL { false, true }
enum  cluster_type {
  none, src_addr, dst_addr, src_port,
  dst_port, CLUSTER_TYPES
}

Functions

int preg_match (const char *, char *, char ***, int *)
 Check if a string matches a regular expression.
void * AI_hashcleanup_thread (void *)
 Thread called for cleaning up the hash table from the traffic streams older than a certain threshold.
void * AI_file_alertparser_thread (void *)
 Thread for parsing Snort's alert file.
void * AI_mysql_alertparser_thread (void *)
 Thread for parsing alerts from MySQL database.
void AI_pkt_enqueue (SFSnortPacket *)
 Function called for appending a new packet to the hash table, creating a new stream or appending it to an existing stream.
void AI_set_stream_observed (struct pkt_key key)
 Set the flag "observed" on a stream associated to a security alert, so that it won't be removed from the hash table.
void AI_hierarchies_build (AI_config *, hierarchy_node **, int)
 Build the clustering hierarchy trees.
struct pkt_infoAI_get_stream_by_key (struct pkt_key)
 Get a TCP stream by key.
AI_snort_alertAI_get_alerts (void)
 Return the alerts parsed so far as a linked list.
AI_snort_alertAI_mysql_get_alerts (void)
 Return the alerts parsed so far as a linked list.
void AI_free_alerts (AI_snort_alert *node)
 Deallocate the memory of a log alert linked list.
void AI_mysql_free_alerts (AI_snort_alert *node)

Variables

DynamicPreprocessorData _dpd
AI_snort_alert *(* get_alerts )(void)

Define Documentation

#define DEFAULT_ALERT_CLUSTERING_INTERVAL   3600

Default interval in seconds for the thread clustering alerts

#define DEFAULT_ALERT_LOG_FILE   "/var/log/snort/alert"

Default path to Snort's log file

#define DEFAULT_CLUSTER_LOG_FILE   "/var/log/snort/cluster_alert"

Default path to Snort's clustered alerts file

#define DEFAULT_DATABASE_INTERVAL   30

Default interval in seconds for reading alerts from the alert database, if used

#define DEFAULT_HASH_CLEANUP_INTERVAL   300

Default interval in seconds for the thread cleaning up TCP streams

#define DEFAULT_STREAM_EXPIRE_INTERVAL   300

Default interval in seconds before a stream without any packet is considered timed out

#define PRIVATE   static

Typedef Documentation

Data type for Snort alerts

typedef unsigned short uint16_t
typedef unsigned int uint32_t
typedef unsigned char uint8_t

Enumeration Type Documentation

enum BOOL
Enumerator:
false 
true 

Possible types of clustering attributes

Enumerator:
none 
src_addr 
dst_addr 
src_port 
dst_port 
CLUSTER_TYPES 

Function Documentation

void AI_mysql_free_alerts ( AI_snort_alert node  ) 

Variable Documentation

DynamicPreprocessorData _dpd

Function pointer to the function used for getting the alert list (from log file, db, ...)

 All Data Structures Files Functions Variables Typedefs Enumerations Enumerator Defines