Data Structures | |
| struct | AI_alert_correlation |
Enumerations | |
| enum | { inHyperAlert, inSnortIdTag, inPreTag, inPostTag, TAG_NUM } |
Functions | |
| double | _AI_correlation_coefficient (AI_snort_alert *a, AI_snort_alert *b) |
| Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A) / UNION(pre(B), post(A)). | |
| void | _AI_macro_subst (AI_snort_alert **alert) |
| Substitute the macros in hyperalert pre-conditions and post-conditions with their associated values. | |
| PRIVATE AI_hyperalert_info * | _AI_hyperalert_from_XML (AI_hyperalert_key key) |
| Parse info about a hyperalert from a correlation XML file, if it exists. | |
| void * | AI_alert_correlation_thread (void *arg) |
| Thread for correlating clustered alerts. | |
Variables | |
| PRIVATE AI_hyperalert_info * | hyperalerts = NULL |
| PRIVATE AI_config * | conf = NULL |
| PRIVATE AI_snort_alert * | alerts = NULL |
| PRIVATE AI_alert_correlation * | correlation_table = NULL |
| PRIVATE BOOL | lock_flag = false |
| anonymous enum |
| double _AI_correlation_coefficient | ( | AI_snort_alert * | a, | |
| AI_snort_alert * | b | |||
| ) |
Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A) / UNION(pre(B), post(A)).
| a | Alert a | |
| b | Alert b |
| PRIVATE AI_hyperalert_info* _AI_hyperalert_from_XML | ( | AI_hyperalert_key | key | ) |
Parse info about a hyperalert from a correlation XML file, if it exists.
| key | Key (gid, sid, rev) identifying the alert |
| void _AI_macro_subst | ( | AI_snort_alert ** | alert | ) |
Substitute the macros in hyperalert pre-conditions and post-conditions with their associated values.
| alert | Reference to the hyperalert to work on |
| void* AI_alert_correlation_thread | ( | void * | arg | ) |
Thread for correlating clustered alerts.
| arg | Void pointer to module's configuration |
| PRIVATE AI_snort_alert* alerts = NULL |
| PRIVATE AI_alert_correlation* correlation_table = NULL |
| PRIVATE AI_hyperalert_info* hyperalerts = NULL |
1.7.1
