
spp_ai.h File Reference

#include "sf_snort_packet.h"
#include "sf_dynamic_preprocessor.h"
#include "uthash.h"


Data Structures

struct  pkt_key
struct  pkt_info
struct  AI_config
struct  _hierarchy_node
struct  _AI_snort_alert

Defines

#define PRIVATE   static
#define DEFAULT_HASH_CLEANUP_INTERVAL   300
#define DEFAULT_STREAM_EXPIRE_INTERVAL   300
#define DEFAULT_ALERT_CLUSTERING_INTERVAL   3600
#define DEFAULT_ALERT_LOG_FILE   "/var/log/snort/alert"
#define DEFAULT_CLUSTER_LOG_FILE   "/var/log/snort/cluster_alert"

Typedefs

typedef unsigned char uint8_t
typedef unsigned short uint16_t
typedef unsigned int uint32_t
typedef struct _hierarchy_node hierarchy_node
typedef struct _AI_snort_alert AI_snort_alert

Enumerations

enum  BOOL { false, true }
enum  cluster_type {
  none, src_addr, dst_addr, src_port,
  dst_port, CLUSTER_TYPES
}

Functions

int preg_match (const char *, char *, char ***, int *)
 Check if a string matches a regular expression.
void * AI_hashcleanup_thread (void *)
 Thread that removes from the hash table the traffic streams older than a certain threshold.
void * AI_alertparser_thread (void *)
 Thread for parsing Snort's alert file.
void AI_pkt_enqueue (SFSnortPacket *)
 Function called for appending a new packet to the hash table, creating a new stream or appending it to an existing stream.
void AI_set_stream_observed (struct pkt_key key)
 Set the flag "observed" on a stream associated with a security alert, so that it won't be removed from the hash table.
void AI_hierarchies_build (AI_config *, hierarchy_node **, int)
 Build the clustering hierarchy trees.
struct pkt_info * AI_get_stream_by_key (struct pkt_key)
 Get a TCP stream by key.
AI_snort_alert * AI_get_alerts (void)
 Return the alerts parsed so far as a linked list.
void AI_free_alerts (AI_snort_alert *node)
 Deallocate the memory of a log alert linked list.

Variables

DynamicPreprocessorData _dpd

Define Documentation

#define DEFAULT_ALERT_CLUSTERING_INTERVAL   3600
#define DEFAULT_ALERT_LOG_FILE   "/var/log/snort/alert"
#define DEFAULT_CLUSTER_LOG_FILE   "/var/log/snort/cluster_alert"
#define DEFAULT_HASH_CLEANUP_INTERVAL   300
#define DEFAULT_STREAM_EXPIRE_INTERVAL   300
#define PRIVATE   static

Typedef Documentation

typedef unsigned short uint16_t
typedef unsigned int uint32_t
typedef unsigned char uint8_t

Enumeration Type Documentation

enum BOOL
Enumerator:
false 
true 
enum cluster_type
Enumerator:
none 
src_addr 
dst_addr 
src_port 
dst_port 
CLUSTER_TYPES 

Function Documentation

void* AI_alertparser_thread ( void *  arg  ) 

Thread for parsing Snort's alert file.

FUNCTION: AI_alertparser_thread

Parameters:
arg void* pointer to the module's configuration
void AI_free_alerts ( AI_snort_alert *  node  ) 

Deallocate the memory of a log alert linked list.

FUNCTION: AI_free_alerts

Parameters:
node Linked list to be freed
AI_snort_alert* AI_get_alerts ( void   ) 

Return the alerts parsed so far as a linked list.

FUNCTION: AI_get_alerts

Returns:
An AI_snort_alert pointer identifying the list of alerts
struct pkt_info* AI_get_stream_by_key ( struct pkt_key  key  )  [read]

Get a TCP stream by key.

FUNCTION: AI_get_stream_by_key

Parameters:
key Key of the stream to be picked up (struct pkt_key)
Returns:
A pkt_info pointer to the stream if found, NULL otherwise
void* AI_hashcleanup_thread ( void *  arg  ) 

Thread that removes from the hash table the traffic streams older than a certain threshold.

FUNCTION: AI_hashcleanup_thread

Parameters:
arg Pointer to the AI_config struct
void AI_hierarchies_build ( AI_config *  conf,
hierarchy_node **  nodes,
int  n_nodes 
)

Build the clustering hierarchy trees.

FUNCTION: AI_hierarchies_build

Parameters:
conf Reference to the configuration of the module
nodes Nodes containing the information about the clustering ranges
n_nodes Number of nodes
void AI_pkt_enqueue ( SFSnortPacket *  pkt  ) 

Function called for appending a new packet to the hash table, creating a new stream or appending it to an existing stream.

FUNCTION: AI_pkt_enqueue

Parameters:
pkt Packet to be appended
void AI_set_stream_observed ( struct pkt_key  key  ) 

Set the flag "observed" on a stream associated with a security alert, so that it won't be removed from the hash table.

FUNCTION: AI_set_stream_observed

Parameters:
key Key of the stream to be set as "observed"
int preg_match ( const char *  expr,
char *  str,
char ***  matches,
int *  nmatches 
)

Check if a string matches a regular expression.

FUNCTION: preg_match

Parameters:
expr Regular expression to be matched
str String to be checked
matches Reference to a char** that will contain the submatches (NULL if you don't need it)
nmatches Reference to an int that will receive the number of submatches found (NULL if you don't need it)
Returns:
-1 if the regular expression is invalid, 0 if no match was found, 1 otherwise

Variable Documentation

DynamicPreprocessorData _dpd