Data Structures | |
| struct | AI_alert_correlation_key |
| struct | AI_alert_correlation |
Enumerations | |
| enum | { inHyperAlert, inSnortIdTag, inPreTag, inPostTag, TAG_NUM } |
Functions | |
| PRIVATE void | _AI_correlation_table_cleanup () |
| Clean up the correlation hash table. | |
| PRIVATE void | _AI_print_correlated_alerts (AI_alert_correlation *corr, FILE *fp) |
| Recursively write a flow of correlated alerts to a .dot file, ready for being rendered as graph. | |
| PRIVATE char * | _AI_get_function_name (const char *orig_stmt) |
| Get the name of the function called by a pre-condition or post-condition predicate. | |
| PRIVATE char ** | _AI_get_function_arguments (char *orig_stmt, int *n_args) |
| Get the arguments passed to a function predicate in a pre-condition or post-condition (comma-separated values). | |
| PRIVATE double | _AI_correlation_coefficient (AI_snort_alert *a, AI_snort_alert *b) |
| Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A) / UNION(pre(B), post(A)). | |
| PRIVATE void | _AI_macro_subst (AI_snort_alert **alert) |
| Substitute the macros in hyperalert pre-conditions and post-conditions with their associated values. | |
| PRIVATE AI_hyperalert_info * | _AI_hyperalert_from_XML (AI_hyperalert_key key) |
| Parse info about a hyperalert from a correlation XML file, if it exists. | |
| void * | AI_alert_correlation_thread (void *arg) |
| Thread for correlating clustered alerts. | |
Variables | |
| PRIVATE AI_hyperalert_info * | hyperalerts = NULL |
| PRIVATE AI_config * | conf = NULL |
| PRIVATE AI_snort_alert * | alerts = NULL |
| PRIVATE AI_alert_correlation * | correlation_table = NULL |
| PRIVATE BOOL | lock_flag = false |
| anonymous enum |
| PRIVATE double _AI_correlation_coefficient | ( | AI_snort_alert * | a, | |
| AI_snort_alert * | b | |||
| ) |
Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A) / UNION(pre(B), post(A)).
| a | Alert a | |
| b | Alert b |
| PRIVATE void _AI_correlation_table_cleanup | ( | ) |
Clean up the correlation hash table.
| PRIVATE char** _AI_get_function_arguments | ( | char * | orig_stmt, | |
| int * | n_args | |||
| ) |
Get the arguments passed to a function predicate in a pre-condition or post-condition (comma-separated values).
FUNCTION: _AI_get_function_arguments
| origstmt | Statement representing a pre-condition or post-condition | |
| n_args | Reference to an integer that will contain the number of arguments read |
| PRIVATE char* _AI_get_function_name | ( | const char * | orig_stmt | ) |
Get the name of the function called by a pre-condition or post-condition predicate.
| orig_stmt | Statement representing a pre-condition or post-condition |
| PRIVATE AI_hyperalert_info* _AI_hyperalert_from_XML | ( | AI_hyperalert_key | key | ) |
Parse info about a hyperalert from a correlation XML file, if it exists.
| key | Key (gid, sid, rev) identifying the alert |
| PRIVATE void _AI_macro_subst | ( | AI_snort_alert ** | alert | ) |
Substitute the macros in hyperalert pre-conditions and post-conditions with their associated values.
| alert | Reference to the hyperalert to work on |
| PRIVATE void _AI_print_correlated_alerts | ( | AI_alert_correlation * | corr, | |
| FILE * | fp | |||
| ) |
Recursively write a flow of correlated alerts to a .dot file, ready for being rendered as graph.
| corr_alerts | Correlated alerts | |
| fp | File pointer |
| void* AI_alert_correlation_thread | ( | void * | arg | ) |
Thread for correlating clustered alerts.
| arg | Void pointer to module's configuration |
| PRIVATE AI_snort_alert* alerts = NULL |
| PRIVATE AI_alert_correlation* correlation_table = NULL |
| PRIVATE AI_hyperalert_info* hyperalerts = NULL |
1.7.1
