\hypertarget{group__correlation}{ \section{Module for the correlation of hyperalerts} \label{group__correlation}\index{Module for the correlation of hyperalerts@{Module for the correlation of hyperalerts}} } \subsection*{Data Structures} \begin{DoxyCompactItemize} \item struct \hyperlink{structAI__alert__correlation__key}{AI\_\-alert\_\-correlation\_\-key} \item struct \hyperlink{structAI__alert__correlation}{AI\_\-alert\_\-correlation} \end{DoxyCompactItemize} \subsection*{Enumerations} \begin{DoxyCompactItemize} \item enum \{ \par \hyperlink{group__correlation_gga06fc87d81c62e9abb8790b6e5713c55ba0b3b5f651ab0c6355666ff7b1c778af8}{inHyperAlert}, \hyperlink{group__correlation_gga06fc87d81c62e9abb8790b6e5713c55ba52d913c46f650f89a5da3ff4bfb7a45d}{inSnortIdTag}, \hyperlink{group__correlation_gga06fc87d81c62e9abb8790b6e5713c55ba828f2ec4acb20bae9b9c9fb0c5e0881f}{inPreTag}, \hyperlink{group__correlation_gga06fc87d81c62e9abb8790b6e5713c55baf6430d8e5b9791cca74ec3b325a8339f}{inPostTag}, \par \hyperlink{group__correlation_gga06fc87d81c62e9abb8790b6e5713c55ba551d1861515058fbfe34955d4170ae67}{TAG\_\-NUM} \} \end{DoxyCompactItemize} \subsection*{Functions} \begin{DoxyCompactItemize} \item PRIVATE void \hyperlink{group__correlation_ga9bcb94264ffe30f113f3fb7287b774e3}{\_\-AI\_\-correlation\_\-table\_\-cleanup} () \begin{DoxyCompactList}\small\item\em Clean up the correlation hash table. \item\end{DoxyCompactList}\item PRIVATE void \hyperlink{group__correlation_ga4267a39fa1a5ac035015823bca43288e}{\_\-AI\_\-print\_\-correlated\_\-alerts} (\hyperlink{structAI__alert__correlation}{AI\_\-alert\_\-correlation} $\ast$corr, FILE $\ast$fp) \begin{DoxyCompactList}\small\item\em Recursively write a flow of correlated alerts to a .dot file, ready to be rendered as a graph. 
\item\end{DoxyCompactList}\item PRIVATE char $\ast$ \hyperlink{group__correlation_ga7a1b2d01f526f24ea91d7f08bdefd4fe}{\_\-AI\_\-get\_\-function\_\-name} (const char $\ast$orig\_\-stmt) \begin{DoxyCompactList}\small\item\em Get the name of the function called by a pre-\/condition or post-\/condition predicate. \item\end{DoxyCompactList}\item PRIVATE char $\ast$$\ast$ \hyperlink{group__correlation_gab716702cd226ab2ad957234a92da6e4a}{\_\-AI\_\-get\_\-function\_\-arguments} (char $\ast$orig\_\-stmt, int $\ast$n\_\-args) \begin{DoxyCompactList}\small\item\em Get the arguments passed to a function predicate in a pre-\/condition or post-\/condition (comma-\/separated values). \item\end{DoxyCompactList}\item PRIVATE double \hyperlink{group__correlation_ga9cb283b28a66829574add58a251b93c6}{\_\-AI\_\-correlation\_\-coefficient} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$a, \hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$b) \begin{DoxyCompactList}\small\item\em Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A)) / UNION(pre(B), post(A)). \item\end{DoxyCompactList}\item PRIVATE void \hyperlink{group__correlation_ga70a4aaf8b689472dad62ba7a9bbde1a6}{\_\-AI\_\-macro\_\-subst} (\hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$$\ast$alert) \begin{DoxyCompactList}\small\item\em Substitute the macros in hyperalert pre-\/conditions and post-\/conditions with their associated values. \item\end{DoxyCompactList}\item PRIVATE \hyperlink{structAI__hyperalert__info}{AI\_\-hyperalert\_\-info} $\ast$ \hyperlink{group__correlation_ga929e5c17fdb247a998d83ed6a4ae5a65}{\_\-AI\_\-hyperalert\_\-from\_\-XML} (\hyperlink{structAI__hyperalert__key}{AI\_\-hyperalert\_\-key} key) \begin{DoxyCompactList}\small\item\em Parse info about a hyperalert from a correlation XML file, if it exists. 
\item\end{DoxyCompactList}\item void $\ast$ \hyperlink{group__correlation_ga939353a4e15de7a8f4145ab986f584be}{AI\_\-alert\_\-correlation\_\-thread} (void $\ast$arg) \begin{DoxyCompactList}\small\item\em Thread for correlating clustered alerts. \item\end{DoxyCompactList}\end{DoxyCompactItemize} \subsection*{Variables} \begin{DoxyCompactItemize} \item PRIVATE \hyperlink{structAI__hyperalert__info}{AI\_\-hyperalert\_\-info} $\ast$ \hyperlink{group__correlation_gae56c79aa018caaeebeeb709a9e51c9c2}{hyperalerts} = NULL \item PRIVATE \hyperlink{structAI__config}{AI\_\-config} $\ast$ \hyperlink{group__correlation_gaad7a982b6016390e7cd1164bd7db8bca}{conf} = NULL \item PRIVATE \hyperlink{struct__AI__snort__alert}{AI\_\-snort\_\-alert} $\ast$ \hyperlink{group__correlation_gae837fc04e61c0eb052f997c54b4fd9fe}{alerts} = NULL \item PRIVATE \hyperlink{structAI__alert__correlation}{AI\_\-alert\_\-correlation} $\ast$ \hyperlink{group__correlation_ga701934a296c51f2397d24e8bf4a9f021}{correlation\_\-table} = NULL \item PRIVATE \hyperlink{spp__ai_8h_a3e5b8192e7d9ffaf3542f1210aec18dd}{BOOL} \hyperlink{group__correlation_gafebc81c042a632dc987e113b7f390274}{lock\_\-flag} = false \end{DoxyCompactItemize} \subsection{Enumeration Type Documentation} \hypertarget{group__correlation_ga06fc87d81c62e9abb8790b6e5713c55b}{ \subsubsection[{"@0}]{\setlength{\rightskip}{0pt plus 5cm}anonymous enum}} \label{group__correlation_ga06fc87d81c62e9abb8790b6e5713c55b} Enumeration for the types of XML tags \begin{Desc} \item[Enumerator: ]\par \begin{description} \index{inHyperAlert@{inHyperAlert}!correlation@{correlation}}\index{correlation@{correlation}!inHyperAlert@{inHyperAlert}}\item[{\em \hypertarget{group__correlation_gga06fc87d81c62e9abb8790b6e5713c55ba0b3b5f651ab0c6355666ff7b1c778af8}{ inHyperAlert} \label{group__correlation_gga06fc87d81c62e9abb8790b6e5713c55ba0b3b5f651ab0c6355666ff7b1c778af8} 
}]\index{inSnortIdTag@{inSnortIdTag}!correlation@{correlation}}\index{correlation@{correlation}!inSnortIdTag@{inSnortIdTag}}\item[{\em \hypertarget{group__correlation_gga06fc87d81c62e9abb8790b6e5713c55ba52d913c46f650f89a5da3ff4bfb7a45d}{ inSnortIdTag} \label{group__correlation_gga06fc87d81c62e9abb8790b6e5713c55ba52d913c46f650f89a5da3ff4bfb7a45d} }]\index{inPreTag@{inPreTag}!correlation@{correlation}}\index{correlation@{correlation}!inPreTag@{inPreTag}}\item[{\em \hypertarget{group__correlation_gga06fc87d81c62e9abb8790b6e5713c55ba828f2ec4acb20bae9b9c9fb0c5e0881f}{ inPreTag} \label{group__correlation_gga06fc87d81c62e9abb8790b6e5713c55ba828f2ec4acb20bae9b9c9fb0c5e0881f} }]\index{inPostTag@{inPostTag}!correlation@{correlation}}\index{correlation@{correlation}!inPostTag@{inPostTag}}\item[{\em \hypertarget{group__correlation_gga06fc87d81c62e9abb8790b6e5713c55baf6430d8e5b9791cca74ec3b325a8339f}{ inPostTag} \label{group__correlation_gga06fc87d81c62e9abb8790b6e5713c55baf6430d8e5b9791cca74ec3b325a8339f} }]\index{TAG\_\-NUM@{TAG\_\-NUM}!correlation@{correlation}}\index{correlation@{correlation}!TAG\_\-NUM@{TAG\_\-NUM}}\item[{\em \hypertarget{group__correlation_gga06fc87d81c62e9abb8790b6e5713c55ba551d1861515058fbfe34955d4170ae67}{ TAG\_\-NUM} \label{group__correlation_gga06fc87d81c62e9abb8790b6e5713c55ba551d1861515058fbfe34955d4170ae67} }]\end{description} \end{Desc} \subsection{Function Documentation} \hypertarget{group__correlation_ga9cb283b28a66829574add58a251b93c6}{ \index{correlation@{correlation}!\_\-AI\_\-correlation\_\-coefficient@{\_\-AI\_\-correlation\_\-coefficient}} \index{\_\-AI\_\-correlation\_\-coefficient@{\_\-AI\_\-correlation\_\-coefficient}!correlation@{correlation}} \subsubsection[{\_\-AI\_\-correlation\_\-coefficient}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE double \_\-AI\_\-correlation\_\-coefficient ( \begin{DoxyParamCaption} \item[{{\bf AI\_\-snort\_\-alert} $\ast$}]{ a, } \item[{{\bf AI\_\-snort\_\-alert} $\ast$}]{ b} \end{DoxyParamCaption} )}} 
\label{group__correlation_ga9cb283b28a66829574add58a251b93c6} Compute the correlation coefficient between two alerts, as INTERSECTION(pre(B), post(A)) / UNION(pre(B), post(A)). \begin{DoxyParams}{Parameters} \item[{\em a}]Alert a \item[{\em b}]Alert b \end{DoxyParams} \begin{DoxyReturn}{Returns} The correlation coefficient between A and B, as a value in \mbox{[}0,1\mbox{]} \end{DoxyReturn} \hypertarget{group__correlation_ga9bcb94264ffe30f113f3fb7287b774e3}{ \index{correlation@{correlation}!\_\-AI\_\-correlation\_\-table\_\-cleanup@{\_\-AI\_\-correlation\_\-table\_\-cleanup}} \index{\_\-AI\_\-correlation\_\-table\_\-cleanup@{\_\-AI\_\-correlation\_\-table\_\-cleanup}!correlation@{correlation}} \subsubsection[{\_\-AI\_\-correlation\_\-table\_\-cleanup}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE void \_\-AI\_\-correlation\_\-table\_\-cleanup ( \begin{DoxyParamCaption} {} \end{DoxyParamCaption} )}} \label{group__correlation_ga9bcb94264ffe30f113f3fb7287b774e3} Clean up the correlation hash table. \hypertarget{group__correlation_gab716702cd226ab2ad957234a92da6e4a}{ \index{correlation@{correlation}!\_\-AI\_\-get\_\-function\_\-arguments@{\_\-AI\_\-get\_\-function\_\-arguments}} \index{\_\-AI\_\-get\_\-function\_\-arguments@{\_\-AI\_\-get\_\-function\_\-arguments}!correlation@{correlation}} \subsubsection[{\_\-AI\_\-get\_\-function\_\-arguments}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE char$\ast$$\ast$ \_\-AI\_\-get\_\-function\_\-arguments ( \begin{DoxyParamCaption} \item[{char $\ast$}]{ orig\_\-stmt, } \item[{int $\ast$}]{ n\_\-args} \end{DoxyParamCaption} )}} \label{group__correlation_gab716702cd226ab2ad957234a92da6e4a} Get the arguments passed to a function predicate in a pre-\/condition or post-\/condition (comma-\/separated values). 
\begin{DoxyParams}{Parameters} \item[{\em orig\_\-stmt}]Statement representing a pre-\/condition or post-\/condition \item[{\em n\_\-args}]Reference to an integer that will contain the number of arguments read \end{DoxyParams} \begin{DoxyReturn}{Returns} An array of strings containing the arguments of the function \end{DoxyReturn} \hypertarget{group__correlation_ga7a1b2d01f526f24ea91d7f08bdefd4fe}{ \index{correlation@{correlation}!\_\-AI\_\-get\_\-function\_\-name@{\_\-AI\_\-get\_\-function\_\-name}} \index{\_\-AI\_\-get\_\-function\_\-name@{\_\-AI\_\-get\_\-function\_\-name}!correlation@{correlation}} \subsubsection[{\_\-AI\_\-get\_\-function\_\-name}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE char$\ast$ \_\-AI\_\-get\_\-function\_\-name ( \begin{DoxyParamCaption} \item[{const char $\ast$}]{ orig\_\-stmt} \end{DoxyParamCaption} )}} \label{group__correlation_ga7a1b2d01f526f24ea91d7f08bdefd4fe} Get the name of the function called by a pre-\/condition or post-\/condition predicate. \begin{DoxyParams}{Parameters} \item[{\em orig\_\-stmt}]Statement representing a pre-\/condition or post-\/condition \end{DoxyParams} \begin{DoxyReturn}{Returns} The name of the function called by that statement \end{DoxyReturn} \hypertarget{group__correlation_ga929e5c17fdb247a998d83ed6a4ae5a65}{ \index{correlation@{correlation}!\_\-AI\_\-hyperalert\_\-from\_\-XML@{\_\-AI\_\-hyperalert\_\-from\_\-XML}} \index{\_\-AI\_\-hyperalert\_\-from\_\-XML@{\_\-AI\_\-hyperalert\_\-from\_\-XML}!correlation@{correlation}} \subsubsection[{\_\-AI\_\-hyperalert\_\-from\_\-XML}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf AI\_\-hyperalert\_\-info}$\ast$ \_\-AI\_\-hyperalert\_\-from\_\-XML ( \begin{DoxyParamCaption} \item[{{\bf AI\_\-hyperalert\_\-key}}]{ key} \end{DoxyParamCaption} )}} \label{group__correlation_ga929e5c17fdb247a998d83ed6a4ae5a65} Parse info about a hyperalert from a correlation XML file, if it exists. 
\begin{DoxyParams}{Parameters} \item[{\em key}]Key (gid, sid, rev) identifying the alert \end{DoxyParams} \begin{DoxyReturn}{Returns} A hyperalert structure containing the info about the current alert, if the XML file was found \end{DoxyReturn} \hypertarget{group__correlation_ga70a4aaf8b689472dad62ba7a9bbde1a6}{ \index{correlation@{correlation}!\_\-AI\_\-macro\_\-subst@{\_\-AI\_\-macro\_\-subst}} \index{\_\-AI\_\-macro\_\-subst@{\_\-AI\_\-macro\_\-subst}!correlation@{correlation}} \subsubsection[{\_\-AI\_\-macro\_\-subst}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE void \_\-AI\_\-macro\_\-subst ( \begin{DoxyParamCaption} \item[{{\bf AI\_\-snort\_\-alert} $\ast$$\ast$}]{ alert} \end{DoxyParamCaption} )}} \label{group__correlation_ga70a4aaf8b689472dad62ba7a9bbde1a6} Substitute the macros in hyperalert pre-\/conditions and post-\/conditions with their associated values. \begin{DoxyParams}{Parameters} \item[{\em alert}]Reference to the hyperalert to work on \end{DoxyParams} \hypertarget{group__correlation_ga4267a39fa1a5ac035015823bca43288e}{ \index{correlation@{correlation}!\_\-AI\_\-print\_\-correlated\_\-alerts@{\_\-AI\_\-print\_\-correlated\_\-alerts}} \index{\_\-AI\_\-print\_\-correlated\_\-alerts@{\_\-AI\_\-print\_\-correlated\_\-alerts}!correlation@{correlation}} \subsubsection[{\_\-AI\_\-print\_\-correlated\_\-alerts}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE void \_\-AI\_\-print\_\-correlated\_\-alerts ( \begin{DoxyParamCaption} \item[{{\bf AI\_\-alert\_\-correlation} $\ast$}]{ corr, } \item[{FILE $\ast$}]{ fp} \end{DoxyParamCaption} )}} \label{group__correlation_ga4267a39fa1a5ac035015823bca43288e} Recursively write a flow of correlated alerts to a .dot file, ready to be rendered as a graph. 
\begin{DoxyParams}{Parameters} \item[{\em corr}]Correlated alerts \item[{\em fp}]Pointer to the output .dot file \end{DoxyParams} \hypertarget{group__correlation_ga939353a4e15de7a8f4145ab986f584be}{ \index{correlation@{correlation}!AI\_\-alert\_\-correlation\_\-thread@{AI\_\-alert\_\-correlation\_\-thread}} \index{AI\_\-alert\_\-correlation\_\-thread@{AI\_\-alert\_\-correlation\_\-thread}!correlation@{correlation}} \subsubsection[{AI\_\-alert\_\-correlation\_\-thread}]{\setlength{\rightskip}{0pt plus 5cm}void$\ast$ AI\_\-alert\_\-correlation\_\-thread ( \begin{DoxyParamCaption} \item[{void $\ast$}]{ arg} \end{DoxyParamCaption} )}} \label{group__correlation_ga939353a4e15de7a8f4145ab986f584be} Thread for correlating clustered alerts. \begin{DoxyParams}{Parameters} \item[{\em arg}]Void pointer to the module's configuration \end{DoxyParams} \subsection{Variable Documentation} \hypertarget{group__correlation_gae837fc04e61c0eb052f997c54b4fd9fe}{ \index{correlation@{correlation}!alerts@{alerts}} \index{alerts@{alerts}!correlation@{correlation}} \subsubsection[{alerts}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf AI\_\-snort\_\-alert}$\ast$ {\bf alerts} = NULL}} \label{group__correlation_gae837fc04e61c0eb052f997c54b4fd9fe} \hypertarget{group__correlation_gaad7a982b6016390e7cd1164bd7db8bca}{ \index{correlation@{correlation}!conf@{conf}} \index{conf@{conf}!correlation@{correlation}} \subsubsection[{conf}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf AI\_\-config}$\ast$ {\bf conf} = NULL}} \label{group__correlation_gaad7a982b6016390e7cd1164bd7db8bca} \hypertarget{group__correlation_ga701934a296c51f2397d24e8bf4a9f021}{ \index{correlation@{correlation}!correlation\_\-table@{correlation\_\-table}} \index{correlation\_\-table@{correlation\_\-table}!correlation@{correlation}} \subsubsection[{correlation\_\-table}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf AI\_\-alert\_\-correlation}$\ast$ {\bf correlation\_\-table} = NULL}} 
\label{group__correlation_ga701934a296c51f2397d24e8bf4a9f021} \hypertarget{group__correlation_gae56c79aa018caaeebeeb709a9e51c9c2}{ \index{correlation@{correlation}!hyperalerts@{hyperalerts}} \index{hyperalerts@{hyperalerts}!correlation@{correlation}} \subsubsection[{hyperalerts}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf AI\_\-hyperalert\_\-info}$\ast$ {\bf hyperalerts} = NULL}} \label{group__correlation_gae56c79aa018caaeebeeb709a9e51c9c2} \hypertarget{group__correlation_gafebc81c042a632dc987e113b7f390274}{ \index{correlation@{correlation}!lock\_\-flag@{lock\_\-flag}} \index{lock\_\-flag@{lock\_\-flag}!correlation@{correlation}} \subsubsection[{lock\_\-flag}]{\setlength{\rightskip}{0pt plus 5cm}PRIVATE {\bf BOOL} {\bf lock\_\-flag} = false}} \label{group__correlation_gafebc81c042a632dc987e113b7f390274}