| | 1 | [[PageOutline]] |
| | 2 | |
| | 3 | = Security Event Center = |
| | 4 | |
| | 5 | == merge algorithm pseudo code == |
| | 6 | {{{ |
| | 7 | #!text |
| | 8 | Merge Algorithm |
| | 9 | output: correlated_event queue |
| | 10 | global: event_scenario , MO_win_size |
| | 11 | |
| | 12 | 1. pull the top event |
| | 13 | 2. if OO_events queue == NULL |
| | 14 | 3. new OO_events as event_scenario in event queue |
| | 15 | 4. OO_events inherit event |
| | 16 | 5. while event-queue ≠ NULL |
| | 17 | { |
| | 18 | 6. pull the top event |
| | 19 | 7. if event.timestamp < ( OO_events.end_time + win_size ) |
| | 20 | 8. Search a correlated_event in correlated_event queue such that correlated_event.{ IP_dst, |
| | 21 | port_dst, signature } == event.{ IP_dst, port_dst, signature } |
| | 22 | 9. correlated_event.endtime ← max(event.endtime, MO_event.endtime) |
| | 23 | 10. correlated_event.reference.append( event.id ) |
| | 24 | 11. correlated_event.IP_src ← correlated_event.IP_src ∪ event.IP_src |
| | 25 | correlated_event.port_src ← correlated_event.port_src ∪ event.port_src |
| | 26 | 12. else |
| | 27 | 13. new OO_events as event_scenario in event queue |
| | 28 | 14. OO_events inherit event |
| | 29 | } |
| | 30 | 15. return correlated_event queue |
| | 31 | |
| | 32 | … |
| | 33 | |
| | 34 | }}} |
| | 35 | |
| | 36 | |
| | 37 | == php real code == |
| | 38 | {{{ |
| | 39 | #!php |
| | 40 | <? |
| | 41 | |
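// merge(): fold the pending events held in the global $object array into
// "many-to-one" (MO) scenario objects -- the PHP counterpart of the merge
// pseudo code above (event queue -> correlated_event queue).  Scenario rows
// still open in accident_ticket are reloaded first so new events can merge
// into them; those rows are then removed from the table and are expected to
// be written back by the caller from the merged $object set (the write-back
// is not part of this function).
//
// Parameters:
//   $timesize  correlation window handed to chk_time(); an MO whose cmp_time
//              sorts before chk_time(event->start_time, $timesize) is retired
//              and receives no further merges.
// Globals:
//   $object   in: scenario objects ordered by start_time (index 0 earliest);
//             out: compacted in place, the first $obj_ctr entries are the MOs.
//   $obj_ctr  in: number of pending objects; out: number of resulting MOs.
//   $DB       database wrapper exposing query(), ->result and reset_auto().
// Returns nothing; results are left in $object / $obj_ctr.
// Depends on project helpers defined elsewhere: class scenario, nor_time(),
// chk_time(), time_smaller(), arr_merge(), arr_cover().
function merge($timesize)
{
    global $object,$obj_ctr,$DB;

    $mo_base_ctr=0;     // number of MOs reloaded from accident_ticket
    $mo_ptr = 0;        // mo pointer: first MO still inside the time window
    $i = 0;             // tmp loop index; also doubles as the "merged" flag below

    //----------------database check----------------
    // Take the reload threshold once.  The original code re-read
    // $object[0]->start_time for the DELETE *after* array_merge() had put the
    // reloaded tickets in front of the events, so the DELETE threshold became
    // the earliest reloaded start_time and could remove tickets the SELECT
    // never loaded (end_time between that start_time and the event's).
    $threshold = $object[0]->start_time;
    // NOTE(review): $threshold is spliced into SQL unescaped.  If an event's
    // start_time can carry sensor-supplied text rather than a value this code
    // formatted itself, escape it (or bind it) before building either query.
    $str="SELECT start_time,end_time,reference,ip_proto,
          event_name,ip_dst,ip_src,sid,dport,sport,sig_class_id,
          signature,sig_priority FROM accident_ticket
          WHERE end_time >= \"".$threshold."\" ORDER BY start_time ASC";
    $DB->query($str);
    $fixed_num = mysql_num_rows($DB->result);

    // mysql_num_rows() gives FALSE on failure and 0 for no rows; the loose
    // comparison with null covers both.  With nothing reloaded, $object[0]
    // (the earliest pending event, cmp_time as the caller left it) is treated
    // as the first MO, so both pointers start at 1.
    if($fixed_num == null )
    {
        $fixed_num = 0;
        $obj_ptr=1;
        $mo_ctr=1;
    }
    else
    {
        $obj_ptr=$fixed_num;
        $mo_ctr=$fixed_num;
    }
    // Placeholder scenario; when rows are reloaded the first row fills it.
    $mo[0] = new scenario(null,null,null,null,null,null,null,null,null,null,null,null,null);
    if($fixed_num > 0)
    {
        while(list($start_time,$end_time,$reference,$ip_proto,$event_name,$ip_dst,
                   $ip_src,$sid,$dport,$sport,$sig_class_id,$signature,$sig_priority)
              = mysql_fetch_row($DB->result) )
        {
            // Rows after the first need their own object; the original relied
            // on PHP auto-creating one from a property write, which newer PHP
            // versions no longer allow.
            if(!isset($mo[$mo_base_ctr]))
            {
                $mo[$mo_base_ctr] = new scenario(null,null,null,null,null,null,null,null,null,null,null,null,null);
            }
            $mo[$mo_base_ctr]->start_time = $start_time;
            $mo[$mo_base_ctr]->end_time = $end_time;
            $mo[$mo_base_ctr]->reference = $reference;
            $mo[$mo_base_ctr]->ip_proto = $ip_proto;
            $mo[$mo_base_ctr]->event_name = $event_name;
            $mo[$mo_base_ctr]->ip_dst[0] = $ip_dst;
            // Multi-valued columns are stored comma-separated.  explode()
            // replaces the removed split() (PHP 7+); identical result for a
            // plain "," separator.
            $mo[$mo_base_ctr]->ip_src = explode(",",$ip_src);
            $mo[$mo_base_ctr]->sid = explode(",",$sid);
            $mo[$mo_base_ctr]->dport[0] = $dport;
            $mo[$mo_base_ctr]->sport = $sport;
            $mo[$mo_base_ctr]->sig_class_id = $sig_class_id;
            $mo[$mo_base_ctr]->signature = explode(",",$signature);
            $mo[$mo_base_ctr]->sig_priority = $sig_priority;
            $mo[$mo_base_ctr]->cmp_time=nor_time($end_time);
            $mo_base_ctr++;
        }
        // Reloaded MOs go in front of the pending events.
        $object=array_merge($mo,$object);
        // Remove the rows just reloaded (same WHERE clause as the SELECT, so
        // barring rows inserted in between, exactly those rows); the caller
        // is expected to write the merged result back.
        $str="DELETE FROM accident_ticket WHERE end_time >= \"".$threshold."\"";
        $DB->query($str);
        $DB->reset_auto("accident_ticket");
    }
    //if($DB->result) $DB->free_result();
    //----------------database check----------------
    //echo "timesize:".$timesize."<br>";

    // Walk the pending events; entries [$mo_ptr, $mo_ctr) are the live MOs.
    // $mo_ctr starts equal to $obj_ptr and grows at most once per event, so
    // writing a new MO at $object[$mo_ctr] compacts the array in place without
    // clobbering an unprocessed event.
    while( $obj_ptr < $obj_ctr )
    {
        // Window start for this event.  NOTE(review): cmp_time values are
        // compared with strcmp(), so nor_time()/chk_time() must produce a
        // lexically sortable format -- confirm against their definitions.
        $object[$obj_ptr]->cmp_time=chk_time($object[$obj_ptr]->start_time,$timesize);
        //----remove timeout class----
        // Retire every leading MO whose cmp_time sorts before this event's
        // window start; the scan stops at the first MO still inside the
        // window ($i=$mo_ctr acts as break).
        for($i=$mo_ptr; $i<$mo_ctr ;$i++)
        {
            if( strcmp($object[$obj_ptr]->cmp_time,$object[$mo_ptr]->cmp_time) > 0 ) $mo_ptr++;
            else
            {
                $i=$mo_ctr;
            }
        }
        //----remove timeout class----
        //====many2one check===
        // Look for a live MO with the same destination IP and signature.
        // NOTE(review): the pseudo code above also requires port_dst to
        // match; the dport comparison is commented out here, so events on
        // different destination ports merge into one MO.
        for($i=$mo_ptr; $i<$mo_ctr ;$i++)
        {
            if($object[$obj_ptr]->ip_dst[0] == $object[$i]->ip_dst[0])
            {
                // if($object[$obj_ptr]->dport[0] == $object[$i]->dport[0])
                // {
                if($object[$obj_ptr]->signature[0] == $object[$i]->signature[0])
                {
                    //-------------------------merge----------------------------
                    // Fold the event into MO $i: references are concatenated,
                    // differing scalar fields collapse to a sentinel
                    // ("multiproto", "multiport", class 0), sources/sids are
                    // unioned via arr_merge(), the lower sig_priority wins.
                    $object[$i]->reference=($object[$i]->reference).", ".($object[$obj_ptr]->reference);
                    if( $object[$i]->ip_proto!=$object[$obj_ptr]->ip_proto ) $object[$i]->ip_proto="multiproto";
                    $object[$i]->ip_src=arr_merge($object[$obj_ptr]->ip_src,$object[$i]->ip_src);
                    $object[$i]->sid=arr_merge($object[$obj_ptr]->sid,$object[$i]->sid);
                    if( $object[$i]->sport!=$object[$obj_ptr]->sport ) $object[$i]->sport="multiport";
                    if( $object[$i]->sig_class_id != $object[$obj_ptr]->sig_class_id ) $object[$i]->sig_class_id=0;
                    // The smaller number is kept -- presumably Snort-style
                    // priority where 1 is most severe; verify against the schema.
                    if( $object[$i]->sig_priority > $object[$obj_ptr]->sig_priority ) $object[$i]->sig_priority=$object[$obj_ptr]->sig_priority;
                    // Widen the MO's time span to cover the event (assumes
                    // time_smaller(a,b)==1 means a precedes b -- confirm).
                    if((time_smaller($object[$obj_ptr]->start_time,$object[$i]->start_time))==1)
                    {
                        $object[$i]->start_time = $object[$obj_ptr]->start_time;
                    }
                    if((time_smaller($object[$i]->end_time,$object[$obj_ptr]->end_time))==1)
                    {
                        $object[$i]->end_time = $object[$obj_ptr]->end_time;
                    }
                    $object[$i]->cmp_time=nor_time($object[$i]->end_time);
                    // Break out; the loop's $i++ leaves $i == $mo_ctr+1, which
                    // the check below reads as "merged".
                    $i=$mo_ctr;
                    //-------------------------merge----------------------------
                }
                // }
            }
        }
        // Not merged ($i == $mo_ctr): the event becomes a new MO in the next
        // free slot.  arr_cover() is assumed to copy the event's list into the
        // target's -- confirm against its definition.
        if($i!=$mo_ctr+1)
        {
            $object[$mo_ctr]->start_time=$object[$obj_ptr]->start_time;
            $object[$mo_ctr]->end_time=$object[$obj_ptr]->end_time;
            $object[$mo_ctr]->reference=$object[$obj_ptr]->reference;
            $object[$mo_ctr]->ip_proto=$object[$obj_ptr]->ip_proto;
            $object[$mo_ctr]->event_name=$object[$obj_ptr]->event_name;
            $object[$mo_ctr]->ip_dst=arr_cover($object[$obj_ptr]->ip_dst,$object[$mo_ctr]->ip_dst);
            $object[$mo_ctr]->ip_src=arr_cover($object[$obj_ptr]->ip_src,$object[$mo_ctr]->ip_src);
            $object[$mo_ctr]->sid=arr_cover($object[$obj_ptr]->sid,$object[$mo_ctr]->sid);
            $object[$mo_ctr]->dport=arr_cover($object[$obj_ptr]->dport,$object[$mo_ctr]->dport);
            $object[$mo_ctr]->sport=$object[$obj_ptr]->sport;
            $object[$mo_ctr]->sig_class_id=$object[$obj_ptr]->sig_class_id;
            $object[$mo_ctr]->signature=arr_cover($object[$obj_ptr]->signature,$object[$mo_ctr]->signature);
            $object[$mo_ctr]->sig_priority=$object[$obj_ptr]->sig_priority;
            $object[$mo_ctr]->cmp_time=nor_time($object[$mo_ctr]->end_time);
            $mo_ctr++;
        }
        //====many2one check===
        $obj_ptr++;
    }
    // Entries past $mo_ctr are stale; the count is what callers consult.
    $obj_ctr=$mo_ctr;
}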
| | 173 | |
| | 174 | |
| | 175 | ?> |
| | 176 | }}} |