| 1 | [[PageOutline]] |
| 2 | |
| 3 | = Security Event Center = |
| 4 | |
| 5 | == merge algorithm pseudo code == |
| 6 | {{{ |
| 7 | #!text |
| 8 | Merge Algorithm |
| 9 | output: correlated_event queue |
| 10 | global: event_scenario , MO_win_size |
| 11 | |
| 12 | 1. pull the top event |
| 13 | 2. if OO_events queue == NULL |
| 14 | 3. new OO_events as event_scenario in event queue |
| 15 | 4. OO_events inherit event |
| 16 | 5. while event-queue ≠ NULL |
| 17 | { |
| 18 | 6. pull the top event |
| 19 | 7. if event.timestamp < ( OO_events.end_time + win_size ) |
| 20 | 8. Search a correlated_event in correlated_event queue that correlated_event.{ IP_dst, |
| 21 | port_dst,signature } == event.{ IP_dst, port_dst, signature } |
| 22 | 9. correlated_event _event.endtime max(event.endtime, MO_event.endtime) |
| 23 | 10. correlated_event.reference append (event.id ) |
| 24 | 11. correlated_event.IP_src correlated_event. IP_ src ∪ event. IP_ src |
| 25 | correlated_event t.port_src correlated_event. port_src ∪ event. port_ src |
| 26 | 12. else |
| 27 | 13. new OO_events as event_scenario in event queue |
| 28 | 14. OO_events inherit event |
| 29 | } |
| 30 | 15 return correlated_event queue |
| 31 | |
| 32 | … |
| 33 | |
| 34 | }}} |
| 35 | |
| 36 | |
| 37 | == php real code == |
| 38 | {{{ |
| 39 | #!php |
| 40 | <? |
| 41 | |
| 42 | function merge($timesize) |
| 43 | { |
| 44 | global $object,$obj_ctr,$DB; |
| 45 | |
| 46 | $mo_base_ctr=0; |
| 47 | $mo_ptr = 0; //mo pointer |
| 48 | $i = 0; //tmp |
| 49 | |
| 50 | //----------------database check---------------- |
| 51 | $str="SELECT start_time,end_time,reference,ip_proto, |
| 52 | event_name,ip_dst,ip_src,sid,dport,sport,sig_class_id, |
| 53 | signature,sig_priority FROM accident_ticket |
| 54 | WHERE end_time >= \"".$object[0]->start_time."\" ORDER BY start_time ASC"; |
| 55 | $DB->query($str); |
| 56 | $fixed_num = mysql_num_rows($DB->result); |
| 57 | |
| 58 | if($fixed_num == null ) |
| 59 | { |
| 60 | $fixed_num = 0; |
| 61 | $obj_ptr=1; |
| 62 | $mo_ctr=1; |
| 63 | } |
| 64 | else |
| 65 | { |
| 66 | $obj_ptr=$fixed_num; |
| 67 | $mo_ctr=$fixed_num; |
| 68 | } |
| 69 | $mo[0] = new scenario(null,null,null,null,null,null,null,null,null,null,null,null,null); |
| 70 | if($fixed_num > 0) |
| 71 | { |
| 72 | while(list($start_time,$end_time,$reference,$ip_proto,$event_name,$ip_dst, |
| 73 | $ip_src,$sid,$dport,$sport,$sig_class_id,$signature,$sig_priority) |
| 74 | = mysql_fetch_row($DB->result) ) |
| 75 | { |
| 76 | $mo[$mo_base_ctr]->start_time = $start_time; |
| 77 | $mo[$mo_base_ctr]->end_time = $end_time; |
| 78 | $mo[$mo_base_ctr]->reference = $reference; |
| 79 | $mo[$mo_base_ctr]->ip_proto = $ip_proto; |
| 80 | $mo[$mo_base_ctr]->event_name = $event_name; |
| 81 | $mo[$mo_base_ctr]->ip_dst[0] = $ip_dst; |
| 82 | $mo[$mo_base_ctr]->ip_src = split(",",$ip_src); |
| 83 | $mo[$mo_base_ctr]->sid = split(",",$sid); |
| 84 | $mo[$mo_base_ctr]->dport[0] = $dport; |
| 85 | $mo[$mo_base_ctr]->sport = $sport; |
| 86 | $mo[$mo_base_ctr]->sig_class_id = $sig_class_id; |
| 87 | $mo[$mo_base_ctr]->signature = split(",",$signature); |
| 88 | $mo[$mo_base_ctr]->sig_priority = $sig_priority; |
| 89 | $mo[$mo_base_ctr]->cmp_time=nor_time($end_time); |
| 90 | $mo_base_ctr++; |
| 91 | } |
| 92 | $object=array_merge($mo,$object); |
| 93 | $str="DELETE FROM accident_ticket WHERE end_time >= \"".$object[0]->start_time."\""; |
| 94 | $DB->query($str); |
| 95 | $DB->reset_auto("accident_ticket"); |
| 96 | } |
| 97 | //if($DB->result) $DB->free_result(); |
| 98 | //----------------database check---------------- |
| 99 | //echo "timesize:".$timesize."<br>"; |
| 100 | while( $obj_ptr < $obj_ctr ) |
| 101 | { |
| 102 | |
| 103 | $object[$obj_ptr]->cmp_time=chk_time($object[$obj_ptr]->start_time,$timesize); |
| 104 | //----remove timeout class---- |
| 105 | for($i=$mo_ptr; $i<$mo_ctr ;$i++) |
| 106 | { |
| 107 | |
| 108 | if( strcmp($object[$obj_ptr]->cmp_time,$object[$mo_ptr]->cmp_time) > 0 ) $mo_ptr++; |
| 109 | else |
| 110 | { |
| 111 | $i=$mo_ctr; |
| 112 | |
| 113 | } |
| 114 | } |
| 115 | //----remove timeout class---- |
| 116 | //====many2one check=== |
| 117 | for($i=$mo_ptr; $i<$mo_ctr ;$i++) |
| 118 | { |
| 119 | if($object[$obj_ptr]->ip_dst[0] == $object[$i]->ip_dst[0]) |
| 120 | { |
| 121 | // if($object[$obj_ptr]->dport[0] == $object[$i]->dport[0]) |
| 122 | // { |
| 123 | if($object[$obj_ptr]->signature[0] == $object[$i]->signature[0]) |
| 124 | { |
| 125 | //-------------------------merge---------------------------- |
| 126 | $object[$i]->reference=($object[$i]->reference).", ".($object[$obj_ptr]->reference); |
| 127 | if( $object[$i]->ip_proto!=$object[$obj_ptr]->ip_proto ) $object[$i]->ip_proto="multiproto"; |
| 128 | $object[$i]->ip_src=arr_merge($object[$obj_ptr]->ip_src,$object[$i]->ip_src); |
| 129 | $object[$i]->sid=arr_merge($object[$obj_ptr]->sid,$object[$i]->sid); |
| 130 | if( $object[$i]->sport!=$object[$obj_ptr]->sport ) $object[$i]->sport="multiport"; |
| 131 | if( $object[$i]->sig_class_id != $object[$obj_ptr]->sig_class_id ) $object[$i]->sig_class_id=0; |
| 132 | if( $object[$i]->sig_priority > $object[$obj_ptr]->sig_priority ) $object[$i]->sig_priority=$object[$obj_ptr]->sig_priority; |
| 133 | if((time_smaller($object[$obj_ptr]->start_time,$object[$i]->start_time))==1) |
| 134 | { |
| 135 | $object[$i]->start_time = $object[$obj_ptr]->start_time; |
| 136 | } |
| 137 | if((time_smaller($object[$i]->end_time,$object[$obj_ptr]->end_time))==1) |
| 138 | { |
| 139 | $object[$i]->end_time = $object[$obj_ptr]->end_time; |
| 140 | } |
| 141 | $object[$i]->cmp_time=nor_time($object[$i]->end_time); |
| 142 | $i=$mo_ctr; |
| 143 | //-------------------------merge---------------------------- |
| 144 | } |
| 145 | // } |
| 146 | } |
| 147 | } |
| 148 | if($i!=$mo_ctr+1) |
| 149 | { |
| 150 | |
| 151 | $object[$mo_ctr]->start_time=$object[$obj_ptr]->start_time; |
| 152 | $object[$mo_ctr]->end_time=$object[$obj_ptr]->end_time; |
| 153 | $object[$mo_ctr]->reference=$object[$obj_ptr]->reference; |
| 154 | $object[$mo_ctr]->ip_proto=$object[$obj_ptr]->ip_proto; |
| 155 | $object[$mo_ctr]->event_name=$object[$obj_ptr]->event_name; |
| 156 | $object[$mo_ctr]->ip_dst=arr_cover($object[$obj_ptr]->ip_dst,$object[$mo_ctr]->ip_dst); |
| 157 | $object[$mo_ctr]->ip_src=arr_cover($object[$obj_ptr]->ip_src,$object[$mo_ctr]->ip_src); |
| 158 | $object[$mo_ctr]->sid=arr_cover($object[$obj_ptr]->sid,$object[$mo_ctr]->sid); |
| 159 | $object[$mo_ctr]->dport=arr_cover($object[$obj_ptr]->dport,$object[$mo_ctr]->dport); |
| 160 | $object[$mo_ctr]->sport=$object[$obj_ptr]->sport; |
| 161 | $object[$mo_ctr]->sig_class_id=$object[$obj_ptr]->sig_class_id; |
| 162 | $object[$mo_ctr]->signature=arr_cover($object[$obj_ptr]->signature,$object[$mo_ctr]->signature); |
| 163 | $object[$mo_ctr]->sig_priority=$object[$obj_ptr]->sig_priority; |
| 164 | $object[$mo_ctr]->cmp_time=nor_time($object[$mo_ctr]->end_time); |
| 165 | $mo_ctr++; |
| 166 | |
| 167 | } |
| 168 | //====many2one check=== |
| 169 | $obj_ptr++; |
| 170 | } |
| 171 | $obj_ctr=$mo_ctr; |
| 172 | }; |
| 173 | |
| 174 | |
| 175 | ?> |
| 176 | }}} |