Changeset 1614

Timestamp:

04/03/08 23:20:41 (5 months ago)

Author:

till

Message:

nebula
- command line options for minimum segment length and entropy for segment selection added
- error in string concatenation routine fixed

Files:

• nebula/trunk/src/nebula.c (modified) (6 diffs)
• nebula/trunk/src/nebula.h (modified) (1 diff)
• nebula/trunk/src/sig.c (modified) (6 diffs)
• nebula/trunk/src/stree.h (modified) (1 diff)

nebula/trunk/src/nebula.c

@@ -58 +58 @@
-                "\t\t -c <similarity> cluster criterion (a similarity measure in percent)\n"
-                "\t\t -d\t\t daemonize\n"
+                "\t\t -e\t\t minimum substring entropy\n"
-                "\t\t -h\t\t this help\n"
-                "\t\t -E <size>\t cluster element queue size\n"
-                "\t\t -i <sid>\t initial snort signature ID\n"
+                "\t\t -l\t\t minimum substring length\n"
-                "\t\t -O <size>\t outlier queue size\n"
-                "\t\t -p <port>\t listen on this port\n"
@@ -132 +134 @@
-
-        // process args
-E:hi
+e:E:hi:l
-                switch(option) {
-                        case 'a':
@@ -154 +156 @@
-                                daemonize = 1;
-                                break;
+                        case 'e':
+                                min_sstr_ent = atoi(optarg);
+                                if (min_sstr_ent < 0) {
+                                        fprintf(stderr, "Error - Minimum substring entropy cannot be negative.\n");
+                                        exit(EXIT_FAILURE);
+                                }
+                                break;
-                        case 'E':
-                                clusterhashq_max = atoi(optarg);
@@ -165 +174 @@
-                                if (!global_sid) {
-                                        fprintf(stderr, "Error - Invalid initial snort signature ID.\n");
+                                        exit(EXIT_FAILURE);
+                                }
+                                break;
+                        case 'l':
+                                min_sstr_len = atoi(optarg);
+                                if (min_sstr_len < 0) {
+                                        fprintf(stderr, "Error - Minimum substring length cannot be negative.\n");
-                                        exit(EXIT_FAILURE);
-                                }
@@ -337 +353 @@
-                                                        exit(EXIT_FAILURE);
-                                                }
-/*
-int j;
-for (j=1; j<=pollfd_set_size; j++) printf("-- session %d: fd %d, state %u\n", j, pfdset[j].fd, s[j].state);
-*/
-                                                memcpy(tmp_submission, &s[i], sizeof(submission));
-                                                memset(&s[i], 0, sizeof(submission));
@@ -357 +369 @@
-
-                                                session_reset(&s[i], i);
-/*
-for (j=1; j<=pollfd_set_size; j++) printf("== session %d: fd %d, state %u\n", j, pfdset[j].fd, s[j].state);
-*/
-                                                break;
-                                        case 0:

nebula/trunk/src/nebula.h

@@ -54 +54 @@
-unsigned long int       initial_threshold;
-
+ssize_t         min_sstr_len;
+double          min_sstr_ent;
+
-queue           *clusterq;
-queue           *outlierq;

nebula/trunk/src/sig.c

@@ -360 +360 @@
-        u_int32_t       i, acnt, node_id, num_leaves, strllen;
-        lchar           *strlist;
-        ssize_t         min_sstr_len;
-        double          min_sstr_ent;
-        u_char          *byte;
-        qelem           *qe;
@@ -377 +375 @@
-        content         = NULL;
-
-        min_sstr_len    = 0;
-        min_sstr_ent    = 0;
-        acnt            = 0;
-
@@ -409 +405 @@
-                // concatenate attack strings
-                // byte strlist[0] must not be used, it simplifies the GST algorithm which uses offset 0 for the root node
-3
+2
-                        fprintf(stderr, "Error - Unable to allocate memory: %m.\n");
-                        exit(EXIT_FAILURE);
-                }
-                memset(&strlist[strllen], 0, sizeof(lchar) * (attack->attack_len + 3));
-
-                // extend string offset array
@@ -425 +420 @@
-                        strlist[strllen+i+1] = attack->attack[i];
-                }
-
-
+
-                strlist[strllen] = acnt << 8;
-                strllen++;
-
-                // process port info
@@ -453 +446 @@
-        if (verbose > 2) {
-                printf("Concatenated string (%u) is '", strllen);
- = 0; i <
+=1; i <=
-                        byte = (u_char *) &strlist[i];
-                        if (strlist[i] && !(strlist[i] & 0x000000ff))
@@ -588 +581 @@
-                }
-                if (!printable) fprintf(rfile, "|");
-depth: %lu; offset
-seglist[num_frags-1].max_off+seglist[num_frags-1].len
-(seglist[num_frags-1].min_off > seglist[num_frags-1].len ? seglist[num_frags-1].min_off - seglist[num_frags-1].len : 0)
+offset: %lu; depth
+(seglist[num_frags-1].min_off > seglist[num_frags-1].len ? seglist[num_frags-1].min_off - seglist[num_frags-1].len : 0)
+seglist[num_frags-1].max_off+seglist[num_frags-1].len
-
-                // process other segments

nebula/trunk/src/stree.h

@@ -88 +88 @@
-void get_substring_endnodes(stnode *root, substr_list *cstr_list, ssize_t min_length);
-void list_substrings(stree *t, stnode *cstr_node, ssize_t length);
-avl_tree *build_substring_list(stree *t, ssize_t min_length);
-
-