
* If SnortRegular.java converted the time format directly during normalization, it would save work in the later FuseAlert.java stage.
* However, changing the normalized format would mean reworking and retesting functionality that has already been tested, so this is skipped for now.


* map input

{{{
#!text
// "gid;sid;version;alert name;class;priority;"
// 0;1__;2 ;3__________;4______________________________;5;
// 1;538;15;NETBIOS SMB;Generic Protocol Command Decode;3;
// "month;day;hour;min;second;source;destination;type;";
// 6 ;7 ;8 ; 9;10;11__________________;12_________________;13 ;
// 09;04;17;53;56;168.150.177.165:1051;168.150.177.166:139;TCP;
}}}

* map output & reduce input

{{{
#!text
// key: sid;alert name; class; priority @@ des ip @@ src ip
// values: [timestamp1...timestampn]
}}}

* reduce output

{{{
#!text
// key: sid;alert name; class; priority @@ des ip @@ src ip
// values: [timestamp1-timestampn]
}}}
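The three stages above (map input, map output / reduce input, reduce output), walked through in plain Python as an added example; this is not the project's SnortRegular.java or FuseAlert.java code, just an in-memory simulation of the same grouping. Assumptions not stated on the page: the "des ip" and "src ip" parts of the key are the address without the port, a timestamp is rendered as "MM/DD HH:MM:SS" so that string order equals chronological order within a year, and the reduce value is "earliest-latest" taken from the sorted timestamp list. The sample lines are constructed; the first one is the page's own input example.

```python
"""In-memory walk-through of the map/shuffle/reduce stages for normalized
Snort alert lines. Added example, not the project's Hadoop code.

Assumptions (not on the page):
  - the key's IP parts drop the port ("168.150.177.166:139" -> "168.150.177.166");
  - timestamps are fixed-width "MM/DD HH:MM:SS", so plain string order is time order;
  - the reduce value is "earliest-latest" from the sorted timestamps.
"""
from collections import defaultdict

# Field positions in one normalized alert line (layout from the page's "map input").
GID, SID, VERSION, NAME, CLASS, PRIORITY = 0, 1, 2, 3, 4, 5
MONTH, DAY, HOUR, MINUTE, SECOND, SOURCE, DEST, PROTO = 6, 7, 8, 9, 10, 11, 12, 13
FIELD_COUNT = 14


def parse_alert(line):
    """Split one normalized line into its 14 fields; the trailing ';' is dropped."""
    fields = line.rstrip("\n").rstrip(";").split(";")
    if len(fields) != FIELD_COUNT:
        raise ValueError("expected %d fields, got %d: %r" % (FIELD_COUNT, len(fields), line))
    return fields


def host_only(endpoint):
    """'168.150.177.165:1051' -> '168.150.177.165' (assumption: key uses IP without port)."""
    return endpoint.rsplit(":", 1)[0]


def map_alert(line):
    """Map stage: one alert line -> (key, timestamp)."""
    f = parse_alert(line)
    key = "%s;%s;%s;%s @@ %s @@ %s" % (
        f[SID], f[NAME], f[CLASS], f[PRIORITY], host_only(f[DEST]), host_only(f[SOURCE]))
    # Zero-padded and fixed-width, so the reducer can sort without re-parsing.
    ts = "%02d/%02d %02d:%02d:%02d" % tuple(
        int(f[i]) for i in (MONTH, DAY, HOUR, MINUTE, SECOND))
    return key, ts


def shuffle(pairs):
    """Group mapper output by key, as the framework does between map and reduce."""
    grouped = defaultdict(list)
    for key, ts in pairs:
        grouped[key].append(ts)
    return grouped


def reduce_timestamps(key, timestamps):
    """Reduce stage: [timestamp1...timestampn] -> 'timestamp1-timestampn' (earliest-latest)."""
    ordered = sorted(timestamps)
    return key, "%s-%s" % (ordered[0], ordered[-1])


def fuse_alerts(lines):
    """Run the whole job in memory and return {key: 'earliest-latest'}."""
    grouped = shuffle(map_alert(line) for line in lines if line.strip())
    return dict(reduce_timestamps(k, v) for k, v in grouped.items())


# Constructed sample input in the page's normalized layout.
# The first line is the page's own example; the others are made up (sid 9999 is a placeholder).
SAMPLE = [
    "1;538;15;NETBIOS SMB;Generic Protocol Command Decode;3;09;04;17;53;56;168.150.177.165:1051;168.150.177.166:139;TCP;",
    "1;538;15;NETBIOS SMB;Generic Protocol Command Decode;3;09;04;17;55;01;168.150.177.165:1052;168.150.177.166:139;TCP;",
    "1;538;15;NETBIOS SMB;Generic Protocol Command Decode;3;09;04;17;52;10;168.150.177.165:1050;168.150.177.166:139;TCP;",
    "1;9999;1;EXAMPLE alert;Example Class;2;09;04;18;00;00;10.0.0.9:4444;168.150.177.166:1434;UDP;",
]

if __name__ == "__main__":
    for key, span in sorted(fuse_alerts(SAMPLE).items()):
        print(key, "=>", span)
```

The fixed-width timestamp built in `map_alert` is the point of the first note on this page: if the normalization stage already emitted the time in a sortable form, the reducer would only have to sort strings and take the two ends, with no date parsing at all.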