wiki:waue/2009/1027

Version 3 (modified by waue, 15 years ago) (diff)

--

  • SnortRegular.java 處理正規化時,若直接處理時間格式,則可以節省後續FuseAlert.java的效能
    • 然而改正規劃格式將導致之前測試完成的功能又要重改重測試,先略過

FuseAlert.java

功能:

  • map input 
    // "gid;sid;version;alert name;class;priority;"
    // 0;1__;2 ;3__________;4______________________________;5;
    // 1;538;15;NETBIOS SMB;Generic Protocol Command Decode;3;
    // "month;day;hour;min;second;source;destination;type;";
    // 6 ;7 ;8 ; 9;10;11__________________;12_________________;13 ;
    // 09;04;17;53;56;168.150.177.165:1051;168.150.177.166:139;TCP;
  • map output & reduce input 
    // key: sid;alert name; class; priority @@ des ip @@ src ip
    // values: [timestamp1...timestampn]
  • reduce output 
    // key: sid;alert name; class; priority @@ des ip @@ src ip
    // values: [timestamp1-timestampn]