[Sguil-cvs] sguil/server/lib SguildEvent.tcl,1.2,1.3
From: Bamm V. <ba...@us...> - 2004-11-22 22:42:54
Update of /cvsroot/sguil/sguil/server/lib In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv14683/lib Modified Files: SguildEvent.tcl Log Message: Alert aggregation now includes sensor ID by default. Index: SguildEvent.tcl =================================================================== RCS file: /cvsroot/sguil/sguil/server/lib/SguildEvent.tcl,v retrieving revision 1.2 retrieving revision 1.3 diff -C2 -d -r1.2 -r1.3 *** SguildEvent.tcl 18 Oct 2004 15:28:20 -0000 1.2 --- SguildEvent.tcl 22 Nov 2004 22:42:41 -0000 1.3 *************** *** 30,34 **** if { ![array exists acRules] || ![AutoCat $eventDataList] } { # Correlation/aggregation checks here: CorrelateEvent SrcIP Message ! set matchAID [ CorrelateEvent [lindex $eventDataList 8] [lindex $eventDataList 7] ] if { $matchAID == 0 } { AddEventToEventArray $eventDataList --- 30,35 ---- if { ![array exists acRules] || ![AutoCat $eventDataList] } { # Correlation/aggregation checks here: CorrelateEvent SrcIP Message ! set sid [lindex $eventDataList 13] ! set matchAID [ CorrelateEvent $sid [lindex $eventDataList 8] [lindex $eventDataList 7] ] if { $matchAID == 0 } { AddEventToEventArray $eventDataList *************** *** 37,41 **** if { $EMAIL_EVENTS } { #Ug-ly. Things will get better when the rules are in the DB. - set sid [lindex $eventDataList 13] set class [lindex $eventDataList 2] if { ([lsearch -exact $EMAIL_CLASSES $class] >= 0\ --- 38,41 ---- *************** *** 205,217 **** } ! proc CorrelateEvent { srcip msg } { ! global eventIDArray eventIDList eventIDCountArray set MATCH 0 # Loop thru the RTEVENTS for a match on srcip msg foreach rteid $eventIDList { if { [lindex $eventIDArray($rteid) 8] == $srcip && [lindex $eventIDArray($rteid) 7] == $msg } { # Have a match set MATCH $rteid } } return $MATCH --- 205,227 ---- } ! proc CorrelateEvent { sid srcip msg } { ! 
global eventIDArray eventIDList eventIDCountArray SENSOR_AGGREGATION_ON set MATCH 0 # Loop thru the RTEVENTS for a match on srcip msg foreach rteid $eventIDList { + if { [lindex $eventIDArray($rteid) 8] == $srcip && [lindex $eventIDArray($rteid) 7] == $msg } { # Have a match set MATCH $rteid + + # Do sid check if needed here + if {$SENSOR_AGGREGATION_ON} { + if { [lindex [split $rteid .] 0] != $sid } { + set MATCH 0 + } + } + } + } return $MATCH |
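Review bot: The sensor check added to CorrelateEvent resets MATCH to 0 after a hit from a different sensor, so when two stored events share srcip and msg but come from different sensors, a valid match found in an earlier iteration is discarded if a later iteration hits the other sensor, and the new event is not aggregated at all. Because the loop has no break and the last hit wins, the sensor test belongs in the selection rather than after it: make `if { $SENSOR_AGGREGATION_ON && [lindex [split $rteid .] 0] != $sid } { continue }` the first statement of the foreach body and drop the added `set MATCH 0` block. The check also recovers the sensor from the key format via split; if eventIDArray entries carry the same field layout as eventDataList (index 13 is read as sid in the first hunk), comparing `[lindex $eventIDArray($rteid) 13]` with $sid would remove that dependency on the key format, which is worth confirming. Whether SENSOR_AGGREGATION_ON is given a default before this proc runs is not visible here; if the global is unset, the new `if {$SENSOR_AGGREGATION_ON}` raises a no-such-variable error on every correlated event.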