Alert Correlation Unit (Implementation)

The ACU represents an actual implementation of the ACU Framework.

ConfigParser

class beemaster::ConfigParser

Public Functions

ConfigParser(std::string const &filepath)

Read filepath as an INI file.

Sections are introduced with [header], comments with # (as the first character of a line) and key-value pairs as key = value.

Parameters
  • filepath: The file to read

std::string GetString(std::string const &section, std::string const &entry)

Get string for given path.

Return
The stored value
Parameters
  • section: The section to look in
  • entry: The entry to look for

int GetInt(std::string const &section, std::string const &entry)

Get integer for given path.

Return
The stored value (converted via atoi).
Parameters
  • section: The section to look in
  • entry: The entry to look for
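The format described above, as an added example that is not the project's ConfigParser: a hypothetical IniConfig class that reads [section] headers, first-column # comments and key = value lines from any input stream, and exposes GetString/GetInt. It substitutes std::stoi for atoi so that a malformed number is reported instead of silently becoming 0; the sample configuration embedded in LoadSample() is constructed for the example.

```cpp
#include <map>
#include <sstream>
#include <stdexcept>
#include <string>

// Hypothetical stand-in for beemaster::ConfigParser (not the project's code) for the format
// described above: [section] headers, '#' comments in the first column, "key = value" pairs.
class IniConfig {
public:
    // Reads any std::istream (a std::ifstream for a real file); entries are keyed "section/entry".
    explicit IniConfig(std::istream &in) {
        std::string line, section;
        while (std::getline(in, line)) {
            if (line.empty() || line[0] == '#') continue;   // blank line or comment
            line = Trim(line);
            if (line.size() >= 2 && line.front() == '[' && line.back() == ']') {
                section = line.substr(1, line.size() - 2);  // section header
                continue;
            }
            std::size_t eq = line.find('=');
            if (eq == std::string::npos) continue;          // not a key = value line
            values_[section + "/" + Trim(line.substr(0, eq))] = Trim(line.substr(eq + 1));
        }
    }
    std::string GetString(const std::string &section, const std::string &entry) const {
        auto it = values_.find(section + "/" + entry);
        if (it == values_.end()) throw std::out_of_range("missing entry " + section + "/" + entry);
        return it->second;
    }
    // std::stoi rather than atoi: a non-numeric value throws instead of silently becoming 0.
    int GetInt(const std::string &section, const std::string &entry) const {
        return std::stoi(GetString(section, entry));
    }
private:
    static std::string Trim(const std::string &s) {
        std::size_t b = s.find_first_not_of(" \t\r"), e = s.find_last_not_of(" \t\r");
        return b == std::string::npos ? "" : s.substr(b, e - b + 1);
    }
    std::map<std::string, std::string> values_;
};

IniConfig LoadSample() {
    // Constructed sample configuration, embedded so the example runs without a file on disk.
    std::istringstream in("# ACU sample configuration (constructed)\n[broker]\nhost = 127.0.0.1\n"
                          "port = 9999\n[portscan]\nportcount = 20\n");
    return IniConfig(in);
}
```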

AlertMapper

class beemaster::AlertMapper

Inherits from AlertMapper

Public Functions

acu::IncomingAlert *GetAlert(const std::string *topic, const broker::message &msg) const

Map an incoming broker-message into an IncomingAlert. The implementation may decide to return a more specific alert.

Return
The corresponding IncomingAlert (possible subtype)
Parameters
  • topic: The topic this message arrived on
  • msg: The message which will be converted

TcpAlert

class beemaster::TcpAlert

Inherits from IncomingAlert

Public Functions

TcpAlert(const std::string *topic, const broker::message &msg)

Instantiate a TcpAlert. This alert represents an incoming TCP event.

Parameters
  • topic: The topic this alert was sent on
  • msg: The message of this event

const TcpType &type() const

Return
The TcpType of this event

PortscanAggregation

class beemaster::PortscanAggregation

Inherits from Aggregation

Public Functions

PortscanAggregation(acu::Storage *storage, std::vector<acu::Threshold> *thresholds)

Instantiate a PortscanAggregation.

Parameters
  • storage: The shared storage object
  • thresholds: The thresholds to trigger the PortscanCorrelation

bool Invoke(const acu::IncomingAlert *alert)

Method triggered upon a new IncomingAlert. Aggregates values and returns true if the correlation shall be triggered.

Return
True if the correlation shall be triggered, false otherwise
Parameters
  • alert: The new IncomingAlert.

Public Static Attributes

const std::string THRESHOLD_PORT = "__destination_port__"

Constant port fieldname for the threshold.

const std::string THRESHOLD_TIMESTAMP = "__timestamp__"

Constant timestamp fieldname for the threshold.

PortscanCorrelation

class beemaster::PortscanCorrelation

Inherits from Correlation

Public Functions

PortscanCorrelation(RocksStorage *storage, std::vector<acu::Threshold> *thresholds)

Instantiate a PortscanCorrelation.

Parameters
  • storage: The shared storage object
  • thresholds: The thresholds controlling the granularity of the correlation

acu::OutgoingAlert *Invoke()

Method triggered by the aggregation result. Correlates aggregated data to build up a possible meta-alert.

Return
nullptr if no correlation happened; a valid OutgoingAlert otherwise

Public Static Attributes

const std::string THRESHOLD_PORT_COUNT = "__portcount__"

Constant port-count fieldname for the threshold.
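The aggregation/correlation pair described in the two sections above, as an added example that is not the project's code. It assumes the thresholds mean "__portcount__" = number of distinct destination ports and "__timestamp__" = look-back window in minutes (the page does not fix these semantics), and uses a constructed SynAlert struct in place of TcpAlert; Invoke() mirrors PortscanAggregation::Invoke and Correlate() mirrors PortscanCorrelation::Invoke, filling the meta-alert's destination_ips.

```cpp
#include <algorithm>
#include <chrono>
#include <map>
#include <set>
#include <string>
#include <vector>

using Clock = std::chrono::system_clock;
// Constructed stand-in for a TCP SYN alert; the real TcpAlert wraps a broker::message.
struct SynAlert {
    std::string source_ip, destination_ip;
    int destination_port;
    Clock::time_point timestamp;
};
// Thresholds are this example's reading of "__portcount__" (distinct ports) and "__timestamp__" (window).
class PortscanDetector {
public:
    PortscanDetector(int portcount, int window_minutes)
        : portcount_(portcount), window_(std::chrono::minutes(window_minutes)) {}
    // Aggregation step: keep the source's alerts inside the window, report whether to correlate.
    bool Invoke(const SynAlert &a) {
        std::vector<SynAlert> &hist = history_[a.source_ip];
        hist.push_back(a);
        const Clock::time_point cutoff = a.timestamp - window_;
        hist.erase(std::remove_if(hist.begin(), hist.end(),
                   [&](const SynAlert &h) { return h.timestamp < cutoff; }), hist.end());
        return DistinctPorts(hist) >= portcount_;
    }

    // Correlation step: fill destination_ips and consume the window; false stands for nullptr.
    bool Correlate(const std::string &source_ip, std::vector<std::string> &destination_ips) {
        auto it = history_.find(source_ip);
        if (it == history_.end() || DistinctPorts(it->second) < portcount_) return false;
        std::set<std::string> targets;
        for (const SynAlert &h : it->second) targets.insert(h.destination_ip);
        destination_ips.assign(targets.begin(), targets.end());
        history_.erase(it);
        return true;
    }

private:
    static int DistinctPorts(const std::vector<SynAlert> &hist) {
        std::set<int> ports;
        for (const SynAlert &h : hist) ports.insert(h.destination_port);
        return static_cast<int>(ports.size());
    }
    int portcount_;
    Clock::duration window_;
    std::map<std::string, std::vector<SynAlert>> history_;
};
```

Repeated SYNs to the same port do not raise the distinct-port count, and alerts older than the window are dropped on every Invoke(), so a slow scan spread beyond the window is not reported by this logic.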

PortscanAlert

class beemaster::PortscanAlert

Inherits from OutgoingAlert

Public Functions

PortscanAlert(const std::string &name, const std::chrono::time_point<std::chrono::system_clock> &timestamp)

Instantiate a PortscanAlert. This alert represents an outgoing alert, produced by the PortscanCorrelation.

Parameters
  • name: The name of the event
  • timestamp: The point in time this alert was created

const std::string EventName() const

Return
This event’s name

const broker::message ToMessage() const

Return
The corresponding broker-message of this alert

Public Members

std::vector<std::string> destination_ips

The targeted IP addresses.

RocksStorage

class beemaster::RocksStorage

Inherits from Storage

Public Functions

RocksStorage(std::string db_name)

Initialise and open the DB.

Parameters
  • db_name: The path for the database

~RocksStorage()

void Persist(const acu::IncomingAlert *alert)

Persist an alert.

bool Append(const std::string key, const std::string value)

Appends the given value to values currently nested under key.

Return
Success boolean
Parameters
  • key: The key which will be set
  • value: The value to set

std::string Get(const std::string key)

Get the value of key.

Return
The stored value
Parameters
  • key: The key whose value will be returned

bool Delete(const std::string key)

Delete key.

Return
Success boolean
Parameters
  • key: The key which will be deleted

rocksdb::Iterator *GetIterator()

Returns the Iterator over the RocksDB, which allows for key-value traversal:

rocksdb::Iterator *it = storage->GetIterator();
for (it->SeekToFirst(); it->Valid(); it->Next()) {
  // it->key() and it->value() are rocksdb::Slice objects
  std::string key = it->key().ToString();
  std::string value = it->value().ToString();
}
assert(it->status().ok());  // check for read errors before trusting the traversal
delete it;

Be aware that key and value are rocksdb::Slice objects here. Convert them with it->key().ToString() / it->value().ToString(), or reinterpret the raw bytes via *(const <type> *)it->key().data() / *(const <type> *)it->value().data() (only safe when the stored bytes really are a <type> of that size).

Public Members

rocksdb::DB *database

The underlying RocksDB.

rocksdb::Options options

The used RocksDB options.

rocksdb::WriteOptions writeOptions

The used RocksDB WriteOptions.

VectorStorage

class beemaster::VectorStorage

Inherits from Storage

Public Functions

VectorStorage(std::string db_name)

Initialise the DB.

Parameters
  • db_name: The name of the database

~VectorStorage()

void Persist(const acu::IncomingAlert *alert)

Persist an alert.

std::vector<const acu::IncomingAlert *> *Pop(const std::string topic)

Return all messages for topic and remove them from the DB.

TcpType

enum beemaster::TcpType

Type of a TCP message.

Values:

SYN = 1

SYN TCP event.

Utils

namespace beemaster

Functions

bool contains_string(const std::string stack, const std::string needle, const char delimiter)

Checks whether needle is part of stack.

Return
True if found, false otherwise
Parameters
  • stack: The string to search in
  • needle: The string to search for
  • delimiter: Additional separator in the stack

std::string time_to_string(const std::chrono::time_point<std::chrono::system_clock> ts)

Return
The string representation of that point in time
Parameters
  • ts: The timepoint to convert

std::string decrement_minutes(const std::chrono::time_point<std::chrono::system_clock> ts, const uint64_t interval)

Subtract interval minutes from a point in time and return the result as a string.

Return
The resulting time as a string
Parameters
  • ts: The timepoint to count from
  • interval: The number of minutes to subtract from ts
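Reference implementations of the three utilities documented above, added as an example and not the project's own code. Two points the signatures leave open are fixed as assumptions here: contains_string matches whole delimiter-separated tokens (so an IP list lookup cannot match a prefix of a longer address), and times are rendered in UTC as "YYYY-MM-DD HH:MM:SS".

```cpp
#include <chrono>
#include <cstdint>
#include <ctime>
#include <sstream>
#include <string>

// Assumption of this example: the stack is a delimiter-separated list and needle must equal
// one whole token, not merely occur as a substring.
bool contains_string(const std::string stack, const std::string needle, const char delimiter) {
    std::istringstream in(stack);
    std::string token;
    while (std::getline(in, token, delimiter))
        if (token == needle) return true;   // "10.0.0.1" does not match the token "10.0.0.10"
    return false;
}

// Assumption of this example: UTC, fixed "YYYY-MM-DD HH:MM:SS" layout.
std::string time_to_string(const std::chrono::time_point<std::chrono::system_clock> ts) {
    std::time_t t = std::chrono::system_clock::to_time_t(ts);
    char buf[32];
    std::strftime(buf, sizeof buf, "%Y-%m-%d %H:%M:%S", std::gmtime(&t));
    return buf;
}

std::string decrement_minutes(const std::chrono::time_point<std::chrono::system_clock> ts,
                              const uint64_t interval) {
    // Subtract in the time domain first, then render: the result rolls over day and year
    // boundaries correctly, which editing the rendered string would not.
    return time_to_string(ts - std::chrono::minutes(static_cast<long long>(interval)));
}
```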