Have Ruby installed. Install Hamsa using a patched version of sary. Build ds in the TokenAPI directory of Hamsa and build siggen in the Hamsa directory. A modern working version of Hamsa including the patch for sary can be found here. Sary can be found here. The commands listed here assume that setup.rb (found in this repository), ds and siggen (both found in the CHamsa repository) are on the user's PATH.
Run setup.rb on 2 directories full of traffic files with the desired output directories. For example if you have a directory of traffic 'tracker_traffic' in which you want to find invariants and you have a directory 'noise_traffic' with traffic you don't want to match against, run
setup.rb tracker_traffic [tracker_odir]
setup.rb noise_traffic [noise_odir]
ds -w [odir]/data.ary [odir]/data
for each of the 2 odirs to do some preproccessing.
siggen -S [user_traffic_odir] -N [noise_traffic_odir] -G [output_dir]
where output_dir is empty.
The json_suspool and json_norpool directories were used with setup.rb and ds to generate the suspool and norpool directories which were used as input to siggen. The output directory contains the generated signatures using the command
siggen -S suspool -N norpool -G output