I am forwarding this mail on behalf of a list member.
risto

--- On Wed, 1/20/10, Pierre Vigneras <pierre.vigne...@bull.net> wrote:

> From: Pierre Vigneras <pierre.vigne...@bull.net>
> Subject: Complex rule ? Any idea ?
> To: simple-evcorr-users-requ...@lists.sourceforge.net
> Cc: ris...@users.sourceforge.net
> Date: Wednesday, January 20, 2010, 3:25 PM
>
> Dear all,
>
> Here is a problem we can't find a "good" solution to. Any idea in that regard
> would be appreciated! ;-)
>
> We would like to implement the following functional use case: "when at least
> n warning alerts from distinct hosts are detected within a given time window,
> then an action should be triggered on those hosts during that time window".
>
> Warning alerts have a form that allows the identification of the sending host,
> such as (simplified):
>
> timestamp host WARNING
> 1253021598 phebus WARNING
>
> Let's take some sample data (please use a fixed-width font such as monospace
> for the following):
>
>
> |----'----'----'----|----'----'----'----|
> A    B    A    B
>                     A    C    D    E
>
>
> Where |----' represents one unit of time (second), |...| a time window,
> and A, B, C, D warning alerts sent by hosts A, B, C and D respectively
> (actually, received by SEC).
>
> In our use case, with a time window of 4 seconds and n=3, we would like an
> action to be triggered for hosts B, A, C and D (a script is first called with
> parameter ABC, and another time with parameter D). The reasoning is the
> following:
>
> On the first A, a time window is "opened". On the first B, we "increment the
> alert counter" (2: AB). On the second A, since we already have an A, the
> beginning of the window is shifted toward the first B (counter=2: BA). When
> the second B is encountered, there is already a B, therefore the window is
> shifted toward the second A (counter=2, AB). On the third A, we already have
> an A, therefore the window is also shifted toward B (counter=2, BA). On event
> C, we now have 3 different hosts, therefore the action is triggered (script
> is called with parameter BAC). Finally, when D is received, we are still in
> a time window of 4 seconds (between the last B and D, we only have 3 seconds).
> Therefore, the action is also triggered (script is called with parameter D).
> Finally, one second after D, the time window is closed. The receipt of E
> starts a new one and the process starts again.
>
> At first, we implemented the use case using a SingleWithThreshold rule, but it
> does not work because it forgets following events after the threshold has
> been reached. Then we used a combination of a SingleWithThreshold rule
> followed by a Single rule using takenext=continue and a context, but it does
> not work either because we are unable to make SEC understand what we want
> (counting only "distinct alerts").
>
> We are thinking of a solution based on a lot of Perl code inside a Single
> rule, but this solution looks pretty ugly to us (since most of the rule
> smartness would be in the custom Perl code, not in SEC). We wonder if there
> is a simple way to achieve this in SEC.
>
> Thanks again for any help.
> Best Regards.
>
> --
> HPC R&D
> BARD / Bruyères-Le-Châtel
> Bull, Architect of an Open World TM (www.bull.com)
> Direct Line: +33 (0)1 69 26 56 95

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
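The following is an added example, not code from the poster and not an SEC rule: a small Python model of the correlation semantics spelled out in the mail, run over a constructed set of "timestamp host WARNING" lines that reproduce the A B A B A C D E timeline at one event per second. It is meant to pin down the rule's behaviour before anyone encodes it in SEC (the same logic would be the body of the Perl the poster is reluctant to write). Two points the mail does not settle are filled in as assumptions and marked in the code: before the threshold is reached, a host whose alert has aged out of the window without a repeat is dropped; after the action has fired, a repeat of a host already acted on is ignored rather than shifting the window. The host names, timestamps, `parse_warning`, `DistinctHostWindow` and `correlate` are all invented for the example.

```python
from collections import OrderedDict
from typing import List, Optional, Tuple

# Constructed sample input mirroring the mail's timeline: one WARNING per
# second from hosts A B A B A C D E, in the mail's "timestamp host WARNING"
# format (timestamps are arbitrary, only their spacing matters).
SAMPLE_LINES = [
    "1253021598 A WARNING",
    "1253021599 B WARNING",
    "1253021600 A WARNING",
    "1253021601 B WARNING",
    "1253021602 A WARNING",
    "1253021603 C WARNING",
    "1253021604 D WARNING",
    "1253021605 E WARNING",
]


def parse_warning(line: str) -> Optional[Tuple[int, str]]:
    """Return (timestamp, host) for a 'timestamp host WARNING' line, else None."""
    parts = line.split()
    if len(parts) != 3 or parts[2] != "WARNING" or not parts[0].isdigit():
        return None
    return int(parts[0]), parts[1]


class DistinctHostWindow:
    """Sliding window over distinct hosts, following the mail's reasoning.

    Before the threshold is reached, a repeated host shifts the window start
    forward past its previous occurrence, so the window never holds the same
    host twice. Once `threshold` distinct hosts are present the action fires
    with all of them; the window then stays open until `window` seconds after
    its oldest retained event, and each further new host fires on its own.
    When the window closes, state is reset and the next event opens a new one.
    """

    def __init__(self, window: int, threshold: int) -> None:
        self.window = window
        self.threshold = threshold
        # host -> timestamp of its (only) retained alert, in arrival order
        self.hosts: "OrderedDict[str, int]" = OrderedDict()
        self.fired = False

    def _start(self) -> int:
        """Timestamp of the oldest retained alert, i.e. the window start."""
        return next(iter(self.hosts.values()))

    def feed(self, ts: int, host: str) -> Optional[List[str]]:
        """Process one alert; return the hosts to act on, or None."""
        if self.fired:
            if ts - self._start() >= self.window:
                # Window closed: forget everything and start afresh below.
                self.hosts.clear()
                self.fired = False
            elif host in self.hosts:
                # Assumption: a host already acted on is not reported again.
                return None
            else:
                self.hosts[host] = ts
                return [host]

        # Assumption (not spelled out in the mail): alerts that aged out of
        # the window without a repeat shifting them out are dropped too.
        while self.hosts and ts - self._start() >= self.window:
            self.hosts.popitem(last=False)

        if host in self.hosts:
            # Repeat: shift the window start past the previous occurrence.
            while self.hosts.popitem(last=False)[0] != host:
                pass
        self.hosts[host] = ts

        if len(self.hosts) >= self.threshold:
            self.fired = True
            return list(self.hosts)
        return None


def correlate(lines: List[str], window: int = 4, threshold: int = 3) -> List[List[str]]:
    """Run the window over log lines; return each triggered host list in order."""
    corr = DistinctHostWindow(window, threshold)
    actions: List[List[str]] = []
    for line in lines:
        parsed = parse_warning(line)
        if parsed is None:
            continue  # not a WARNING line in the expected shape
        hosts = corr.feed(*parsed)
        if hosts:
            actions.append(hosts)
    return actions


if __name__ == "__main__":
    # With window=4 and n=3 this prints "action.sh B A C" then "action.sh D".
    for hosts in correlate(SAMPLE_LINES):
        print("action.sh", " ".join(hosts))
```

Running it over the sample yields exactly the two invocations the mail describes (BAC, then D alone), and E after the window closes opens a new window without firing. The state a real rule would need is just the ordered host-to-timestamp map plus the fired flag, which is small enough to keep in an SEC context or in a few lines of embedded Perl; the part worth checking against whatever SEC rules are eventually written is the three cases in `feed`.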