Keep in mind that there are several things that can cause SEC to see the logs in
a different order than they were generated in, so be careful about ordering
requirements.
David Lang
On Thu, 26 Jun 2014, Risto Vaarandi wrote:
For detecting sequences of events, you could use the following strategy:
type=single
ptype=regexp
pattern=event1: (\S+)
desc=detected event1: $1
action=create have_seen_event1_$1 60

type=single
ptype=regexp
pattern=event2: (\S+)
context=have_seen_event1_$1
desc=detected event2: $1
action=create have_seen_event1_event2_$1 30

type=single
ptype=regexp
pattern=event3: (\S+)
context=have_seen_event1_event2_$1
desc=detected event1, after <= 60 sec event2, after <=30 sec event3
action=write - %s
Note that the EventGroup rule does not assume any ordering for matching events,
and therefore you have to set up contexts from the 'countN' fields of
EventGroup in order to restrict matching similarly to the above example.
hope this helps,
risto
2014-06-25 14:34 GMT+03:00 Rolf Nufable <rolf_16_nufa...@yahoo.com>:
Hello Mailing List of Sec,
I seek help regarding my little experiment on sec where I want to
generate sequences of events, for example this sequence of events:
Monitor event -> physmod event -> comprom event -> Monitor event
I want to output in my database
Monitor -> physmod -> comprom -> monitor observed
in one config file. I've tried various correlation rules of sec but none
of them I think can give me the said output, though I think combining
these rules will give me the output; I just don't know how to tweak the
rules. I've also tried the EventGroup, which I thought was going to give me the
output, but using recurring patterns for the rule won't trigger it.
So please help me in this small but very important experiment that I have
in mind :)
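The context-chaining strategy from Risto's reply, applied to the four-step sequence Rolf asked about, as an added example (not from the original thread). It assumes a log format of "<event name>: <host>" so that $1 carries the host the stages are correlated on, and a 60 second window per step; the final `write -` could be swapped for a `pipe` action feeding a database insert script.

```ini
# Added example: Monitor -> physmod -> comprom -> Monitor, correlated per host ($1).
# Assumed input lines look like "physmod: host1"; each stage must follow the
# previous one within 60 seconds, otherwise the context expires and the chain resets.

type=single
ptype=regexp
pattern=Monitor: (\S+)
context=!seen_monitor_physmod_comprom_$1
desc=stage 1: Monitor on $1
action=create seen_monitor_$1 60

type=single
ptype=regexp
pattern=physmod: (\S+)
context=seen_monitor_$1
desc=stage 2: physmod on $1
action=delete seen_monitor_$1; create seen_monitor_physmod_$1 60

type=single
ptype=regexp
pattern=comprom: (\S+)
context=seen_monitor_physmod_$1
desc=stage 3: comprom on $1
action=delete seen_monitor_physmod_$1; create seen_monitor_physmod_comprom_$1 60

# Same pattern as stage 1; it is reached only when the stage-1 rule's negated
# context test fails, i.e. when the first three stages have already been seen.
type=single
ptype=regexp
pattern=Monitor: (\S+)
context=seen_monitor_physmod_comprom_$1
desc=Monitor -> physmod -> comprom -> monitor observed on $1
action=delete seen_monitor_physmod_comprom_$1; write - %s
```

Because every stage requires the context left by the previous one, an event that arrives out of order simply fails its context test and the chain starts over, which is the behaviour to expect if log delivery reorders events as David notes above.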
------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users