Hi Risto,

Yes, your suppositions in the points 1, 2 and 3 are correct.
The events can appear in any order.
The expected time window for these events is 60 seconds.

Kind regards,
Agustín


Cc: simple-evcorr-users@lists.sourceforge.net 
<simple-evcorr-users@lists.sourceforge.net>
Subject: Re: [Simple-evcorr-users] IP correlation with EventGroup

hi Agustin,

Hi Risto,
My name is Agustín, I'm working with the SEC and I have a problem that I can't 
solve.
I have different events such as:
EVENT_TYPE_A FROM 1.1.1.1
EVENT_TYPE_A FROM 2.2.2.2
EVENT_TYPE_B FROM 1.1.1.1
EVENT_TYPE_B FROM 2.2.2.2
EVENT_TYPE_C FROM 1.1.1.1
EVENT_TYPE_C FROM 2.2.2.2
EVENT_TYPE_D FROM 2.2.2.2
FINISH

And I want to get SEC to correlate the events for each IP when the FINISH event 
comes in with the following logic:


  *   For each IP:
     *   (INPUT FOR SAME IP)
        *   EVENT_TYPE_A && EVENT_TYPE_B
     *   (OUTPUT)
        *   MATCH_1 FOR IP
     *   (INPUT FOR SAME IP)
        *   EVENT_TYPE_A && EVENT_TYPE_B && EVENT_TYPE_C
     *   (OUTPUT)
        *   MATCH_2 FOR IP
     *   (INPUT FOR SAME IP)
        *   EVENT_TYPE_A || EVENT_TYPE_B && EVENT_TYPE_D
     *   (OUTPUT)
        *   MATCH_3 FOR IP


Before suggesting anything, I'd like to clarify some details of the problem you 
have. Have I understood correctly that you are dealing with the following three 
scenarios?

1) if events of type A and type B are observed for the same IP address, you 
would like to trigger an action for this IP address,
2) if events of type A, B and C are observed for the same IP address, you would 
like to trigger an action for this IP address,
3) if you see either an event of type A, or events of types B and D for the same 
IP address, you would like to trigger an action for this IP address.

Also, is the order of events important or can they appear in any order? And 
what is the expected time window for these events? (Is it 60 seconds as your 
rule example suggests?)

kind regards,
risto

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
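The three scenarios as Risto restates them, played through the sample events with the 60-second window and any-order matching that Agustín confirms in his reply, as an added Python model. This is not a SEC rule set and not code from the thread; it gives the expected output that a SEC EventGroup or context-based rule set for the same job can be checked against. The timestamps, the 3.3.3.3 host, the unrelated log line and the second batch are constructed, and resetting state after each FINISH is an assumption.

```python
"""Model of the per-IP correlation logic discussed in the thread.

Added illustration, not SEC rules and not code from the thread.  It plays
the sample events through the three scenarios as Risto restates them, using
the 60-second window and any-order matching that Agustin confirms, so a SEC
rule set built for the same job can be checked against expected output.
"""
import re
from collections import defaultdict

WINDOW_SECONDS = 60  # confirmed in the thread

# Event lines look like "EVENT_TYPE_A FROM 1.1.1.1"; anything else is ignored.
# The IPv4 pattern is deliberately loose (no per-octet range check).
EVENT_RE = re.compile(r"^EVENT_TYPE_([A-D]) FROM (\d{1,3}(?:\.\d{1,3}){3})$")


def matches_for(live):
    """Apply the three scenarios to the set of event types still inside the
    window for one IP.  Scenario 3 is read as A || (B && D), the precedence
    Risto asked about and Agustin confirmed."""
    a, b, c, d = ("A" in live, "B" in live, "C" in live, "D" in live)
    out = []
    if a and b:
        out.append("MATCH_1")
    if a and b and c:
        out.append("MATCH_2")
    if a or (b and d):
        out.append("MATCH_3")
    return out


def evaluate(seen, now, window):
    """seen: ip -> {event type: timestamp of its latest occurrence}.
    Drop anything older than the window, then score each IP."""
    result = {}
    for ip, by_type in seen.items():
        live = {t for t, ts in by_type.items() if now - ts <= window}
        found = matches_for(live)
        if found:
            result[ip] = found
    return result


def correlate(events, window=WINDOW_SECONDS):
    """events: iterable of (timestamp_seconds, line).  Returns one
    {ip: [matches]} dict per FINISH line, in input order.  State is reset
    after each FINISH; that reset is an assumption, the thread does not say
    whether a batch may span several FINISH lines."""
    seen = defaultdict(dict)
    results = []
    for ts, line in events:
        line = line.strip()
        if line == "FINISH":
            results.append(evaluate(seen, ts, window))
            seen.clear()
            continue
        m = EVENT_RE.match(line)
        if m is None:
            continue  # unrelated line
        etype, ip = m.groups()
        seen[ip][etype] = ts  # latest occurrence wins
    return results


# Constructed input: the thread's eight lines with made-up timestamps, plus
# a host (3.3.3.3) whose A and C events are stale by the time FINISH arrives,
# one unrelated line, and a second batch containing only an A event.
SAMPLE_EVENTS = [
    (10, "EVENT_TYPE_A FROM 3.3.3.3"),
    (10, "EVENT_TYPE_C FROM 3.3.3.3"),
    (100, "EVENT_TYPE_A FROM 1.1.1.1"),
    (101, "EVENT_TYPE_A FROM 2.2.2.2"),
    (102, "EVENT_TYPE_B FROM 1.1.1.1"),
    (103, "EVENT_TYPE_B FROM 2.2.2.2"),
    (104, "EVENT_TYPE_C FROM 1.1.1.1"),
    (105, "EVENT_TYPE_C FROM 2.2.2.2"),
    (105, "EVENT_TYPE_B FROM 3.3.3.3"),
    (106, "EVENT_TYPE_D FROM 2.2.2.2"),
    (107, "Oct  1 12:01:47 host sshd[1]: unrelated line"),
    (108, "FINISH"),
    (120, "EVENT_TYPE_A FROM 2.2.2.2"),
    (121, "FINISH"),
]


if __name__ == "__main__":
    for batch_no, batch in enumerate(correlate(SAMPLE_EVENTS), 1):
        for ip, found in sorted(batch.items()):
            print(f"batch {batch_no}: {ip} -> {' '.join(found)}")
```

Two things the run makes visible that the bullet list alone does not. First, with the confirmed reading A || (B && D), an A event on its own already produces MATCH_3, so every IP that gets MATCH_1 also gets MATCH_3 (both 1.1.1.1 and 2.2.2.2 above, and 2.2.2.2 again in the second batch from a lone A); if only the B && D half was meant to combine with A, the expression needs parentheses. Second, 3.3.3.3 gets nothing: its A and C events are 98 seconds old when FINISH arrives, so only B survives the 60-second window, which is the behaviour a SEC rule with window=60 should reproduce.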