Sentinel Correlation Engine Rulelg Language; Correlation Rulelg Language Overview; Event Fields - Novell SENTINEL 6.1 SP2 - REFERENCE GUIDE 02-2010 Reference Manual

Hide thumbs Also See for SENTINEL 6.1 SP2 - REFERENCE GUIDE 02-2010:

Installation manual (176 pages)

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

page of 232

/ 232
Contents
Table of Contents
Bookmarks

Table of Contents

Sentinel Correlation Engine

RuleLG Language

This section is about Sentinel correlation engine Rule LG language.

4.1 Correlation RuleLG Language Overview

The Sentinel Correlation Engine runs rules that are written in the Correlation RuleLg language.

Rules are created in the Sentinel Control Center. Users can create rules using a wizard for the

following rule types:

Simple Rule



Composite Rule

Aggregate Rule



Sequence Rule



These rules are converted to the Correlation RuleLg language when the rules are saved. The same

rule types, plus even more complex rules, can be created in the Sentinel Control Center using the

Custom/Freeform option. To use the Custom/Freeform option, the user must have a good

understanding of the Correlation RuleLg language.

RuleLg uses several operations, operators, and event field short tags to define a rule. The Correlation

Engine loads the rule definition and uses the rules to evaluate, filter, and store in memory events that

meet the criteria specified by the rule. Depending on the rule definition, a correlation rule might fire

based on

the value of one field or multiple fields



the comparison of an incoming event to past events

the number of occurrences of similar events within a defined time period



one or more subrules firing



one or more subrules firing in a particular order

Each of these constructs is represented by an operation in RuleLg.

4.2 Event Fields

All operations function on event fields, which can be referred to by their labels or by their short tags

within the correlation rule language. For a full list of labels and short tags, see "Sentinel Event

Fields" section. The label or metatag must also be combined with a prefix to designate whether the

event field is part of the incoming event or a past event that is stored in memory.

Examples:

e.DestinationIP (Destination IP for the current event)

e.dip (Destination IP for the current event)

w.dip (Destination IP for any stored event)