Novell SENTINEL 6.1 SP2 - REFERENCE GUIDE 02-2010 Reference Manual page 43
Hide thumbs
Also See for SENTINEL 6.1 SP2 - REFERENCE GUIDE 02-2010:
- Installation manual (176 pages)
Table of Contents
Advertisement
In addition to Boolean operators, filter supports the following operators.
Standard Arithmetic Operators
Standard arithmetic operators can be used to build a condition that compares the value of a Sentinel
metatag and a user-specified value (either a numeric value or a string field). The standard arithmetic
operators in Sentinel are =, <, >, !=, <=, and >=.
Examples:
filter(e.Severity > 3)
filter(e.BeginTime < 1179217665)
filter(e.SourceUserName != "Administrator")
Match Regex Operators
The match regex operator can be used to build a condition where the value of a metatag matches a
user-specified regular expression value specified in the rule. This operator is used only for string
tags, and the user-specified values for this operator are case-sensitive.
Examples:
filter(e.Collector match regex ("IBM"))
filter(e.EventName match regex ("Attack"))
Match Subnet Operators
The match subnet operator can be used to build a condition where the value of a metatag maches a
user-specified subnet specified in the rule in CIDR notation. This operator is used only for IP
address fields.
Example:
filter(e.DestinationIP match subnet (10.0.0.1/22))
Inlist Operator
The inlist operator is used to perform a lookup on an existing dynamic list of string values, returning
true if the value is present in the list. For more information on Dynamic Lists, see "Correlation Tab"
in
Sentinel 6.1 User
Guide.
For example, this filter expression is used to evaluate whether the Source IP of the current event is
present on a dynamic list called MailServerList. If the Source IP is present in this list, the expression
evaluates to TRUE.
filter(e.sip inlist MailServerList)
As another example, this filter expression combines the NOT and the INLIST operator. This
expression evaluates to TRUE if the Source IP is not present in the dynamic list called
MailServerList.
filter(not (e.sip inlist MailServerList))
This filter expression is used to evaluate whether the event name of the current event equals "File
Access" and the Source User Name is also not present on a dynamic list called AuthorizedUsers. If
both conditions are true for the current event, the expression evaluates to TRUE.
Sentinel Correlation Engine RuleLG Language
43
Advertisement
Chapters
Table of Contents
Related Manuals for Novell SENTINEL 6.1 SP2 - REFERENCE GUIDE 02-2010
Related Products for Novell SENTINEL 6.1 SP2 - REFERENCE GUIDE 02-2010
- NOVELL ZENWORKS LINUX MANAGEMENT 7.3 IR2 - ADMINISTRATION GUIDE 02-12-2010
- NOVELL APPARMOR 2.0.1 - ADMINISTRATION GUIDE 05-2008
- NOVELL EDIRECTORY 8.8 - GUIDE 09-2006
- NOVELL IFOLDER 3.X - SECURITY ADMINISTRATOR GUIDE 08-15-2006
- NOVELL INTELLISYNC MOBILE SUITE 7.0 - SECURE GATEWAY ADMINISTRATOR GUIDE 04-2006
- NOVELL LINUX ENTERPRISE DESKTOP 10 SP1 - START UP GUIDE 03-15-2007
- NOVELL LINUX ENTERPRISE SERVER 10 - START-UP GUIDE 06-12-2006
- NOVELL LINUX ENTERPRISE SERVER 10 SP2 - STARTUP GUIDE 05-08-2008
- NOVELL LINUX ENTERPRISE SERVER 10 SP2 - STORAGE ADMINISTRATION GUIDE 05-15-2009
- NOVELL OPEN ENTERPRISE SERVER 2 SP2 - LAB GUIDE 01-19-2010
- NOVELL PLATESPIN ORCHESTRATE 2.0.2 - HIGH AVAILABILITY CONFIGURATION GUIDE 06-17-2009
- NOVELL PRIVILEGED USER MANAGER 2.2.1 - ADMINISTRATION GUIDE 03-31-2010
- NOVELL SERVER CONSOLIDATION MIGRATION TOOLKIT 1.2 - ADMINISTRATION GUIDE 09-2007
- NOVELL ZENWORKS APPLICATION VIRTUALIZATION 8.0 - INTEGRATION AND STREAMING GUIDE 05-07-2010
- NOVELL ZENWORKS LINUX MANAGEMENT 7.2 IR2 - ADMINISTRATION GUIDE 09-25-2008
- NOVELL ZENWORKS NETWORK ACCESS CONTROL 5.0 - INSTALLATION GUIDE 09-22-2008
Need help?
Do you have a question about the SENTINEL 6.1 SP2 - REFERENCE GUIDE 02-2010 and is the answer not in the manual?
Questions and answers