Rule Operations; Gate Operation - Novell SENTINEL 6.1 SP2 - REFERENCE GUIDE 02-2010 Reference Manual

Hide thumbs Also See for SENTINEL 6.1 SP2 - REFERENCE GUIDE 02-2010:

Installation manual (176 pages)

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

page of 232

/ 232
Contents
Table of Contents
Bookmarks

Table of Contents

<number of events> is an integer value specifying the number of matching

events that are necessary for the rule to fire

<evaluation period> specifies the duration for which past events matching the

filter expression are maintained, specified in seconds (s), minutes (m), or

hours (h).

discriminator is a field to group by

For example, this rule detects if 5 events with the same source IP address happen within 10 seconds.

trigger(5,10,discriminator(e.sip))

Output Sets



If the specified count is reached within the specified duration, then a set of events containing all

of the events maintained by the trigger is output; if not, the empty set is output.

When receiving a new input set of events, a trigger first discards the outdated events (events



that have been maintained for more than the duration) and then inserts the current event. If the

number of resulting events is greater than or equal to the specified count, then the trigger

outputs a set containing all of the events.

If a trigger is the last operation (or the only operation) of a correlation rule, then the output set



of the trigger is used to construct a correlated event (the correlated events being the trigger

operation output set of events with the current event first).

If a trigger is not the last operation of a correlation rule (that is, it is followed by a flow



operator), then the output set of a trigger is used as the input set to other operations (through the

flow operator).

The discriminator (meta-tag list) is a comma-delimited list of meta-tags. A trigger operation



keeps different counts for each distinct combination of the discriminator meta-tags.

4.4 Rule Operations

Rule operations work on subrules that have been combined into a compound rule. They include:

Gate



Sequence

4.4.1 Gate Operation

The gate operation is used to create a composite rule which is used in identifying complex situations

from the occurrence of simple situations.

The composite rule is made up of one or more nested subrules and can be configured to fire if some,

any or all of the subrules fire within a specified time window. The subrules can be a simple rule or

another composite rule. For more information on Composite Rule, see "Correlation Tab" in

6.1 User

Guide.

The syntax for gate is:

Gate(<subrule 1 rulelg>, <subrule 2 rulelg>...<subrule n ruleLg>,

<evaluation period>, discriminator(<list of tags>))

Where

Sentinel 6.1 Reference Guide

If no letter is specified, seconds are assumed.

Sentinel

<mode>,

Table of Contents

Chapters

Table of Contents

Need help?

Do you have a question about the SENTINEL 6.1 SP2 - REFERENCE GUIDE 02-2010 and is the answer not in the manual?

This manual is also suitable for:

Sentinel 6.1 sp2

Rule Operations; Gate Operation - Novell SENTINEL 6.1 SP2 - REFERENCE GUIDE 02-2010 Reference Manual

4.4 Rule Operations

4.4.1 Gate Operation

Chapters

Need help?

Related Manuals for Novell SENTINEL 6.1 SP2 - REFERENCE GUIDE 02-2010

Related Content for Novell SENTINEL 6.1 SP2 - REFERENCE GUIDE 02-2010

This manual is also suitable for:

Table of Contents