Event Fields; Event Operations; Filter Operation - Novell SENTINEL RAPID DEPLOYMENT 6.1 - REFERENCE GUIDE 06-15-2009 Reference Manual


3.2 Event Fields

All operations function on event fields, which can be referred to by their labels or by their short tags within the correlation rule language. For a full list of labels and short tags, see Chapter 1, "Sentinel 6.1 Rapid Deployment Event Fields," on page 11. The label or metatag must also be combined with a prefix that designates whether the event field belongs to the incoming (current) event, prefix e., or to a past event that is stored in memory, prefix w.
Examples:
e.DestinationIP (Destination IP for the current event)
e.dip (Destination IP for the current event)
w.dip (Destination IP for any stored event)
WARNING: If you rename the label of a metatag, do not use the original label name when creating
a correlation rule.

3.3 Event Operations

Event operations evaluate, compare, and count events. They include the following operations:
Filter: Evaluates the current event to determine whether it can potentially trigger a rule to fire
Window: Compares the current event to past events that have been stored in memory
Trigger: Counts events to determine whether enough events have occurred to trigger a rule
Each operation works on a set of events: it receives a set of events as input and returns a set of events as output. The current event being processed by a rule has a special meaning in the semantics of the language: it is always part of the set of events going into and coming out of an operation, unless that set is empty. If the input set of an operation is empty, the operation is not evaluated.

3.3.1 Filter Operation

Filter consists of a Boolean expression that evaluates the current event from the real-time event stream. It compares event attributes to user-specified values using a wide set of operators. The Boolean expression is a composite of comparison and match instructions.
The syntax for filter is:
Filter <Boolean expression 1> [NOT|AND|OR <Boolean expression 2>] [...] [NOT|AND|OR <Boolean expression n>]
Where
<Boolean expressions 1...n> are expressions using one or more event field names and filter operators
For example, this rule detects whether the current event has a severity of 4 and the resource event field contains either "FW" or "Comm":
filter(e.sev = 4 and (e.res match regex ("FW") or e.res match regex ("Comm")))
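Sentinel's correlation engine is not on this page, so the following is an added Python example, not Novell's code, that implements a small evaluator for the filter syntax above and runs the guide's own rule over constructed sample events. It covers the points of both sections 3.2 and 3.3.1: label and short-tag field references, the e. versus w. prefix (a w. reference is rejected, because Filter only ever sees the current event), AND/OR/NOT with parentheses, the comparison operators, match regex, and the rule that an empty input set is not evaluated. Assumptions made here and not stated by the guide: the label-to-tag table is a four-entry stand-in (only DestinationIP/dip appears on the page), match regex is treated as an unanchored search, NOT binds tighter than AND, which binds tighter than OR, the current event is taken to be the first element of the input set, and the sample events and the hypothetical function names (tokenize, parse_filter, evaluate, filter_op) are this example's own.

```python
import re
# Label -> short tag map. Only DestinationIP/dip is from the guide; the rest are assumed stand-ins.
FIELD_TAGS = {"DestinationIP": "dip", "SourceIP": "sip", "Severity": "sev", "Resource": "res"}
OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b, "<": lambda a, b: a < b,
       ">": lambda a, b: a > b, "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b}
TOKEN_RE = re.compile(r'''\s*(?: (?P<num>\d+) | (?P<str>"[^"]*")
    | (?P<field>[ew]\.[A-Za-z_][A-Za-z0-9_]*) | (?P<op><=|>=|!=|=|<|>)
    | (?P<word>[A-Za-z]+) | (?P<paren>[()]) | (?P<err>\S) )''', re.VERBOSE)

def tokenize(text):
    tokens = []
    for m in TOKEN_RE.finditer(text):
        if m.lastgroup == "err":
            raise SyntaxError(f"unexpected {m.group('err')!r} at offset {m.start('err')}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens

class Parser:
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def accept(self, word):  # consume the next token if it is this keyword (case-insensitive)
        hit = self.peek()[0] == "word" and self.peek()[1].lower() == word
        self.i += hit
        return hit
    def take(self, kind, value=None):  # consume the next token, which must be of this kind
        k, v = self.peek()
        if k != kind or (value is not None and v.lower() != value):
            raise SyntaxError(f"expected {value or kind}, got {v!r}")
        self.i += 1
        return v
    def expr(self):  # precedence (assumed): or < and < not, parentheses group
        return self.binary("or", lambda: self.binary("and", self.not_expr))
    def binary(self, word, operand):
        node = operand()
        while self.accept(word):
            node = (word, node, operand())
        return node
    def not_expr(self):
        if self.accept("not"):
            return ("not", self.not_expr())
        if self.peek() == ("paren", "("):
            self.i += 1
            node = self.expr()
            self.take("paren", ")")
            return node
        return self.comparison()
    def comparison(self):
        field = self.take("field")
        if self.accept("match"):  # <field> match regex ("<pattern>")
            self.take("word", "regex")
            self.take("paren", "(")
            pattern = self.take("str")[1:-1]
            self.take("paren", ")")
            return ("regex", field, pattern)
        op = self.take("op")  # <field> <op> <number | "string">
        kind, raw = self.peek()
        if kind not in ("num", "str"):
            raise SyntaxError(f"expected a value, got {raw!r}")
        self.i += 1
        return ("cmp", field, op, int(raw) if kind == "num" else raw[1:-1])

def parse_filter(rule):
    """Parse a bare Boolean expression or the guide's filter(...) wrapper into an AST."""
    m = re.fullmatch(r"\s*filter\s*\((.*)\)\s*", rule, re.S | re.I)
    parser = Parser(tokenize(m.group(1) if m else rule))
    node = parser.expr()
    if parser.peek()[0] is not None:
        raise SyntaxError(f"trailing input: {parser.peek()[1]!r}")
    return node

def resolve(field, event):
    """Look up e.<label or short tag> in the current event; w. (a stored past event) is rejected."""
    prefix, name = field.split(".", 1)
    if prefix != "e":
        raise ValueError(f"{field}: Filter only sees the current event (e. prefix)")
    return event[FIELD_TAGS.get(name, name)]

def evaluate(node, event):
    kind, *args = node
    if kind == "or":
        return evaluate(args[0], event) or evaluate(args[1], event)
    if kind == "and":
        return evaluate(args[0], event) and evaluate(args[1], event)
    if kind == "not":
        return not evaluate(args[0], event)
    if kind == "regex":  # assumption: 'match regex' is an unanchored search, as the "FW" example implies
        return re.search(args[1], str(resolve(args[0], event))) is not None
    field, op, value = args
    return OPS[op](resolve(field, event), value)

def filter_op(rule, events):  # empty input set: not evaluated; otherwise events[0] is the current event
    return list(events) if events and evaluate(parse_filter(rule), events[0]) else []

# Constructed sample events keyed by short tag, and the guide's own example rule.
SAMPLE_EVENTS = [{"sev": 4, "res": "FW-edge-01", "dip": "10.0.0.5"},
                 {"sev": 4, "res": "CommServer", "dip": "10.0.0.9"},
                 {"sev": 3, "res": "FW-edge-01", "dip": "10.0.0.5"},
                 {"sev": 4, "res": "DNS", "dip": "10.0.0.7"}]
RULE = 'filter(e.sev = 4 and (e.res match regex ("FW") or e.res match regex ("Comm")))'
```

Running each sample event through filter_op as the current event, only the first two (severity 4 with a resource containing "FW" or "Comm") pass the guide's rule; the same rule written with labels, e.Severity and e.Resource, resolves through FIELD_TAGS to the same result, which is the point of the WARNING in 3.2: after a label is renamed, the old label no longer resolves, so rules must use the new one. Feeding filter_op an empty set returns an empty set without the expression being evaluated, matching the rule in 3.3.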
