Trigger Operation; Rule Operations - Novell SENTINEL RAPID DEPLOYMENT 6.1 - REFERENCE GUIDE 06-15-2009 Reference Manual


The current event is not placed into the window until after the current event window evaluation is complete.
To minimize memory usage, only the relevant parts of the past events, not all metatag values, are maintained in memory.

3.3.3 Trigger Operation

Trigger is used to specify a number of events for a user-specified duration.
The syntax for trigger is:
Trigger (<number of events>, <evaluation period>[, discriminator (<list of tags>)])
Where
<number of events> is an integer value specifying the number of matching events that are necessary for the rule to fire.
<evaluation period> specifies the duration for which past events matching the filter expression are maintained, specified in seconds (s), minutes (m), or hours (h). If no letter is specified, seconds are assumed.
discriminator is a field to group by.
For example, this rule detects if 5 events with the same source IP address happen within 10 seconds:
trigger(5,10,discriminator(e.sip))
Output Sets
If the specified count is reached within the specified duration, then a set of events containing all of the events maintained by the trigger is output; if not, the empty set is output.
When receiving a new input set of events, a trigger first discards the outdated events (events that have been maintained for more than the duration) and then inserts the current event. If the number of resulting events is greater than or equal to the specified count, then the trigger outputs a set containing all of the events.
If a trigger is the last operation (or the only operation) of a correlation rule, then the output set of the trigger is used to construct a correlated event (the correlated events being the trigger operation output set of events with the current event first).
If a trigger is not the last operation of a correlation rule (that is, it is followed by a flow operator), then the output set of a trigger is used as the input set to other operations (through the flow operator).
The discriminator (meta-tag list) is a comma-delimited list of meta-tags. A trigger operation keeps different counts for each distinct combination of the discriminator meta-tags.
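The following Python model is an added illustration of the trigger semantics described above (discard outdated events, insert the current event, fire when the count is reached, one window per discriminator value); it is not Sentinel's code, and the event dictionaries and the `Trigger`/`run` names are constructed for the example.

```python
from collections import defaultdict, deque

def parse_duration(spec):
    """Parse a Sentinel-style evaluation period ("10", "10s", "5m", "1h")
    into seconds. A bare number is taken as seconds, as the guide states."""
    spec = str(spec).strip()
    units = {"s": 1, "m": 60, "h": 3600}
    if spec[-1] in units:
        return int(spec[:-1]) * units[spec[-1]]
    return int(spec)

class Trigger:
    """Sliding-window trigger: fires once `count` matching events have arrived
    within `duration`, keeping a separate window per discriminator value."""
    def __init__(self, count, duration, discriminator=()):
        self.count = count
        self.duration = parse_duration(duration)
        self.discriminator = tuple(discriminator)
        self.windows = defaultdict(deque)  # discriminator key -> events, oldest first

    def feed(self, event):
        """Return the output set: all retained events (current event first)
        when the count is reached, otherwise the empty set."""
        key = tuple(event.get(tag) for tag in self.discriminator)
        window, now = self.windows[key], event["time"]
        # 1. discard events maintained for longer than the evaluation period
        while window and now - window[0]["time"] > self.duration:
            window.popleft()
        # 2. insert the current event
        window.append(event)
        # 3. fire if the window now holds at least `count` events
        if len(window) >= self.count:
            return [event] + [e for e in window if e is not event]
        return []

# Constructed sample events (not from the guide): one noisy source IP, one quiet.
EVENTS = [
    {"time": 0, "sip": "10.0.0.5"}, {"time": 2, "sip": "10.0.0.5"},
    {"time": 3, "sip": "10.0.0.9"}, {"time": 4, "sip": "10.0.0.5"},
    {"time": 6, "sip": "10.0.0.5"},
    {"time": 8, "sip": "10.0.0.5"},   # 5th event from 10.0.0.5 within 10 s: fires
    {"time": 25, "sip": "10.0.0.5"},  # earlier events have aged out: no fire
]

def run(events, count=5, duration="10", discriminator=("sip",)):
    """Model trigger(5,10,discriminator(e.sip)) over the events and return
    (time, size of output set) for each event at which the trigger fired."""
    trig = Trigger(count, duration, discriminator)
    return [(ev["time"], len(out)) for ev in events if (out := trig.feed(ev))]
```

Dropping the discriminator makes the 10.0.0.9 event count toward the same window, so the trigger fires earlier and again on the next event while the window is still full.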

3.4 Rule Operations

Rule operations work on subrules that have been combined into a compound rule. They include:
Gate
Sequence
