Gate Operation; Sequence Operation - Novell SENTINEL RAPID DEPLOYMENT 6.1 - REFERENCE GUIDE 06-15-2009 Reference Manual


3.4.1 Gate Operation

The gate operation creates a composite rule, which is used to identify complex situations from the occurrence of simple situations.
The composite rule is made up of one or more nested subrules and can be configured to fire if some, any or all of the subrules fire within a specified time window. A subrule can be a simple rule or another composite rule. For more information on composite rules, see "Correlation Tab" in the Sentinel 6.1 Rapid Deployment User Guide.
The syntax for gate is:
    Gate(<subrule 1 rulelg>, <subrule 2 rulelg> ... <subrule n rulelg>, <mode>,
         <evaluation period>, discriminator(<list of tags>))
Where:
    <subrule 1 rulelg> ... <subrule n rulelg> are the rulelg definitions of the 1 to n subrules.
    <mode> = all | any | 1 | 2 | ... | n, the number of subrules that must be triggered in order for the gate rule to trigger.
    <evaluation period> specifies the duration for which past events matching the filter expression are maintained, expressed in seconds (s), minutes (m), or hours (h). If no letter is specified, seconds are assumed.
    discriminator(<list of tags>) lists the fields to group by.
For example, this rule is a typical perimeter security IDS inside/outside rule: it fires when the same event is seen by both the "in" and the "out" sensor for the same destination IP within 60 seconds.
    filter(e.sev > 3) flow gate(filter(e.sn = "in"), filter(e.sn = "out"), all, 60s, discriminator(e.dip, e.evt))

3.4.2 Sequence Operation

Sequence rules are similar to gate rules, except that all child rules must fire in time order for the sequenced rule to evaluate to true.
A subrule can be a simple rule or another composite rule.
The syntax for sequence is:
    Sequence(<subrule 1 rulelg>, <subrule 2 rulelg> ... <subrule n rulelg>,
             <evaluation period>, discriminator(<list of tags>))
Where:
    <subrule 1 rulelg> ... <subrule n rulelg> are the rulelg definitions of the 1 to n subrules.
    <evaluation period> is a time period expressed in seconds (s), minutes (m), or hours (h).
    discriminator(<list of tags>) lists the fields to group by.
For example, this rule detects three failed logins by a particular user in 10 minutes followed by a successful login by the same user against the same destination:
    sequence(filter(e.evt="failed logins") flow trigger(3, 600, discriminator(e.sun,e.dip)), filter(e.evt="goodlogin"), 600, discriminator(e.sun, e.dip))
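To make the gate and sequence semantics concrete, here is an added Python model of both operations run over a constructed event stream; it is not Sentinel code and not part of the manual. Subrules are plain predicates, the discriminator is a tuple of tag names, and the manual's nested trigger(3, 600, ...) stage is approximated by three consecutive failed-login stages inside the sequence.

```python
from collections import defaultdict
# Constructed sample events (not from the manual); fields stand in for the e.* tags.
EVENTS = [
    {"t": 0,   "evt": "failed login", "sun": "alice", "dip": "10.0.0.5", "sev": 4, "sn": "in"},
    {"t": 30,  "evt": "failed login", "sun": "alice", "dip": "10.0.0.5", "sev": 4, "sn": "in"},
    {"t": 35,  "evt": "failed login", "sun": "bob",   "dip": "10.0.0.5", "sev": 2, "sn": "in"},
    {"t": 50,  "evt": "failed login", "sun": "alice", "dip": "10.0.0.5", "sev": 4, "sn": "out"},
    {"t": 120, "evt": "goodlogin",    "sun": "alice", "dip": "10.0.0.5", "sev": 4, "sn": "out"},
    {"t": 900, "evt": "goodlogin",    "sun": "bob",   "dip": "10.0.0.5", "sev": 2, "sn": "in"},
]

def gate(events, subrules, mode, window, discriminator):
    # Fire when `mode` ("all", "any" or n) subrules matched one group within `window` s
    need = len(subrules) if mode == "all" else 1 if mode == "any" else int(mode)
    last, firings = defaultdict(dict), []  # group -> {subrule index: latest match time}
    for e in events:
        k = tuple(e[tag] for tag in discriminator)  # discriminator(): group per tag values
        for i, rule in enumerate(subrules):
            if rule(e):
                last[k][i] = e["t"]
        if sum(e["t"] - t <= window for t in last[k].values()) >= need:
            firings.append((k, e["t"]))
            last[k].clear()  # one correlated set fires once
    return firings

def sequence(events, subrules, window, discriminator):
    # Fire only when subrules match in order, all within `window` s of the first match
    state, firings = {}, []  # group -> (next stage index, time of first match)
    for e in events:
        k = tuple(e[tag] for tag in discriminator)
        stage, start = state.get(k, (0, None))
        if start is not None and e["t"] - start > window:
            stage, start = 0, None  # evaluation period expired: start over
        if subrules[stage](e):
            start, stage = (start if stage else e["t"]), stage + 1
        if stage == len(subrules):
            firings.append((k, e["t"]))
            stage, start = 0, None
        state[k] = (stage, start)
    return firings

def perimeter_gate():
    # filter(e.sev > 3) flow gate(filter(e.sn="in"), filter(e.sn="out"), all, 60s, discriminator(e.dip, e.evt))
    severe = [e for e in EVENTS if e["sev"] > 3]
    return gate(severe, [lambda e: e["sn"] == "in", lambda e: e["sn"] == "out"], "all", 60, ("dip", "evt"))

def failed_then_good_login():
    # the manual's trigger(3, 600, ...) stage is approximated by three failed-login stages
    failed, good = (lambda e: e["evt"] == "failed login"), (lambda e: e["evt"] == "goodlogin")
    return sequence(EVENTS, [failed, failed, failed, good], 600, ("sun", "dip"))
```

Bob's failed login at t=35 is dropped by the gate's severity filter, and his good login at t=900 falls outside the 600 s evaluation period, so only alice's group fires in each case.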
Sentinel 6.1 Rapid Deployment Correlation Engine RuleLG Language
43
