Pierre,
see the below rule -- hopefully it addresses the problem you have.
While writing the solution to your problem, I realized that it is much
more complex than I initially thought -- if the unique event count is
below threshold, window sliding is based *both* on time and on unique
events; however, once we have reached or crossed the threshold, the
sliding is only time-based. My first solution with time-based sliding
only was fairly simple -- however, since you have put forward quite
advanced requirements, there can't be a standard SEC rule for addressing
the problem, and Perl simply has to be used here.
hth,
risto
type=Single
ptype=RegExp
pattern=EVENT (\S+)
context=$1 -> ( sub { my($time) = time(); my(%hash) = (); my($n, $e, $t); \
push @tqueue, $time; push @equeue, $_[0]; \
while ($tqueue[0] < $time - 4) { shift @tqueue; shift @equeue; } \
map { $hash{$_} = 1 } @equeue; $n = scalar(keys %hash); \
if ($n < 3) { \
my(@ebuf) = (); my(@tbuf) = (); \
while (scalar(@equeue)) { $e = pop @equeue; $t = pop @tqueue; \
if (exists($hash{$e})) { delete $hash{$e}; \
unshift @ebuf, $e; unshift @tbuf, $t; } \
} \
@equeue = @ebuf; @tqueue = @tbuf; return 0; \
} else { return 1; } } )
desc=For Pierre
action=eval %events ( join(" ", @equeue); );
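The window logic of the rule above, reimplemented in plain Python as an added stand-alone example (not SEC's code and not Risto's rule itself) so the A B A B A C D E case can be traced offline. The `fired` flag (first trigger reports every host in the window, later events only the newest one) and the SAMPLE timings are my assumptions, not something the thread specifies.

```python
from collections import deque


class DistinctHostWindow:
    """Sliding window over 'timestamp host WARNING' events, as in the rule above."""

    def __init__(self, window=4, threshold=3):
        self.window = window        # seconds (4 in the thread)
        self.threshold = threshold  # distinct hosts (n=3 in the thread)
        self.times = deque()        # mirrors @tqueue
        self.hosts = deque()        # mirrors @equeue
        self.fired = False          # assumption: has this window already triggered?

    def feed(self, ts, host):
        """Process one event; return the hosts to pass to the action, or None."""
        self.times.append(ts)
        self.hosts.append(host)
        # time-based sliding, as in the rule: drop events older than the window
        while self.times[0] < ts - self.window:
            self.times.popleft()
            self.hosts.popleft()
        if len(set(self.hosts)) < self.threshold:
            # below threshold: keep only the latest occurrence of each host, which
            # moves the window start past the duplicate (the rule's pop/unshift loop)
            seen, kept = set(), []
            for t, h in reversed(list(zip(self.times, self.hosts))):
                if h not in seen:
                    seen.add(h)
                    kept.append((t, h))
            kept.reverse()
            self.times = deque(t for t, _ in kept)
            self.hosts = deque(h for _, h in kept)
            self.fired = False
            return None
        # at or above threshold only time-based sliding applies; the rule hands the
        # whole queue to the action, this version reports "ABC" then "D" (assumption)
        if self.fired:
            return [host]
        self.fired = True
        return list(dict.fromkeys(self.hosts))


def run(events, window=4, threshold=3):
    """Feed (timestamp, host) pairs in order; return the list of action invocations."""
    w = DistinctHostWindow(window, threshold)
    return [out for out in (w.feed(t, h) for t, h in events) if out is not None]


# Constructed sample, one event per second, following the A B A B A C D E narrative.
# With time-only sliding after the threshold, E (t=8) is still within 4 seconds of
# A (t=4), so it triggers as well: run(SAMPLE) == [['B','A','C'], ['D'], ['E']].
SAMPLE = [(0, "A"), (1, "B"), (2, "A"), (3, "B"), (4, "A"), (5, "C"), (6, "D"), (8, "E")]
```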
On 02/02/2010 12:25 PM, Pierre Vigneras wrote:
> Thanks for your reply,
>
> I will sketch out some use cases taken from your example:
>
>
> |----'----'----'----|----'----'----'----|
> A B C B
>
> In that case, first three distinct events are ABC, therefore the action is
> launched. Then, B is also in the window, the action is launched again
> (threshold is for 3 distinct events, other events within the time interval
> always raise an action, whether they are distinct or not from previous
> events). Therefore, result is ABC,B.
>
> |----'----'----'----|----'----'----'----|
> A B C B
>
> In that case, result is BCB, obviously: the time window has been shifted
> towards first B.
>
> |----'----'----'----|----'----'----'----|
> A B C B
>
> In that case, nothing happens since there are no 3 distinct events within a 4
> seconds time interval.
>
> We are still unable to find a satisfactory solution.
> Thanks again for your reply.
>
> On Friday, 29 January 2010 14:50:55, Risto Vaarandi wrote:
>> hi Pierre,
>>
>> first of all, sorry for the late reply :(
>> I had a look at the problem description and it seems to me that it would
>> be quite hard to implement the solution with SingleWithThreshold rule (a
>> SEC standard rule that would be an easier solution than having custom
>> Perl code). Unfortunately, in your case there is a requirement to
>> implement window shifting not when the first event appears to be out of
>> window, but rather on the occurrence of certain event.
>>
>> Also, given the problem description, it is hard to envision how the
>> window shifting should be implemented for certain cases. For example,
>> what if you see events in the following order: A, B, C, B. Should the
>> window be moved to C with dropping event A, or should no shifting be done
>> at all since we would lose A otherwise?
>>
>> regards,
>> risto
>>
>> On 01/20/2010 05:53 PM, Pierre Vigneras wrote:
>>> Hum, sorry, but it seems that this ascii-art representation is really a
>>> problem !! ;-)
>>>
>>> Actually, the quotation makes the events on 2 lines where they should
>>> only be on one line. Therefore, the result is probably not
>>> understandable.
>>>
>>> Here is what it should look like. I also attach a screenshot in case it
>>> does not work.
>>>
>>> |----'----'----'----|----'----'----'----|
>>>
>>> A B A B A C D E
>>>
>>> Best Regards.
>>>
>>> PS: Hope it will work!
>>>
>>> On Wednesday, 20 January 2010 15:58:33, Risto Vaarandi wrote:
>>>> I am forwarding this mail on behalf of a list member.
>>>> risto
>>>>
>>>> --- On Wed, 1/20/10, Pierre Vigneras<[email protected]> wrote:
>>>>> From: Pierre Vigneras<[email protected]>
>>>>> Subject: Complex rule ? Any idea ?
>>>>> To: [email protected]
>>>>> Cc: [email protected]
>>>>> Date: Wednesday, January 20, 2010, 3:25 PM
>>>>> Dear all,
>>>>>
>>>>> Here is a problem we can't find a "good" solution to. Any
>>>>> idea in that regard
>>>>> would be appreciated! ;-)
>>>>>
>>>>> We would like to implement the following functional use
>>>>> case: "when at least
>>>>> n warning alerts from distinct hosts are detected within a
>>>>> given time window,
>>>>> then an action should be triggered on those hosts during
>>>>> that time window".
>>>>>
>>>>> Warning alerts have a form that allows the identification
>>>>> of sending host such
>>>>> as (simplified):
>>>>>
>>>>> timestamp host WARNING
>>>>> 1253021598 phebus WARNING
>>>>>
>>>>> Let's take a sample data (please use a fixed font size such
>>>>> as monospace for
>>>>>
>>>>> the following):
>>>>> |----'----'----'----|----'----'----'----|
>>>>>
>>>>> A B A B
>>>>> A C D E
>>>>>
>>>>>
>>>>> Where |----' represents one unit of time (second), |...| a
>>>>> window time,
>>>>> A, B, C, D warning alerts sent by host A, B, C and D
>>>>> respectively (actually,
>>>>> received by SEC).
>>>>>
>>>>> In our use case, with a window time of 4 seconds and n=3,
>>>>> we would like an
>>>>> action to be triggered for hosts B,A,C and D (a script is
>>>>> first called with
>>>>> parameter ABC, and another time with parameter D). The
>>>>> reasoning is the
>>>>> following:
>>>>>
>>>>> On first A, a time window is "opened". On first B, we
>>>>> "increment the alert
>>>>> counter" (2: AB). On second A, since we already have an A,
>>>>> the beginning of
>>>>> the window is shifted toward the first B (counter=2: BA).
>>>>> When the second B is
>>>>> encountered, there is already a B, therefore, the window is
>>>>> shifted toward the
>>>>> second A (counter=2, AB). On third A, we already have an A,
>>>>> therefore, the
>>>>> window is also shifted toward B (counter=2, BA). On event
>>>>> C, we now have 3
>>>>> different hosts, therefore, the action is triggered (script
>>>>> is called with
>>>>> parameter BAC). Finally, when D is received, we are still
>>>>> in a time window of
>>>>> 4 seconds (between last B and D, we only have 3 seconds).
>>>>> Therefore, the
>>>>> action is also triggered (script is called with parameter
>>>>> D). Finally, one
>>>>> second after D, the time window is closed. The receipt of E
>>>>> starts a new one
>>>>> and the process starts again.
>>>>>
>>>>> At first, we implemented the use case using a
>>>>> SingleWithThreshold rule, but it
>>>>> does not work because it forgets following events after the
>>>>> threshold has been
>>>>> reached. Then we used a combination of SingleWithThreshold
>>>>> rule followed by a
>>>>> Single rule using a takenext=continue and a context, but it
>>>>> does not work
>>>>> either because we are unable to make SEC understand what we
>>>>> want (counting
>>>>> only "distinct alerts").
>>>>>
>>>>> We are thinking of a solution based on a lot of Perl code
>>>>> inside a Single
>>>>> rule, but this solution looks pretty ugly to us (since most
>>>>> of the rule
>>>>> smartness would be in the custom Perl code, not in SEC). We
>>>>> wonder if there is
>>>>> a simple way to achieve this in SEC.
>>>>>
>>>>> Thanks again for any help.
>>>>> Best Regards.
>>>>
>>>> ------------------------------------------------------------------------
>>>> --- --- Throughout its 18-year history, RSA Conference consistently
>>>> attracts the world's best and brightest in the field, creating
>>>> opportunities for Conference attendees to learn about information
>>>> security's most important issues through interactions with peers,
>>>> luminaries and emerging and established companies.
>>>> http://p.sf.net/sfu/rsaconf-dev2dev
>>>> _______________________________________________
>>>> Simple-evcorr-users mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>>
>>
>