...forgot to mention that the %events variable will contain the event 
names you are looking for -- just use 'write - %events' to write them to 
stdout.
regards,
risto

On 02/02/2010 07:45 PM, Risto Vaarandi wrote:
> Pierre,
> see the below rule -- hopefully it addresses the problem you have.
> While writing the solution to your problem, I realized that it is much
> more complex than I initially thought -- if the unique event count is
> below threshold, window sliding is based *both* on time and on unique
> events; however, once we have reached or crossed the threshold, the
> sliding is only time-based. My first solution with time-based sliding
> only was fairly simple -- however, since you have put forward quite
> advanced requirements, there can't be a standard SEC rule for addressing
> the problem, and Perl simply has to be used here.
> hth,
> risto
>
>
> type=Single
> ptype=RegExp
> pattern=EVENT (\S+)
> context=$1 -> ( sub { my($time) = time(); my(%hash) = (); my($n, $e, $t); \
> push @tqueue, $time; push @equeue, $_[0]; \
> while ($tqueue[0] < $time - 4) { shift @tqueue; shift @equeue; } \
> map { $hash{$_} = 1 } @equeue; $n = scalar(keys %hash); \
> if ($n < 3) { \
> my(@ebuf) = (); my(@tbuf) = (); \
> while (scalar(@equeue)) { $e = pop @equeue; $t = pop @tqueue; \
> if (exists($hash{$e})) { delete $hash{$e}; \
> unshift @ebuf, $e; unshift @tbuf, $t; } \
> } \
> @equeue = @ebuf; @tqueue = @tbuf; return 0; \
> } else { return 1; } } )
> desc=For Pierre
> action=eval %events ( join(" ", @equeue); );
>
>
> On 02/02/2010 12:25 PM, Pierre Vigneras wrote:
>> Thanks for your reply,
>>
>> I will sketch out some use cases taken from your example:
>>
>>
>> |----'----'----'----|----'----'----'----|
>> A B C B
>>
>> In that case, the first three distinct events are ABC, therefore the
>> action is
>> launched. Then, B is also in the window, the action is launched again
>> (threshold is for 3 distinct events, other events within the time
>> interval
>> always raise an action, whether they are distinct or not from previous
>> events). Therefore, result is ABC,B.
>>
>> |----'----'----'----|----'----'----'----|
>> A B C B
>>
>> In that case, result is BCB, obviously: the time window has been shifted
>> towards first B.
>>
>> |----'----'----'----|----'----'----'----|
>> A B C B
>>
>> In that case, nothing happens since there are no 3 distinct events
>> within a 4
>> seconds time interval.
>>
>> We are still unable to find a satisfactory solution.
>> Thanks again for your reply.
>>
>> On Friday 29 January 2010 14:50:55, Risto Vaarandi wrote:
>>> hi Pierre,
>>>
>>> first of all, sorry for the late reply :(
>>> I had a look at the problem description and it seems to me that it would
>>> be quite hard to implement the solution with SingleWithThreshold rule (a
>>> SEC standard rule that would be an easier solution than having custom
>>> Perl code). Unfortunately, in your case there is a requirement to
>>> implement window shifting not when the first event appears to be out of
>>> window, but rather on the occurrence of certain event.
>>>
>>> Also, given the problem description, it is hard to envision how the
>>> window shifting should be implemented for certain cases. For example,
>>> what if you see events in the following order: A, B, C, B. Should the
>>> window be moved to C with dropping event A, or should no shifting be done
>>> at all since we would lose A otherwise?
>>>
>>> regards,
>>> risto
>>>
>>> On 01/20/2010 05:53 PM, Pierre Vigneras wrote:
>>>> Hmm, sorry, but it seems that this ascii-art representation is really a
>>>> problem!! ;-)
>>>>
>>>> Actually, the quotation puts the events on 2 lines where they should
>>>> only be on one line. Therefore, the result is probably not
>>>> understandable.
>>>>
>>>> Here is what it should look like. I also attach a screenshot in case it
>>>> does not work.
>>>>
>>>> |----'----'----'----|----'----'----'----|
>>>>
>>>> A B A B A C D E
>>>>
>>>> Best Regards.
>>>>
>>>> PS: Hope it will work!
>>>>
>>>> On Wednesday 20 January 2010 15:58:33, Risto Vaarandi wrote:
>>>>> I am forwarding this mail on behalf of a list member.
>>>>> risto
>>>>>
>>>>> --- On Wed, 1/20/10, Pierre Vigneras<[email protected]> wrote:
>>>>>> From: Pierre Vigneras<[email protected]>
>>>>>> Subject: Complex rule ? Any idea ?
>>>>>> To: [email protected]
>>>>>> Cc: [email protected]
>>>>>> Date: Wednesday, January 20, 2010, 3:25 PM
>>>>>> Dear all,
>>>>>>
>>>>>> Here is a problem we can't find a "good" solution to. Any
>>>>>> idea in that regard
>>>>>> would be appreciated! ;-)
>>>>>>
>>>>>> We would like to implement the following functional use
>>>>>> case: "when at least
>>>>>> n warning alerts from distinct hosts are detected within a
>>>>>> given time window,
>>>>>> then an action should be triggered on those hosts during
>>>>>> that time window".
>>>>>>
>>>>>> Warning alerts have a form that allows the identification
>>>>>> of sending host such
>>>>>> as (simplified):
>>>>>>
>>>>>> timestamp host WARNING
>>>>>> 1253021598 phebus WARNING
>>>>>>
>>>>>> Let's take a sample data (please use a fixed font size such
>>>>>> as monospace for
>>>>>>
>>>>>> the following):
>>>>>> |----'----'----'----|----'----'----'----|
>>>>>>
>>>>>> A B A B
>>>>>> A C D E
>>>>>>
>>>>>>
>>>>>> Where |----' represents one unit of time (second), |...| a
>>>>>> window time,
>>>>>> A, B, C, D warning alerts sent by host A, B, C and D
>>>>>> respectively (actually,
>>>>>> received by SEC).
>>>>>>
>>>>>> In our use case, with a window time of 4 seconds and n=3,
>>>>>> we would like an
>>>>>> action to be triggered for hosts B,A,C and D (a script is
>>>>>> first called with
>>>>>> parameter ABC, and another time with parameter D). The
>>>>>> reasoning is the
>>>>>> following:
>>>>>>
>>>>>> On first A, a time window is "opened". On first B, we
>>>>>> "increment the alert
>>>>>> counter" (2: AB). On second A, since we already have an A,
>>>>>> the beginning of
>>>>>> the window is shifted toward the first B (counter=2: BA).
>>>>>> When the second B is
>>>>>> encountered, there is already a B, therefore, the window is
>>>>>> shifted toward the
>>>>>> second A (counter=2, AB). On third A, we already have an A,
>>>>>> therefore, the
>>>>>> window is also shifted toward B (counter=2, BA). On event
>>>>>> C, we now have 3
>>>>>> different hosts, therefore, the action is triggered (script
>>>>>> is called with
>>>>>> parameter BAC). Finally, when D is received, we are still
>>>>>> in a time window of
>>>>>> 4 seconds (between last B and D, we only have 3 seconds).
>>>>>> Therefore, the
>>>>>> action is also triggered (script is called with parameter
>>>>>> D). Finally, one
>>>>>> second after D, the time window is closed. The receipt of E
>>>>>> starts a new one
>>>>>> and the process starts again.
>>>>>>
>>>>>> At first, we implemented the use case using a
>>>>>> SingleWithThreshold rule, but it
>>>>>> does not work because it forgets following events after the
>>>>>> threshold has been
>>>>>> reached. Then we used a combination of SingleWithThreshold
>>>>>> rule followed by a
>>>>>> Single rule using a takenext=continue and a context, but it
>>>>>> does not work
>>>>>> either because we are unable to make SEC understand what we
>>>>>> want (counting
>>>>>> only "distinct alerts").
>>>>>>
>>>>>> We are thinking of a solution based on a lot of Perl code
>>>>>> inside a Single
>>>>>> rule, but this solution looks pretty ugly to us (since most
>>>>>> of the rule
>>>>>> smartness would be in the custom Perl code, not in SEC). We
>>>>>> wonder if there is
>>>>>> a simple way to achieve this in SEC.
>>>>>>
>>>>>> Thanks again for any help.
>>>>>> Best Regards.
>>>>>
>>>>> _______________________________________________
>>>>> Simple-evcorr-users mailing list
>>>>> [email protected]
>>>>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>>>
>>>
>>
>


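A worked example added by the editor, not code from the thread and not part of SEC: the window-shifting logic Pierre lays out in the original post (a repeated host moves the window start past its earlier copy; once n distinct hosts are in the window the action fires with all of them; every further alert inside that window fires the action on its own; the window then closes and the next alert opens a new one), written in Python so it can be run against a handful of constructed "timestamp host WARNING" lines. Assumptions the thread does not fix: the sample timestamps are whole seconds one apart except for the gap before E (the ascii-art spacing did not survive quoting); the window is half-open, so an alert exactly 4 seconds after the window start is already outside it (Risto's rule keeps an event that is exactly 4 seconds old, since it tests `$tqueue[0] < $time - 4`); and the action parameter is the space-separated host list. Note also that Risto's rule hands the whole queue to the action on every match once the threshold is reached, whereas the code below reports only the new alert after the threshold, which is what Pierre's "ABC, then D" trace asks for.

```python
"""Distinct-host sliding window, following Pierre's description in the thread.

Editor's example; not code from the mailing list or from SEC.  Boundary
handling (half-open window) and the action parameter format are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# "timestamp host WARNING" as in the simplified alert format from the post
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+WARNING\b")


@dataclass
class DistinctHostWindow:
    threshold: int      # n distinct hosts needed to fire
    window: float       # window length in seconds
    # (timestamp, host) pairs currently in the window, oldest first,
    # at most one entry per host
    entries: List[Tuple[float, str]] = field(default_factory=list)
    # start of the window once the threshold has fired; until it expires
    # every further alert fires the action on its own
    fired_start: Optional[float] = None
    actions: List[str] = field(default_factory=list)

    def feed(self, ts: float, host: str) -> Optional[str]:
        """Process one alert; return the action parameter fired, or None."""
        if self.fired_start is not None:
            if ts - self.fired_start < self.window:
                # threshold already reached: any alert inside the window fires alone
                self.actions.append(host)
                return host
            # window expired one second after the last in-window alert: start over
            self.fired_start = None
            self.entries = []
        # time-based expiry (what Risto's rule does with @tqueue)
        self.entries = [(t, h) for t, h in self.entries if ts - t < self.window]
        # event-based shift: a repeated host moves the window start past its old copy
        for i, (_, h) in enumerate(self.entries):
            if h == host:
                self.entries = self.entries[i + 1:]
                break
        self.entries.append((ts, host))
        if len(self.entries) >= self.threshold:
            param = " ".join(h for _, h in self.entries)
            self.fired_start = self.entries[0][0]
            self.actions.append(param)
            return param
        return None


def correlate(lines, threshold: int = 3, window: float = 4) -> List[str]:
    """Run the correlation over raw log lines; return the action parameters fired."""
    w = DistinctHostWindow(threshold, window)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a WARNING alert, ignored like a non-matching SEC pattern
        w.feed(int(m.group(1)), m.group(2))
    return w.actions


# Constructed input reproducing the A B A B A C D E sequence from the post.
# The INFO line is there to show that only WARNING alerts are counted.
SAMPLE = [
    "1253021600 A WARNING",
    "1253021601 B WARNING",
    "1253021602 A WARNING",
    "1253021603 B WARNING",
    "1253021604 A WARNING",
    "1253021605 C WARNING",
    "1253021606 D WARNING",
    "1253021607 A INFO disk usage at 80%",
    "1253021608 E WARNING",
]

if __name__ == "__main__":
    print(correlate(SAMPLE))  # ['B A C', 'D']
```

The two extra cases from Pierre's second mail fall out of the same code: A B C B all inside the window gives "A B C" followed by "B", and A B C B with no three distinct hosts inside any 4-second span fires nothing.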