Ludovic, if you are willing to tolerate a slight inaccuracy, the following fairly simple rule could do:
type=EventGroup
init=create COUNTING_$2
end=delete COUNTING_$2
ptype=RegExp
pattern=([\d.]+) (\w+)
context=!$1_COUNTED_FOR_$2
count=alias COUNTING_$2 $1_COUNTED_FOR_$2
desc=3 logins from different IPs for $2
action=write - %s
window=3600
thresh=3

This rule will trigger a counting operation for the user name when a login for it has been seen. The operation will produce an alert if, for the same user name, three logins from different IPs have been observed. After a login from an IP has been seen for the given user name, the context name ipaddress_COUNTED_FOR_username will be created with the 'alias' action, and the presence of this context name will ensure that further login events for this IP will no longer match (because of context=!$1_COUNTED_FOR_$2). The context names created during event correlation are alias names for the COUNTING_username context, which is created when the operation is initialized and removed when the operation terminates.

The inaccuracy I was talking about can happen when the window slides forward -- it will be moved to the next event matched by the operation, but there might have been events not matched due to the 'context' field. However, to be *entirely* precise, the window should be moved to such a previously suppressed event instance.

Of course, there is a way out, although somewhat more complex -- instead of setting up a context name, you could create an element in a Perl hash with the 'count' field, have the 'multact' field set to 'yes', and run the alerting action through Perl code. In the code, you can check the number of hash elements, and alert only if the number equals the threshold.
One thing that future releases of SEC might have is an opportunity to do such simple branching (and perhaps looping) explicitly in the 'action' field, e.g.,

action=eval %o (++$i == 10); if %o (write - %s)

HTH,
risto

On 06/21/2011 03:03 PM, Ludovic Hutin wrote:
> Hi,
>
> I got another problem with this simple example
>
> I got entries like that
> 10.0.0.1 login
> 10.0.0.2 login
> 10.0.0.1 login
> 10.0.0.6 login => Send an alert.
> 1.1.1.1 login2
> 2.2.2.2 login2 => do nothing.
>
> etc...
>
> I want to send an alert if a login is detected with 3 different IPs
> in a window of 1 hour.
>
> I tried with 3 SingleWithSuppress but I don't know how to link the
> different rules.
> I am sure I will have to write a small perlfunc :(
>
> Sorry for this (stupid ?) question,
>
> Ludovic.
>
> ------------------------------------------------------------------------------
> EditLive Enterprise is the world's most technically advanced content
> authoring tool. Experience the power of Track Changes, Inline Image
> Editing and ensure content is compliant with Accessibility Checking.
> http://p.sf.net/sfu/ephox-dev2dev
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
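The "entirely precise" semantics risto describes above (the window is allowed to start at any login, including the ones the 'context' field would suppress) as an added Python example; this is not SEC code and not part of the thread, and the timestamped "<epoch> <ip> <user>" line format and the sample lines are constructed for the demonstration:

```python
import re
from collections import defaultdict, deque

# Constructed line format: "<epoch seconds> <ip> <user>", e.g. "3500 10.0.0.2 login".
LINE_RE = re.compile(r"^(\d+) ([\d.]+) (\w+)$")

# Constructed sample: the second 10.0.0.1 login at t=100 is the "suppressed" event.
# A window anchored at the first matched login (t=0) expires at t=3600 with only
# two IPs; a window anchored at t=100 holds 10.0.0.1, 10.0.0.2 and 10.0.0.6.
SAMPLE = """\
0 10.0.0.1 login
100 10.0.0.1 login
3500 10.0.0.2 login
3700 10.0.0.6 login
4000 1.1.1.1 login2
4100 2.2.2.2 login2
""".splitlines()


def parse(line):
    """Return (ts, ip, user) for a well-formed line, None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, user = m.groups()
    return int(ts), ip, user


def distinct_ip_alerts(lines, window=3600, thresh=3):
    """Return [(ts, user, sorted_ips)] for every point at which a user has
    logged in from `thresh` distinct IPs within the last `window` seconds.
    Every login stays in the per-user queue, so the effective window start is
    the oldest login still inside the window, not the oldest *matched* one."""
    recent = defaultdict(deque)  # user -> deque of (ts, ip), oldest first
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # skip lines that do not match the expected format
        ts, ip, user = ev
        q = recent[user]
        q.append((ts, ip))
        while q and q[0][0] < ts - window:  # expire logins outside the window
            q.popleft()
        ips = {i for _, i in q}
        if len(ips) >= thresh:
            alerts.append((ts, user, sorted(ips)))
            q.clear()  # like terminating the SEC operation after alerting
    return alerts
```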
