For detecting sequences of events, you could use the following strategy:
type=single
ptype=regexp
pattern=event1: (\S+)
desc=detected event1: $1
action=create have_seen_event1_$1 60

type=single
ptype=regexp
pattern=event2: (\S+)
context=have_seen_event1_$1
desc=detected event2: $1
action=create have_seen_event1_event2_$1 30

type=single
ptype=regexp
pattern=event3: (\S+)
context=have_seen_event1_event2_$1
desc=detected event1, after <= 60 sec event2, after <=30 sec event3
action=write - %s
Note that the EventGroup rule does not assume any ordering for matching events,
and therefore you have to set up contexts from the 'countN' fields of
EventGroup in order to restrict matching similarly to the above example.
hope this helps,
risto
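As an added illustration that is not part of Risto's reply or of SEC itself, the Python script below re-implements the strategy above (a chain of per-$1 contexts, each with a lifetime, where every stage after the first requires the context left by the previous stage) and runs it over a constructed timeline of log lines so the timing windows can be seen to work. The stage names, the have_seen_... context naming and the SAMPLE_EVENTS timeline are assumptions made for the illustration; the STAGES list can be extended to the four-step Monitor -> physmod -> comprom -> Monitor sequence from the question.

```python
import re

# Added illustration (not SEC itself): a minimal re-implementation of the
# "chain of timed contexts" strategy from the reply above. Each stage has a
# name, the regex that recognises it (group 1 plays the role of SEC's $1),
# and the lifetime in seconds of the context it creates, as in
# "action=create have_seen_event1_$1 60". The final stage creates nothing.
STAGES = [
    ("event1", re.compile(r"event1: (\S+)"), 60),
    ("event2", re.compile(r"event2: (\S+)"), 30),
    ("event3", re.compile(r"event3: (\S+)"), None),
]


class SequenceDetector:
    """Tracks per-key contexts with expiry times, like SEC's context store."""

    def __init__(self, stages):
        self.stages = stages
        self.contexts = {}  # context name -> absolute expiry time (seconds)

    def _context_alive(self, name, now):
        expiry = self.contexts.get(name)
        if expiry is None:
            return False
        if expiry <= now:
            del self.contexts[name]  # lifetime elapsed: drop it, as SEC does
            return False
        return True

    @staticmethod
    def _context_name(stage_names, key):
        # Assumed naming scheme, mirroring have_seen_event1_event2_$1 above.
        return "have_seen_" + "_".join(stage_names) + "_" + key

    def feed(self, now, line):
        """Apply every stage rule to one log line observed at time `now`.

        Returns a description string when the final stage completes a
        sequence, otherwise None.
        """
        for idx, (name, regex, lifetime) in enumerate(self.stages):
            match = regex.search(line)
            if not match:
                continue
            key = match.group(1)
            names = [s[0] for s in self.stages[: idx + 1]]
            # Stages after the first require the context left by the
            # previous stage (SEC's "context=have_seen_..._$1" line).
            if idx > 0 and not self._context_alive(
                self._context_name(names[:-1], key), now
            ):
                continue
            if lifetime is None:
                # Final stage: the whole ordered sequence was seen in time.
                # The intermediate context is deliberately left in place,
                # as in the reply's config (SEC would need a "delete" action
                # to consume it, so a repeated event3 inside the window
                # would fire again).
                return "detected sequence %s for %s" % (" -> ".join(names), key)
            self.contexts[self._context_name(names, key)] = now + lifetime
        return None


# Constructed sample timeline: (seconds since start, log line).
SAMPLE_EVENTS = [
    (0, "event1: hostA"),
    (5, "event1: hostB"),
    (10, "event2: hostA"),
    (20, "event3: hostA"),    # hostA: all three within the windows -> detected
    (70, "event2: hostB"),    # hostB: event1 context expired at 65 -> ignored
    (80, "event3: hostB"),    # no event1_event2 context for hostB -> ignored
    (100, "event2: hostC"),   # hostC never had event1 -> ignored
    (101, "event3: hostC"),
    (200, "event1: hostD"),
    (210, "event2: hostD"),
    (250, "event3: hostD"),   # hostD: event2 context expired at 240 -> ignored
]


def run_detector(events, stages=STAGES):
    """Feed a timeline through a fresh detector and collect detections."""
    detector = SequenceDetector(stages)
    detections = []
    for now, line in events:
        result = detector.feed(now, line)
        if result is not None:
            detections.append(result)
    return detections


if __name__ == "__main__":
    for line in run_detector(SAMPLE_EVENTS):
        print(line)
```

Only hostA produces a detection: hostB and hostD fall outside the 60 s and 30 s windows respectively, and hostC never had the first event. The same structure is what the three Single rules above express, with SEC's own context store doing the expiry bookkeeping.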
2014-06-25 14:34 GMT+03:00 Rolf Nufable <[email protected]>:
> Hello Mailing List of Sec
>
> I seek help regarding my little experiment on sec where I want to
> generate sequences of events, for example this sequence of events
>
> Monitor event -> physmod event-> comprom event -> Monitor event
>
> I want to output in my database
>
> Monitor -> physmod-> comprom->monitor observed
>
> in one config file. I've tried various correlation rules of sec but none
> of them I think can give me the said output, though I think combining
> these rules will give me the output; I just don't know how to tweak the
> rules. I've also tried the EventGroup which I thought was gonna give me the
> output, but using recurring patterns for the rule won't trigger it.
>
>
> So please help me in this small but very important experiment that I have
> in mind :)
>
>
> ------------------------------------------------------------------------------
> Open source business process management suite built on Java and Eclipse
> Turn processes into business applications with Bonita BPM Community Edition
> Quickly connect people, data, and systems into organized workflows
> Winner of BOSSIE, CODIE, OW2 and Gartner awards
> http://p.sf.net/sfu/Bonitasoft
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users