hi Alberto,
one can of course address this question with simply using "report
EVENT_STORE tail -n 3" which would output three last events, discarding all
previous ones.
However, this solution is not general enough, because sometimes one might
want to implement a counting operation where the context is always fully in
sync with the event correlation window. In order to implement such
synchronization, it has to be accomplished immediately after event
correlation window has moved forward (otherwise the event store of the
context would remain out of sync for at least some time). Unfortunately,
the SingleWithThreshold rule does not have the ability to execute specific
actions when the event correlation window slides, but the EventGroup rule has
that feature. Below you can find an illustration of how this functionality
of the EventGroup rule could be harnessed:
type=eventgroup
ptype=regexp
pattern=.
desc=count and report
init=create EVENTS; create TIMES
end=delete EVENTS; delete TIMES
count=add EVENTS $0; add TIMES %u
slide=getwpos %start 0; getsize %size TIMES; \
while %size ( shift TIMES %time; \
lcall %quit %start %time -> ( sub { $_[0] <= $_[1] } ); \
if %quit ( prepend TIMES %time; break ); \
shift EVENTS %temp; getsize %size TIMES )
action=report EVENTS /bin/cat
thresh=3
window=10
In this example, 'init' and 'end' actions set up and delete two contexts
for storing events, where the TIMES context has been designed for holding
timestamps of events (seconds since Epoch).
Also, the 'count' action updates TIMES and EVENTS contexts for each
matching event, so that information about events is kept in the order the
events have occurred. The 'slide' field of this rule defines an action list
that is executed immediately after the event correlation window has moved
forward for the counting operation. First, the getwpos action is used for
getting the beginning of the event correlation window (seconds since Epoch)
and assigning it to the %start variable (the 0 parameter of getwpos denotes the
operation started by the current rule). Then the number of currently stored
events is established with the getsize action and assigned to the %size variable.
The following while-loop iterates over the TIMES and EVENTS contexts, shifting
out events which have occurred *before* the beginning of the event
correlation window (held by the %start variable). For ending the loop,
the 'lcall' action is used, which compares the beginning of the event
correlation window with the event timestamp. If the event from the current loop
iteration falls into the event correlation window, the while-loop is terminated
with the 'break' action.
Although the 'slide' field of the rule might look a bit complex due to the
'while' and 'if' actions, hopefully the above explanation helps to clarify the
idea behind it.
Hope this helps,
risto
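As an added illustration (not code from either message, and not SEC itself), the following Python model replays a constructed event stream through both approaches discussed above: the lifetime-refreshed EVENT_STORE from the question, and the TIMES/EVENTS pruning performed by the 'slide' action list. The model assumes a simplified window whose start trails the current timestamp by 'window' seconds; SEC's real window slides along event boundaries, so this is an approximation.

```python
WINDOW = 10  # window=10 in both rule sets
THRESH = 3   # thresh=3

# Constructed input: (seconds since Epoch, matching line)
SAMPLE = [(0, "from a"), (6, "from b"), (12, "from c"), (14, "from d")]


def slide(events, times, start):
    """Model of the 'slide' action list: shift out entries whose timestamp
    lies before the window start; the first in-window timestamp is put
    back ('prepend TIMES %time; break')."""
    while times:
        time = times.pop(0)            # shift TIMES %time
        if start <= time:              # lcall %quit ... $_[0] <= $_[1]
            times.insert(0, time)      # prepend TIMES %time
            break                      # break
        events.pop(0)                  # shift EVENTS %temp


def run(stream, lifetime=10):
    """Feed the stream to both models and return the content of each store
    at the moment the in-window count reaches THRESH."""
    events, times = [], []             # init=create EVENTS; create TIMES
    store, expires = [], None          # EVENT_STORE with a lifetime
    for now, line in stream:
        # EventGroup approach: prune first, then record the new event.
        slide(events, times, now - WINDOW)  # assumption: start = now - WINDOW
        events.append(line)            # count=add EVENTS $0
        times.append(now)              #       add TIMES %u
        # Lifetime approach: the whole context expires only after a gap,
        # and every event refreshes it ('set EVENT_STORE 10').
        if expires is not None and now >= expires:
            store = []                 # context expired and was recreated
        store.append(line)             # add EVENT_STORE $0
        expires = now + lifetime       # set EVENT_STORE 10
        if len(events) >= THRESH:      # counting operation reaches thresh
            return {"synced": list(events), "lifetime": list(store)}
    return {"synced": [], "lifetime": []}


if __name__ == "__main__":
    result = run(SAMPLE)
    print("EVENTS (slide-synced):", result["synced"])
    print("EVENT_STORE (lifetime):", result["lifetime"])
```

With the constructed stream, the lifetime store still holds the event from t=0 when the threshold is reached at t=14, while the slide-synced EVENTS context holds exactly the three in-window events.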
2018-04-04 13:23 GMT+03:00 Alberto Corton <acor...@s21sec.com>:
> Hi,
>
> In a SingleWithThreshold rule, we want the action to report the N events
> observed. We have been adding them to a context with a lifetime expecting
> that such context would always have N (threshold) events.
>
> However, we have noticed that, because of the sliding window nature of the
> correlation, the context content gets out of sync with the correlation
> (sometimes the context has fewer events than the threshold, sometimes more).
>
> This is our current (improved) solution:
>
> type=single
> ptype=regexp
> continue=takenext
> desc=from $1
> pattern=from (.+)
> context=!EVENT_STORE
> action=create EVENT_STORE
>
> type=single
> ptype=regexp
> continue=takenext
> desc=from $1
> pattern=from (.+)
> context=EVENT_STORE
> action=add EVENT_STORE $0; set EVENT_STORE 10;
>
> type=singlewiththreshold
> window=10
> thresh=3
> ptype=regexp
> continue=takenext
> desc=from
> pattern=from (.+)
> context=EVENT_STORE
> action=report EVENT_STORE /usr/bin/cat; delete EVENT_STORE;
> action2=delete EVENT_STORE;
>
> But it is not perfect, for there are still cases when the context ends up
> holding more events than the threshold.
>
> Is it possible to have a context with the exact events that are part of
> the correlation operation?
>
> Regards,
>
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users