Hi Risto,
I'm sorry, I don't think I made myself clear.
Thanks for your help, but it still doesn't work. Here's the problem:

We have the following rule:
type=EventGroup2
ptype=RegExp
pattern=EVENT_TYPE_A ([\d.]+)
continue=TakeNext
ptype2=RegExp
pattern2=EVENT_TYPE_B ([\d.]+)
continue2=TakeNext
desc=Events A and B observed for IP $1 within 60 seconds
action=write - %s
window=60

And if we have the following events (input):
EVENT_TYPE_A 1.1.1.1
EVENT_TYPE_A 2.2.2.2
EVENT_TYPE_B 1.1.1.1
EVENT_TYPE_B 2.2.2.2
FINISH

I expect the following output:
Events A and B observed for IP 1.1.1.1 within 60 seconds
Events A and B observed for IP 2.2.2.2 within 60 seconds

But I get the following output:
Events A and B observed for IP 1.1.1.1 within 60 seconds

In addition (in another example), if the following events were to occur:
EVENT_TYPE_A 1.1.1.1
EVENT_TYPE_B 2.2.2.2
FINISH

The rule should not be activated because, although events A and B have occurred, 
they have not occurred for the same IP.


The main problem is that I want to correlate N different events for the same 
IP, but there can be different IPs.
I have tried to combine this rule with the creation of contexts containing the 
IP, but I cannot solve it.

Kind regards,
Agustín

________________________________


hi Agustin,

and thanks for feedback! Instead of developing one rule which addresses all 
scenarios, it is better to write a separate rule for each case. For example, 
for the first case EVENT_TYPE_A && EVENT_TYPE_B the rule would look like this:

type=EventGroup2
ptype=RegExp
pattern=EVENT_TYPE_A ([\d.]+)
continue=TakeNext
ptype2=RegExp
pattern2=EVENT_TYPE_B ([\d.]+)
continue2=TakeNext
desc=Events A and B observed for IP $1 within 60 seconds
action=write - %s
window=60

This rule is able to match events of type A and B and extract an IP address 
from these events. Whichever event occurs first, the rule will start an event 
correlation operation for the extracted IP address, and the operation will wait 
for the event of the second type to arrive within 60 seconds. If the expected 
event arrives on time, the message "Events A and B observed for IP <ip> within 
60 seconds" will be written to standard output. Please note that after this 
message has been generated, the operation will continue to run until the end of 
the 60 second window, and further events A and B will be silently consumed by 
the operation until the end of the window. If you want to avoid this message 
suppression, you can change the action list of the above rule as follows:

action=write - %s; reset 0

In the above action list, the 'reset' action will terminate the event 
correlation operation that invoked this action list, and message suppression 
will therefore not happen.

In order to address the second scenario EVENT_TYPE_A && EVENT_TYPE_B && 
EVENT_TYPE_C, you would use the following rule which is similar to the previous 
example:

type=EventGroup3
ptype=RegExp
pattern=EVENT_TYPE_A ([\d.]+)
continue=TakeNext
ptype2=RegExp
pattern2=EVENT_TYPE_B ([\d.]+)
continue2=TakeNext
ptype3=RegExp
pattern3=EVENT_TYPE_C ([\d.]+)
continue3=TakeNext
desc=Events A, B and C observed for IP $1 within 60 seconds
action=write - %s
window=60

And as for the final scenario (EVENT_TYPE_A || EVENT_TYPE_B && EVENT_TYPE_D), 
everything depends on how to interpret it. Given the precedence of logical 
operators, I would interpret it as EVENT_TYPE_A || (EVENT_TYPE_B && 
EVENT_TYPE_D), and in that case the following two rules would be sufficient:

type=Single
ptype=RegExp
pattern=EVENT_TYPE_A ([\d.]+)
continue=TakeNext
desc=Event A observed for IP
action=write - %s

type=EventGroup2
ptype=RegExp
pattern=EVENT_TYPE_B ([\d.]+)
continue=TakeNext
ptype2=RegExp
pattern2=EVENT_TYPE_D ([\d.]+)
continue2=TakeNext
desc=Events B and D observed for IP $1 within 60 seconds
action=write - %s
window=60

However, if you are actually dealing with the scenario (EVENT_TYPE_A || 
EVENT_TYPE_B) && EVENT_TYPE_D, you could use the following two rules:

type=EventGroup2
ptype=RegExp
pattern=EVENT_TYPE_A ([\d.]+)
continue=TakeNext
ptype2=RegExp
pattern2=EVENT_TYPE_D ([\d.]+)
continue2=TakeNext
desc=Events A and D observed for IP $1 within 60 seconds
action=write - %s
window=60

type=EventGroup2
ptype=RegExp
pattern=EVENT_TYPE_B ([\d.]+)
continue=TakeNext
ptype2=RegExp
pattern2=EVENT_TYPE_D ([\d.]+)
continue2=TakeNext
desc=Events B and D observed for IP $1 within 60 seconds
action=write - %s
window=60

Finally, please note that I have used 'continue*=TakeNext' statements in all 
rule definitions, since they are matching the same set of events and the 
statements will allow events to be matched and processed by following rules in 
the rule base (I have assumed that all 4 rules are in the same rule file). The 
'continue' statements are also necessary if in addition to above 4 rules, you 
have also other rules in the remaining rule file which need to match events A, 
B, C and D.

hope this helps,
risto
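To make the per-IP semantics Risto describes above concrete (one correlation operation per extracted IP, a 60 second window, silent consumption of further A/B events after the match unless 'reset' is used), here is an added Python model of an EventGroupN rule. This is example code written for this page, not SEC's own implementation, and it simplifies SEC in several assumed ways: the window is counted from the first matching event, only $1 is substituted into desc, and every event carries an explicit timestamp. The sample event lists are constructed. The model shows the behaviour the rule is intended to have; it does not explain why Agustín's run printed only the 1.1.1.1 message.

```python
import re
from dataclasses import dataclass, field

# Constructed sample inputs (timestamp in seconds, event line); not from the original post.
SAMPLE_BOTH_IPS = [
    (0, "EVENT_TYPE_A 1.1.1.1"),
    (1, "EVENT_TYPE_A 2.2.2.2"),
    (2, "EVENT_TYPE_B 1.1.1.1"),
    (3, "EVENT_TYPE_B 2.2.2.2"),
    (4, "FINISH"),
]
SAMPLE_MISMATCH = [(0, "EVENT_TYPE_A 1.1.1.1"), (1, "EVENT_TYPE_B 2.2.2.2"), (2, "FINISH")]
SAMPLE_REPEAT = [
    (0, "EVENT_TYPE_A 1.1.1.1"),
    (1, "EVENT_TYPE_B 1.1.1.1"),
    (2, "EVENT_TYPE_A 1.1.1.1"),
    (3, "EVENT_TYPE_B 1.1.1.1"),
]
SAMPLE_LATE = [(0, "EVENT_TYPE_A 1.1.1.1"), (61, "EVENT_TYPE_B 1.1.1.1")]

AB_PATTERNS = [r"EVENT_TYPE_A ([\d.]+)", r"EVENT_TYPE_B ([\d.]+)"]
AB_DESC = "Events A and B observed for IP $1 within 60 seconds"


@dataclass
class EventGroupRule:
    """Simplified model of an SEC EventGroupN rule (assumed semantics, see lead-in)."""
    patterns: list            # compiled regexes, one per pattern/pattern2/...
    desc: str                 # desc template; '$1' is the correlation key (the IP)
    window: int               # seconds, measured from the first event of an operation
    reset_after_match: bool = False   # models 'action=write - %s; reset 0'
    # operation key (desc with $1 filled in) -> state of that correlation operation
    ops: dict = field(default_factory=dict)

    def feed(self, t, line):
        """Process one event at time t; return the message to write, or None."""
        self._expire(t)
        for idx, rx in enumerate(self.patterns):
            m = rx.match(line)
            if m is None:
                continue
            key = self.desc.replace("$1", m.group(1))
            op = self.ops.get(key)
            if op is None:  # whichever event type arrives first starts the operation
                op = self.ops[key] = {"start": t, "seen": set(), "fired": False}
            op["seen"].add(idx)
            if op["fired"]:
                return None  # already reported: consumed silently until the window ends
            if len(op["seen"]) == len(self.patterns):
                op["fired"] = True
                if self.reset_after_match:
                    del self.ops[key]  # 'reset 0': terminate the operation immediately
                return key
            return None
        return None  # e.g. FINISH matches no pattern

    def _expire(self, t):
        """Drop operations whose window has elapsed, whether or not they fired."""
        expired = [k for k, op in self.ops.items() if t - op["start"] >= self.window]
        for k in expired:
            del self.ops[k]


def make_rule(pattern_strings, desc, window=60, reset_after_match=False):
    return EventGroupRule([re.compile(p) for p in pattern_strings], desc, window, reset_after_match)


def run(rule, events):
    """Feed timestamped events through a rule and collect the messages it writes."""
    out = []
    for t, line in events:
        msg = rule.feed(t, line)
        if msg is not None:
            out.append(msg)
    return out


if __name__ == "__main__":
    for msg in run(make_rule(AB_PATTERNS, AB_DESC), SAMPLE_BOTH_IPS):
        print(msg)
```

Running the block prints one line for 1.1.1.1 and one for 2.2.2.2, because each IP gets its own operation keyed by the filled-in desc. The same model with a third pattern behaves like the EventGroup3 rule, SAMPLE_MISMATCH and SAMPLE_LATE produce nothing, and SAMPLE_REPEAT yields a single message unless reset_after_match is set, which is the suppression effect 'reset 0' removes.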

Agustín Lara Romero (<aguw...@hotmail.com>) wrote on Sun, 5 April 2020 at 02:58:
Hi Risto,

Yes, your suppositions in points 1, 2 and 3 are correct.
The events can appear in any order.
The expected time window for these events is 60 seconds.

Kind regards,
Agustín


Cc: simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users] IP correlation with EventGroup

hi Agustin,

Hi Risto,
My name is Agustín, I'm working with the SEC and I have a problem that I can't 
solve.
I have different events such as:
EVENT_TYPE_A FROM 1.1.1.1
EVENT_TYPE_A FROM 2.2.2.2
EVENT_TYPE_B FROM 1.1.1.1
EVENT_TYPE_B FROM 2.2.2.2
EVENT_TYPE_C FROM 1.1.1.1
EVENT_TYPE_C FROM 2.2.2.2
EVENT_TYPE_D FROM 2.2.2.2
FINISH

And I want to get SEC to correlate the events for each IP when the FINISH event 
comes in with the following logic:


  *   For each IP:
     *   (INPUT FOR SAME IP)
        *   EVENT_TYPE_A && EVENT_TYPE_B
     *   (OUTPUT)
        *   MATCH_1 FOR IP
     *   (INPUT FOR SAME IP)
        *   EVENT_TYPE_A && EVENT_TYPE_B && EVENT_TYPE_C
     *   (OUTPUT)
        *   MATCH_2 FOR IP
     *   (INPUT FOR SAME IP)
        *   EVENT_TYPE_A || EVENT_TYPE_B && EVENT_TYPE_D
     *   (OUTPUT)
        *   MATCH_3 FOR IP


Before suggesting anything, I'd like to clarify some details of the problem you 
have. Have I understood correctly that you are dealing with the following three 
scenarios?

1) if events of type A and type B are observed for the same IP address, you 
would like to trigger an action for this IP address,
2) if events of type A, B and C are observed for the same IP address, you would 
like to trigger an action for this IP address,
3) if you see either event of type A, or events of type B and D for the same IP 
address, you would like to trigger an action for this IP address.

Also, is the order of events important or can they appear in any order? And 
what is the expected time window for these events? (Is it 60 seconds as your 
rule example suggests?)

kind regards,
risto

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users