hi Agustin,

I have tried the rule from your e-mail, and I am able to get the output you
are expecting:

/usr/bin/sec --conf=test4.sec --input=-
SEC (Simple Event Correlator) 2.8.2
Reading configuration from test4.sec
1 rules loaded from test4.sec
No --bufsize command line option or --bufsize=0, setting --bufsize to 1
Opening input file -
Interactive process, SIGINT can't be used for changing the logging level
EVENT_TYPE_A 1.1.1.1     <--- the beginning of input for SEC
EVENT_TYPE_A 2.2.2.2
EVENT_TYPE_B 1.1.1.1
EVENT_TYPE_B 2.2.2.2     <--- the end of input for SEC
Writing event 'Events A and B observed for IP 1.1.1.1 within 60 seconds' to
file '-'
Events A and B observed for IP 1.1.1.1 within 60 seconds
Writing event 'Events A and B observed for IP 2.2.2.2 within 60 seconds' to
file '-'
Events A and B observed for IP 2.2.2.2 within 60 seconds


Are you sure that events for IP address 2.2.2.2 are separated by at most 60
seconds? If there is a larger time gap between those two events, the event
correlation operation for 2.2.2.2 will not produce expected output.

kind regards,
risto
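To make the behaviour discussed in this thread concrete (one correlation operation per extracted IP, a 60-second window, silent consumption of further events after the message fires unless the action list ends with `reset 0`, and no output when the second event falls outside the window), here is a small Python model of an EventGroupN-style rule. It is an added example, not SEC's code and not part of the original mails; it assumes each input line carries its own timestamp and it measures the window from the operation's first event, which is a simplification of SEC's real EventGroup handling. The event lines are constructed from the examples in the thread.

```python
import re
from dataclasses import dataclass, field, replace


@dataclass
class EventGroupRule:
    """Simplified model of a SEC EventGroupN rule (assumption, not SEC's own code):
    one regex per event type, each with a single capture group yielding the
    correlation key (here the IP address, i.e. $1 in the rule's desc)."""
    patterns: list                # compiled regexes, one per event type
    desc: str                     # output text; %s receives the key
    window: int = 60              # seconds, like "window=60"
    reset_on_fire: bool = False   # True models "action=write - %s; reset 0"


@dataclass
class Operation:
    """One running correlation operation for one key."""
    started: float
    seen: set = field(default_factory=set)   # indexes of event types seen so far
    fired: bool = False                       # message already produced


class Correlator:
    def __init__(self, rule):
        self.rule = rule
        self.ops = {}        # key (IP) -> Operation
        self.output = []     # messages the rule "wrote" to stdout

    def feed(self, ts, line):
        for idx, pattern in enumerate(self.rule.patterns):
            match = pattern.match(line)
            if match is None:
                continue
            key = match.group(1)
            op = self.ops.get(key)
            # an operation whose window has elapsed is over; a later event
            # for the same key starts a fresh one (this is the "time gap" case)
            if op is not None and ts - op.started >= self.rule.window:
                del self.ops[key]
                op = None
            if op is None:
                op = Operation(started=ts)
                self.ops[key] = op
            if op.fired:
                return        # silently consumed until the window ends
            op.seen.add(idx)
            if len(op.seen) == len(self.rule.patterns):
                self.output.append(self.rule.desc % key)
                if self.rule.reset_on_fire:
                    del self.ops[key]   # "reset 0": operation terminates at once
                else:
                    op.fired = True
            return
        # lines matching no pattern (e.g. FINISH) are not seen by this rule


def run(rule, events):
    """Feed (timestamp, line) pairs through the rule and return its output."""
    c = Correlator(rule)
    for ts, line in events:
        c.feed(ts, line)
    return c.output


def ip_patterns(*types):
    return [re.compile(r"EVENT_TYPE_%s ([\d.]+)" % t) for t in types]


RULE_AB = EventGroupRule(ip_patterns("A", "B"),
                         "Events A and B observed for IP %s within 60 seconds")
RULE_ABC = EventGroupRule(ip_patterns("A", "B", "C"),
                          "Events A, B and C observed for IP %s within 60 seconds")

# Constructed input: the four events from the thread, a few seconds apart
EVENTS_OK = [(0, "EVENT_TYPE_A 1.1.1.1"), (1, "EVENT_TYPE_A 2.2.2.2"),
             (2, "EVENT_TYPE_B 1.1.1.1"), (3, "EVENT_TYPE_B 2.2.2.2"), (4, "FINISH")]
# Constructed input: B for 2.2.2.2 arrives 70 s after its A, outside the window
EVENTS_GAP = [(0, "EVENT_TYPE_A 1.1.1.1"), (0, "EVENT_TYPE_A 2.2.2.2"),
              (5, "EVENT_TYPE_B 1.1.1.1"), (70, "EVENT_TYPE_B 2.2.2.2"), (71, "FINISH")]
# Constructed input: A and B for different IPs only, must not fire
EVENTS_MISMATCH = [(0, "EVENT_TYPE_A 1.1.1.1"), (1, "EVENT_TYPE_B 2.2.2.2"), (2, "FINISH")]
# Constructed input: a second A/B pair for the same IP inside the window
EVENTS_REPEAT = [(0, "EVENT_TYPE_A 1.1.1.1"), (1, "EVENT_TYPE_B 1.1.1.1"),
                 (10, "EVENT_TYPE_A 1.1.1.1"), (11, "EVENT_TYPE_B 1.1.1.1")]
# Constructed input: only 1.1.1.1 gets all three of A, B and C
EVENTS_ABC = [(0, "EVENT_TYPE_A 1.1.1.1"), (1, "EVENT_TYPE_A 2.2.2.2"),
              (2, "EVENT_TYPE_B 1.1.1.1"), (3, "EVENT_TYPE_B 2.2.2.2"),
              (4, "EVENT_TYPE_C 1.1.1.1"), (5, "FINISH")]

if __name__ == "__main__":
    print("ok:", run(RULE_AB, EVENTS_OK))
    print("gap:", run(RULE_AB, EVENTS_GAP))
    print("mismatch:", run(RULE_AB, EVENTS_MISMATCH))
    print("repeat, suppressed:", run(RULE_AB, EVENTS_REPEAT))
    print("repeat, reset 0:", run(replace(RULE_AB, reset_on_fire=True), EVENTS_REPEAT))
    print("abc:", run(RULE_ABC, EVENTS_ABC))
```

Running it with the "gap" input reproduces the situation asked about above: 1.1.1.1 produces its message, 2.2.2.2 produces nothing because its B event starts a new operation instead of completing the old one. The "repeat" input shows the difference between the plain `write` action (one message, the second pair consumed) and `write ...; reset 0` (two messages).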


Hi Risto,
> I'm sorry, I don't think I made myself clear.
> Thanks for your help, but it still doesn't work. Here's the problem:
>
> We have the following rule:
> type=EventGroup2
> ptype=RegExp
> pattern=EVENT_TYPE_A ([\d.]+)
> continue=TakeNext
> ptype2=RegExp
> pattern2=EVENT_TYPE_B ([\d.]+)
> continue2=TakeNext
> desc=Events A and B observed for IP $1 within 60 seconds
> action=write - %s
> window=60
>
>
> And if we have the following events (input):
>
> EVENT_TYPE_A 1.1.1.1
> EVENT_TYPE_A 2.2.2.2
> EVENT_TYPE_B 1.1.1.1
> EVENT_TYPE_B 2.2.2.2
> FINISH
>
>
> I'm waiting for the next output:
>
> Events A and B observed for IP 1.1.1.1 within 60 seconds
> Events A and B observed for IP 2.2.2.2 within 60 seconds
>
>
> But I get the next exit:
>
> Events A and B observed for IP 1.1.1.1 within 60 seconds
>
>
> In addition (in another example) if the following events were to occur:
>
> EVENT_TYPE_A 1.1.1.1
> EVENT_TYPE_B 2.2.2.2
> FINISH
>
>
> The rule should not be activated because although events A and B have
> occurred, they have not been for the same IP.
>
>
> The main problem is that I want to correlate N different events for the
> same IP, but there can be different IPs.
> I have tried to combine this rule with the creation of contexts containing
> the IP, but I cannot solve it.
>
> Kind regards,
> Agustín
>
> ------------------------------
>
>
>
> hi Agustin,
>
> and thanks for feedback! Instead of developing one rule which addresses
> all scenarios, it is better to write a separate rule for each case. For
> example, for the first case EVENT_TYPE_A && EVENT_TYPE_B the rule would
> look like this:
>
> type=EventGroup2
> ptype=RegExp
> pattern=EVENT_TYPE_A ([\d.]+)
> continue=TakeNext
> ptype2=RegExp
> pattern2=EVENT_TYPE_B ([\d.]+)
> continue2=TakeNext
> desc=Events A and B observed for IP $1 within 60 seconds
> action=write - %s
> window=60
>
> This rule is able to match events of type A and B and extract an IP
> address from these events. Whichever event occurs first, the rule will
> start an event correlation operation for extracted IP address, and the
> operation will wait for the event of second type to arrive within 60
> seconds. If expected event arrives on time, the message "Events A and B
> observed for IP <ip> within 60 seconds" will be written to standard output.
> Please note that after this message has been generated, the operation will
> continue to run until the end of 60 second window, and further events A and
> B will be silently consumed by the operation until the end of the window.
> If you want to avoid this message suppression, you can change the action
> list of the above rule as follows:
>
> action=write - %s; reset 0
>
> In the above action list, the 'reset' action will terminate the event
> correlation operation that invoked this action list, and message
> suppression will therefore not happen.
>
> In order to address the second scenario EVENT_TYPE_A && EVENT_TYPE_B &&
> EVENT_TYPE_C, you would use the following rule which is similar to the
> previous example:
>
> type=EventGroup3
> ptype=RegExp
> pattern=EVENT_TYPE_A ([\d.]+)
> continue=TakeNext
> ptype2=RegExp
> pattern2=EVENT_TYPE_B ([\d.]+)
> continue2=TakeNext
> ptype3=RegExp
> pattern3=EVENT_TYPE_C ([\d.]+)
> continue3=TakeNext
> desc=Events A, B and C observed for IP $1 within 60 seconds
> action=write - %s
> window=60
>
> And as for the final scenario (EVENT_TYPE_A || EVENT_TYPE_B &&
> EVENT_TYPE_D), everything depends on how to interpret it. Given the
> precedence of logical operators, I would interpret it as EVENT_TYPE_A ||
> (EVENT_TYPE_B && EVENT_TYPE_D), and in that case the following two rules
> would be sufficient:
>
> type=Single
> ptype=RegExp
> pattern=EVENT_TYPE_A ([\d.]+)
> continue=TakeNext
> desc=Event A observed for IP
> action=write - %s
>
> type=EventGroup2
> ptype=RegExp
> pattern=EVENT_TYPE_B ([\d.]+)
> continue=TakeNext
> ptype2=RegExp
> pattern2=EVENT_TYPE_D ([\d.]+)
> continue2=TakeNext
> desc=Events B and D observed for IP $1 within 60 seconds
> action=write - %s
> window=60
>
> However, if you are actually dealing with the scenario (EVENT_TYPE_A ||
> EVENT_TYPE_B) && EVENT_TYPE_D, you could use the following two rules:
>
> type=EventGroup2
> ptype=RegExp
> pattern=EVENT_TYPE_A ([\d.]+)
> continue=TakeNext
> ptype2=RegExp
> pattern2=EVENT_TYPE_D ([\d.]+)
> continue2=TakeNext
> desc=Events A and D observed for IP $1 within 60 seconds
> action=write - %s
> window=60
>
> type=EventGroup2
> ptype=RegExp
> pattern=EVENT_TYPE_B ([\d.]+)
> continue=TakeNext
> ptype2=RegExp
> pattern2=EVENT_TYPE_D ([\d.]+)
> continue2=TakeNext
> desc=Events B and D observed for IP $1 within 60 seconds
> action=write - %s
> window=60
>
> Finally, please note that I have used 'continue*=TakeNext' statements in
> all rule definitions, since they are matching the same set of events and
> the statements will allow events to be matched and processed by following
> rules in the rule base (I have assumed that all 4 rules are in the same
> rule file). The 'continue' statements are also necessary if in addition to
> above 4 rules, you have also other rules in the remaining rule file which
> need to match events A, B, C and D.
>
> hope this helps,
> risto
>
>
> On Sun, 5 April 2020 at 02:58, Agustín Lara Romero (<aguw...@hotmail.com>)
> wrote:
>
> Hi Risto,
>
> Yes, your suppositions in the points 1, 2 and 3 are correct.
> The events can appear in any order.
> The expected time window for this events is 60 seconds
>
> Kind regards,
> Agustín
>
>
> *Cc:* simple-evcorr-users@lists.sourceforge.net <
> simple-evcorr-users@lists.sourceforge.net>
> *Subject:* Re: [Simple-evcorr-users] IP correlation with EventGroup
>
> hi Agustin,
>
> Hi Risto,
> My name is Agustín, I'm working with the SEC and I have a problem that I
> can't solve.
> I have different events such as:
> EVENT_TYPE_A FROM 1.1.1.1
> EVENT_TYPE_A FROM 2.2.2.2
> EVENT_TYPE_B FROM 1.1.1.1
> EVENT_TYPE_B FROM 2.2.2.2
> EVENT_TYPE_C FROM 1.1.1.1
> EVENT_TYPE_C FROM 2.2.2.2
> EVENT_TYPE_D FROM 2.2.2.2
> FINISH
>
> And I want to get SEC to correlate the events for each IP when the FINISH
> event comes in with the following logic:
>
>
>    - For each IP:
>       - (INPUT FOR SAME IP)
>          - EVENT_TYPE_A && EVENT_TYPE_B
>       - (OUTPUT)
>          - MATCH_1 FOR IP
>       - (INPUT FOR SAME IP)
>          - EVENT_TYPE_A && EVENT_TYPE_B && EVENT_TYPE_C
>       - (OUTPUT)
>          - MATCH_2 FOR IP
>       - (INPUT FOR SAME IP)
>          - EVENT_TYPE_A || EVENT_TYPE_B && EVENT_TYPE_D
>       - (OUTPUT)
>          - MATCH_3 FOR IP
>
>
>
> Before suggesting anything, I'd like to clarify some details of the
> problem you have. Have I understood correctly that you are dealing with the
> following three scenarios?
>
> 1) if events of type A and type B are observed for the same IP address,
> you would like to trigger an action for this IP address,
> 2) if events of type A, B and C are observed for the same IP address, you
> would like to trigger an action for this IP address,
> 3) if you see either event of type A, or events of type B and D for the
> same IP address, you would like to trigger an action for this IP address.
>
> Also, is the order of events important or can they appear in any order?
> And what is the expected time window for these events? (Is it 60 seconds as
> your rule example suggests?)
>
> kind regards,
> risto
>
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users