SEC (Simple Event Correlator)

Basics:

SEC: a Perl script that reads events from a file stream (such as a log file) and loads its rulesets at runtime

ruleset: an ordered set of rules stored in a .sec text file

rule: built using the following key-value pairs

  type      rule type (9 supported)
  ptype     pattern type (13 supported / customizable)
  pattern   rule triggering pattern
  context   identifying name of the correlation
  continue  exit at this rule or continue to next
  desc      event description
  action    action list upon success
  thresh    threshold number
  window    time window in seconds
  time      for Calendar type

Things to know:

- contexts are rules that have been activated by a triggering event

- each event is referred to as an event correlation operation

- every context has a lifetime, which is either finite or infinite

- for each correlation operation a key is generated and used to identify the context

- this key is built from the ruleset (configuration) file name, the rule ID and the event description (desc)

- for example: example.sec | 1 | this is an example event

- contexts can become active in parallel by defining rulesets that are triggered concurrently
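The ruleset below is an added illustration of the rule keys and the key/context behaviour described above; it is not taken from the page or from the SEC distribution. It assumes a constructed log line format ("login failure for user <name> from <ip>"); the context name SUPPRESS_<user>_<ip>, the thresholds and the lifetimes are arbitrary choices.

```text
# example.sec -- constructed illustration, not from the page or from SEC itself.
# Assumed (constructed) input lines look like:
#   host1 app[123]: login failure for user alice from 192.0.2.10
# Rules are evaluated in file order; continue=DontCont (the default)
# stops processing of the event at the rule that matched it.

# Rule 1 (type=Single): record every failure, then hand the event on
# to the following rules with continue=TakeNext.
type=Single
ptype=RegExp
pattern=login failure for user (\S+) from (\S+)
desc=Login failure for $1 from $2
action=write - seen failure: $1 from $2
continue=TakeNext

# Rule 2 (type=Suppress): while the context SUPPRESS_<user>_<ip> exists
# (created by rule 3 with a 300-second lifetime), swallow repeat
# failures so that only one alert is raised per burst.
type=Suppress
ptype=RegExp
pattern=login failure for user (\S+) from (\S+)
context=SUPPRESS_$1_$2
desc=Suppress repeated alerts for $1 from $2

# Rule 3 (type=SingleWithThreshold): count failures per user+source.
# Because desc contains $1 and $2, the correlation key becomes
# "example.sec | <rule ID> | Login failures for <user> from <ip>", so
# every user/source pair gets its own operation and its own 60-second
# window; on the 5th failure the action fires and the suppress context
# is created with a finite lifetime of 300 seconds.
type=SingleWithThreshold
ptype=RegExp
pattern=login failure for user (\S+) from (\S+)
desc=Login failures for $1 from $2
action=write - ALERT: 5 login failures for $1 from $2 within 60s; \
       create SUPPRESS_$1_$2 300
window=60
thresh=5

# Rule 4 (type=Calendar): driven by the time field (crontab-style
# minute hour day-of-month month weekday) instead of an input pattern.
type=Calendar
time=0 0 * * *
desc=Daily heartbeat
action=write - SEC heartbeat: ruleset active
```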

 

Useful links:

distribution (for prelude): http://svn.prelude-ids.org/trunk/sec/

man page: http://www.estpak.ee/~risto/sec/sec.pl.html

FAQ: http://www.estpak.ee/~risto/sec/FAQ.html

paper (Vaarandi 2002): http://kodu.neti.ee/~risto/publications/sec-ipom02-web.pdf

IDMEF: http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-16.txt

great tutorial: http://sixshooter.v6.thrupoint.net/SEC-examples/article.html