SEC (Simple Event Correlator)
Basics:
SEC: a Perl script that reads events from an input file stream (a log file, named pipe or stdin) and loads its rulesets from configuration files at startup (they are re-read on SIGHUP).
ruleset: an ordered set of rules stored in one .sec text file; rules are tried in file order.
rule: built from the following key-value pairs (one per line, rules separated by blank lines):
key        meaning
type       rule type (9 supported, e.g. Single, SingleWithThreshold, Pair, Suppress, Calendar)
ptype      pattern type (13 supported, e.g. SubStr, RegExp, PerlFunc and their negated N* forms; PerlFunc makes matching fully customizable)
pattern    pattern that triggers the rule; RegExp capture groups are available as $1, $2, ... in desc, context and action
context    boolean expression over context names (e.g. CTX1 && !CTX2) that must hold for the rule to match
continue   TakeNext to pass the matched event on to the following rules, DontCont (the default) to stop at this rule
desc       event description; match variables are substituted and the result becomes part of the correlation key
action     action list executed when the rule fires (write, create, delete, shellcmd, event, ...), actions separated by ;
thresh     event count threshold (SingleWithThreshold, SingleWith2Thresholds)
window     correlation window in seconds
time       crontab-style time specification, used by Calendar rules instead of pattern
Things to know:
- a context is a named flag with a lifetime that is created and removed by actions (create, delete, set) or by its lifetime expiring; a rule's context field tests a boolean expression over context names and the rule matches only if that expression holds
- an event correlation operation is the per-rule instance that a triggering event starts (a counting window, a pair waiting for its second event, a suppression interval) and that runs until it completes or its window expires
- every context has a lifetime which is either finite (seconds) or infinite
- for each correlation operation a key is generated and used to identify it; the key is built from the ruleset (configuration) file name, the rule ID and the event description (desc) after match variables have been substituted, for example: example.sec | 1 | this is an example event
- because desc is part of the key, a desc such as "login failure for $1" creates a separate operation for every distinct value of $1, whereas a constant desc counts all matching events of that rule together
- many operations and contexts are active in parallel: each matching event starts or feeds its own operation, and with continue=TakeNext (or several configuration files) one event can trigger rules in more than one ruleset
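The following ruleset is an added example written for this page; it is not code from the page or from the SEC distribution. It ties the field table above to the points about keys and contexts: rule 0 uses $2 in desc so one SingleWithThreshold operation is kept per source address, its action creates a per-address context with a finite lifetime, rule 1 matches only while that context exists, and rule 2 shows a Calendar rule driven by time rather than pattern. The sshd syslog line format, the file name ssh-bruteforce.sec, the context name prefix SSH_BRUTE_ and the thresholds are assumptions for the example.

```sec
# ssh-bruteforce.sec  (added example, not from the original page)
# Assumes OpenSSH syslog lines such as these (constructed samples):
#   sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
#   sshd[1234]: Accepted password for alice from 203.0.113.5 port 4040 ssh2
# Run with:  sec --conf=ssh-bruteforce.sec --input=/var/log/auth.log
#       or:  sec --conf=ssh-bruteforce.sec --input=-   (feed sample lines on stdin)

# Rule 0: count failed logins per source address.
# desc contains $2, so SEC keeps one correlation operation per IP
# (key: ssh-bruteforce.sec | <rule id> | SSH brute force from 203.0.113.5).
# 5 failures inside 60 s execute the action once; further failures in the
# same window are absorbed silently and the operation ends when the window
# passes without new matches. A constant desc would count every IP together.
type=SingleWithThreshold
ptype=RegExp
pattern=sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)
desc=SSH brute force from $2
action=write - possible SSH brute force from $2 (last user tried: $1); \
       create SSH_BRUTE_$2 600
window=60
thresh=5
continue=DontCont

# Rule 1: a successful login is only interesting while the per-IP context
# set by rule 0 is still alive (finite lifetime: 600 s). The context
# expression is evaluated after the pattern match and before the action
# list; if SSH_BRUTE_<ip> does not exist the rule does not match at all.
# Deleting the context afterwards stops repeated alerts for the same IP.
type=Single
ptype=RegExp
pattern=sshd\[\d+\]: Accepted password for (\S+) from (\d+\.\d+\.\d+\.\d+)
context=SSH_BRUTE_$2
desc=Login from $2 after brute force
action=write - ALERT: $1 logged in from $2 within 10 min of a brute-force attempt; \
       delete SSH_BRUTE_$2

# Rule 2: Calendar rules have no pattern; time is a crontab-style spec
# (minute hour day-of-month month day-of-week). Writing an hourly heartbeat
# lets a stalled input stream be told apart from a quiet one.
type=Calendar
time=0 * * * *
desc=hourly heartbeat
action=write - sec heartbeat %t
```

Feeding six constructed "Failed password ... from 203.0.113.5" lines within a minute produces one brute-force message, not six, and a following "Accepted password" line from the same address triggers rule 1; the same lines from a second address run through an independent operation and context, which is exactly the per-desc keying described above.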
Useful links:
- distribution (for prelude)
- man page
- FAQ
- paper (Vaarandi 2002)
- IDMEF: http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-16.txt
- Great Tutorial: http://sixshooter.v6.thrupoint.net/SEC-examples/article.html