3.4 Rule Operations

Rule operations work on subrules that have been combined into a compound rule. They include:

3.4.1 Gate Operation

The gate operation is used to create a composite rule which is used in identifying complex situations from the occurrence of simple situations.

The composite rule is made up of one or more nested subrules and can be configured to fire if some, any or all of the subrules fire within a specified time window. The subrules can be a simple rule or another composite rule. For more information on Composite Rule, see Correlation Tab in the Sentinel 6.1 Rapid Deployment User Guide.

The syntax for gate is:

Gate(<subrule 1 rulelg>, <subrule 2 rulelg>…<subrule n rulelg>, <mode>, <evaluation period>, discriminator(<list of tags>))

Where

Subrule rulelgs are the rulelg definitions for subrules 1 to n
mode = all | any | 1 | 2 | … | n, which is the number of subrules that must be triggered in order for the gate rule to trigger
<evaluation period> specifies the duration for which past events matching the filter expression are maintained, specified in seconds (s), minutes (m), or hours (h). If no letter is specified, seconds are assumed.
discriminator(<list of tags>) names the field or fields to group by

For example, this rule is a typical perimeter security IDS inside/outside rule

filter(e.sev > 3) flow gate(filter(e.sn = "in"), filter(e.sn = "out"), all, 60s, discriminator(e.dip, e.evt))

3.4.2 Sequence Operation

Sequence rules are similar to gate rules, except that all child rules must fire in time order for the sequenced rule to evaluate to true.

The subrules can be a simple rule or another composite rule.

The syntax for sequence is:

Sequence(<subrule 1 rulelg>, <subrule 2 rulelg>…<subrule n rulelg>, <evaluation period>, discriminator(<list of tags>))

Where

Subrule rulelgs are the rulelg definitions for subrules 1 to n
<evaluation period> is a time period expressed in seconds (s), minutes (m), or hours (h)
discriminator(<list of tags>) names the field or fields to group by

For example, this rule detects three failed logins by a particular user within 10 minutes, followed by a successful login by the same user.

sequence (filter(e.evt="failed logins") flow trigger(3, 600, discriminator(e.sun,e.dip)), filter(e.evt="goodlogin"), 600, discriminator(e.sun, e.dip))
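To make the semantics of the gate rule in 3.4.1 and the sequence rule above concrete, the following is an added Python model of how a correlation engine evaluates these operations; it is an illustration written for this page, not Sentinel's own RuleLG implementation. Events are plain dicts whose keys mirror the e.* tags used in the two rules (sev, sn, dip, evt, sun) plus a constructed integer timestamp ts. The sample event lists, the reset of a trigger's count after it fires, and the choice to evaluate only the next expected subrule of a sequence per discriminator key are all assumptions made for the example.

```python
"""Toy evaluator for RuleLG-style trigger, gate and sequence operations.
Added example, not Sentinel code. Events are dicts keyed like the e.* tags
plus "ts" (epoch seconds). Filters are Python predicates over an event."""
from collections import defaultdict, deque


def parse_period(spec):
    """'60s', '10m', '2h' or a bare number (seconds assumed) -> seconds."""
    spec = str(spec).strip()
    units = {"s": 1, "m": 60, "h": 3600}
    if spec[-1] in units:
        return int(spec[:-1]) * units[spec[-1]]
    return int(spec)


def key_of(event, discriminator):
    """Group-by key: the tuple of discriminator field values."""
    return tuple(event.get(f) for f in discriminator)


class Trigger:
    """filter(...) flow trigger(count, period, discriminator(...)):
    fires on the count-th matching event for a key inside a sliding window."""

    def __init__(self, pred, count, period, discriminator):
        self.pred, self.count = pred, count
        self.period, self.disc = parse_period(period), discriminator
        self.seen = defaultdict(deque)  # key -> timestamps of matches in window

    def __call__(self, event):
        if not self.pred(event):
            return False
        q = self.seen[key_of(event, self.disc)]
        q.append(event["ts"])
        while q and event["ts"] - q[0] > self.period:
            q.popleft()  # drop matches that fell out of the window
        if len(q) >= self.count:
            q.clear()  # assumption: count afresh once the trigger has fired
            return True
        return False


class Gate:
    """gate(sub1, ..., subn, mode, period, discriminator(...)): fires when
    `mode` (all | any | n) of the subrules have each fired for the same key
    within `period` seconds of the current event."""

    def __init__(self, subrules, mode, period, discriminator):
        self.subrules, self.disc = subrules, discriminator
        self.period = parse_period(period)
        if mode == "all":
            self.need = len(subrules)
        elif mode == "any":
            self.need = 1
        else:
            self.need = int(mode)
        self.last = defaultdict(dict)  # key -> {subrule index: last fire ts}

    def __call__(self, event):
        key = key_of(event, self.disc)
        hits = [i for i, sub in enumerate(self.subrules) if sub(event)]
        for i in hits:
            self.last[key][i] = event["ts"]
        if not hits:
            return False
        fresh = [i for i, t in self.last[key].items() if event["ts"] - t <= self.period]
        return len(fresh) >= self.need


class Sequence:
    """sequence(sub1, ..., subn, period, discriminator(...)): fires when the
    subrules fire in order for the same key, all within `period` seconds of
    the first one firing. Only the next expected subrule is evaluated per key
    (assumed simplification); an expired window restarts the sequence."""

    def __init__(self, subrules, period, discriminator):
        self.subrules, self.disc = subrules, discriminator
        self.period = parse_period(period)
        self.progress = {}  # key -> (index of next expected subrule, start ts)

    def __call__(self, event):
        key = key_of(event, self.disc)
        stage, start = self.progress.get(key, (0, None))
        if start is not None and event["ts"] - start > self.period:
            stage, start = 0, None  # window expired: start over
        if not self.subrules[stage](event):
            self.progress[key] = (stage, start)
            return False
        start = event["ts"] if stage == 0 else start
        stage += 1
        if stage == len(self.subrules):
            self.progress.pop(key, None)
            return True
        self.progress[key] = (stage, start)
        return False


def run(rule, events, prefilter=lambda e: True):
    """Feed events through an optional leading filter into a composite rule;
    return the timestamps at which the composite fired."""
    return [e["ts"] for e in events if prefilter(e) and rule(e)]


# Constructed sample events (not real logs) for the two rules in the text.
GATE_EVENTS = [
    {"ts": 0, "sev": 5, "sn": "in", "dip": "10.0.0.5", "evt": "Scan"},
    {"ts": 20, "sev": 5, "sn": "out", "dip": "10.0.0.5", "evt": "Scan"},  # fires
    {"ts": 30, "sev": 5, "sn": "in", "dip": "10.0.0.6", "evt": "Scan"},
    {"ts": 200, "sev": 5, "sn": "out", "dip": "10.0.0.6", "evt": "Scan"},  # 170s apart
    {"ts": 210, "sev": 2, "sn": "in", "dip": "10.0.0.6", "evt": "Scan"},  # sev <= 3
]
SEQ_EVENTS = [
    {"ts": 0, "evt": "failed logins", "sun": "alice", "dip": "10.0.0.9"},
    {"ts": 30, "evt": "failed logins", "sun": "alice", "dip": "10.0.0.9"},
    {"ts": 45, "evt": "goodlogin", "sun": "alice", "dip": "10.0.0.9"},  # only 2 failures
    {"ts": 60, "evt": "failed logins", "sun": "alice", "dip": "10.0.0.9"},  # 3rd failure
    {"ts": 90, "evt": "failed logins", "sun": "bob", "dip": "10.0.0.9"},
    {"ts": 120, "evt": "goodlogin", "sun": "alice", "dip": "10.0.0.9"},  # sequence fires
    {"ts": 150, "evt": "goodlogin", "sun": "bob", "dip": "10.0.0.9"},  # bob: 1 failure
]


def ids_inside_outside():
    """filter(e.sev > 3) flow gate(filter(e.sn = "in"), filter(e.sn = "out"),
    all, 60s, discriminator(e.dip, e.evt))"""
    gate = Gate([lambda e: e["sn"] == "in", lambda e: e["sn"] == "out"],
                "all", "60s", ("dip", "evt"))
    return run(gate, GATE_EVENTS, prefilter=lambda e: e["sev"] > 3)


def brute_force_then_success():
    """sequence(filter(e.evt="failed logins") flow trigger(3, 600, discriminator(e.sun,e.dip)),
    filter(e.evt="goodlogin"), 600, discriminator(e.sun, e.dip))"""
    failures = Trigger(lambda e: e["evt"] == "failed logins", 3, 600, ("sun", "dip"))
    seq = Sequence([failures, lambda e: e["evt"] == "goodlogin"], 600, ("sun", "dip"))
    return run(seq, SEQ_EVENTS)


if __name__ == "__main__":
    print(ids_inside_outside())        # [20]
    print(brute_force_then_success())  # [120]
```

Running the script shows the gate firing once, on the "out" event for 10.0.0.5 that arrives 20 seconds after the matching "in" event, while the pair for 10.0.0.6 is 170 seconds apart and stays silent; the sequence fires only on alice's successful login after her third failure, not on the earlier success that followed two failures and not for bob, whose single failure never satisfies the trigger. The discriminator is what keeps the two users' state apart: without it, bob's failure would count toward alice's threshold.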