Sentinel: Creating a Free Form RuleLg Correlation Rule

  • Document ID:3844047
  • Creation Date:14-Aug-2006
  • Modified Date:26-Apr-2012
    • Micro Focus Products:
      Sentinel

Environment

Microsoft Windows Server 2003 Standard Edition
Microsoft Windows 2000 Server
RedHat Linux
Solaris 9

Situation

Creating a Free Form RuleLg Correlation Rule

RuleLg is the native Correlation Engine rule language. A correlation rule is composed of high-level operations (filter, window, trigger). Operations are combined together to form a rule with the following operators: flow, union, and intersection.

Resolution

Creating a Free Form RuleLg Correlation Rule

RuleLg is the native Correlation Engine rule language. A correlation rule is composed of high-level operations (filter, window, trigger). Operations are combined together to form a rule with the following operators: flow, union, and intersection.

RuleLg operations (filter, window, trigger)

  • Each operation works on set of events: it receives as input a set of events and returns a set of events.

  • The current event processed by a rule often has a special meaning for the semantic of the language (see details afterward).

  • The current event is always part of the set of events in and out of an operation unless the set is empty.

  • If an input set of an operation is empty the operation is not evaluated.

Filter Operation

filter(Boolean expression)

A filter operation allows filtering according to the content of the current event; that is, its meta-tag values (see RuleLg meta-tag short names) and the filter-specified Boolean expression. The output of a filter is either the empty set (if the current event did not match the filter) or a set containing the current event and all the other events from the incoming set.

  • Filters operate on the current event, evaluating the Boolean expression for the current event.

  • The filter operation returns the input set if the Boolean expression evaluates to true.

  • The filter operation returns the empty set if the Boolean expression evaluates to false.

  • The Boolean expression is a composition of comparison instructions and match instructions with the following Boolean operators: and, or and not.

  • Comparison instructions allow evaluation of event meta-tag values with other event meta-tag values or constants.

  • Available comparison operators are =, !=, >, <, >=,<=.

  • The available match instructions are match regular expressions, match regex(), or match subnets, match subnet().

  • Comparison and match instructions may be nested via parenthesis to any depth.

  • The meta-tag names in comparison and match instructions must always be pre-pended with "e." to specify the current event.

  • See also Boolean operator precedence and associativity table.

  • If a filter is the last operation (or only operation) of a correlation rule, then the output set of the filter is used to construct a correlated event (the correlated events being the filter operation output set of events with the current event first).

  • If a filter is not the last operation of a correlation rule (i.e. there is a flow operator on its right), then the output set of a filter is used as input set to other operations (via the flow operator).

Watchlists are based directly on standalone filters:

  • A basic watchlist is a simple filter with a special meta-tag "all" (concatenation of all the meta-tags of an event) matched with a regular expression.

  • An advanced watchlist allows the user to specify a filter that is evaluated against all incoming events. This form of watchlist is potentially faster than the basic watchlist since not all the meta-tags of the event are taken into consideration and the filter instructions used can be faster than a regular expression.

Examples of Filter Operations

filter(e.sev = 4 and (e.res match regex ("FW") or e.res match regex ("Comm")))

If the current event has a severity of 4 and the resource meta-tag contains either "FW" or "Comm", a correlated event is sent with the current event (single event) listed as the correlated event.

===========================

filter(e.all match regex("ABC"))

If any of the current event meta-tags contains "ABC", a correlated event is sent with the current event (single event) listed as the correlated event.

Window Operation

window(simple Boolean expression [, filter expression], int duration)

A window operation works on the current event in relation to a window of past events. Past events are maintained by the window operation itself. The output of a window is either the empty set (if the current event did not match the simple Boolean expression) or a set containing the current event and all the past events for which the simple Boolean expression is true.

  • The simple Boolean expression is either a single comparison instruction or a single match instruction of a past event meta-tag value with either a current event meta-tag value or a constant.

  • You must prepend a meta-tag name with "e." to specify the current event or with "w." to specify the past events.

  • Available comparison operators are =, !=, >, <, >=,<=.

  • The available match instructions are match regular expressions, match regex(), or match subnets, match subnet().

  • A "w.[meta-tag]" must be present in a window simple Boolean expression.

  • If any past event evaluates to true with the current event for the simple Boolean expression the output set is the incoming event plus all matches in the window.

  • If no events in the window match the current event for the simple Boolean expression, an empty set is output.

  • Past events are maintained for the specified duration of the window operation.

  • The optional filter expression parameter of a window allows the user to control what events the window maintains. This expression is any valid filter.

  • Every incoming event (to the correlation engine) that passes the filter is put into the window of past events.

  • If there is no filter expression then all incoming events (to the correlation engine) are maintained by the window.

  • The current event is not placed into the window until after the current event window evaluation is done.

  • Only the relevant parts of the past events are actually maintained by the window (to lessen memory usage).

If a window is the last operation (or only operation) of a correlation rule, then the output set of the window is used to construct a correlated event (the correlated events being the window operation output set of events with the current event first).

If a window is not the last operation of a correlation rule (i.e. there is a flow operator on its right), the output set of a window is used as input set to other operations (via the flow operator).

Examples of Window Operations

window(e.sip = w.sip, filter(e.sip match subnet (192.168.0.0/16)), 60)

If the current event has a Source IP in the Class B address 192.168.0.0 and matches an event(s) that happened within the past 60 seconds, a correlated event is sent with the current event and any matched past events as the correlated events (current event first).

================================

window(e.sip = w.dip, 3600) intersection window(e.dp = w.dp, 3600) intersection window(e.evt = w.evt, 3600)

Domino type of rule: an attacker exploits a vulnerable system and uses it as an attack platform.

filter(e.sev > 3 and e.sn="in") flow (window(e.sip = w.sip, filter(e.sn="out" and e.sev>3), 5) intersection window(e.evt = w.evt, filter(e.sn="out" and e.sev >3), 5) intersection window(e.dip = w.dip, filter(e.sn="out" and e.sev >3), 5) ) union filter(e.sev > 3 and e.sn="out") flow (window(e.sip = w.sip, filter(e.sn="in" and e.sev >3), 5) intersection window(e.evt = w.evt, filter(e.sn="in" and e.sev >3), 5) intersection window(e.dip = w.dip, filter(e.sn="in" and e.sev >3), 5) )

Inside/outside type of rule: An attack signature is seen on two IDSs (one on the inside side of a firewall and the other one on the outside) and the attack has a severity greater than 3.

Trigger Operation

trigger(int count, int duration[, discriminator(meta-tag list)])

A trigger operation main purpose is to count a number of events for a specified duration. If the specified count is reached within the specified duration a set of events containing all the events maintained by the trigger is output, if not, the empty set is output.

  • The trigger operation receives as input a set of events to be returned part of the output set of events if the specified count, duration and discriminator(s) of the previous input sets and the current input set meet the criteria defined by the trigger operation.

  • The count is an integer value specifying the number of events that need to occur within the duration window to output a non empty set.

  • The duration is an integer value in seconds specifying the duration events are maintained by the trigger operation.

  • If duration is equal to zero a trigger operation just compares the number of events in the input set with count and outputs the input set if this number is greater than or equal to count.

  • When receiving a new input set of events, a trigger first discards the outdated events (events that have been maintained for more than duration) and then inserts the events of the new input set. If the number of resulting events is greater than or equal to the specified count then the trigger outputs a set containing all the events.

  • If a trigger is the last operation (or only operation) of a correlation rule, then the output set of the trigger is used to construct a correlated event (the correlated events being the trigger operation output set of events with the current event first). If a trigger is not the last operation of a correlation rule (i.e. there is a flow operator to its right), the output set of a trigger is used as input set to other operations (via the flow operator).

  • After a first time the trigger operation criteria are met (and therefore the trigger operation outputs a set of events), if the criteria are met again within decay time (specified duration/2) and the trigger is the last operation (or only operation) then the Correlation Engine does not construct a new correlated event but instead constructs an update to the previous correlated event. The decay time is also reset to duration/2.

  • The discriminator (meta-tag list) is a comma-delimited list of meta-tags. A trigger operation keeps different counts for each distinct combination of the discriminator meta-tags.

Example of trigger operations

trigger(5, 10, discriminator(e.sip))

If 5 events with the same Source IP happen within 10 seconds, send a Correlated Event with the 5 events as the correlated events (current event first).

RuleLg Operators

See also RuleLg operator precedence and associativity table.

Flow Operator

operation(s) flow operation(s)

The output set of events of the left hand side operation is the input set of events for the right hand side operation.

Example of Flow Operator

filter(e.sev = 5) flow trigger(3, 60)

The output of the filter operation is the input of the trigger operation therefore the trigger only counts events with severity equal to 5.

Union Operator

operation(s) union operation(s)

  • The union of the left side operation output set and the right side operation output set.

  • The resulting output set contains events from either the left hand side operation output set or the right hand side operation output set without duplicates.

Example of Union Operator

filter(e.sev = 5) union filter(e.sip = 192.168.1.1) is equivalent to filter(e.sev = 5 or e.sip = 192.168.1.1)

Intersection Operator

operation(s) intersection operation(s)

  • The intersection of the left side operation output set and the right side operation output set.

  • The resulting output set contains events that are common in both the left hand side operation output set and the right hand side operation output set without duplicates.

Example of Intersection Operator

filter(e.sev = 5) intersection filter(e.sip = 192.168.1.1) is equivalent to filter(e.sev = 5 and e.sip = 192.168.1.1)

RuleLg meta-tag short names

RuleLG meta-ta short names

Meta-tag names

sev

Severity

vul

Vulnerability

crt

Criticality

dt

DateTime

sip

SourceIP

dip

DestinationIP

id

EventID

src

SourceID

port

WizardPort

agent

WizardAgent

res

Resource

sres

SubResource

evt

EventName

sn

SensorName

st

SensorType

et

EventTime

prot

Protocol

shn

SourceHostName

sp

SourcePort

dhn

DestinationHostName

dp

DestinationPort

sun

SourceUserName

dun

DestinationUserName

fn

FileName

ei

ExtendedInformation

rn

ReporterName

pn

ProductName

msg

Message

rt1

Rt1

rt2

Rt2

rt3

Rt3

ct1

Ct1

ct2

Ct2

ct3

Ct3

ceu

CorrelatedEventUuids

rv1

ReservedVar1

rv2

ReservedVar2

rv100

ReservedVar100

cv1

CustomerVar1

cv2

CustomerVar2

cv100

CustomerVar100

RuleLg operator precedence and associativity

Operator precedence is from highest (top) to lowest (bottom).

Operator

Meaning

Operator Type

Associativity

flow

Output set becomes input set

Binary

Left to right

intersection

Set intersection (remove duplicates)

Binary

Left to right

difference

Set symmetric difference (remove duplicates)

Binary

Left to right

union

Set union (remove duplicates)

Binary

Left to right

Boolean operator precedence and associativity

Boolean operator precedence is from highest (top) to lowest (bottom).

Operator

Meaning

Operator Type

Associativity

not

Logical not

Unary

None

and

Logical and

Binary

Left to right

or

Logical or

Binary

Left to right

Comparison and match instructions (e.g. =, !=, >, <, >=, <=, match subnet, match regex) all have the same precedence (higher than Boolean operator precedence).