
I would like to detect some patterns using WSO2, but my current solution is only capable of detecting them if the events that arrive are consecutive.

Let's suppose the following pattern:

  • Event 1: Scanning Event from Source 1 to Target 2
  • Event 2: Attempt Exploit from Source 1 to Target 2

That would generate an Alert.

But in a real-world scenario the events won't come in order, since there are too many computers in an enterprise.

Is there a way to detect the previous pattern with the following event sequence?

  • Event 1: Scanning Event from Source 1 to Target 2
  • Event 2: Not relevant
  • Event 3: Not relevant
  • ...
  • Event N: Attempt Exploit from Source 1 to Target 2

My current code is:

from every (e1=Events) -> e2=Events
within 10 min
select ...
having e1.type=='Scan' and e2.type=='attack' and e1.Source_IP4==e2.Source_IP4
insert into Alert;

I've also tried other kinds of solutions, like

from every e1=Events,e2=Events[Condition]
within 10 min
select ...
having e1.type=='Scan' and e2.type=='attack' and e1.Source_IP4==e2.Source_IP4
insert into Alert;

Maybe it could be done with a partition? Partition the streams taking into account the Source_IP4.

Peter Rubi

1 Answer


I've finally made it.

The problem was using "having" to detect the pattern; it has to be moved to the "filter condition" section instead.

from (every)? <event reference>=<input stream>[<filter condition>] -> 
    (every)? <event reference>=<input stream>[<filter condition>] -> 
    ... 
    (within <time gap>)?     
select <event reference>.<attribute name>, <event reference>.<attribute name>, ...
insert into <output stream>

Solution:

from every (e1=Events) -> e2=Events[e1.type=='Scan' and type=='attack' and e1.Source_IP4==Source_IP4]
within 10 min
select ...
insert into Alert;
Peter Rubi
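As an added example (not part of the question or the answer, and not WSO2/Siddhi code), the following Python script simulates the detection logic that the corrected pattern expresses: a "Scan" followed by an "attack" from the same source within 10 minutes must still match when any number of unrelated events arrive in between. It keeps per-pair state instead of comparing adjacent events, which is exactly why a "having" over consecutive events fails and a filter condition on e2 that references e1 works. The field names (ts, type, Source_IP4, Target_IP4), the log format and the sample events are constructed for this example; it also goes slightly beyond the posted query by keying on the (source, target) pair named in the question rather than on Source_IP4 alone.

```python
"""Added example, not from the original post or from WSO2: an in-memory
simulation of the 'Scan followed by attack within 10 minutes' pattern,
showing that the correlation must be keyed state, so that unrelated events
arriving in between do not break the match."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # the 'within 10 min' of the Siddhi query


def parse_event(line):
    """Parse one constructed log line 'ISO-timestamp,type,src,dst' into a dict.
    The field names mirror the question's stream attributes (assumption)."""
    ts, etype, src, dst = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "type": etype,
            "Source_IP4": src, "Target_IP4": dst}


def detect_scan_then_attack(events, window=WINDOW):
    """Return one alert for each 'attack' that follows a 'Scan' from the same
    (source, target) pair within `window`, regardless of how many other
    events arrive between the two.

    Keying on the (source, target) pair is an assumption of this example;
    the posted query keys on Source_IP4 only."""
    open_scans = defaultdict(list)   # (src, dst) -> timestamps of scans still inside the window
    alerts = []
    for ev in events:
        key = (ev["Source_IP4"], ev["Target_IP4"])
        if ev["type"] == "Scan":
            # remember the scan, dropping any older scans for this pair that already expired
            open_scans[key] = [t for t in open_scans[key] if ev["ts"] - t <= window]
            open_scans[key].append(ev["ts"])
        elif ev["type"] == "attack":
            # only scans that happened before the attack and inside the window count
            live = [t for t in open_scans[key] if timedelta(0) <= ev["ts"] - t <= window]
            if live:
                alerts.append({"Source_IP4": key[0], "Target_IP4": key[1],
                               "scan_ts": live[0], "attack_ts": ev["ts"]})
                # design choice for this example: one alert per attack, and a
                # second attack needs a fresh scan to alert again
                open_scans[key] = []
            else:
                open_scans[key] = []   # whatever was there has expired
        # any other event type is not relevant to this pattern and passes through
    return alerts


SAMPLE_LOG = [   # constructed sample data
    "2024-03-01T12:00:00,Scan,10.0.0.5,10.0.1.20",
    "2024-03-01T12:00:30,Login,10.0.0.7,10.0.1.40",    # not relevant
    "2024-03-01T12:01:00,Scan,10.0.0.9,10.0.1.30",
    "2024-03-01T12:02:00,DNS,10.0.0.8,10.0.1.53",      # not relevant
    "2024-03-01T12:07:00,attack,10.0.0.5,10.0.1.20",   # 7 min after its scan -> alert
    "2024-03-01T12:08:00,attack,10.0.0.5,10.0.1.21",   # same source, other target -> no alert
    "2024-03-01T12:15:00,attack,10.0.0.9,10.0.1.30",   # 14 min after its scan -> outside window
    "2024-03-01T12:16:00,attack,10.0.0.11,10.0.1.60",  # no preceding scan -> no alert
]


def run_sample():
    """Run the detector over the constructed log and return the alerts."""
    return detect_scan_then_attack(parse_event(line) for line in SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Running it yields a single alert for 10.0.0.5 -> 10.0.1.20, even though three unrelated events sit between the scan and the attack. Note that the state dictionary is what the "within 10 min" clause bounds in Siddhi; if you port this idea elsewhere, make sure stale scans are expired (as the scan and attack branches do here), otherwise a busy scanner that never follows up will grow the state without limit.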