Hi All,
I have run into the below situation during Correlation Rule creation.
Customer needs a correlation rule which detects if an event and its counterpart don’t arrive, and same time it makes some cache checks. It looks like this:
Error conditions:
1. if the second event does not follows the first one
2. if the cached values in the second message are differ from the first one
Issues:
The two messages can arrive
- in any combination of two sources (sx) devices (s1 > s2, s2 > s1)
- in any time sequence (e1, e2 or e2, e1)
So I did this:
Statement1: The first event comes in from any of the two FTP servers and says that someone downloaded a file:
1. I check the source device (must be any of the two FTP servers=ip1 or ip2)
2. I check the messageID (=file_downloaded)
3. and save username, filesize and filename in cache variables
AND
Statement2: the second event should come from the counterpart of the above FTP server(!)
1. Error condition1: NO Events within 120 secs
2. I check the source device (again, must be one of the two FTP servers = ip1 or ip2)
3. I check the messageID (=file_downloaded)
4. check if saved username, filesize and filename in the cache are identical to first event
I can detect if the second message is missing. The problem comes when -as expected- two messages received, because the second message also initiates a new correlation check and it produces an error = fires alarm, false alarm. So my question is, if it is possible to quit somehow from a correlation check or anyone has any other idea to solve this issue?
Thanks in advance,
Balazs
