Sentinel Correlation Engine RuleLG Language 45
novdocx (en) 7 January 2010

As another example, this rule is a domino type of rule. An attacker exploits a vulnerable system and uses it as an attack platform.

window((e.sip = w.dip AND e.dp = w.dp AND e.evt = w.evt), 1h)

This rule identifies a potential security breach after a denial of service attack. The rule fires if the destination of a denial of service attack has a service stopped within 60 seconds of the attack.

filter(e.rv51="Service" and e.rv52="Stop" and e.st = "H") flow window (e.sip = w.dip, filter(e.rv52="Dos"), 60s) flow trigger(1,0)

Output Sets

- If any past event evaluates to true with the current event for the simple Boolean expression, the output set is the incoming event plus all matching past events.
- If no events in the window match the current event for the simple Boolean expression, the output set is empty.
- If a window is the last or only operation of a correlation rule, then the output set of the window is used to construct a correlated event (the correlated events being the window operation output set of events, with the current event first).

Additional Information

- You must prepend a metatag name with "e." to specify the current event or with "w." to specify the past events.
- All window simple Boolean expressions must include a metatag in the form w.[metatag].
- For more information about valid filter expressions, see Section 4.3.1, "Filter Operation," on page 42.
- Every event coming into the Correlation Engine that passes this filter is put into the window of past events.
- If no filter expression exists, then all events coming into the Correlation Engine are maintained by the window. With extremely high event rates or long durations, this might require a large amount of memory.
- The current event is not placed into the window until after the current event window evaluation is complete.
- To minimize memory usage, only the relevant parts of the past events, not all metatag values, are maintained in memory.

4.3.3 Trigger Operation

Trigger is used to specify a number of events for a user-specified duration.

The syntax for trigger is:

Trigger (, [, discriminator (tags>))

Where
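The window semantics listed above (evaluation of the current event against the retained past events, the current event entering the window only after evaluation, output sets with the current event first, and expiry after the window duration) are easiest to see by running the two example rules over a short event stream. The following Python simulation is an added example and is not code from the Sentinel documentation or the RuleLG engine. The metatag names (sip, dip, dp, evt, rv51, rv52, st) and the two rules come from the page; the event records and the `ts` timestamp field are constructed sample data, and modelling `trigger(count, duration)` as "at least `count` window outputs within `duration` seconds" is an assumption based on the one-sentence description of trigger above.

```python
"""
Added example (not Sentinel's code): simulation of RuleLG window and trigger
semantics. Event records below are constructed sample data; `ts` is an
assumed per-event timestamp in seconds.
"""
from collections import deque


class Window:
    """Past events that passed `window_filter`, kept for `duration` seconds."""

    def __init__(self, expr, window_filter, duration):
        self.expr = expr                    # simple Boolean expression: expr(e, w) -> bool
        self.window_filter = window_filter  # which incoming events the window maintains
        self.duration = duration            # seconds
        self.past = deque()                 # oldest first

    def _expire(self, now):
        while self.past and now - self.past[0]["ts"] > self.duration:
            self.past.popleft()

    def evaluate(self, e):
        """Output set for current event e: [e, *matching past events] or []."""
        self._expire(e["ts"])
        matches = [w for w in self.past if self.expr(e, w)]
        return [e, *matches] if matches else []

    def store(self, e):
        """Called only after evaluation, so the current event never matches itself."""
        if self.window_filter(e):
            self.past.append(e)


class Trigger:
    """Assumed model: fires once at least `count` window outputs arrive within `duration` seconds."""

    def __init__(self, count, duration):
        self.count, self.duration = count, duration
        self.seen = deque()

    def fire(self, ts):
        self.seen.append(ts)
        while ts - self.seen[0] > self.duration:
            self.seen.popleft()
        return len(self.seen) >= self.count


def run_rule(events, outer_filter, window, trigger=None):
    """Simulate `filter(...) flow window(...) [flow trigger(...)]` over an event stream.

    Every event reaches the window's store (the window filter, not the outer filter,
    decides what is kept); only events passing the outer filter are evaluated against
    the stored past events. Returns the correlated events, each as an output set with
    the current event first.
    """
    correlated = []
    for e in events:
        out = window.evaluate(e) if outer_filter(e) else []
        window.store(e)  # current event enters the window only after evaluation
        if out and (trigger is None or trigger.fire(e["ts"])):
            correlated.append(out)
    return correlated


# Constructed stream for the "service stopped within 60s of a DoS" rule: DoS against
# 10.0.0.9, a Service/Stop from that host 30s later, an unrelated stop elsewhere,
# and a late stop from the victim after the 60s window has expired.
DOS_EVENTS = [
    {"ts": 0,   "sip": "10.0.0.5",  "dip": "10.0.0.9", "rv51": "Attack",  "rv52": "Dos",  "st": "H"},
    {"ts": 30,  "sip": "10.0.0.9",  "dip": "",         "rv51": "Service", "rv52": "Stop", "st": "H"},
    {"ts": 40,  "sip": "10.0.0.77", "dip": "",         "rv51": "Service", "rv52": "Stop", "st": "H"},
    {"ts": 200, "sip": "10.0.0.9",  "dip": "",         "rv51": "Service", "rv52": "Stop", "st": "H"},
]


def dos_then_service_stop(events=DOS_EVENTS):
    """filter(e.rv51="Service" and e.rv52="Stop" and e.st="H")
       flow window(e.sip = w.dip, filter(e.rv52="Dos"), 60s) flow trigger(1,0)"""
    def outer(e):
        return e["rv51"] == "Service" and e["rv52"] == "Stop" and e["st"] == "H"
    window = Window(expr=lambda e, w: e["sip"] == w["dip"],
                    window_filter=lambda e: e["rv52"] == "Dos", duration=60)
    return run_rule(events, outer, window, Trigger(1, 0))


# Constructed stream for the domino rule: 10.0.0.9 is exploited, then launches the
# same exploit on the same port at a third host within the hour; a later event on a
# different port does not chain.
DOMINO_EVENTS = [
    {"ts": 0,   "sip": "10.0.0.5", "dip": "10.0.0.9",  "dp": 445, "evt": "Exploit"},
    {"ts": 600, "sip": "10.0.0.9", "dip": "10.0.0.12", "dp": 445, "evt": "Exploit"},
    {"ts": 700, "sip": "10.0.0.9", "dip": "10.0.0.13", "dp": 80,  "evt": "Exploit"},
]


def domino(events=DOMINO_EVENTS):
    """window((e.sip = w.dip AND e.dp = w.dp AND e.evt = w.evt), 1h) as the only operation."""
    window = Window(expr=lambda e, w: e["sip"] == w["dip"] and e["dp"] == w["dp"] and e["evt"] == w["evt"],
                    window_filter=lambda e: True,  # no window filter: every event is kept
                    duration=3600)
    return run_rule(events, outer_filter=lambda e: True, window=window)


if __name__ == "__main__":
    print(dos_then_service_stop())  # one correlated event: [stop@30s, dos@0s]
    print(domino())                 # one correlated event: [exploit@600s, exploit@0s]
```

In the first rule only the Service/Stop events pass the outer filter and are evaluated, while only the DoS event is kept by the window, so the stop at 30s correlates with the DoS and the stop at 200s finds an expired window. In the domino rule no window filter is given, so every event is retained for an hour; with a real event rate that is the memory cost the page warns about.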