| Administrators and Analysts with rules definition authority may define Event rules by selecting Rules -> Events from the menu bar. Any Analyst may display rule definitions. The Event definition is very similar to the Action definition. The Target type, Attack type, and Severity are used on the Analysis tab display to so that finding the Event definition is a matter of finding the Target type and Attack type in the tree in the left frame of the Event window. Because the Event is the high level report criteria, additional information for management purposes is required. In particular, the Active flag must be set to true for any of the definitions (Trigger, Action, or Event) to be written to the plugin configuration files. Also, the Sensor group field defines which IDS sensors receive the definition. This may be the keyword, 'ALL', or a comma separated list of sensor hostnames. The Request and Reply flags allow for Events to be defined that require a request Action to be immediately followed by a reply Action. This is determined by the Sequence and Acknowledgement numbers in the TCP header. The Validate button tests that the Event context is valid. For example, if the total weight of all Actions is less than the threshold, this can only be determined by using the Validate button. The Event definition displayed in the slide above uses the Action definitions in the previous two slides to define a non-HTTP session using port 80. If either half of the session is valid, the total weight of the Actions will not meet the requred threshold, and the Event will not be reported. |