Event Rules

This section is used to configure active response operations used by the Log Correlation Engine daemon. Log Correlation Engine rules are configured to analyze Log Correlation Engine event content and fire if preset conditions are met. Active responses include the ability to send automatic emails (msmtp, sendmail), syslog alerts (syslog, cef), or run custom commands on the Log Correlation Engine system.

Creating Event Rules

To add a new event rule to your configuration, in the Advanced section of Configuration, under Event Rules, click the Add a New Rule button. The Create an event rule window appears. Using this window, you can specify a name, filters, and an action to be taken.

The following table outlines the syntax that can be applied to filters and actions. Some examples are also available.

Rule Filters

In the Filter drop-down box, select a filter that you want to use for the event rule. The values in the Type box are contextual, based on the filter you select. In some cases, you may not need to specify a type. Generally, you will need to specify whether you want to filter data that includes or excludes the values you specify. You can specify multiple filters.

Filters Description

Source IP (SrcIPS)

This filter will search for source IP addresses that are or are not present. The following five formats are supported:

  • 192.0.2.1/255.255.255.0
  • 192.0.2.1/32
  • 192.0.2.1-255
  • 192.0.2.1-192.0.2.255
  • 192.0.2.1

Each of these formats represent a single value. You can include a comma-delimited list of values using one or a mix of these formats.

Example:

192.0.2.1/32, 192.0.2.1-255, 192.0.2..10

Destination IP (DstIPS)

This filter will search for destination IP addresses that are or are not present. The following five formats are supported:

  • 192.0.2.1/255.255.255.0
  • 192.0.2.1/32
  • 192.0.2.1-255
  • 192.0.2.1-192.0.2.255
  • 192.0.2.1

Each of these formats represent a single value. You can include a comma-delimited list of values using one or a mix of these formats.

Example: 192.0.2.1/32, 192.0.2.1-255, 192.0.2..10

IP (IPS)

This filter allows for the search of IP addresses that are or are not present as either source or destination. The following five formats are supported:

  • 192.0.2.1/255.255.255.0
  • 192.0.2.1/32
  • 192.0.2.1-255
  • 192.0.2.1-192.0.2.255
  • 192.0.2.1

Each of these formats represent a single value. You can include a comma-delimited list of values using one or a mix of these formats.

Example: 192.0.2.1/32, 192.0.2.1-255, 192.0.2..10

Events

Filter on Log Correlation Engine normalized event name. Considers both the primary and secondary event names.

Example: Cisco-IDS_Command_Execution, Windows-Successful_Network_Login, Linux-User_Added

Sensors

Filter on sensor name (available in the Tenable Log Correlation Engine sensor summary view or under Sensor Names) or Tenable Log Correlation Engine client name.

Example: XPmarketing01, Win7payroll02

Types

Filter on Log Correlation Engine event type.

Example: login, login-failure, intrusion

Ports

Filter on the source or destination port.

Example: 80, 443

Protocols

Filter on the protocol of the event. Note that this means the protocol number as defined by IPv4 (1 for ICMP, 6 for TCP, etc.)

Example: 1, 6

Users

Filter on the username in a log.

Example: bobt, johnc

Text

Filter on any string in the log (strings can include spaces and punctuation, but not commas).

Example: Tenable Network Security

Text, caseless (IText)

Filter on any string in the log, but the text considered would be case insensitive (strings can include spaces and punctuation, but not commas).

Example: Tenable Network Security

Vulnerable

Only accepts yes or no. Specify yes if you want to only match logs that correlate to vulnerable hosts.

Threshold

The number of events required over a specified length of time to trigger the rule. The timeframe is expressed using the following format:

(integer) in a [second, minute, hour, day, week, month, year]

Example: 600 in a minute

MaxQueue

The number of events that will be placed into the event processing queue before being dropped from rule evaluation.

Ratelimit

The maximum number of triggers that will occur over a specified length of time regardless of the number of triggering events. The timeframe is expressed using the following format:

(integer) per [second, minute, hour, day, week, month, year]

Example: 1 per hour

Rule Actions

In the Action drop-down box, specify an action that you want to take based on the filters you created. The following table describes the actions that are available.

Action Description

Shell command

Runs the given command at the command line as user lce. Examples of the syntax and variables you can use with the shell command follow this table.
Syslog Forward logs triggered by this rule to the given syslog server. Examples of the syslog syntax follow this table.
CEF Forward logs triggered by this rule to the given syslog server in CEF format. An example of the CEF syntax follows this table.
Ignore Causes all events matching the filters to be ignored by Log Correlation Engine. If an event is ignored in this manner there will be no Log Correlation Engine database entry written for it, no other matching event rules will fire, and no TASLs will process this event for alerts. You cannot enter a value for this action.

Email Syntax

Command: echo "body: $log" | sendmail [email protected] "subject: $event1 from $sip"

Command: echo "This is a test message." | /opt/lce/tools/msmtp -C /opt/lce/tools/msmtp.conf [email protected]

Syslog Syntax

The following syslog line would forward any log that triggered the rule to the remote syslog server 10.10.10.10, port 514, with the default priority of 36 (severity=4, facility=4):

syslog: 10.10.10.10 "Possible password guessing evidence: $log"

The following syslog line would forward any log that triggered the rule to two remote syslog servers, 10.10.10.9, and 10.10.10.10, on port 515, with the specified priority of 116 (severity=4, facility=14):

syslog: 10.10.10.9, 10.10.10.10 "Your message goes here: $log" -priority 116 -port 515

CEF Syntax

The following value would forward any log that triggered the rule to two remote syslog servers, 10.10.10.9, and 10.10.10.10, on port 515:

10.10.10.9, 10.10.10.10 -port 515

Custom Command Syntax

Command: /path/to/scripts/my_custom_firewall_reconfig_command.sh -block $sip

Shell Command Variables

The following case sensitive variables may be included in the shell command string. Any commands using one or more the of shell command variables below need to be encapsulated in double quotations ("").

Option Description

$sip

Source IP of event

$dip

Destination IP of event

$sport

Source port of event

$dport

Destination port of event

$proto

Protocol of event, displayed as N/A, TCP, UDP, ICMP, or a number for other protocols

$vuln

"no" if the event was not correlated with a vulnerability, "yes" otherwise.

$sensor

Name of sensor generating the event

$event1

Primary event name

$event2

Secondary event name

$type

Type name of event

$time

Time event was recorded at Log Correlation Engine (format: Mon MM, YYYY H:M:S)

$user

Username associated with the event

$log

Raw text of log

$queued_logs

All logs currently in the event rules queue. Use of this variable has the effect of emptying the rule's queue

Show All Event Rules

You can display all configured event rules ordered by descending time of creation or modification with psqlf show-config--mv--event_rules.sql.

Example output: