Events are records, composed of fields, that the various input and dissection modules provide to the Orchids detection engine. Those are ordinary, regular events.<\/p>\n
Orchids also allows you to create new events during the execution of a rule. Those events are called\u00a0synthetic<\/em> events, or\u00a0metaevents<\/em>. \u00a0It is the purpose of the Posting synthetic events is useful to make detection hierarchical. For an example, \u00a0imagine that attempting to unduly connect to some machine in the\u00a0 Then a second rule that tries to detect two connection attempts by the same intruder might include code such as:<\/p>\n So what is Just like the Such virtual modules are declared inside the configuration options for the contains a list of declarations of virtual modules<\/em>.\u00a0 Virtual modules work exactly like actual modules, except you do not need to load any shared library at start-up time to start them. \u00a0You start each virtual module by a declaration of the form:<\/p>\n Inside such a declaration, you can declare fields with their names and types:<\/p>\n Example:<\/p>\n Note that you are not forced to use\u00a0all<\/em> the fields declared in a given virtual module. \u00a0It is perfectly fair to build events with only some of the fields, just as we did with the Events are records, composed of fields, that the various input and dissection modules provide to the Orchids detection engine. Those are ordinary, regular events. Orchids also allows you to create new events during the execution of a rule. Those events are called\u00a0synthetic events, or\u00a0metaevents. \u00a0It is the purpose of the metaevent module to provide primitives … Continue reading The metaevent module<\/span> metaevent<\/code> module to provide primitives to post such synthetic events.<\/p>\n$host<\/code> \u00a0is detected by a rule connect_attempt.rule<\/code>, \u00a0and that you would like to detect when the same intruder tries to connect to two machines. \u00a0One possibility is to write connect_attempt.rule<\/code> as a rule that, instead of reporting, would post a synthetic event containing the offending intruder identity and the $host<\/code> it tried to connect to. \u00a0That can be done by writing:<\/p>\ninject_event (.{.meta.host = $host, .meta.intruder = $attacker});<\/pre>\nconnect_attempt.rule<\/code>\u00a0rule, posting the synthetic event given as argument to inject_event<\/code>. \u00a0(Any list of records enclosed between .{<\/code> and }<\/code> is a synthetic event, see “synthetic event” in the expressions<\/a> page. \u00a0The meta<\/code> module does not exist: this is a so-called virtual<\/em> module, see below. Also the list of fields was kept minimal for the illustration.)<\/p>\nstate first_connection {\r\n expect (defined(.meta.host)) goto second_connection;\r\n}\r\nstate second_connection {\r\n $host1 = .meta.host;\r\n $attacker = .meta.intruder; \/\/ record data from first connection\r\n expect (.meta.intruder==$attacker)\r\n \/\/ wait for another meta event with the same $attacker\r\n \/\/ (no need to check defined(.meta.host) here)\r\n goto alert;\r\n}\r\nstate alert! {\r\n $host2 = .meta.host;\r\n report();\r\n}<\/pre>\nVirtual modules<\/h3>\n
meta<\/code> in that example?<\/p>\ngeneric<\/code><\/a> module, the metaevent<\/code> module is a meta<\/em>-module, one that allows you to define new, so-called virtual<\/em> modules. \u00a0Any event field in Orchids is of the form .<\/code>module-name<\/em>.<\/code>field-name<\/em>, so you cannot just write any random event field: either you use fields from some existing modules (which is not what we want to do here), or you create some fresh, specifically designed, virtual modules.<\/p>\nmetaevent<\/code> module. \u00a0Contrarily to\u00a0the generic<\/code><\/a> module, we do not specify regular expressions here, just lists of fields with their types.<\/p>\nConfiguration options<\/h3>\n
<module metaevent><\/code><\/p>\n<vmod<\/code> module-name<\/em>><\/code><\/p>\n\n
str_field<\/code> field-name description<\/em>: a field of type str<\/code> (string)<\/li>\nbstr_field<\/code> field-name description<\/em>: a field of type bstr<\/code> (binary string)<\/li>\nint_field<\/code> field-name description<\/em>: a field of type int<\/code><\/li>\nuint_field<\/code> field-name description<\/em>: a field of type uint<\/code> (unsigned int)<\/li>\nfloat_field<\/code> field-name description<\/em>: a field of type float<\/code> (floating-point number)<\/li>\nipv4_field<\/code> field-name description<\/em>: a field of type ipv4<\/code> (IPv4 address)<\/li>\nipv6_field<\/code> field-name description<\/em>: a field of type ipv4<\/code> (IPv6 address)<\/li>\nctime_field<\/code> field-name description<\/em>: a field of type ctime<\/code> (Unix date)<\/li>\ntimeval_field<\/code> field-name description<\/em>: a field of type timeval<\/code> (duration)<\/li>\nsnmpoid_field<\/code>\u00a0field-name description<\/em>: a field of type snmpoid<\/code> (SNMP object identifier)<\/li>\n<\/ul>\n<vmod meta>\r\n str_field host \"The current host\"\r\n str_field action \"A text description of the action done\"\r\n ipv4_field intruder \"The attacker's IP address\"\r\n ctime_field time \"The detection time\"\r\n<\/vmod><\/pre>\n
meta<\/code> virtual module.<\/p>\n<\/vmod><\/code><\/p>\n<\/module><\/code><\/p>\nPrimitives<\/h3>\n
\n
inject_event<\/code><\/strong> : event<\/code> \u2192 int<\/code>
\ninject the given event into the Orchids event queue; the event can be a synthetic event, or one obtained by current_event<\/code>, possibly enriched: see synthetic events on the expressions<\/a> page<\/p>\n\n
current_event<\/code><\/strong> : \u2192 event<\/code>
\nthe current event<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"