Window Operation

Window compares the current event to a set of past events that are stored in a "window." The events in the window may be all past events for a certain time period, or they may be filtered.

The Boolean expression is a composite of comparison instructions and match instructions with the Boolean operators AND, OR and NOT.

The syntax for window is:

window(<Boolean expression>[, <filter expression>], <evaluation period>)

Where

<Boolean expression> is an expression comparing a metatag value from the current event (e) to a metatag value from a past event in the window (w), or to a user-specified constant.

<filter expression> is optional and specifies the filter criteria that a past event must satisfy to be stored in the window.

<evaluation period> specifies how long past events matching the filter expression are retained in the window, in seconds (s), minutes (m), or hours (h). If no letter is specified, seconds are assumed.

For example, this rule detects whether the current event has a source IP address in the specified subnet (208.130.28.0/22) and matches the source IP address of an event that occurred within the past 60 seconds.

window(e.sip = w.sip, filter(e.sip match subnet (208.130.28.0/22)), 60)

As another example, this rule is a domino type of rule: an attacker exploits a vulnerable system and then uses it as a platform to attack the next system. The rule fires when the source IP address of the current event is the destination IP address of an event seen within the past hour, with the same destination port and the same event name.

window((e.sip = w.dip AND e.dp = w.dp AND e.evt = w.evt), 1h)

This rule identifies a potential security breach after a denial of service attack. The rule fires if the destination of a denial of service attack has a service stopped within 60 seconds of the attack.

filter(e.rv51="Service" and e.rv52="Stop" and e.st = "H") flow window (e.sip = w.dip, filter(e.rv52="Dos"), 60s) flow trigger(1,0)
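The following is an added example, not code from the original page or from the product's own engine: a small Python model of the window operation as described above, used to walk through the subnet rule and the domino rule on constructed events. It assumes that each event carries a numeric timestamp field "ts", that the filter decides which events enter the window, that a past event is dropped once it is older than the evaluation period, and that the current event is compared against the stored past events before it is itself stored (so an event never matches itself). Event field names (sip, dip, dp, evt) follow the page; the class and function names are this example's own.

```python
from collections import deque
from ipaddress import ip_address, ip_network
from typing import Callable, Deque, Dict, List, Optional

Event = Dict[str, object]


def parse_period(spec: str) -> int:
    """Convert an evaluation period such as '60s', '5m', '1h' or '45' to seconds.
    No unit letter means seconds, as the page states."""
    units = {"s": 1, "m": 60, "h": 3600}
    spec = spec.strip()
    if spec and spec[-1] in units:
        return int(spec[:-1]) * units[spec[-1]]
    return int(spec)


class Window:
    """Model of window(<Boolean expression>[, <filter expression>], <evaluation period>).

    compare(e, w) is the Boolean expression over the current event e and a past
    event w; filter_expr(e) decides whether an event is stored in the window."""

    def __init__(self, compare: Callable[[Event, Event], bool], period: str,
                 filter_expr: Optional[Callable[[Event], bool]] = None) -> None:
        self.compare = compare
        self.period_seconds = parse_period(period)
        self.filter_expr = filter_expr
        self.past: Deque[Event] = deque()  # stored events, oldest first

    def process(self, e: Event) -> bool:
        """Evaluate the current event; return True if the rule fires."""
        now = int(e["ts"])
        # Expire past events that fall outside the evaluation period (assumption:
        # "older than the period" means strictly greater than period seconds ago).
        while self.past and now - int(self.past[0]["ts"]) > self.period_seconds:
            self.past.popleft()
        # Compare the current event with every retained past event.
        fired = any(self.compare(e, w) for w in self.past)
        # Store the current event only if it passes the filter (no filter: store all).
        if self.filter_expr is None or self.filter_expr(e):
            self.past.append(e)
        return fired


def run_rule(window: Window, events: List[Event]) -> List[int]:
    """Feed events in order; return the indexes of the events on which the rule fired."""
    return [i for i, e in enumerate(events) if window.process(e)]


def subnet_window(cidr: str = "208.130.28.0/22") -> Window:
    # window(e.sip = w.sip, filter(e.sip match subnet (208.130.28.0/22)), 60)
    net = ip_network(cidr)
    return Window(compare=lambda e, w: e["sip"] == w["sip"],
                  period="60",
                  filter_expr=lambda e: ip_address(str(e["sip"])) in net)


def domino_window() -> Window:
    # window((e.sip = w.dip AND e.dp = w.dp AND e.evt = w.evt), 1h)
    return Window(compare=lambda e, w: (e["sip"] == w["dip"]
                                        and e["dp"] == w["dp"]
                                        and e["evt"] == w["evt"]),
                  period="1h")


# Constructed sample events (not real telemetry).
SUBNET_EVENTS: List[Event] = [
    {"ts": 0,   "sip": "208.130.29.7"},   # in subnet, stored
    {"ts": 30,  "sip": "208.130.29.7"},   # same sip within 60 s -> fires
    {"ts": 31,  "sip": "192.0.2.1"},      # outside subnet, not stored, no match
    {"ts": 100, "sip": "208.130.29.7"},   # earlier matches expired -> no fire
]

DOMINO_EVENTS: List[Event] = [
    {"ts": 0,    "sip": "10.0.0.5",  "dip": "10.0.0.9",  "dp": 445, "evt": "Exploit"},
    {"ts": 600,  "sip": "10.0.0.9",  "dip": "10.0.0.20", "dp": 445, "evt": "Exploit"},  # fires
    {"ts": 700,  "sip": "10.0.0.9",  "dip": "10.0.0.21", "dp": 22,  "evt": "Exploit"},  # port differs
    {"ts": 2400, "sip": "10.0.0.20", "dip": "10.0.0.30", "dp": 445, "evt": "Exploit"},  # fires
    {"ts": 9000, "sip": "10.0.0.30", "dip": "10.0.0.40", "dp": 445, "evt": "Exploit"},  # past expired
]

if __name__ == "__main__":
    print("subnet rule fired on events:", run_rule(subnet_window(), SUBNET_EVENTS))
    print("domino rule fired on events:", run_rule(domino_window(), DOMINO_EVENTS))
```

Running the script shows the subnet rule firing only on the second event (the third is outside the subnet and so never enters the window, and by the fourth the earlier events have aged out), and the domino rule firing on the second and fourth events, where the chain continues on the same port and event name within the hour. The final event in each list demonstrates why the evaluation period matters: a match that exists in the data but lies outside the period is not reported.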