An example project that contains submodules implementing two methods of security event correlation. The project's two input data streams, InVirusAlerts and InIDSAlerts, simulate alerts coming from a virus detection system and an intrusion detection system, respectively.
The SecurityPatterns submodule uses the CCL pattern (MATCHING clause) syntax to detect a series of events arriving in the InVirusAlerts and InIDSAlerts streams. An alert is issued if the pattern is detected.
The SecuritySimpleJoin submodule uses a simple join to detect possible intrusions into the system. The query looks for common SourceIP addresses from which attacks originate. This is accomplished by using the following query structure:
    INSERT INTO OutRepeatAttackAlerts
    SELECT I1.SourceIP AS SourceIP, I1.AttackKind AS AttackKind, V1.Virus AS Virus
    FROM InIDSAlerts KEEP 30 SECONDS AS I1, InVirusAlerts KEEP 30 SECONDS AS V1
    WHERE I1.SourceIP = V1.SourceIP;
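The following added example (not part of the original project) reproduces the semantics of that join in plain Python so the retention behaviour can be seen on constructed input: each stream keeps only the alerts from the last 30 seconds, and every new alert is joined against the other stream's retained rows on SourceIP. The alert fields, timestamps and IP addresses are assumptions made up for the demonstration.

```python
from collections import deque
from dataclasses import dataclass

WINDOW_SECONDS = 30  # the KEEP 30 SECONDS retention used on both inputs


@dataclass
class Alert:
    stream: str     # "InIDSAlerts" or "InVirusAlerts"
    ts: float       # arrival time, seconds
    source_ip: str
    detail: str     # AttackKind for IDS alerts, Virus name for virus alerts


class RepeatAttackJoin:
    # Sliding-window inner join on SourceIP: each side retains only the last
    # `window` seconds and every arrival is joined against the other side.
    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.retained = {"InIDSAlerts": deque(), "InVirusAlerts": deque()}

    def _expire(self, now):
        for buf in self.retained.values():          # time-based KEEP on both sides
            while buf and now - buf[0].ts > self.window:
                buf.popleft()

    def push(self, alert):
        """Insert one alert and return the OutRepeatAttackAlerts rows it yields."""
        self._expire(alert.ts)
        other = "InVirusAlerts" if alert.stream == "InIDSAlerts" else "InIDSAlerts"
        matches = [a for a in self.retained[other] if a.source_ip == alert.source_ip]
        self.retained[alert.stream].append(alert)
        rows = []
        for m in matches:
            ids, vir = (alert, m) if alert.stream == "InIDSAlerts" else (m, alert)
            rows.append((ids.source_ip, ids.detail, vir.detail))  # SourceIP, AttackKind, Virus
        return rows


def correlate(events, window=WINDOW_SECONDS):
    """Feed time-ordered alerts through the join; returns all output rows."""
    join = RepeatAttackJoin(window)
    return [row for ev in events for row in join.push(ev)]


# Constructed sample input (not real telemetry), ordered by arrival time.
SAMPLE_EVENTS = [
    Alert("InIDSAlerts", 0, "10.0.0.5", "port scan"),
    Alert("InVirusAlerts", 10, "10.0.0.5", "W32/Constructed.A"),   # 10 s after the IDS hit -> match
    Alert("InIDSAlerts", 12, "10.0.0.9", "brute force"),
    Alert("InVirusAlerts", 20, "192.0.2.7", "W32/Constructed.C"),  # no IDS alert for this IP
    Alert("InVirusAlerts", 50, "10.0.0.9", "W32/Constructed.B"),   # 38 s later: IDS row has expired
    Alert("InIDSAlerts", 55, "10.0.0.9", "exploit attempt"),       # 5 s after the virus alert -> match
]
```

Running `correlate(SAMPLE_EVENTS)` yields two output rows; widening the window to 60 seconds also pairs the brute-force alert with the later virus alert, which shows how the KEEP interval sets the correlation's reach.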