Distinct parameter

The distinct (DISTINCT) parameter is a flexible way to group different sessions at runtime.

The distinct parameter is used with the following actions:
  • ALERT_ONCE_PER_SESSION
  • ALERT_ONLY
  • ALERT_PER_MATCH
  • DISCARD_SESSION
  • LOG
  • MARK_SESSION
  • THROW_EXCEPTION
  • VERDICT_TERMINATE
Syntax:
<distinct>          ::= [MIN_COUNT=<number><space>][PERIOD=<number><space>][MAX_COUNT=<number><space>][RESET_INTERVAL=<number>[:<number>]<space>][composite key]$
<composite key>     ::= [<key>|<FUNC|key|[condition key]>]]
<FUNC>              ::= <SUM>
<key>               ::= [<token>...<token|>]
<condition key>     ::= [<token>...<token|>]
<token>             ::= $(<session parameter>)$
<session parameter> ::= <DB_USER|CLIENT_IP|CLIENT_HOST_NAME|SERVER_IP|SERVER_HOST_NAME|
                         OS_USER|DB_NAME|DB_TYPE|SOURCE_PROGRAM|SERVICE_NAME|NET_PROTOCOL|
                         ANALYZED_CLIENT_IP|COMMAND|ERROR|SENDER_IP>

MIN_COUNT value is any number >0 and <= 65535.
PERIOD value is any number >0 and <= 65535.
MAX_COUNT value is any number >0 and <= 65535.
RESET_INTERVAL is measured in minutes.
CON_MIN_COUNT value is any number >0.
CON_MAX_COUNT value is any number >0.
Examples:
Sample session data used by the examples below (COUNT is the number of connections per row):

CLIENT_IP     DB_USER   SOURCE_PROGRAM   COUNT
-----------------------------------------------
9.70.2.3.1    SCOTT     SQLPLUS          1
9.70.2.3.1    SCOTT     TOAD             1
9.70.2.3.1    SCOTT     JDBC             1
9.70.2.3.1    SYS       JDBC             1
9.70.2.3.1    ALICE     TOAD             1
9.70.2.3.2    SCOTT     SQLPLUS          1
9.70.2.3.2    BOB       SQLPLUS          2
9.70.2.3.2    BOB       TOAD             1
-----------------------------------------------
TOTAL CONNECTIONS                        9
TOTAL PROGRAMS                           3
TOTAL USERS                              5
TOTAL CLIENTS                            2

1. More than 2 connections from different users on the same CLIENT_IP within 1 minute (client 9.70.2.3.1, 3 users: SCOTT, SYS, ALICE):
MIN_COUNT=3 MAX_COUNT=3 RESET_INTERVAL=1 SUM|$(DB_USER)$|$(CLIENT_IP)$$

2. More than 3 connections from different users within 1 minute (4 occurrences: SCOTT, SYS, ALICE, BOB):
MIN_COUNT=4 MAX_COUNT=4 RESET_INTERVAL=1 SUM|$(DB_USER)$|$

3. More than 3 connections from the same user within 1 minute (user SCOTT):
MIN_COUNT=4 MAX_COUNT=4 RESET_INTERVAL=1 $(DB_USER)$$

4. More than 2 connections from the same user on the same CLIENT_IP within 1 minute (client 9.70.2.3.1, user SCOTT; client 9.70.2.3.2, user BOB):
MIN_COUNT=3 MAX_COUNT=3 RESET_INTERVAL=1 $(DB_USER)$$(CLIENT_IP)$$

5. More than 1 connection from different user and source program combinations on the same CLIENT_IP within 1 minute (clients 9.70.2.3.1 and 9.70.2.3.2):
MIN_COUNT=2 MAX_COUNT=2 RESET_INTERVAL=1 SUM|$(DB_USER)$$(SOURCE_PROGRAM)$|$(CLIENT_IP)$$

6. More than 1 connection from the same user and the same program on the same CLIENT_IP within 1 minute (client 9.70.2.3.2, user BOB, program SQLPLUS):
MIN_COUNT=2 MAX_COUNT=2 RESET_INTERVAL=1 $(DB_USER)$$(SOURCE_PROGRAM)$$(CLIENT_IP)$$

7. Too many DB users connecting from the same client IP per period of time (SESSION != 'TAP_DECRYPTED'):
MIN_COUNT=10 MAX_COUNT=10 RESET_INTERVAL=5 SUM|$(DB_USER)$|$(CLIENT_IP)$$

8. Find users with a reused password (DB_USER!='%'):
MIN_COUNT=2 SUM|$(DB_USER)$|$(PASSWORD)$$

9. Too many login failures from the same program and different DB users per period of time (5 in 3 minutes):
MIN_COUNT=5 MAX_COUNT=5 RESET_INTERVAL=3 SUM|$(DB_USER)$|$(SOURCE_PROGRAM)$$
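The grouping that examples 1 to 6 rely on, modelled in Python as an added example (not Guardium's own implementation): a plain key counts sessions per distinct key value, while SUM|key|condition key counts distinct key values per condition-key value. The session list is constructed from the table above with each row's COUNT expanded; only MIN_COUNT is simulated, since PERIOD and RESET_INTERVAL need session timestamps the table does not carry.

```python
import re
from collections import defaultdict

# Constructed sample sessions: the table above, one tuple per connection
# (CLIENT_IP, DB_USER, SOURCE_PROGRAM); the BOB/SQLPLUS row had COUNT 2.
SESSIONS = [
    ("9.70.2.3.1", "SCOTT", "SQLPLUS"),
    ("9.70.2.3.1", "SCOTT", "TOAD"),
    ("9.70.2.3.1", "SCOTT", "JDBC"),
    ("9.70.2.3.1", "SYS", "JDBC"),
    ("9.70.2.3.1", "ALICE", "TOAD"),
    ("9.70.2.3.2", "SCOTT", "SQLPLUS"),
    ("9.70.2.3.2", "BOB", "SQLPLUS"),
    ("9.70.2.3.2", "BOB", "SQLPLUS"),
    ("9.70.2.3.2", "BOB", "TOAD"),
]
FIELDS = ("CLIENT_IP", "DB_USER", "SOURCE_PROGRAM")
OPTION_RE = re.compile(r"(MIN_COUNT|MAX_COUNT|PERIOD|RESET_INTERVAL)=(\d+)(?::\d+)?\s*")
TOKEN_RE = re.compile(r"\$\((\w+)\)\$")  # one $(<session parameter>)$ token


def parse_distinct(spec):
    """Return (options, key fields, condition-key fields or None) for a distinct string."""
    opts = {name: int(val) for name, val in OPTION_RE.findall(spec)}
    body = OPTION_RE.sub("", spec)
    if body.startswith("SUM|"):
        # SUM|<key>|<condition key>$ : distinct <key> values are counted per <condition key>
        _, key_part, cond_part = body.split("|", 2)
        return opts, TOKEN_RE.findall(key_part), TOKEN_RE.findall(cond_part)
    # plain <key>$ : sessions are counted per distinct <key> value
    return opts, TOKEN_RE.findall(body), None


def evaluate(spec, sessions=SESSIONS):
    """Groups whose count reaches MIN_COUNT, as {group tuple: count} (assumed semantics)."""
    opts, key_fields, cond_fields = parse_distinct(spec)

    def pick(row, fields):
        return tuple(row[FIELDS.index(f)] for f in fields)

    if cond_fields is None:
        counts = defaultdict(int)
        for row in sessions:
            counts[pick(row, key_fields)] += 1
    else:
        seen = defaultdict(set)
        for row in sessions:
            seen[pick(row, cond_fields)].add(pick(row, key_fields))
        counts = {group: len(keys) for group, keys in seen.items()}
    return {g: c for g, c in counts.items() if c >= opts.get("MIN_COUNT", 1)}
```

An empty condition key (example 2) yields the single group (), so the distinct count is taken over all sessions.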