Distinct parameter
The distinct (DISTINCT) parameter is a flexible way to group different sessions at runtime.
The distinct parameter is used with the following actions:
- ALERT_ONCE_PER_SESSION
- ALERT_ONLY
- ALERT_PER_MATCH
- DISCARD_SESSION
- LOG
- MARK_SESSION
- THROW_EXCEPTION
- VERDICT_TERMINATE
Syntax:
<distinct> ::= [MIN_COUNT=<number><space>][PERIOD=<number><space>][MAX_COUNT=<number><space>][RESET_INTERVAL=<number>[:<number>]<space>][composite key]$
<composite key> ::= [<key>|<FUNC|key|[condition key]>]]
<FUNC> ::= <SUM>
<key> ::= [<token>...<token|>]
<condition key> ::= [<token>...<token|>]
<token> ::= $(<session parameter>)$
<session parameter> ::= <DB_USER|CLIENT_IP|CLIENT_HOST_NAME|SERVER_IP|SERVER_HOST_NAME|
OS_USER|DB_NAME|DB_TYPE|SOURCE_PROGRAM|SERVICE_NAME|NET_PROTOCOL|
ANALYZED_CLIENT_IP|COMMAND|ERROR|SENDER_IP>
MIN_COUNT value is any >0 and <= 65535.
PERIOD value is any >0 and <= 65535.
MAX_COUNT value is any >0 and <= 65535.
RESET_INTERVAL is measured in minutes.
CON_MIN_COUNT value is any >0.
CON_MAX_COUNT value is any >0.
Examples:
CLIENT_IP    DB_USER  SOURCE_PROGRAM  COUNT
-------------------------------------------
9.70.2.3.1   SCOTT    SQLPLUS         1
9.70.2.3.1   SCOTT    TOAD            1
9.70.2.3.1   SCOTT    JDBC            1
9.70.2.3.1   SYS      JDBC            1
9.70.2.3.1   ALICE    TOAD            1
9.70.2.3.2   SCOTT    SQLPLUS         1
9.70.2.3.2   BOB      SQLPLUS         2
9.70.2.3.2   BOB      TOAD            1
-------------------------------------------
TOTAL CONNECTIONS 9
TOTAL PROGRAMS 3
TOTAL USERS 5
TOTAL CLIENTS 2
1. More than 2 connections from different users of same CLIENT_IP during 1 minute (Client - 9.70.2.3.1, 3 Users - SCOTT, SYS, ALICE):
MIN_COUNT=3 MAX_COUNT=3 RESET_INTERVAL=1 SUM|$(DB_USER)$|$(CLIENT_IP)$$
2. More than 3 connections from different users during 1 minute (4 occurrences: SCOTT,SYS,ALICE,BOB):
MIN_COUNT=4 MAX_COUNT=4 RESET_INTERVAL=1 SUM|$(DB_USER)$|$
3. More than 3 connections from the same user during 1 minute (User SCOTT):
MIN_COUNT=4 MAX_COUNT=4 RESET_INTERVAL=1 $(DB_USER)$$
4. More than 2 connections from same user of same CLIENT_IP during 1 minute (Client - 9.70.2.3.1, User - SCOTT and Client - 9.70.2.3.2, User - BOB):
MIN_COUNT=3 MAX_COUNT=3 RESET_INTERVAL=1 $(DB_USER)$$(CLIENT_IP)$$
5. More than 1 connection from different users and source programs of same CLIENT_IP during 1 minute (Client - 9.70.2.3.1, Client - 9.70.2.3.2):
MIN_COUNT=2 MAX_COUNT=2 RESET_INTERVAL=1 SUM|$(DB_USER)$$(SOURCE_PROGRAM)$|$(CLIENT_IP)$$
6. More than 1 connection from same user, same program of same CLIENT_IP during 1 minute (Client - 9.70.2.3.2, User - BOB, PROGRAM - SQLPLUS):
MIN_COUNT=2 MAX_COUNT=2 RESET_INTERVAL=1 $(DB_USER)$$(SOURCE_PROGRAM)$$(CLIENT_IP)$$
7. Too many DB users connecting from the same client IP per period of time (SESSION != 'TAP_DECRYPTED'):
MIN_COUNT=10 MAX_COUNT=10 RESET_INTERVAL=5 SUM|$(DB_USER)$|$(CLIENT_IP)$$
8. Find user with reused password (DB_USER!='%'):
MIN_COUNT=2 SUM|$(DB_USER)$|$(PASSWORD)$$
9. Too many login failures from the same program and different DB users per period of time (5 in 3 minutes):
MIN_COUNT=5 MAX_COUNT=5 RESET_INTERVAL=3 SUM|$(DB_USER)$|$(SOURCE_PROGRAM)$$
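To make the grammar and the examples concrete, here is an added Python model of the distinct parameter. It is not product code: it parses a distinct string according to the syntax above (options, the plain key form and the SUM|key|condition key form, the trailing $ terminator) and then replays the sample session table through it. The counting semantics are an assumption stated in the code: a plain key counts sessions per distinct key value, SUM counts distinct key values per condition value, RESET_INTERVAL=N clears every counter at N-minute boundaries, and the rule fires when a counter lies between MIN_COUNT and MAX_COUNT. PERIOD and the optional second RESET_INTERVAL number are parsed but not modelled. The session rows are constructed from the table above, with each COUNT expanded into that many sessions, all in the same minute.

```python
import re
from collections import defaultdict

# Session parameters allowed in a <token>, as listed in the grammar above.
SESSION_PARAMETERS = {
    "DB_USER", "CLIENT_IP", "CLIENT_HOST_NAME", "SERVER_IP", "SERVER_HOST_NAME",
    "OS_USER", "DB_NAME", "DB_TYPE", "SOURCE_PROGRAM", "SERVICE_NAME", "NET_PROTOCOL",
    "ANALYZED_CLIENT_IP", "COMMAND", "ERROR", "SENDER_IP",
}
OPTION_RE = re.compile(r"(MIN_COUNT|PERIOD|MAX_COUNT|RESET_INTERVAL)=(\d+(?::\d+)?) ")
TOKEN_RE = re.compile(r"\$\(([A-Z_]+)\)\$")


def _tokens(text):
    """Extract session parameters from a run of $(...)$ tokens; reject stray characters."""
    names = TOKEN_RE.findall(text)
    if TOKEN_RE.sub("", text):
        raise ValueError(f"unexpected characters in key: {text!r}")
    for name in names:
        if name not in SESSION_PARAMETERS:
            raise ValueError(f"unknown session parameter: {name}")
    return names


def parse_distinct(spec):
    """Split a distinct string into (options, mode, key fields, condition fields)."""
    opts, pos = {}, 0
    while True:
        m = OPTION_RE.match(spec, pos)
        if not m:
            break
        opts[m.group(1)] = m.group(2)
        pos = m.end()
    rest = spec[pos:]
    if not rest.endswith("$"):
        raise ValueError("distinct string must end with the '$' terminator")
    body = rest[:-1]
    if body.startswith("SUM|"):
        parts = body.split("|")
        if len(parts) != 3:
            raise ValueError("SUM form is SUM|<key>|[<condition key>]")
        return opts, "SUM", _tokens(parts[1]), _tokens(parts[2])
    return opts, "KEY", _tokens(body), []


def evaluate(spec, sessions):
    """Replay sessions through a rule; return the group values whose counter reached the band.

    Assumed semantics (an interpretation, not taken from the product): plain key counts
    sessions per key value; SUM|key|cond counts distinct key values per cond value;
    RESET_INTERVAL=N starts a fresh counter every N minutes; the rule fires while the
    counter is within [MIN_COUNT, MAX_COUNT].
    """
    opts, mode, key, cond = parse_distinct(spec)
    min_count = int(opts.get("MIN_COUNT", 1))
    max_count = int(opts.get("MAX_COUNT", 65535))
    reset = int(opts.get("RESET_INTERVAL", "0").split(":")[0])  # second number not modelled
    distinct_seen = defaultdict(set)  # SUM mode: (window, cond value) -> {key values}
    counts = defaultdict(int)         # KEY mode: (window, key value) -> session count
    fired = set()
    for s in sessions:
        window = s["minute"] // reset if reset else 0
        key_value = tuple(s[f] for f in key)
        if mode == "SUM":
            group = (window, tuple(s[f] for f in cond))
            distinct_seen[group].add(key_value)
            n = len(distinct_seen[group])
        else:
            group = (window, key_value)
            counts[group] += 1
            n = counts[group]
        if min_count <= n <= max_count:
            fired.add(group[1])
    return sorted(fired)


# Constructed from the sample table above: (CLIENT_IP, DB_USER, SOURCE_PROGRAM, COUNT).
SESSION_TABLE = [
    ("9.70.2.3.1", "SCOTT", "SQLPLUS", 1), ("9.70.2.3.1", "SCOTT", "TOAD", 1),
    ("9.70.2.3.1", "SCOTT", "JDBC", 1),    ("9.70.2.3.1", "SYS", "JDBC", 1),
    ("9.70.2.3.1", "ALICE", "TOAD", 1),    ("9.70.2.3.2", "SCOTT", "SQLPLUS", 1),
    ("9.70.2.3.2", "BOB", "SQLPLUS", 2),   ("9.70.2.3.2", "BOB", "TOAD", 1),
]
SESSIONS = [{"CLIENT_IP": ip, "DB_USER": u, "SOURCE_PROGRAM": p, "minute": 0}
            for ip, u, p, n in SESSION_TABLE for _ in range(n)]

if __name__ == "__main__":
    for label, spec in [
        ("1: >2 users per client", "MIN_COUNT=3 MAX_COUNT=3 RESET_INTERVAL=1 SUM|$(DB_USER)$|$(CLIENT_IP)$$"),
        ("3: >3 sessions per user", "MIN_COUNT=4 MAX_COUNT=4 RESET_INTERVAL=1 $(DB_USER)$$"),
        ("4: >2 sessions per user+client", "MIN_COUNT=3 MAX_COUNT=3 RESET_INTERVAL=1 $(DB_USER)$$(CLIENT_IP)$$"),
    ]:
        print(label, evaluate(spec, SESSIONS))
```

Running the script reproduces the groups named in examples 1, 3 and 4 of the table. Two checks worth keeping from the parser: an unmatched character inside a key (for instance a stray ")" after a token) and a token outside the session-parameter list both raise, so a malformed rule is caught before it is deployed rather than silently never firing; note that example 8's $(PASSWORD)$ is not in the grammar's list on this page, so this parser rejects it as written.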