Tuples
If several groups represent a union of parameters, create a tuple group to represent an intersection of parameters. Only one tuple group is allowed per rule.
Supported
TYPE options: - Analyzed client IP address (ANALYZED_CLIENT_IP)
- Client host name (CLIENT_HOST_NAME)
- Client IP address (CLIENT_IP)
- Client operating system (CLIENT_OS_NAME)
- Command (COMMAND)
- Database name (DB_NAME)
- Database protocol (DB_PROTOCOL)
- Database type (DB_TYPE)
- Database (DB_USER)
- Incident (INCIDENT)
- Network protocol (NET_PROTOCOL)
- Operating system user (OS_USER)
- Sender IP address (SENDER_IP)
- Server description (SERVER_DESC)
- Server host name (SERVER_HOST_NAME)
- SERVER_IP
- Server operating system (SERVER_OS_NAME)
- Server port (SERVER_PORT)
- Service name (SERVICE_NAME)
- Session (SESSION)
- Source application (SOURCE_PROGRAM)
Example:
TUPLES_GROUP_ID = 1 TYPE = (DB_USER OS_USER) SIZE = 5
{
'sys%+oracle%' 'qa+q_a’
%scott+admin' ‘guardium+guardium_%’
'system+admin'
}
Example:
IF ( SERVER_PORT = 1521 TUPLES = (‘’,1) )
{
TRANSFORM_DB_USER WHERE SOURCE = OS_USER OUTPUT_FORMAT = 'OPS$(.*)'
}
tuples_group_id = 1. The TRANSFORM_DB_USER action takes the
OUTPUT_FORMAT and writes it to the DB_USER field, where
OUTPUT_FORMAT = ‘OPS$(.*) means OPS$ plus all data from the field
OS_USER. OUTPUT_FORMAT is a string, and it may include plain text,
a regular expression result group, or the entire source string.Example:
SR_POLICIES
{
TUPLES_GROUP_ID = 1 TYPE = (DB_USER OS_USER) SIZE = 6
{
'%sys+oracle%' 'qa+qa' 'sc??t+syb%'
'sc??t+oracle%' 'system+admin' '%sc%+spo%'
}
TUPLES_GROUP_ID = 2 TYPE = (DB_USER OS_USER) SIZE = 4
{
'%sys+oracle%' 'qa+qa'
'%sc%+spo%' 'OPS%+spo%'
}
IF (DB_USER != ('',1) { VERDICT_ATTACH }
IF (SERVER_PORT = 1521 TUPLES = ('',1))
{
TRANSFORM_DB_USER SOURCE = OS_USER OUTPUT_FORMAT = 'OPS(.*)'
}
IF (TUPLES = ('',2))
{
TRANSFORM_CLIENT_HOST_NAME SEARCH_PREFIX = 'ENCORE' OUTPUT_FORMAT = 'PEREL'
}
GROUP_ID = 1 SIZE = 5 { 'root' 'sys' 'sa' 'admin' 'system' }
}