The gate operation creates a composite rule, which identifies a complex situation from the occurrence of several simpler ones.
A composite rule is made up of one or more nested subrules and can be configured to fire if some, any or all of the subrules fire within a specified time window. Each subrule may be a simple rule or another composite rule, so gates can be nested. For more information on composite rules, see the Correlation tab in the Sentinel 6.0 User's Guide.
The syntax for gate is:
gate(<subrule 1 rulelg>, <subrule 2 rulelg>, ... <subrule n rulelg>, <mode>, <evaluation period>, discriminator(<list of metatags>))
Where
<subrule 1 rulelg> ... <subrule n rulelg> are the RuleLg definitions of the 1 to n subrules. Each is a complete RuleLg expression, for example a filter() or another gate().
<mode> = all | any | 1 | 2 | ... | n, the number of subrules that must fire for the gate rule to trigger: all requires every subrule, any requires at least one, and a number k requires k of the n subrules.
<evaluation period> is the time window within which the required subrules must fire. A subrule firing is remembered for this long while the gate waits for the others. The period is given in seconds (s), minutes (m) or hours (h); if no letter is specified, seconds are assumed.
discriminator(<list of metatags>) lists the event fields (metatags) by which subrule firings are grouped. Only firings that share the same values for all listed fields are combined, and the gate is evaluated separately for each distinct combination of values.
For example, this rule is a typical perimeter security IDS inside/outside rule:
filter(e.sev > 3) flow gate(filter(e.sn = "in"), filter(e.sn = "out"), all, 60s, discriminator(e.dip, e.evt))
The upstream filter passes only events with severity greater than 3 into the gate. The gate then fires when both subrules fire within 60 seconds: one event from the sensor named "in" and one from the sensor named "out", both with the same destination IP address (e.dip) and event name (e.evt). In other words, it reports an attack that the outside IDS saw and that the inside IDS also saw reach the same target, which is a much stronger signal than either alert alone. Events with the same destination but a different event name, or more than 60 seconds apart, are never combined.
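To make the mode, evaluation period and discriminator semantics concrete, here is an added Python simulation of the gate() operation run over constructed events. It is not Sentinel code and not the page's own material. It assumes events are dicts keyed by metatag name (sev, sn, dip, evt) with a ts timestamp in seconds, that a subrule firing older than the evaluation period is forgotten, and that a gate resets its state for a discriminator value once it has fired. Beyond the page's all/60s rule it also handles the any and numeric modes.

```python
"""Simulation of the RuleLg gate() operation over constructed events.

Added example, not Sentinel code. Assumptions (not from the page): events are
dicts keyed by metatag name (sev, sn, dip, evt) plus a 'ts' timestamp in
seconds; a subrule firing older than the evaluation period is forgotten; and a
gate resets its state for a discriminator value once it has fired.
"""
from collections import defaultdict


def parse_period(period):
    """Convert an evaluation period such as '60s', '5m', '1h' or '90' to seconds."""
    units = {"s": 1, "m": 60, "h": 3600}
    if period[-1] in units:
        return int(period[:-1]) * units[period[-1]]
    return int(period)  # no unit letter: seconds are assumed


def required_count(mode, n_subrules):
    """Map a gate mode (all | any | 1..n) to the number of subrules that must fire."""
    if mode == "all":
        return n_subrules
    if mode == "any":
        return 1
    k = int(mode)
    if not 1 <= k <= n_subrules:
        raise ValueError("mode %r is not in 1..%d" % (mode, n_subrules))
    return k


class Gate:
    """Composite rule: fires when enough subrules fire within the window, per discriminator value."""

    def __init__(self, subrules, mode, period, discriminator):
        self.subrules = subrules              # callables: event -> bool
        self.needed = required_count(mode, len(subrules))
        self.window = parse_period(period)
        self.discriminator = discriminator    # metatag names to group by
        # discriminator value -> {subrule index -> timestamp of its latest firing}
        self.state = defaultdict(dict)

    def feed(self, event):
        """Process one event; return the discriminator value if the gate fires, else None."""
        key = tuple(event.get(f) for f in self.discriminator)
        now = event["ts"]
        fired = self.state[key]
        for i, subrule in enumerate(self.subrules):
            if subrule(event):
                fired[i] = now
        # forget subrule firings that fell outside the evaluation period
        for i in [i for i, t in fired.items() if now - t > self.window]:
            del fired[i]
        if len(fired) >= self.needed:
            del self.state[key]               # assumption: reset this group after firing
            return key
        return None


def run_perimeter_rule(events):
    """The page's rule: filter(e.sev > 3) flow gate(filter(e.sn = "in"), filter(e.sn = "out"), all, 60s, discriminator(e.dip, e.evt))."""
    gate = Gate(
        subrules=[lambda e: e["sn"] == "in", lambda e: e["sn"] == "out"],
        mode="all",
        period="60s",
        discriminator=["dip", "evt"],
    )
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if not e["sev"] > 3:                  # upstream filter: low-severity events never reach the gate
            continue
        key = gate.feed(e)
        if key is not None:
            hits.append((e["ts"], key))
    return hits


# Constructed sample events; field names follow the page's metatags, values are made up.
SAMPLE_EVENTS = [
    {"ts": 0,  "sev": 4, "sn": "out", "dip": "10.0.0.5", "evt": "Exploit"},  # outside sensor
    {"ts": 1,  "sev": 4, "sn": "out", "dip": "10.0.0.6", "evt": "Exploit"},
    {"ts": 5,  "sev": 5, "sn": "out", "dip": "10.0.0.8", "evt": "Exploit"},
    {"ts": 10, "sev": 5, "sn": "in",  "dip": "10.0.0.8", "evt": "Scan"},     # same dip, different evt: separate group
    {"ts": 10, "sev": 4, "sn": "out", "dip": "10.0.0.7", "evt": "Scan"},
    {"ts": 20, "sev": 2, "sn": "in",  "dip": "10.0.0.7", "evt": "Scan"},     # dropped by the sev > 3 filter
    {"ts": 30, "sev": 4, "sn": "in",  "dip": "10.0.0.5", "evt": "Exploit"},  # completes the gate for 10.0.0.5
    {"ts": 90, "sev": 4, "sn": "in",  "dip": "10.0.0.6", "evt": "Exploit"},  # 89s after "out": outside 60s window
]

if __name__ == "__main__":
    for ts, key in run_perimeter_rule(SAMPLE_EVENTS):
        print("gate fired at t=%d for dip=%s evt=%s" % (ts, key[0], key[1]))
```

Running it fires exactly once, at t=30 for destination 10.0.0.5 / Exploit. The other three candidate pairs show the three ways a gate fails to fire: the "in" event is filtered out before reaching the gate, the two events land in different discriminator groups, or the second subrule fires after the evaluation period has expired.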