Well, what WE mean when we say non-linear is that events can fire a correlation regardless of the order they occur. A lot of correlation engines have an "A, followed by B, followed by C" building blocks approach, not an "A and B and C need to happen within a reasonable timeframe of one another" approach. Sometimes events don't come in in order due to different sources (if you're correlating firewall data with OS data, one might be faster than the other). Since rules that correlate multiple events are fairly uncommon in the scope of things (most people still have "small data" problems) it's not really an everyday exercise. It would take many rules to do what 1 rule would do if you really meant the second one and had to build a rule for all the permutations. (OTOH if you really mean the first one, we can do that, too, because the timestamps are a part of the event.)
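As an added illustration of the distinction drawn in the comment above (example code written here, not the commenter's or any product's): a small correlator with both rule styles run over constructed events; the host names, event types A/B/C and the 300 s window are assumed sample values.

```python
# Added example: an order-independent correlation rule beside a strictly
# ordered one, run over constructed sample events (not the commenter's code).
from collections import defaultdict

# Constructed events: (timestamp_s, source, type, host). The firewall feed
# lags the OS feed, so A is timestamped after B for web01.
EVENTS = [
    (100, "os", "B", "web01"),
    (105, "firewall", "A", "web01"),
    (130, "os", "C", "web01"),
    (400, "firewall", "A", "db01"),
    (800, "os", "B", "db01"),  # B and C fall outside db01's window
    (810, "os", "C", "db01"),
]
WINDOW = 300  # seconds within which A, B and C must all occur


def correlate_unordered(events, required=("A", "B", "C"), window=WINDOW):
    """Fire per host when all types occur within `window` s, in any order."""
    by_host = defaultdict(list)
    for ts, _src, etype, host in events:
        if etype in required:
            by_host[host].append((ts, etype))
    hits = []
    for host, evs in by_host.items():
        evs.sort()  # correlate on event timestamps, not on arrival order
        for i, (start, _) in enumerate(evs):
            seen = {e for t, e in evs[i:] if t - start <= window}
            if seen >= set(required):
                hits.append(host)
                break
    return hits


def correlate_sequence(events, sequence, window=WINDOW):
    """One 'A, followed by B, followed by C' rule: exact timestamp order."""
    by_host = defaultdict(list)
    for ts, _src, etype, host in events:
        by_host[host].append((ts, etype))
    hits = []
    for host, evs in by_host.items():
        evs.sort()
        pos, start = 0, 0
        for ts, etype in evs:
            if pos and ts - start > window:  # window expired, start over
                pos = 0
            if etype == sequence[pos]:
                start = ts if pos == 0 else start
                pos += 1
                if pos == len(sequence):
                    hits.append(host)
                    break
    return hits
```

The unordered rule catches web01 with one rule, while the ordered "A, B, C" rule misses it and would need a separate rule per permutation (six for three event types).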