|Reflex - the Customizable Event Correlation System|
Installing the System itself should be easy. It is packaged as a tar.Z file, which means that WinZip (for Windows) or tar (for Unix) should be able to extract everything. You will find the complete source files, some examples, and all of the test code included in the package. The archive will expand to create a directory to contain all of the files.
We have setup and used Reflex on both Windows and Unix machines. Here are the specific configurations we've tested:
Reflex requires a C++ Compiler, a perl interpreter (for test scripts), and make (for unix machines).
You'll find all of the basic files in the top directory, with the tests below that in the 'test' directory. Each subfolder represents a different set of tests: scanner, parser, correlator, and stress tests.
The files in the test folders have regular names. *.in files are the test inputs. Usually, these are policy files, or are some subset of policy files. *.correct files represent the corresponding correct output. *.out files, if present, are the actual outputs collected for each test. Also, for the correlator tests, *.event files are sample event streams, and *.correlator* files are correlator (rather than compiler) outputs.
In each folder there are also two perl scripts. One lists all of the tests in the folder (all *.in files), and the other runs the right test for each input. To run the tests, type 'make test' in any folder (including the stress testing folder). Typing 'make test' in the base folder will run the Scanner, Parser, and Correlator tests.
To examine the tests, simply look at the *.in and *.out files, and look at the perl script to get an idea about what's happening. The test set includes many examples that may help you to create a useful policy. (Look mostly at the correlator tests).
Also, take advantage of the testing system to write your own tests! The best way to make sure that the policies you write work the way you expect them to is to test them. Try out as many possible outcomes as possible, and include some erroneous inputs and stress testing (floods of events).
Using Alternative I/O Sources / Modifying the makefile
We included several I/O files that you can use, or you can create your own. The included files are 'correlator_io_file', 'correlator_io_stress', 'correlator_io_siena', and 'correlator_io_template'. The template file has some usual functions defined to help you port Reflex to a new I/O mechanism. The other files are fully functional.
The file I/O mechanism is the one used by the tests. We use it to make sure that the compiler and correlator engine code are working, and to keep bugs we find from coming back. You can use this mechanism to test your policy. Once you write a policy, create a long event stream file for it, including matches and near-matches of many patterns. Next, build a file I/O version of your Correlator and make sure the output is right! Once it's been verified, you can keep the sample output (rename it from .out to .correct) to make sure that it continues to work with new versions of Reflex.
The stress I/O mechanism does not actually read events, but generates random events of a few types using random numbers.
The Siena I/O mechanism communicates with a nice event bus called Siena, which you can find by searching the internet for 'Siena event'.
To use any of these sources, you can either copy the desired I/O file to the name "correlator_io.cpp", the default, or you can modify the Makefile to use the correct file. (Just open Makefile (Unix) or make.bat (Windows), and find the section that builds the correlator. Then, replace each 'correlator_io.cpp' with your own I/O file name.
Copyright © 2001