3.1.5 Rule Base Parser

 The rule base parser does the job of matching the events sent by the coordinator to

the rules in the rule base. By having the coordinator handle event priorities, the job of the

rule base parser is simplified. After matching the rules to the events, it reconstructs the

action mentioned in the rule by substituting parameters into the action wherever

necessary. The rule base parser then sends the events back to the coordinator, so that they

can be sent in turn to the response server.

3.1.6 Response Server

 The response server handles the triggering of actions that are sent by the

coordinator. Some of the actions involve, sending parameters to already running response

agents. In other cases, the response agents may not be running and have to be initialized

by the response server. For simple tasks such as operating system shell commands, the

response server may itself execute the actions without calls to particular response agents.

The response server provides a good way of coordinating and controlling the response

agents on the system. Ensuring that the response agents are authentic, and modification of

their configuration files can all be done through the response server.

3.1.7 Response Agents

 The response agents help the response server to execute a particular action. Each

response agent handles only a specific action or set of actions. This helps to keep the

response agents small and effective. Response agents can be made to email the

administrator about an event, rewrite the configuration rules of the detectors, or start and

stop detectors to prepare for a possible attack.