The rules follow the Event-Condition-Action (ECA) model. The event is specified by a set of name-value pairs, which are reported by the sensors of the system. The condition checks these name-value pairs against predefined values in the rule and, if it is satisfied, triggers the corresponding actions. All events can be successfully reduced to name-value pairs; hence the ECA model provides the best way of reacting to sensor events. The advantages of the ECA model, as highlighted in Gandre [10], are that the representation is simple yet efficient, the rules are simple to create, and there is more control over the response due to the presence of conditions.

Agents in the IDS report events in the following format (Gandre [10]):

BEGIN pid host key agent_name tag event_type event_subtype name_1 value_1 name_2 value_2 ... END;

The pid is the process id of the agent reporting the event. The host is the host on which the agent resides. The key is an element used by the agent for communication purposes. The agent_name is the name of the agent reporting the event. The event_type and event_subtype define the kind of event being reported. Following the event_subtype is the name-value pair list. All event parameters are passed in this list. If the kind of event needs further classification, the additional classifiers can also be passed as name-value pairs.

The rule for such an event in the rule base will have the following format:

ON; pid 'host' 'detector name' 'event type' 'event subtype' CONDITION;
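
As an added illustration (not code from the source or from Gandre [10]), the following Python example parses an agent report in the BEGIN ... END; format described above and evaluates ECA rules against it, returning the actions of every rule that fires. Assumptions: fields are whitespace-separated, conditions are equality checks against predefined values, and the Rule layout, action names and sample report are constructed for this example.

```python
# Added example: parse an agent event report and evaluate ECA rules against it.
# Header field order is taken from the event format above; the Rule layout,
# equality-only conditions and action names are assumptions for illustration.
from dataclasses import dataclass, field

HEADER = ("pid", "host", "key", "agent_name", "tag", "event_type", "event_subtype")

def parse_event(report: str) -> dict:
    """Split 'BEGIN <header fields> <name value>... END;' into header and params."""
    tokens = report.strip().split()
    if len(tokens) < len(HEADER) + 2 or tokens[0] != "BEGIN" or tokens[-1] != "END;":
        raise ValueError("report must start with BEGIN and finish with END;")
    body = tokens[1:-1]
    header = dict(zip(HEADER, body))
    pairs = body[len(HEADER):]
    if len(pairs) % 2:
        raise ValueError("name-value list has a name without a value")
    return {"header": header, "params": dict(zip(pairs[0::2], pairs[1::2]))}

@dataclass
class Rule:
    on: dict                 # header fields the event must match (the ON part)
    condition: dict          # name -> predefined value (the CONDITION part)
    actions: list = field(default_factory=list)

    def fires(self, event: dict) -> bool:
        header_ok = all(event["header"].get(k) == v for k, v in self.on.items())
        cond_ok = all(event["params"].get(k) == v for k, v in self.condition.items())
        return header_ok and cond_ok

def respond(rules: list, report: str) -> list:
    """Return the actions of every rule whose event and condition both match."""
    event = parse_event(report)
    return [a for r in rules if r.fires(event) for a in r.actions]

# Constructed sample data, not taken from the source.
RULES = [
    Rule(on={"event_type": "login", "event_subtype": "failed"},
         condition={"user": "root"}, actions=["alert_admin", "block_source"]),
    Rule(on={"event_type": "file", "event_subtype": "modified"},
         condition={"path": "/etc/passwd"}, actions=["alert_admin"]),
]
SAMPLE = ("BEGIN 4121 hostA k1 login_agent t0 login failed "
          "user root source 10.0.0.7 END;")

if __name__ == "__main__":
    print(respond(RULES, SAMPLE))
```

A report whose header matches a rule but whose name-value pairs do not satisfy the condition produces no actions, which is the extra control over the response that the conditions provide.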