    if('boolean expression');
    ACTION;
    begin;
    action 1;
    action 2;
    end;
    END;

The boolean expression compares the name-value pairs against defined thresholds. The expressions use the normal relational operators for comparison. To simplify parsing, these relational operators have been replaced by equivalent keywords. For example, "gt" replaces the greater-than comparison operator. Simple expressions can be combined into more complex expressions with the "and" and "or" operators. If the condition is satisfied, the list of actions is fired. There can be multiple actions for a given rule. This rule format and the corresponding event reporting syntax provide a simple but powerful way of expressing response actions to given events.

3.5 Analysis of EGIDEM Architecture

The EGIDEM architecture meets most of the requirements of an IDS for large networks. The desirable characteristics of an IDS, as listed in Balasubramaniyan et al. [4], are as follows.

1. It must run continually with minimal supervision. This is the case with our architecture.

2. It must be fault tolerant in the sense that it must be able to recover from system crashes and re-initializations. This has been implemented. The heartbeat signals are one of the mechanisms for detecting an IDS crash on another host. In response to a crash, the IDS