Use set variables

Set variables are collections of scalar data values. Scalar values can be inserted into and removed from a set, and a set can be tested for whether it contains a given value. Items within a set are keyed on their value, which gives constant-time lookup even for large sets. To define a set, square brackets follow the variable name of a scalar data type.

Example:

global string removableMediaDevices[16] = {};

Sets have a maximum element count, which is specified either explicitly, by including a numeric value in the brackets, or implicitly, from the number of initialization values assigned to the variable, as shown in the following examples:

string adminAccounts[] = {"ADMIN", "ROOT", "OPER"};

md5digest honeyFiles[] = { md5(12123098fdbfe0987451df4312314324), md5(19847edf7ba34398f8b7dda738475839) };

To insert into a set, the setinsert function is used, as shown in the following example:

set { setinsert(removableMediaDevices, upper(media.devicePath)); } when media.event == DEVICE_INSERTED;

Insertion operations that would cause the set to exceed its maximum element count purge the least recently accessed item in the set and replace it with the new item. Size a set for the number of values it must track at the same time: a tracking set such as removableMediaDevices that overflows silently drops state, and a later event that references the purged value will no longer match the rule.

To remove an item from a set, the setremove function is used, as shown in the following example:

set { setremove(removableMediaDevices, upper(media.devicePath)); } when media.event == DEVICE_REMOVED;

To check for the existence of a value in a set, use the contains operator, as shown in the following examples:

alert when file.event == FILE_WRITE and
           removableMediaDevices contains upper(file.devicePath) and
           honeyFiles contains file.md5;

alert when session.event == SESSION_LOGON and
           session.type == SESSION_TYPE_REMOTE and
           session.ipaddr.ipv4 == ("192.168.5.0/24") and
           adminAccounts contains upper(session.username);
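The set semantics and both alert rules above, re-expressed in Python as an added example; this is not code from the page or from the rule engine it documents. It assumes a hypothetical event dict as a stand-in for the media.*, file.* and session.* objects (field names mirror the rules), reuses the page's capacity and initializer values, and treats a contains test as an access for eviction purposes, which the page does not state. The sample events are constructed.

```python
from collections import OrderedDict
import ipaddress


class BoundedSet:
    """Value-keyed set with a fixed maximum element count. Membership is a hash
    lookup; inserting past capacity evicts the least recently accessed element."""

    def __init__(self, capacity=None, initial=()):
        initial = list(initial)
        if capacity is None:          # implicit sizing, like adminAccounts[] = {...}
            capacity = len(initial)
        if capacity <= 0:
            raise ValueError("a set needs a positive maximum element count")
        self.capacity = capacity
        self._items = OrderedDict()   # least recently accessed element comes first
        for value in initial:
            self.insert(value)

    def insert(self, value):
        """Add value; return the evicted element, or None if nothing was purged."""
        if value in self._items:
            self._items.move_to_end(value)
            return None
        evicted = None
        if len(self._items) >= self.capacity:
            evicted, _ = self._items.popitem(last=False)
        self._items[value] = True
        return evicted

    def remove(self, value):
        """Remove value; return True if it was present."""
        return self._items.pop(value, None) is not None

    def contains(self, value):
        """Membership test; assumed here to refresh the element's recency."""
        if value in self._items:
            self._items.move_to_end(value)
            return True
        return False

    def __iter__(self):
        return iter(self._items)


# Initialised exactly as the page's adminAccounts[] and honeyFiles[] sets.
ADMIN_ACCOUNTS = BoundedSet(initial=["ADMIN", "ROOT", "OPER"])
HONEY_MD5 = ["12123098fdbfe0987451df4312314324", "19847edf7ba34398f8b7dda738475839"]
HONEY_FILES = BoundedSet(initial=HONEY_MD5)
ADMIN_NET = ipaddress.ip_network("192.168.5.0/24")


def run_rules(events, media_capacity=16):
    """Apply the set maintenance and alert rules to an event stream.
    Event dicts are a hypothetical stand-in for media.*, file.* and session.*.
    Returns (alerts, removableMediaDevices set)."""
    removable = BoundedSet(capacity=media_capacity)   # removableMediaDevices[16]
    alerts = []
    for ev in events:
        kind = ev["event"]
        if kind == "DEVICE_INSERTED":
            removable.insert(ev["devicePath"].upper())
        elif kind == "DEVICE_REMOVED":
            removable.remove(ev["devicePath"].upper())
        elif kind == "FILE_WRITE":
            if removable.contains(ev["devicePath"].upper()) and HONEY_FILES.contains(ev["md5"]):
                alerts.append(("honeyfile_to_removable_media", ev["devicePath"], ev["md5"]))
        elif kind == "SESSION_LOGON":
            if (ev["type"] == "SESSION_TYPE_REMOTE"
                    and ipaddress.ip_address(ev["ipv4"]) in ADMIN_NET
                    and ADMIN_ACCOUNTS.contains(ev["username"].upper())):
                alerts.append(("remote_admin_logon", ev["username"], ev["ipv4"]))
    return alerts, removable


# Constructed sample events (not captured from any real system).
SAMPLE_EVENTS = [
    {"event": "DEVICE_INSERTED", "devicePath": "/dev/sdb1"},
    {"event": "FILE_WRITE", "devicePath": "/dev/sdb1", "md5": HONEY_MD5[0]},                     # alert
    {"event": "FILE_WRITE", "devicePath": "/dev/sdb1", "md5": "d41d8cd98f00b204e9800998ecf8427e"},  # not a honey file
    {"event": "DEVICE_REMOVED", "devicePath": "/dev/sdb1"},
    {"event": "FILE_WRITE", "devicePath": "/dev/sdb1", "md5": HONEY_MD5[1]},                     # device no longer tracked
    {"event": "SESSION_LOGON", "type": "SESSION_TYPE_REMOTE", "ipv4": "192.168.5.77", "username": "root"},  # alert
    {"event": "SESSION_LOGON", "type": "SESSION_TYPE_REMOTE", "ipv4": "10.0.0.5", "username": "root"},      # wrong subnet
    {"event": "SESSION_LOGON", "type": "SESSION_TYPE_LOCAL", "ipv4": "192.168.5.77", "username": "admin"},  # not remote
]


def eviction_demo(capacity=2):
    """Insert capacity+1 devices, then write a honey file to the oldest one:
    the undersized set has purged it, so the write never alerts."""
    paths = ["/dev/sdb1", "/dev/sdc1", "/dev/sdd1", "/dev/sde1"][: capacity + 1]
    events = [{"event": "DEVICE_INSERTED", "devicePath": p} for p in paths]
    events.append({"event": "FILE_WRITE", "devicePath": paths[0], "md5": HONEY_MD5[0]})
    alerts, removable = run_rules(events, media_capacity=capacity)
    return alerts, sorted(removable)


if __name__ == "__main__":
    print(run_rules(SAMPLE_EVENTS)[0])
    print(eviction_demo())
```

Running the sample stream yields exactly the two alerts the rules describe; the write after DEVICE_REMOVED and the logons from the wrong subnet or a local session stay silent. eviction_demo() shows the sizing caveat: with a capacity of 2 and three inserted devices, the first device is purged and the honey-file write to it produces no alert.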

