Re: [Simple-evcorr-users] Test IF correlation operation exist then take action

2017-01-15 Thread Dusan Sovic
Hi Risto, This is exactly what I have been looking for! Thank you, Dusan From: Risto Vaarandi Sent: January 15, 2017 20:54 To: Dusan Sovic Cc: simple-evcorr-users@lists.sourceforge.net Subject: Re: [Simple-evcorr-users] Test IF

Re: [Simple-evcorr-users] Test IF correlation operation exist then take action

2017-01-15 Thread Risto Vaarandi
hi Dusan, the use of 'getwpos' is probably the best way to accomplish this task. As an alternative, one could check sec internal data structures, but it is more complex and makes the rules less readable. Since 'getwpos' assigns the beginning of the event correlation window (as seconds since

[Simple-evcorr-users] Test IF correlation operation exist then take action

2017-01-15 Thread Dusan Sovic
Dear mailing list users, In one of my rules I need to conditionally take action if a given correlation operation exists. From the SEC man page, I can see that under rule *action* I can use actions ‘reset’, ‘getwpos’ and ‘setwpos’ to work with correlation operation(s). I learn how to use ‘reset’