Hello! 

I'm dabbling with SEC, experimenting with adding lines into contexts and
deciding what to do with a context only when it is finished.
Essentially it's taking a look at the group of log messages emitted by
sendmail for every connection, looking for behaviour that is not
consistent with being an honored guest on the internet, and blocking the
source with iptables and ipset.

The problem is that I'm testing with the same input file over and over,
but the 'report' actions aren't running because the entire log file is
processed in less than 10 seconds:

sec --conf sendmail.test \
  --input /tmp/all.logs \
  --fromstart \
  --notail \
  --bufsize=1 \
  --log=- \
  --intevents \
  --intcontexts \
  --debug=50

Rather than writing some Perl to run in the SEC_SHUTDOWN internal event to
write the context buffers to files, I'd much rather just run the
'obsolete' action on all contexts.  Is there a straightforward way to do
that?

type=Single
ptype=SubStr
pattern=SEC_SHUTDOWN
context=SEC_INTERNAL_EVENT
desc=Save contexts msg_* into /tmp/report.* on shutdown
action=logonly; lcall %ret -> ( sub { my($context); \
    foreach $context (keys %main::context_list) { obsolete $context; } \
    } ) 

Mon Dec 14 14:49:34 2020: Code 'CODE(0x560fca302fb8)' runtime error:
Can't locate object method "obsolete" via package "msg_sendmail[4208]"
(perhaps you forgot to load "msg_sendmail[4208]"?) at (eval 9) line 1. 

For better testing, it would be cool if SEC's idea of the current time
could be derived from the timestamps in the log file instead of
wall-clock time, so that context actions happen at the right time
relative to log messages (rather than 30 seconds after the program ends!
:-), but that's probably a bit too much to ask for. 

Thanks! 

-- 

Penelope Fudd

sec-u...@ch.pkts.ca
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
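An added example, not SEC's code and not the poster's rule set, showing in stand-alone Python the two things the post asks about: flushing every still-open context at end of input (the "obsolete everything on shutdown" wish), and expiring contexts from the timestamps in the log rather than from wall-clock time, so that the per-connection report runs at the right point relative to the log. The sample sendmail lines are constructed; the two "misbehaviour" strings, the syslog year and the ipset set name are assumptions made for the example.

```python
"""Log-time-driven correlator for sendmail connection contexts (added example,
not SEC code). One context per "sendmail[pid]"; expiry uses log timestamps;
finish() reports on every context still open at end of input."""
import re
from datetime import datetime

# Constructed sample log (not real traffic); 203.0.113.9 is the misbehaving host.
SAMPLE_LOG = """\
Dec 14 14:49:01 mx sendmail[4208]: 0BEMn1aa004208: from=<alice@example.org>, size=1200, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.org [198.51.100.7]
Dec 14 14:49:01 mx sendmail[4209]: 0BEMn1bb004209: [203.0.113.9] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Dec 14 14:49:02 mx sendmail[4208]: 0BEMn1aa004208: to=<bob@example.com>, delay=00:00:01, mailer=esmtp, stat=Sent
Dec 14 14:49:40 mx sendmail[4210]: 0BEMn1cc004210: lost input channel from [203.0.113.9] to MTA after rcpt
Dec 14 14:49:41 mx sendmail[4211]: 0BEMn1dd004211: from=<carol@example.net>, size=800, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[192.0.2.20]
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\[(\d+\.\d+\.\d+\.\d+)\]")

# Illustrative "not an honored guest" indicators (assumption, not a complete list).
BAD_PATTERNS = ("did not issue MAIL/EXPN/VRFY/ETRN", "lost input channel")
IPSET_NAME = "sendmail_block"   # assumed set name
SYSLOG_YEAR = 2020              # syslog lines carry no year; assumed


def parse_time(ts, year=SYSLOG_YEAR):
    """Turn 'Dec 14 14:49:01' into a datetime (year is an assumption)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


class Correlator:
    def __init__(self, window_seconds=30):
        self.window = window_seconds
        self.contexts = {}    # "sendmail[4208]" -> {"last": datetime, "lines": [...]}
        self.decisions = []   # (context_name, source_ip, "allow" | "block")

    def feed(self, line):
        m = SYSLOG_RE.match(line)
        if not m:
            return
        now = parse_time(m["ts"])
        self.expire(now)      # the clock only advances with the log, never wall-clock
        name = f"{m['prog']}[{m['pid']}]"
        ctx = self.contexts.setdefault(name, {"last": now, "lines": []})
        ctx["last"] = now
        ctx["lines"].append(m["msg"])

    def expire(self, now):
        """Close every context idle for longer than the window, in log time."""
        for name in list(self.contexts):
            if (now - self.contexts[name]["last"]).total_seconds() > self.window:
                self.close(name)

    def finish(self):
        """End of input: report on all open contexts, like 'obsolete' on each."""
        for name in list(self.contexts):
            self.close(name)
        return self.decisions

    def close(self, name):
        """The 'report' step: pick the peer address and decide on the context."""
        ctx = self.contexts.pop(name)
        source = next((ip for msg in ctx["lines"] for ip in IPV4_RE.findall(msg)), None)
        bad = any(p in msg for p in BAD_PATTERNS for msg in ctx["lines"])
        self.decisions.append((name, source, "block" if bad else "allow"))


def blocked_ips(decisions):
    return sorted({ip for _, ip, verdict in decisions if verdict == "block" and ip})


def ipset_commands(decisions):
    """What a deployment would hand to ipset (rendered as strings, not executed)."""
    return [f"ipset add {IPSET_NAME} {ip} -exist" for ip in blocked_ips(decisions)]


def run(log_text, window_seconds=30):
    c = Correlator(window_seconds)
    for line in log_text.splitlines():
        c.feed(line)
    return c.finish()


if __name__ == "__main__":
    decisions = run(SAMPLE_LOG)
    for d in decisions:
        print(d)
    print("\n".join(ipset_commands(decisions)))
```

With a 30-second window, the two contexts from 14:49:01 are closed when the 14:49:40 line arrives (38 and 39 seconds of log time later), and the two opened at 14:49:40 and 14:49:41 are closed by finish(); nothing depends on how fast the file is actually read.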
