Test IF correlation operation exist then take action
Hi Dusan,
the use of 'getwpos' is probably the best way to accomplish this task.
As an alternative, one could check SEC internal data structures, but
it is more complex and makes the rules less readable. Since 'getwpos'
assigns the beginning of the event correlation window (as seconds
since
Dear mailing list users,
In one of my rules I need to conditionally take action if a given correlation
operation exists. From the SEC man page, I can see that under rule *action* I can
use actions ‘reset’, ‘getwpos’ and ‘setwpos’ to work with correlation
operation(s).
I learn how to use ‘reset’