Jon Salud wrote:
> Thanks for the replies.  I'm pretty much using standard input to test 
> while cut-n-pasting from a web server log.  Here's an example line:
>  
> 192.168.0.2 www.mywebserver.com somelongstringhere [01/Jan/2001:00:00:00 
> -0000] "GET /path/to/some/http HTTP/1.0" 200 12345 
> "http://www.mywebserver.com/path/to/some/http"; "Mozilla/4.0 (compatible; 
> MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" "-"
>  
> The rule does fire all the time if I remove the context line completely.

hi Jon,
do the strings contain whitespace? (If they do, \S+ will match just the 
first part of strings.) Are the contexts created correctly?
At the moment it is hard to tell what could be wrong here - can you post 
your entire ruleset?
br,
risto

>  
> sample contexts created:
>  
> good_ip_127.0.0.1
> good_ip_192.168.0.1
>  
> bad_ip_192.168.0.2
> bad_ip_192.168.0.3
>  
> bad_string_somelongstringhere1
> bad_string_somelongstringhere2
> bad_string_somelongstringhere3
>  
> etc...
> 
> ~Jon~
> On 3/20/08, Risto Vaarandi <[EMAIL PROTECTED]> wrote:
> 
>     Jon Salud wrote:
>      > Hello there,
>      >
>      > The following rule doesn't seem to be read according to /tmp/sec.dump
>      >
>      > type = Single
>      > desc = context $1 $2
>      > ptype = PerlFunc
>      > pattern = sub { if ($_[0] =~ /^(\S+) \S+ (\S+)/) { return ($1, $2,
>      > $_[1]); } return 0; }
>      > context = !good_ip_$1 && (bad_ip_$1 || bad_string_$2)
>      > action = shellcmd ./notify.ksh "%t|$3|$2|$1|$0"
>      >
>      > I populate all the good_ip_xxx, bad_ip_xxx, bad_string_xxx contexts at
>      > the beginning, but this rule doesn't seem to work when I try and test
>      > it.  When I remove the parentheses from the 'context' line it somewhat
>      > works, but doesn't behave the way I intend it to.  Any thoughts?
>      >
> 
>     hi Jon,
>     I tested the rule on my Linux workstation by feeding various string
>     tuples (A, B, C) to SEC, having separate rules put in place for creating
>     and deleting contexts for the first and third elements of tuples (A and
>     C, that is). I couldn't find any problem with the rule - if either
>     bad_ip_A or bad_string_C (or both) exist, and good_ip_A does not exist,
>     the rule fires; otherwise the action is not executed.
>     Therefore, I am strongly suspecting that the 'pattern' parameter does
>     not correctly capture your input. As John suggested, it would be most
>     helpful if you could provide us some samples of your actual input.
>     best regards,
>     risto
> 
>      > ~Jon~
>      >
>      > _______________________________________________
>      > Simple-evcorr-users mailing list
>      > [email protected]
>      > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
> 

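As an added illustration (not code from the thread or from SEC itself), the Perl script below replays Jon's PerlFunc pattern and context expression against the sample log line and the sample context names he posted, plus two constructed variants, so you can see what $1, $2 and $3 hold and whether the 'context' test would let the action run. It assumes the listed contexts exist, uses '-' as the stdin input source name, and approximates SEC's treatment of a PerlFunc that returns 0.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from SEC itself: replays the
# PerlFunc pattern and context expression of Jon's rule against his sample
# line and posted sample contexts, showing what $1, $2, $3 hold and whether
# the 'context' test would let the action run.
use strict;
use warnings;

# The 'pattern' sub from the rule, verbatim. SEC calls it with the input
# line in $_[0] and the input source name in $_[1].
my $pattern = sub {
    if ($_[0] =~ /^(\S+) \S+ (\S+)/) { return ($1, $2, $_[1]); }
    return 0;
};

# Contexts assumed to exist, taken from Jon's "sample contexts created" list.
my %ctx = map { $_ => 1 } qw(
    good_ip_127.0.0.1 good_ip_192.168.0.1
    bad_ip_192.168.0.2 bad_ip_192.168.0.3
    bad_string_somelongstringhere1 bad_string_somelongstringhere2
);

# context = !good_ip_$1 && (bad_ip_$1 || bad_string_$2), evaluated by hand
# against the %ctx table above.
sub context_passes {
    my ($ip, $str) = @_;
    return (!$ctx{"good_ip_$ip"}
            && ($ctx{"bad_ip_$ip"} || $ctx{"bad_string_$str"})) ? 1 : 0;
}

# One-line verdict for a log line; undef when the pattern does not match
# (approximates SEC's rule that a returned list of one false value is a miss).
sub check_line {
    my ($line) = @_;
    my @m = $pattern->($line, '-');      # '-' assumed as the stdin source name
    return undef if @m == 1 && !$m[0];
    my ($ip, $str, $src) = @m;
    my $verdict = context_passes($ip, $str) ? 'FIRES' : 'suppressed';
    return sprintf('$1=%s $2=%s $3=%s -> %s', $ip, $str, $src, $verdict);
}

# Constructed inputs: Jon's sample line (autolink residue removed), the same
# line with whitespace inside the third field, and a request from a good IP.
my @lines = (
    '192.168.0.2 www.mywebserver.com somelongstringhere [01/Jan/2001:00:00:00 -0000] "GET /path/to/some/http HTTP/1.0" 200 12345',
    '192.168.0.2 www.mywebserver.com some long string [01/Jan/2001:00:00:00 -0000] "GET / HTTP/1.0" 200 12345',
    '192.168.0.1 www.mywebserver.com somelongstringhere1 [01/Jan/2001:00:00:00 -0000] "GET / HTTP/1.0" 200 12345',
);
print check_line($_) // 'pattern did not match', "\n" for @lines;
```

The first two lines report FIRES (bad_ip_192.168.0.2 exists and no good_ip_192.168.0.2 does), with $2 truncated to "some" on the second line, which is the whitespace effect Risto asks about; the third line is suppressed because good_ip_192.168.0.1 exists even though bad_string_somelongstringhere1 does too.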