Oh my gosh.  I'm embarrassed.  I went to try out the basic context
expression example from (2.1)
http://sixshooter.v6.thrupoint.net/SEC-examples/article-part2.html and I
noticed an error from the example when I ran it:

Rule in test.conf at line 19: Invalid context specification ' !FOO_CONTEXT
&& (BAR_CONTEXT || BAZ_CONTEXT) '

So I was scratching my head trying to figure out why this simple example
wouldn't work.  Then I did a /usr/bin/perl -v and it came up with:

This is perl, version 5.005_03

My problem turned out to be a perl version issue.  I ran my test using
5.8 and it works just fine.  Sorry about that, and thank you for taking
time out to look into my issue.

~Jon~

On 3/20/08, Risto Vaarandi <[EMAIL PROTECTED]> wrote:
>
> Jon Salud wrote:
> > Thanks for the replies.  I'm pretty much using standard input to test
> > while cut-n-pasting from a web server log.  Here's an example line:
> >
> > 192.168.0.2 www.mywebserver.com somelongstringhere [01/Jan/2001:00:00:00
> > -0000] "GET /path/to/some/http HTTP/1.0" 200 12345
> > "http://www.mywebserver.com/path/to/some/http" "Mozilla/4.0 (compatible;
> > MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" "-"
> >
> > The rule does fire all the time if I remove the context line completely.
>
> hi Jon,
> do the strings contain whitespace? (If they do, \S+ will match just the
> first part of strings.) Are the contexts created correctly?
> At the moment it is hard to tell what could be wrong here - can you post
> your entire ruleset?
> br,
> risto
>
> >
> > sample contexts created:
> >
> > good_ip_127.0.0.1
> > good_ip_192.168.0.1
> >
> > bad_ip_192.168.0.2
> > bad_ip_192.168.0.3
> >
> > bad_string_somelongstringhere1
> > bad_string_somelongstringhere2
> > bad_string_somelongstringhere3
> >
> > etc...
> >
> > ~Jon~
> > On 3/20/08, *Risto Vaarandi* <[EMAIL PROTECTED]
> > <mailto:[EMAIL PROTECTED]>> wrote:
> >
> >     Jon Salud wrote:
> >      > Hello there,
> >      >
> >      > The following rule doesn't seem to be read according to /tmp/sec.dump
> >      >
> >      > type = Single
> >      > desc = context $1 $2
> >      > ptype = PerlFunc
> >      > pattern = sub { if ($_[0] =~ /^(\S+) \S+ (\S+)/) { return ($1, $2, $_[1]); } return 0; }
> >      > context = !good_ip_$1 && (bad_ip_$1 || bad_string_$2)
> >      > action = shellcmd ./notify.ksh "%t|$3|$2|$1|$0"
> >      >
> >      > I populate all the good_ip_xxx, bad_ip_xxx, bad_string_xxx contexts at
> >      > the beginning, but this rule doesn't seem to work when I try and test
> >      > it.  When I remove the parentheses from the 'context' line it somewhat
> >      > works, but doesn't behave the way I intend it to.  Any thoughts?
> >      >
> >
> >     hi Jon,
> >     I tested the rule on my Linux workstation by feeding various string
> >     tuples (A, B, C) to SEC, having separate rules put to place for creating
> >     and deleting contexts for the first and third elements of tuples (A and
> >     C, that is). I couldn't find any problem with the rule - if either
> >     bad_ip_A or bad_string_C (or both) exist, and good_ip_A does not exist,
> >     the rule fires; otherwise the action is not executed.
> >     Therefore, I am strongly suspecting that the 'pattern' parameter does
> >     not correctly capture your input. As John suggested, it would be most
> >     helpful if you could provide us some samples of your actual input.
> >     best regards,
> >     risto
> >
> >      > ~Jon~
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
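
A stand-alone way to check what the thread's `pattern` captures and how the `context` expression then evaluates, written as an added example that is not part of the original messages or of SEC itself. The `%ctx` hash is a plain-Perl stand-in for SEC's context list, and the input lines and the `placeholder-source` argument are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# PerlFunc pattern copied from the rule in this thread. The rule reads the
# input line from $_[0] and returns $_[1] as its third value ($3).
my $pattern = sub {
    if ($_[0] =~ /^(\S+) \S+ (\S+)/) { return ($1, $2, $_[1]); }
    return 0;
};

# Constructed context set, modelled on the "sample contexts created" list.
my %ctx = map { $_ => 1 } qw(
    good_ip_127.0.0.1 good_ip_192.168.0.1
    bad_ip_192.168.0.2 bad_ip_192.168.0.3
    bad_string_somelongstringhere1
);

# Plain-Perl stand-in for: !good_ip_$1 && (bad_ip_$1 || bad_string_$2)
sub context_true {
    my ($ip, $str) = @_;
    return !$ctx{"good_ip_$ip"}
        && ($ctx{"bad_ip_$ip"} || $ctx{"bad_string_$str"}) ? 1 : 0;
}

# Constructed input lines: client IP, host name, string field, rest of line.
my @lines = (
    '192.168.0.2 www.mywebserver.com somelongstringhere [01/Jan/2001:00:00:00 -0000] "GET / HTTP/1.0" 200 12345',
    '192.168.0.1 www.mywebserver.com somelongstringhere1 [01/Jan/2001:00:00:01 -0000]',
    '10.0.0.5 www.mywebserver.com somelongstringhere1 [01/Jan/2001:00:00:02 -0000]',
    '10.0.0.5 www.mywebserver.com some long string [01/Jan/2001:00:00:03 -0000]',
    'no-fields-here',
);

for my $line (@lines) {
    my @m = $pattern->($line, 'placeholder-source');
    # Simplified match test: a lone false return value means "no match".
    if (@m == 1 && !$m[0]) {
        print "NO MATCH  <$line>\n";
        next;
    }
    my ($ip, $str) = @m;
    # Show the captured fields next to the decision, so a capture that
    # stops at whitespace (fourth line) is visible at a glance.
    printf "%-5s \$1=%s \$2=%s\n",
        context_true($ip, $str) ? 'FIRE' : 'skip', $ip, $str;
}
```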
