John,
Thank you for the help. I did it this way:
type=Single
ptype=RegExp
pattern=TEST_COINCIDENCE_OF_EVENT1_EVENT2_OR_EVENT3
context= c_event1 && c_event2 || c_event3
desc=$0
action=pipe '%s' /usr/bin/mail -s 'Attack_X' [EMAIL PROTECTED]

type=Single
ptype=RegExp
pattern=event1
desc=$0
action=create c_event1 60;event TEST_COINCIDENCE_OF_EVENT1_EVENT2_OR_EVENT3

type=Single
ptype=RegExp
pattern=event2
desc=$0
action=create c_event2 60;event TEST_COINCIDENCE_OF_EVENT1_EVENT2_OR_EVENT3

type=Single
ptype=RegExp
pattern=event3
desc=$0
action=create c_event3 60;event TEST_COINCIDENCE_OF_EVENT1_EVENT2_OR_EVENT3
I have tested it and I think it's working,
Fabiano
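As an added illustration (not code from either message or from SEC itself), the following Python model replays Fabiano's four-rule set: each matching event refreshes a 60-second context, the synthetic TEST_COINCIDENCE event is fed back and the context expression is evaluated with SEC's precedence (&& binds tighter than ||). The sample event stream and timestamps are constructed for the example.

```python
import re

CONTEXT_TTL = 60  # seconds, as in "create c_eventN 60" in the rules above

# Regex patterns from the three "create" rules (ptype=RegExp, case-sensitive).
EVENT_RULES = {"c_event1": re.compile("event1"),
               "c_event2": re.compile("event2"),
               "c_event3": re.compile("event3")}


class ContextStore:
    """Minimal model of SEC contexts: name -> absolute expiry time."""

    def __init__(self):
        self.expiry = {}

    def create(self, name, now, ttl=CONTEXT_TTL):
        # "create" on an existing context resets its lifetime
        self.expiry[name] = now + ttl

    def active(self, name, now):
        return name in self.expiry and self.expiry[name] > now


def coincidence(ctx, now):
    """Evaluate 'c_event1 && c_event2 || c_event3' (&& before ||)."""
    both = ctx.active("c_event1", now) and ctx.active("c_event2", now)
    return both or ctx.active("c_event3", now)


def replay(events):
    """events: list of (timestamp, log line). Returns the timestamps at
    which the check rule would pipe 'Attack_X' to mail."""
    ctx = ContextStore()
    alerts = []
    for ts, line in events:
        for name, pattern in EVENT_RULES.items():
            if pattern.search(line):
                ctx.create(name, ts)
                # the 'event TEST_...' action re-injects a synthetic event;
                # the check rule matches it and tests the context expression
                if coincidence(ctx, ts):
                    alerts.append(ts)
    return alerts


# Constructed sample stream: (seconds since start, log line)
SAMPLE_EVENTS = [(0, "host1 event1 seen"), (30, "host1 event2 seen"),    # pair within 60s
                 (100, "host2 event1"), (200, "host2 event2"),          # too far apart
                 (300, "host3 event3"),                                 # event3 alone
                 (400, "host4 event2"), (420, "host4 event1"),          # reverse order
                 (430, "host4 event2")]                                 # fires again

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))  # [30, 300, 420, 430]
```

The last alert shows a property worth knowing: while both contexts are alive, every further event1 or event2 re-fires the check, so a suppression context is needed if one mail per incident is wanted. The patterns are case-sensitive, which is what keeps the upper-case synthetic event from matching pattern=event1 and looping.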
"John P. Rouillard" <[EMAIL PROTECTED]> wrote:
In message <[EMAIL PROTECTED]>,
Fabiano writes:
> What is the best SEC rule to make something like this:
>
> IF ((event1) AND (event2)) OR (event3) email "Attack_X" ??
Umm, well you haven't specified the time dependence between event1 and
event2. So:
type=single
ptype=regexp
pattern=event3
desc=$0
action= shellcmd email --subject "attack X"
and then if event1 must occur before event2 and you will wait forever
for event 2 to occur:
type=pairwithwindow
ptype=regexp
pattern=event1
desc=$0
action=none
ptype2=regexp
pattern2=event2
desc2=$0
action2= shellcmd email --subject "attack X"
window=0
if event1 and event2 can occur in either order but must occur within 1
minute of each other you can use two of the pairwithwindow statements
above with window=60 or a coincidence checking rulegroup like:
type=single
ptype=regexp
pattern=TEST_COINCIDENCE_OF_EVENT1_EVENT2
context = c_event1 && c_event2
desc=$0
action= shellcmd email --subject "attack X"

type=single
ptype=regexp
pattern=event1
desc=$0
action= create c_event1 60;event TEST_COINCIDENCE_OF_EVENT1_EVENT2

type=single
ptype=regexp
pattern=event2
desc=$0
action= create c_event2 60;event TEST_COINCIDENCE_OF_EVENT1_EVENT2
--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Register now and save $200. Hurry, offer ends at 11:59 p.m.,
Monday, April 7! Use priority code J8TLD2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users