Thanks a lot John that really hit the spot. I'm finding your Sec paper from 2004 also a good read. Thanks again!
-h John P. Rouillard wrote: > 1 rule that matches all 4lines > context = matching_4lines && ! failed_4way > action = delete matching_4lines > > 2 first line matching rule > context = ! failed_4way > action = create context matching_4lines for 2 seconds > when it expires: > create context failed_4way match > copy matching_4lines %m > event %m > event "END REPLAY" > add matching_4lines $0 > > 3 single rule that matches any line, or two single rules that match > lines 2 and 3 > context = matching_4lines > action = add matching_4lines $0 > > > 4 single rule matching "END REPLAY" > action = delete failed_4way > > What this does is recognize the start of the sequence, buffer the > lines in the sequence for 2 seconds. If all 4 lines didn't arrive in 2 > seconds, replay the events bypassing the attempt to recognize all 4 > lines. > > So line 1 comes in: > > rule context action > 1 none ignored by context > 2 none executed - context matching_4lines created > 3,4 - event was consumed by rule 2, so never seen > > Line 2 comes in: > > rule context action > 1 matching_4lines does not match regular expression > 2 matching_4lines does not match regular expression > 3 matching_4lines event consumed, added to context. > 4 - no event > Line 2 comes in: > > rule context action > 1 matching_4lines does not match regular expression > 2 matching_4lines does not match regular expression > 3 matching_4lines event consumed, added to context. > 4 - no event > > line 3 proceeds along line 2. line 4: > > rule context action > 1 matching_4lines matches regular expression, executes > 2,3,4 - no event > > Now if line 3 comes in 4 seconds later we see after 2 seconds (not > driven by event): > > context matching_4lines deleted > context failed_4way created > lines 1 and 2 are in the event queue and are replayed before line 3 > event END REPLAY is in event queue and replayed before line 3 > > so line 1 replay comes in again: > > rule context action > 1 failed_4way ignored by context > 2 failed_4way ignored by context > 3 failed_4way ignored by context > 4 failed_4way doesn't match regexp > 5... failed_4way maybe matched and acted on > > line 2 replay proceeds the same > > event "END REPLAY" comes in: > > rule context action > 1 failed_4way ignored by context > 2 failed_4way ignored by context > 3 failed_4way ignored by context > 4 failed_4way deletes failed_4way and consumes event > > now the 4 second delayed line 3 comes in > > rule context action > 1 none ignored by context > 2 none ignored by context > 3 none ignored by context > 4 none doesn't match regexp > 5... none maybe matched and acted on > > line 4 operates the same and is passed through for action. -- Hari Sekhon ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ _______________________________________________ Simple-evcorr-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
