In message <[EMAIL PROTECTED]>,
Hari Sekhon writes:
>John P. Rouillard wrote:
>> 1   rule that matches all 4 lines
>>     context = matching_4lines && ! failed_4way
>>     action = delete matching_4lines
>>
>> 2   first line matching rule
>>     context = ! failed_4way
>>     action = create context matching_4lines for 2 seconds
>>              when it expires:
>>                create context failed_4way match
>>                copy matching_4lines %m
>>                event %m
>>                event "END REPLAY"
>>              add matching_4lines $0 
>>  
>> 3   single rule that matches any line, or two single rules that match
>>                lines 2 and 3
>>     context = matching_4lines
>>     action = add matching_4lines $0
>>
>>
>> 4   single rule matching "END REPLAY"
>>     action = delete failed_4way   
>>
>> What this does is recognize the start of the sequence, buffer the
>> lines in the sequence for 2 seconds. If all 4 lines didn't arrive in 2
>> seconds, replay the events bypassing the attempt to recognize all 4
>> lines.

>Thanks a lot John that really hit the spot.

Just out of curiosity, did you go with the 4 single rule, or the 2
single and one pair rule?

>I'm finding your Sec paper from 2004 also a good read.

Good to hear.

One problem with the rules above is that the replay dumps all of the
events in order destroying their original timing. So if you wanted to
have a rule that matched all 4 events in a 2 second window and all 4
events in a 4 second window for example, it would be a problem.

One way to do that is to use two rules files. This makes sense (to my
warped mind at least) since separate rules files are processed
"virtually" in parallel. (See the sec man page for more detail).  In
this case we want the two rules (2 second and 4 second) to see
identical parallel input streams.

One file has the 4 rules for the 2 second variant, one file has the
rules for the 4 second variant. The matching_4lines context needs
to be unique for each rule set. In rule 1 for each of them, destroy
the matching contexts for both:

   delete matching_4lines; delete matching_4lines_in4seconds;

I think the failed_4way context stays identical since during a replay
both rules 1 and 2 need to be skipped, but verifying that is left as
an exercise for the reader.

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
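The timing problem John describes above can be made concrete with a small model. The Python below is an added example, not SEC itself and not code from the thread: it simulates the four pseudo-rules (buffer context with a lifetime, "add any line", "all four lines" match, replay on expiry) for one time window, and then shows what happens when a 4 second correlator is fed the replay output of a 2 second one versus a pristine copy of the same stream, which is the situation the two-rules-files approach is meant to avoid. The four line patterns and the session log lines are constructed sample input; the replayed lines are simply returned with the expiry time rather than fed back through the rules, which is what the failed_4way context achieves in the original scheme.

```python
import re

# Constructed four-line sequence (an assumption for the example); one regex per step.
SEQ = [re.compile(p) for p in (
    r"^session (\S+) open$",
    r"^session (\S+) auth ok$",
    r"^session (\S+) key exchanged$",
    r"^session (\S+) ready$",
)]

# Constructed sample streams as (seconds, line) in arrival order.
FAST = [(0.0, "session s2 open"), (0.5, "session s2 auth ok"),
        (1.0, "session s2 key exchanged"), (1.5, "session s2 ready")]
SLOW = [(0.0, "session s1 open"), (1.5, "session s1 auth ok"),
        (3.0, "session s1 key exchanged"), (5.0, "session s1 ready")]


def correlate(events, window):
    """Model of the four pseudo-rules for one time window.

    Returns (matches, out):
      matches - times at which all four lines completed within `window`
      out     - every event that leaves this correlator: lines seen while no
                buffer was open (original time) plus buffered lines replayed
                when the buffer expired (all stamped with the expiry time, so
                their original spacing is lost, as the thread points out)
    """
    matches, out = [], []
    started_at, buffered = None, []           # the matching_4lines context

    def expire():
        # rule 2's "when it expires" action list: replay the buffered lines
        nonlocal started_at, buffered
        out.extend((started_at + window, line) for line in buffered)
        started_at, buffered = None, []

    for t, line in events:
        if started_at is not None and t > started_at + window:
            expire()
        if started_at is None:
            if SEQ[0].match(line):            # rule 2: first line opens the buffer
                started_at, buffered = t, [line]
            else:
                out.append((t, line))         # nothing buffered: pass through
            continue
        buffered.append(line)                 # rule 3: any line joins the buffer
        if len(buffered) == 4 and all(p.match(l) for p, l in zip(SEQ, buffered)):
            matches.append(t)                 # rule 1: all four lines in order
            started_at, buffered = None, []   # delete matching_4lines
    if started_at is not None:                # stream ended with an open buffer
        expire()
    return matches, out


def parallel_windows(events, windows=(2.0, 4.0)):
    """Two rule sets each fed an identical copy of the stream (two rules files)."""
    return tuple(correlate(events, w)[0] for w in windows)


def chained_windows(events, first=2.0, second=4.0):
    """One rules file: the second window only ever sees the first one's output."""
    _, replayed = correlate(events, first)
    return correlate(replayed, second)[0]


if __name__ == "__main__":
    print("fast, 2s window:", correlate(FAST, 2.0)[0])        # completes at 1.5
    print("slow, parallel 2s/4s:", parallel_windows(SLOW))     # ([], []) - spans 5 s
    print("slow, chained 2s->4s:", chained_windows(SLOW))      # [5.0] - spurious match
```

On the SLOW stream the four lines span 5 seconds, so neither a 2 second nor a 4 second window should fire, and with parallel pristine input neither does. Chained, the 2 second buffer expires at t=2.0 and replays "open" and "auth ok" both stamped 2.0; the 4 second correlator then sees the sequence compressed to 3 seconds and reports a match that never happened. Note also that rule 3 buffers any line, so an unrelated line interleaved with the four breaks the match for that window; that is inherent to the scheme, not to this model.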

_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users