Given log lines like this:

    Oct 7 08:46:20.000 ops1.sys.dev1.int sudo: jschroeder : 3 incorrect password attempts ; TTY=pts/13 ; PWD=/home/jschroeder ; USER=root ; COMMAND=/usr/bin/test test test
    Oct 7 08:47:51.000 ops1.sys.dev1.int sudo: jschroeder : 3 incorrect password attempts ; TTY=pts/15 ; PWD=/home/jschroeder ; USER=root ; COMMAND=/usr/bin/test test test

And a pattern like this:

    pattern=^.+\d+:\d+:\d+\.\d+ (.+) sudo: (.*) : (\d+) incorrect password attempts ;.*USER=(.*) ; COMMAND=(.*)$

Is there a way to use $3 for the threshold and sum it instead of using the line count?

I briefly cracked open sec.pl and found these lines:

    2317     if ($ref->{"thresh"} !~ /^0*(\d+)$/ || $1 == 0) {
    2318       log_msg(LOG_ERR, "Rule in $conffile at line $lineno:",
    2319               "Invalid threshold '", $ref->{"thresh"}, "'");
    2320       return 0;
    2321     } else { $ref->{"thresh"} = $1; }

Ideally, if sec saw those two log lines, the thresh should be 6 in the created context. My attempts to set thresh via eval have all failed miserably. Is sec able to do this?

Thanks

-- 
Jeff Schroeder

Don't drink and derive, alcohol and analysis don't mix.
http://www.digitalprognosis.com
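To make the requested semantics concrete (sum the captured attempt count rather than count matching lines, and fire when the sum reaches the threshold inside a time window), here is an added Python illustration. It is not SEC code and says nothing about what sec.pl supports; the regex is the post's pattern with named groups and a timestamp group added, the window length and the per-(host, user, target) keying are my assumptions, and the two sample lines are copied from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The post's pattern, with named groups and a leading timestamp group (assumption) for windowing.
PATTERN = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d+:\d+:\d+\.\d+) (?P<host>\S+) sudo: (?P<user>.*?) : "
    r"(?P<count>\d+) incorrect password attempts ;.*USER=(?P<target>.*?) ; COMMAND=(?P<cmd>.*)$"
)

# Constructed sample input: the two log lines quoted in the post.
SAMPLE_LINES = [
    "Oct 7 08:46:20.000 ops1.sys.dev1.int sudo: jschroeder : 3 incorrect password attempts ; "
    "TTY=pts/13 ; PWD=/home/jschroeder ; USER=root ; COMMAND=/usr/bin/test test test",
    "Oct 7 08:47:51.000 ops1.sys.dev1.int sudo: jschroeder : 3 incorrect password attempts ; "
    "TTY=pts/15 ; PWD=/home/jschroeder ; USER=root ; COMMAND=/usr/bin/test test test",
]

def parse_line(line):
    """Return (timestamp, host, user, target, count) or None when the line does not match."""
    m = PATTERN.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine for differences.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S.%f")
    return ts, m.group("host"), m.group("user"), m.group("target"), int(m.group("count"))

def sum_threshold(lines, thresh=6, window_seconds=300):
    """Sum the captured count per (host, user, target) over a sliding window.

    Emits one alert for a key when its summed count reaches thresh, then resets that key,
    so the two 3-attempt lines from the post add up to 6 instead of counting as 2 events.
    """
    recent = defaultdict(deque)   # key -> deque of (timestamp, count) still inside the window
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, user, target, count = parsed
        q = recent[(host, user, target)]
        q.append((ts, count))
        while q and (ts - q[0][0]).total_seconds() > window_seconds:   # expire old events
            q.popleft()
        total = sum(c for _, c in q)
        if total >= thresh:
            alerts.append({"host": host, "user": user, "target": target,
                           "total": total, "events": len(q)})
            q.clear()
    return alerts

if __name__ == "__main__":
    for alert in sum_threshold(SAMPLE_LINES):
        print(alert)
```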