Hi all:

I have been doing some revision to some rules to extract more info for
correlation purposes and I got a little confused. Perl 5 (unlike
python and IIRC Perl 6) doesn't have a way of naming sub-pattern
matches. So you end up with $1, $2 ... rather than $hostname $user.
As a result it is easy to get confused when you use the $1 ... $n
patterns and not have the intended result.

I was wondering if we could make up for this deficiency in SEC. As an
example of this functionality:

  type = single
  ptype = regexp
  pattern = process\[([0-9]+)\]: (.*)
  format = pid:$1 reason:$2
  context = ${pid} > 20
  action = write - ${process}-${pid}

define a new format keyword that provides a mapping between $x (or %x)
variables and variable names. This allows you to modify the pattern
and format mappings without having to modify any of the rest of the
rule.

The way I see this working is that the variable names defined in the
format exist only for the rule (i.e. same scope as $1, $2 ....) unlike
normal user defined variables that exist permanently.

Since I have multiple rules with the same regexp to keep the parsing
consistent, a single regexp change for an event results in changes to a
number of rules as I propagate the regexp.

Does this seem like a useful idea?

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
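One way to emulate the proposed format keyword outside SEC, as an added example that is not part of the original post and not SEC's own code: the rule dict and the sample log line are constructed, the names live only for one rule's match, and a $n that points past the pattern's capture-group count is rejected when the rule is loaded instead of silently yielding an empty value.

```python
import re

# Constructed rule, mirroring the one in the post (a plain dict standing in
# for SEC's rule syntax; this is not SEC's real rule loader).
RULE = {
    "pattern": r"process\[([0-9]+)\]: (.*)",
    "format": "pid:$1 reason:$2",
}

# One "name:$n" item of the proposed format keyword.
_FORMAT_ITEM = re.compile(r"^(\w+):\$(\d+)$")


def parse_format(fmt, pattern):
    """Turn 'name:$n name2:$m' into {name: n}, validating each $n against the
    number of capture groups in pattern so misnumbering fails at load time."""
    regex = re.compile(pattern)
    mapping = {}
    for item in fmt.split():
        m = _FORMAT_ITEM.match(item)
        if not m:
            raise ValueError(f"bad format item: {item!r}")
        name, idx = m.group(1), int(m.group(2))
        if idx < 1 or idx > regex.groups:
            raise ValueError(
                f"{name} refers to ${idx}, but pattern has only "
                f"{regex.groups} capture group(s)")
        mapping[name] = idx
    return mapping


def match_event(rule, line):
    """Return {name: value} for a matching line (names scoped to this rule
    only, like $1..$n), or None when the pattern does not match."""
    names = parse_format(rule["format"], rule["pattern"])
    m = re.search(rule["pattern"], line)
    if m is None:
        return None
    return {name: m.group(idx) for name, idx in names.items()}


# Constructed sample log line, not taken from the original post.
SAMPLE = "Mar  1 10:22:01 host1 process[42]: out of memory"

if __name__ == "__main__":
    fields = match_event(RULE, SAMPLE)
    print(fields)                    # {'pid': '42', 'reason': 'out of memory'}
    # The post's context expression, evaluated with the named value.
    print(int(fields["pid"]) > 20)   # True
```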

_______________________________________________
Simple-evcorr-users mailing list
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
