hi Mark,
thanks for sharing -- it is good to hear the newer functionality of sec is
useful for you!
I have to acknowledge that I've had only a brief look into the rule from
your post, and didn't get into all the details. Nevertheless, the rule
seems to be quite efficient since most of the Perl code does not get
compiled repeatedly but just once.
There is one thing, though, that might be appropriate for long code
fragments (longer than the ones from your post) -- sometimes it is useful
to define them in a separate module as functions and call these functions
from 'lcall'. One advantage of this approach is the clarity of code -- in
sec rules, code lines have to be continued with backslashes and #-style
comments can't be used in code, while in modules you don't have these
restrictions. Also, putting the code into functions makes it easy to write
almost identical lcall actions in a short way. But as I seem to remember
from some of your previous posts throughout the years, you have used this
technique for your rulesets already :)
kind regards,
risto
2013/9/25 Mark D. Nagel <[email protected]>
> I thought I would share my final version of the rule I was working on.
> Turns out that you
> have made my life way simpler since last time I looked deeply into what I
> could do --
> thanks, Risto! Note that this is part of a larger ruleset that begins
> with JSON/flatten
> of Windows events received from nxlog-ce and this is the final catchall
> Jump target.
>
> Regards,
> Mark
>
> # Handle all unclassified windows events; by default, event types
> # are assigned aggregation lifetimes as follows:
> #
> # error: 30 minutes
> # warning: 90 minutes
> # audit_failure: 60 minutes
> #
> # This can be adjusted in the 'eval %lifetime' action line.
>
> type=Single
> ptype=Cached
> pattern=WINDOWS
> desc=Windows Unclassified $+{EventType}: $+{SourceName}
> action=exists %exists WINDOWS_UNCLASSIFIED_$+{EventType}_$+{SourceName}; \
>   if %exists ( \
>     none; \
>   ) else ( \
>     eval %lifetime ( \
>       $+{EventType} eq "AUDIT_FAILURE" ? 3600 : \
>       $+{EventType} eq "WARNING" ? 5400 : \
>       $+{EventType} eq "ERROR" ? 1800 : \
>       7200 \
>     ); \
>     create WINDOWS_UNCLASSIFIED_$+{EventType}_$+{SourceName} %lifetime ( \
>       lcall %o $+{EventType} $+{SourceName} -> ( \
>         sub { \
>           my ($eventtype,$sourcename) = @_; \
>           my @ret = map { "$WINDOWS_UNCLASSIFIED{$eventtype}{$sourcename}{Info}->{$_}\t$_" } \
>                     sort { $WINDOWS_UNCLASSIFIED{$eventtype}{$sourcename}{Info}->{$b} <=> \
>                            $WINDOWS_UNCLASSIFIED{$eventtype}{$sourcename}{Info}->{$a} } \
>                     keys %{$WINDOWS_UNCLASSIFIED{$eventtype}{$sourcename}{Info}}; \
>           unshift(@ret, "First Seen: " . scalar localtime($WINDOWS_UNCLASSIFIED{$eventtype}{$sourcename}{When}) . \
>                         "\n\nCount\tEvent"); \
>           delete $WINDOWS_UNCLASSIFIED{$eventtype}{$sourcename}; \
>           return @ret; \
>         } ); \
>       fill WINDOWS_UNCLASSIFIED_$+{EventType}_$+{SourceName} %o; \
>       report WINDOWS_UNCLASSIFIED_$+{EventType}_$+{SourceName} /usr/libexec/sec/notify.pl -m %nt_mail -f %nt_from "%s"; \
>     ); \
>     lcall %o $+{EventType} $+{SourceName} -> ( \
>       sub { my ($eventtype,$sourcename) = @_; \
>             delete $WINDOWS_UNCLASSIFIED{$eventtype}{$sourcename}; \
>             $WINDOWS_UNCLASSIFIED{$eventtype}{$sourcename}{When} = time; \
>       } ) \
>   ); \
>   lcall %o $+{EventType} $+{SourceName} $+{Hostname} $+{EventID} $+{Message} -> ( \
>     sub { \
>       my ($eventtype,$sourcename,$hostname,$eventid,$message) = @_; \
>       $WINDOWS_UNCLASSIFIED{$eventtype}{$sourcename}{Info}->{sprintf("%s: %s/%d: %s", $hostname, $sourcename, $eventid, $message)}++; \
>     } )
>
>
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
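As an added illustration of the approach Risto suggests above (moving the lcall bodies into a separate module so they can be written without backslash continuations and with normal comments), the Perl module below reproduces the logic of the three lcall blocks and the lifetime lookup from Mark's rule. This is example code, not part of the thread or of sec itself; the package name WinUnclassified, the hash name %STORE and the way the module is loaded are assumptions.

```perl
# WinUnclassified.pm -- hypothetical module holding the Perl parts of the rule above.
package WinUnclassified;
use strict;
use warnings;

# Shared state keyed by event type and source name; plays the role of the
# global %WINDOWS_UNCLASSIFIED hash used inside the rule's lcall blocks.
our %STORE;

# Context lifetime in seconds; replaces the nested ?: chain in 'eval %lifetime'.
sub lifetime {
    my ($eventtype) = @_;
    my %life = (AUDIT_FAILURE => 3600, WARNING => 5400, ERROR => 1800);
    return exists $life{$eventtype} ? $life{$eventtype} : 7200;
}

# Start a fresh aggregation window for this type/source pair (second lcall).
sub reset_window {
    my ($eventtype, $sourcename) = @_;
    delete $STORE{$eventtype}{$sourcename};
    $STORE{$eventtype}{$sourcename}{When} = time;
}

# Count one occurrence of a distinct host/source/id/message combination (third lcall).
sub record {
    my ($eventtype, $sourcename, $hostname, $eventid, $message) = @_;
    my $key = sprintf("%s: %s/%d: %s", $hostname, $sourcename, $eventid, $message);
    $STORE{$eventtype}{$sourcename}{Info}{$key}++;
}

# Build the report lines, most frequent first, and clear the window (first lcall).
# Returned as a list so that sec can fill the context with it.
sub summarize {
    my ($eventtype, $sourcename) = @_;
    my $w    = delete($STORE{$eventtype}{$sourcename}) || { When => time };
    my $info = $w->{Info} || {};
    my @ret  = map  { "$info->{$_}\t$_" }
               sort { $info->{$b} <=> $info->{$a} }
               keys %$info;
    unshift @ret, "First Seen: " . scalar(localtime($w->{When})) . "\n\nCount\tEvent";
    return @ret;
}

1;
```

Once the module has been loaded into the sec process (for instance with an eval action triggered at startup; the loading mechanism is an assumption here), each lcall in the rule shrinks to a one-line call such as `lcall %o $+{EventType} $+{SourceName} -> ( sub { WinUnclassified::summarize(@_) } )`.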