On 9/25/2013 2:21 PM, Risto Vaarandi wrote:
> thanks for sharing -- it is good to hear the newer functionality of sec is
> useful for you!
> I have to acknowledge that I've had only a brief look into the rule from your
> post, and didn't get into all the details. Nevertheless, the rule seems to be
> quite efficient since most of the Perl code does not get compiled repeatedly
> but just once.
> There is one thing, though, that might be appropriate for long code fragments
> (longer than the ones from your post) -- sometimes it is useful to define them
> in a separate module as functions and call these functions from 'lcall'. One
> advantage of this approach is the clarity of code -- in sec rules, code lines
> have to be continued with backslashes and #-style comments can't be used in
> code, while in modules you don't have these restrictions. Also, putting the
> code into functions makes it easy to write almost identical lcall actions in a
> short way. But as I seem to remember from some of your previous posts
> throughout the years, you have used this technique for your rulesets already :)
Yes, absolutely. I was developing this inline since it was fluid at the time, but I want to get the meat of it into a library.

Going back to my previous request on getting access to the varmap hash, I would like to definitely see that in a future release. For example, having access to the entire hash would allow me to export its fields into environment variables for use by our notification script. We have a Template::Toolkit based knowledgebase facility within that, and having structured access to all the Windows event fields would be really handy. I can see no other way to do this now short of accessing SEC internal data structures.

Thanks,
Mark

--
Mark D. Nagel, CCIE #3177 <[email protected]>
Principal Consultant, Willing Minds LLC (http://www.willingminds.com)
cell: 949-279-5817, desk: 714-495-4001, fax: 714-646-8277

** For faster support response time, please **
email [email protected] or call 714-495-4000

_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
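The following is an added example of the arrangement Risto describes (long Perl code kept in a separate module, with rules calling its functions from `lcall`) combined with the environment-variable export Mark wants for his notification script. It is not code from this thread or from SEC itself. The module name `SecNotify`, the module path `/etc/sec/SecNotify.pm`, the script path `/usr/local/bin/sec-notify`, and the SEC rule fragments in the comments are assumptions; the varmap hash Mark asks for is not available, so the fields are passed explicitly from named captures instead.

```perl
package SecNotify;    # hypothetical module; save as SecNotify.pm where SEC can require it
use strict;
use warnings;

# Copy event fields into environment variables under a fixed prefix.
# Field names are normalised to [A-Z0-9_], so an unexpected field name cannot
# create an arbitrary variable; values are stored verbatim (minus NUL, which
# the environment cannot hold) because they reach the script as data only.
# Returns a hash of the variables set, so callers can log or test them.
sub export_fields {
    my ($prefix, $fields) = @_;
    my %exported;
    for my $name (sort keys %$fields) {
        (my $var = uc $name) =~ s/[^A-Z0-9_]/_/g;
        $var = "${prefix}_$var";
        my $value = defined $fields->{$name} ? "$fields->{$name}" : '';
        $value =~ s/\0//g;
        $ENV{$var} = $value;
        $exported{$var} = $value;
    }
    return \%exported;
}

# Start the notification script with the fields in its environment. system()
# with a list argument execs the program directly, without /bin/sh, so event
# text containing ';', '$(' or backticks is never interpreted as a command.
# Returns 1 on a zero exit status, 0 otherwise.
sub notify {
    my ($script, $prefix, $fields, @args) = @_;
    export_fields($prefix, $fields);
    my $rc = system($script, @args);
    return $rc == 0 ? 1 : 0;
}

# Thin wrapper with positional parameters, which is what lcall passes. With it
# in the module, every rule needs only a one-line lcall instead of repeating a
# near-identical backslash-continued code fragment.
sub notify_event {
    my ($host, $eventid, $message) = @_;
    return notify('/usr/local/bin/sec-notify', 'SEC',   # hypothetical script
        { host => $host, eventid => $eventid, message => $message });
}

# Assumed SEC rules (not from the thread): the first loads the module once at
# startup (needs sec started with --intevents), the second calls it from lcall.
#
#   type=Single
#   ptype=RegExp
#   pattern=SEC_STARTUP
#   context=SEC_INTERNAL_EVENT
#   desc=load SecNotify helper module
#   action=eval %o ( require '/etc/sec/SecNotify.pm'; )
#
#   type=Single
#   ptype=RegExp
#   pattern=Host=(?<host>\S+) EventID=(?<eventid>\d+) Message=(?<msg>.*)
#   desc=notify on event $+{eventid} from $+{host}
#   action=lcall %ret $+{host} $+{eventid} $+{msg} -> ( \&SecNotify::notify_event )

# Stand-alone demonstration (runs when the file is executed, not when it is
# required): a constructed event whose message looks like shell syntax is
# exported and echoed back by a perl one-liner standing in for the
# notification script; it prints the text literally, i.e. '$(' was not expanded.
unless (caller) {
    my $event = {                               # constructed sample event
        host         => 'dc01.example.test',
        eventid      => 4625,
        'Logon Type' => 3,
        message      => 'Logon failure; details in $(HOME)',
    };
    my $vars = export_fields('SEC', $event);
    print "$_=$vars->{$_}\n" for sort keys %$vars;
    notify($^X, 'SEC', $event, '-e', 'print "script saw: $ENV{SEC_MESSAGE}\n"');
}

1;
```

The design point worth keeping even if the module is reshaped: Windows event fields are attacker-influenced text, so they should reach the notification script through the environment and a list-form `system()` (no shell), never by interpolating them into a `shellcmd` string. Normalising the variable names keeps a field called, say, `Logon Type` from producing anything other than `SEC_LOGON_TYPE`.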
