hi Pedro,
you have asked a good question since all builtin counters of sec counting
rules get incremented on matching events. For implementing custom counters
that can both increase and decrease when different events are observed, it
is probably best to use perl code snippets in sec rules. Also, quite often
event counting makes sense within a certain time window (e.g. 60 seconds, 1
day, etc). The two rules below use a perl array for memorizing the
occurrence times of events, so that the counting and thresholding are done
for events of the last 60 seconds:

type=single
ptype=substr
pattern=event1
context= -> ( sub { my($t) = time(); push @times, $t; \
                    while ($times[0] < $t - 60) { shift @times; } \
                    return scalar(@times) >= 3; } )
desc=three or more instances of event1 observed
action=write - %s

type=single
ptype=substr
pattern=event2
desc=event2 observed
action=lcall %o -> ( sub { shift @times; } )

Note that since the counting happens within a window of 60 seconds,
occurrence times of old events need to be dropped when becoming stale (this
is done with the context expression of the first rule).

However, the above ruleset is producing repeated alerts after the threshold
of 3 has been crossed. In order to avoid this, the rules could be
elaborated further, creating the context ALERTED that suppresses repeated
alerts for 2 minutes:

type=single
ptype=substr
pattern=event1
context=!ALERTED && -> ( sub { my($t) = time(); push @times, $t; \
                         while ($times[0] < $t - 60) { shift @times; } \
                         return scalar(@times) == 3; } )
desc=three instances of event1 observed
action=write - %s; create ALERTED 120; lcall %o -> ( sub { @times = (); } )

type=single
ptype=substr
pattern=event2
context=!ALERTED
desc=event2 observed
action=lcall %o -> ( sub { shift @times; } )

Hopefully these examples are helpful.

kind regards,
risto


2013/10/7 Pedro Serotto <[email protected]>

> Hi all,
> I think it's easy (I hope) but I don't understand how I can do it.
>
> How can I configure sec to do this kind of job:
>
> #!/usr/bin/perl
>
> my $counter = 0;
> while (<>) {
>     chomp;
>     if ($_ eq "foo") { $counter = $counter + 1; }
>     if ($_ eq "bar") { $counter = $counter - 1; }
>     if ($counter >= 3) { print "send e-mail \n"; }
> }
>
> Tnx a lot
>
> Pedro
>
>
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users