Hi Risto,
many thanks for your response.
The reason for this request depends on the management of a sensor that turns 
on and off.

I find that in the latest version (2.7.4) there is an "if %<var>" action, so I 
developed a conf based on it. Here it is: 

# DOWN empties the counter: dropping the context discards its event store
type=Single
ptype=RegExp
pattern=DOWN
desc=$0
action=delete MY_CONTEXT

# UP adds one event to the store, then %M receives the store size
# and %N becomes true when the size reaches 3
type=Single
ptype=RegExp
pattern=UP
desc=$0
action=add MY_CONTEXT $0; \
       report MY_CONTEXT; \
       getsize %M MY_CONTEXT; \
       eval %N (%M == 3)

# STAT only matches while MY_CONTEXT exists; %N set by the UP rule
# decides whether the message is written to standard output
type=Single
ptype=RegExp
pattern=STAT
context=MY_CONTEXT
desc=$0
action=if %N (write - MY_CONTEXT 3 EVENTS)

What do you think about it? I hope this could be useful for someone else. 

BR. 

Pedro



________________________________
From: Risto Vaarandi <[email protected]>
To: Pedro Serotto <[email protected]> 
CC: "[email protected]" 
<[email protected]> 
Sent: Monday, October 7, 2013 22:59
Subject: Re: [Simple-evcorr-users] Really Really newbie question


hi Pedro,
you have asked a good question since all builtin counters of sec counting rules 
get incremented on matching events. For implementing custom counters that can 
both increase and decrease when different events are observed, it is probably 
best to use perl code snippets in sec rules. Also, quite often event counting 
makes sense within a certain time window (e.g. 60 seconds, 1 day, etc). The two 
rules below use a perl array for memorizing the occurrence times of events, so 
that the counting and thresholding is done for events of the last 60 seconds:

type=single
ptype=substr
pattern=event1
context= -> ( sub { my($t) = time(); push @times, $t; \
                    while ($times[0] < $t - 60) { shift @times; } \
                    return scalar(@times) >= 3; } )
desc=three or more instances of event1 observed
action=write - %s

type=single
ptype=substr
pattern=event2
desc=event2 observed
action=lcall %o -> ( sub { shift @times; } )

Note that since the counting happens within a window of 60 seconds, occurrence 
times of old events need to be dropped when becoming stale (this is done with 
the context expression of the first rule).

However, the above ruleset is producing repeated alerts after the threshold of 
3 has been crossed. In order to avoid this, the rules could be elaborated 
further, creating the context ALERTED that suppresses repeated alerts for 2 
minutes:

type=single
ptype=substr
pattern=event1
context=!ALERTED && -> ( sub { my($t) = time(); push @times, $t; \
                         while ($times[0] < $t - 60) { shift @times; } \
                         return scalar(@times) == 3; } )
desc=three instances of event1 observed
action=write - %s; create ALERTED 120; lcall %o -> ( sub { @times = (); } )

type=single
ptype=substr
pattern=event2
context=!ALERTED
desc=event2 observed
action=lcall %o -> ( sub { shift @times; } )

Hopefully these examples are helpful.

kind regards,
risto

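The two rules above keep their state in a Perl array inside SEC. The following Python model of that logic is an added example, not SEC's own code or Risto's: it replays the same behaviour (push an occurrence time on event1, drop entries older than the 60-second window, pop the oldest on event2, alert once when exactly three remain, then suppress everything for 120 seconds as the ALERTED context does) over a constructed stream of timestamped log lines, so the window and suppression semantics can be checked without running SEC. The names `UpDownCounter`, `feed` and `run` are this example's own.

```python
"""Sliding-window up/down event counter with one-shot alert suppression.

Plain-Python model (added example, not part of the mailing-list post) of the
two SEC rules in the reply above: 'event1' pushes an occurrence time, entries
older than WINDOW seconds are dropped, 'event2' removes the oldest entry, and
an alert fires once when exactly THRESHOLD entries remain, after which an
ALERTED state suppresses both rules for SUPPRESS seconds.
"""
from collections import deque

WINDOW = 60      # seconds of history kept (the "$t - 60" in the context expression)
THRESHOLD = 3    # alert when exactly this many event1 occurrences are in the window
SUPPRESS = 120   # lifetime of the ALERTED context ("create ALERTED 120")


class UpDownCounter:
    def __init__(self, window=WINDOW, threshold=THRESHOLD, suppress=SUPPRESS):
        self.window = window
        self.threshold = threshold
        self.suppress = suppress
        self.times = deque()        # occurrence times of event1, oldest first (@times)
        self.alerted_until = None   # expiry time of the ALERTED context, or None

    def _alerted(self, now):
        # the ALERTED context exists while its lifetime has not passed
        if self.alerted_until is not None and now < self.alerted_until:
            return True
        self.alerted_until = None
        return False

    def _drop_stale(self, now):
        # same loop as "while ($times[0] < $t - 60) { shift @times; }"
        while self.times and self.times[0] < now - self.window:
            self.times.popleft()

    def feed(self, now, line):
        """Process one log line observed at time `now`; return an alert string or None."""
        if self._alerted(now):
            return None   # "context=!ALERTED" fails for both rules
        if "event1" in line:
            self.times.append(now)
            self._drop_stale(now)
            if len(self.times) == self.threshold:
                self.alerted_until = now + self.suppress   # create ALERTED 120
                self.times.clear()                          # @times = ()
                return "three instances of event1 observed"
        elif "event2" in line:
            if self.times:                                  # shift on an empty array is a no-op
                self.times.popleft()
        return None


def run(events, **kw):
    """Feed (timestamp, line) pairs through one counter; return [(time, alert), ...]."""
    counter = UpDownCounter(**kw)
    alerts = []
    for t, line in events:
        alert = counter.feed(t, line)
        if alert:
            alerts.append((t, alert))
    return alerts


# constructed sample stream: (seconds since start, log line)
SAMPLE = [
    (0, "sensor event1"),
    (5, "sensor event1"),
    (10, "sensor event2"),    # decrement: back to 1
    (20, "sensor event1"),    # 2
    (30, "sensor event1"),    # 3 -> alert, ALERTED until t=150, counter reset
    (40, "sensor event1"),    # ignored while ALERTED
    (50, "sensor event1"),
    (60, "sensor event1"),
    (200, "sensor event1"),   # ALERTED has expired; counting restarts at 1
    (270, "sensor event1"),   # t=200 is older than 270-60, so it is dropped: count 1
    (280, "sensor event1"),   # 2
    (290, "sensor event1"),   # 3 -> second alert
]

if __name__ == "__main__":
    for t, alert in run(SAMPLE):
        print(f"t={t}s: {alert}")
```

Running the module prints two alerts, at t=30 and t=290; the three event1 lines between t=40 and t=60 produce nothing because the ALERTED state is still live, which is exactly the repeated-alert problem the second ruleset solves.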



2013/10/7 Pedro Serotto <[email protected]>

>Hi all,
>I think it's easy (i hope) but I don't understand how can I do it.
>
>
>How I can configure sec to do this kind of job:
>
>
>#!/usr/bin/perl
>
>my $counter=0;
>while (<>) {
>    chomp;
>    if ($_ eq "foo") { $counter = $counter + 1; }
>    if ($_ eq "bar") { $counter = $counter - 1; }
>    if ($counter >= 3) { print "send e-mail\n"; }
>}
>
>
>
>Tnx a lot
>
>Pedro
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users