By default, sec jumps to the end of the input file when it is started, and
will apply the rules to lines which will be appended to the file. If you
would like to match the rules against all existing lines before the 'tail'
mode is entered, use the --fromstart command line option.
BR,
risto
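As an added illustration (not SEC's own code, and not from this thread), a small Python emulation of the rule quoted below shows why the three lines already in sample.txt produce no output in the default tail mode but do match once --fromstart is given; the APPENDED line is a constructed example of data written after start-up.

```python
import re

# Constructed copies of the rule file and the sample input from the thread.
CONF = r"""type=Single
ptype=RegExp
pattern=foo\s+(\S+)
desc=$0
action=logonly
"""
EXISTING = ["foo bar", "bar foo bar", "baz foo barz"]  # already in sample.txt at start-up
APPENDED = ["later foo qux"]                           # constructed: written after start-up

def parse_rule(text):
    """Parse one key=value rule block (subset: type=Single, ptype=RegExp)."""
    rule = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    if rule.get("type") != "Single" or rule.get("ptype") != "RegExp":
        raise ValueError("this emulation only handles Single/RegExp rules")
    rule["regex"] = re.compile(rule["pattern"])
    return rule

def expand_desc(desc, match):
    """Substitute $0 (whole match) and $N (capture groups) as SEC's desc field does."""
    def group(m):
        try:
            return match.group(int(m.group(1))) or ""
        except IndexError:          # group number beyond what the pattern captured
            return ""
    return re.sub(r"\$(\d+)", group, desc)

def run(rule, existing, appended, fromstart=False):
    """Emulate SEC's input handling: by default only lines appended after
    start-up are examined; with --fromstart the existing lines come first."""
    lines = (existing if fromstart else []) + appended
    out = []
    for line in lines:
        m = rule["regex"].search(line)
        if m:
            out.append(expand_desc(rule["desc"], m))  # action=logonly: log the desc
    return out

if __name__ == "__main__":
    rule = parse_rule(CONF)
    print("default  :", run(rule, EXISTING, APPENDED))
    print("fromstart:", run(rule, EXISTING, APPENDED, fromstart=True))
```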
2013/10/26 Rolf Nufable <[email protected]>
> Thanks for the tips, sir!
>
> but can sec get input from a simple text file?
>
> my sample text file has these words
>
> foo bar
> bar foo bar
> baz foo barz
>
> and my conf file is this one
>
> type=Single
> ptype=RegExp
> pattern=foo\s+(\S+)
> desc=$0
> action=logonly
>
> and this is how I run it in the terminal,
> (the config file and the text file are located in my desktop)
>
> perl sec.pl -conf=/home/rolf/Desktop/example.conf -input=/home/rolf/Desktop/sample.txt
>
> but there are no outputs, and I'm really confused on what's wrong. Please
> help me :|
>
>
> On Saturday, October 26, 2013 2:28 AM, Risto Vaarandi <[email protected]> wrote:
> Rolf, that is possible since SEC can use any text file as input.
> If barnyard outputs events in multiline format with your setup, you can
> take advantage of multi-line match features of SEC (regexpN patterns with
> --nojointbuf command line option). If you are creating output events with
> barnyard's alert_syslog or syslog_full plugins, you have single-line events
> and don't need to bother with multiline matching.
> kind regards,
> risto
>
>
> 2013/10/25 Rolf Nufable <[email protected]>
>
>
> Hi! One question:
>
> is there a way for sec to read from a text file and use its configured
> rules to correlate the data inside the text file?
>
> (I'm using snort to scan network traffic and use barnyard to parse them and
> output them to a text file)..
>
> suggestions are much appreciated :)
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users