2015-04-06 22:41 GMT+03:00 Leonard Lawton <[email protected]>:
> Hi,
>
> I tried this:
>
> main.conf:
> type=Options
> joincfset=returnfromjumps
> procallin=no
>
> type=Jump
> ptype=RegExp
> pattern=ASA
> cfset=firewall-events
>
> label=returnfromjumpslabel
>
> ...
>
> join.conf
>
> type=Options
> procallin=no
> joincfset=firewall-events
>
> ...
>
> type=Jump
> ptype=RegExp
> pattern=.?
> cfset=returnfromjumps
> continue=goto returnfromjumpslabel
>
> But I get "label returnfromjumpslabel does not exist, assuming
> continue=DontCont" when restarting syslog.
>
...you are seeing this message, since "goto" can be used for moving to a
label within the *same* rule file, but in your case "returnfromjumpslabel"
is in a different file.
regards,
risto
>
> On 04/06/2015 11:35 AM, John P. Rouillard wrote:
> > Hello:
> >
> > In message <[email protected]>,
> > Leonard Lawton writes:
> >> After a jump rule is matched in the "main" sec configuration, but does
> >> not match any rules in the included config where the join-cfset is
> >> located, how can I continue processing that rule in the "main" config?
> > I think this would work:
> >
> > main.conf
> > type = options
> > joincfset = main
> > procallin = yes
> >
> >
> > [...]
> >
> > type = jump
> > [...]
> > cfset = join-cfset
> >
> > label = event_already_seen_by_above_rules
> >
> > join.conf
> >
> > # at end of file
> >
> > type = jump
> > [...]
> > cfset = main
> > continue = GOTO event_already_seen_by_above_rules
> >
> > I.E. make the main config file part of a cf set and make sure all
> > events will go through it. At the end of the join cf set add a jump
> > rule that will jump into the main config file after the rule that
> > redirected event processing to the join.conf file (hence the need for
> > label/goto label).
> >
> > If the jump rule at the end of join.conf is matched, the event wasn't
> > processed/consumed by any of the rules in that file.. Then the label
> > placed just after that rule in the main file will cause the jump to
> > the main cfset to bypass that rule and continue in the main file.
> >
> > A second way to do this would be to use a context on the main jump
> > rule and jump to the main config file from the join.conf file setting
> > a context that stops the main jump rule from matching again. You will
> > need to make sure the context is destroyed when the next event
> > arrives.
> >
> > Now having said this, I claim it is a *very* bad idea to do this. It
> > would be very easy to set up an infinite loop and stop all the
> > analysis. I always set up my rules so that they form a tree (well
> > simple digraph without loops) so I can be sure that any event will
> > always exit the analysis.
> >
> > SEC will not (and really can not) protect you if you set up loops.
> >
> > Good luck and wishing you a loop free ruleset.
> >
> > --
> > -- rouilj
> > John Rouillard
> >
> ===========================================================================
> > My employers don't acknowledge my existence much less my opinions.
> >
> >
> ------------------------------------------------------------------------------
> > BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
> > Develop your own process in accordance with the BPMN 2 standard
> > Learn Process modeling best practices with Bonita BPM through live
> exercises
> > http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual-
> event?utm_
> > source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
> > _______________________________________________
> > Simple-evcorr-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
>
>
> ------------------------------------------------------------------------------
> BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
> Develop your own process in accordance with the BPMN 2 standard
> Learn Process modeling best practices with Bonita BPM through live
> exercises
> http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual-
> event?utm_
> source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
------------------------------------------------------------------------------
BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
Develop your own process in accordance with the BPMN 2 standard
Learn Process modeling best practices with Bonita BPM through live exercises
http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- event?utm_
source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
