Hi Risto,

Thanks for the examples and the explanation, Risto. I understood everything
really quickly! I've tried to execute it, but I can't find the way to do it.
Scenario -> all the files are in the same folder.

I created them like this:

______________________________________________________________________
SecModule.pm
______________________________________________________________________

package SecModule;
use strict;
use warnings;
require Exporter;
our @ISA = qw(Exporter);

our $VERSION = 1.00;
our @EXPORT_OK = qw(build_ip_table %ipaddr);

our %ipaddr;

sub build_ip_table {
  %ipaddr = ();
  $ipaddr{"192.168.1.1"} = 1;
  $ipaddr{"10.1.1.1"} = 1;
}

1;

___________________________________________________________________________
rules.conf
___________________________________________________________________________

type=Single
ptype=SubStr
pattern=SEC_STARTUP
context=SEC_INTERNAL_EVENT
continue=TakeNext
desc=Load the SecModule module and terminate if it is not found
action=eval %ret (require "SecModule.pm"); \
       if %ret ( logonly SecModule loaded ) else ( eval %o exit(1) )


type=Single
ptype=RegExp
pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
context=SEC_INTERNAL_EVENT
desc=create IP address table
action=lcall %o -> ( sub { SecModule::build_ip_table() } )


type=Single
ptype=RegExp
pattern=addIP: ([\d.]+)
desc=add IP address $1 to IP table
action=lcall %o $1 -> ( sub { $SecModule::ipaddr{$_[0]} = 1 } )

type=Single
ptype=RegExp
pattern=event for IP ([\d.]+)
context=$1 -> ( sub { exists $SecModule::ipaddr{$_[0]} } )
desc=Event received for IP address $1 that is in the IP table
action=write - %s

______________________________________________________________________________
muestra.txt
______________________________________________________________________________

192.168.1.1



I launch sec like this:
perl.exe sec -intevents -fromstart -notail -conf=rules.conf -input=muestra.txt -log=Log.log

Output:

Mon Apr 18 17:34:05 2016: Deleting SEC internal context 'SEC_INTERNAL_EVENT'
Mon Apr 18 17:34:05 2016: Creating SEC internal context 'SEC_INTERNAL_EVENT'
Mon Apr 18 17:34:05 2016: Creating SEC internal event 'SEC_SHUTDOWN'
Mon Apr 18 17:34:05 2016: Deleting SEC internal context 'SEC_INTERNAL_EVENT'
Mon Apr 18 17:47:34 2016: SEC (Simple Event Correlator) 2.6.2
Mon Apr 18 17:47:34 2016: Reading configuration from rules.conf
Mon Apr 18 17:47:34 2016: Rule in rules.conf at line 3: Invalid action 'if %ret ( logonly SecModule loaded ) else ( eval %o exit(1) )'
Mon Apr 18 17:47:34 2016: Rule in rules.conf at line 3: Invalid action list ' eval %ret (require "SecModule.pm");        if %ret ( logonly SecModule loaded ) else ( eval %o exit(1) ) '
Mon Apr 18 17:47:34 2016: 3 rules loaded from rules.conf
Mon Apr 18 17:47:34 2016: Opening input file muestra.txt
Mon Apr 18 17:47:34 2016: set the 'inode' to fileID 1460981233 for file muestra.txt
Mon Apr 18 17:47:34 2016: Stdin connected to terminal, SIGINT can't be used for changing the logging level
Mon Apr 18 17:47:34 2016: Creating SEC internal context 'SEC_INTERNAL_EVENT'
Mon Apr 18 17:47:34 2016: Creating SEC internal event 'SEC_STARTUP'
Mon Apr 18 17:47:34 2016: Calling code 'CODE(0x25fe2dc)' and setting variable '%o'
Mon Apr 18 17:47:34 2016: Code 'CODE(0x25fe2dc)' runtime error: Undefined subroutine &SecModule::build_ip_table called at (eval 4) line 1.

I also tried this:
perl.exe -c sec -intevents -fromstart -notail -conf=rules.conf -input=muestra.txt -log=Log.log

Output:

sec syntax ok

Should I use execution options? Thank you for your support, Risto!

Regards.

2016-04-16 21:23 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:

> hi Jaren,
> since the scheme you have seems to be a bit more complex, it is likely
> that you would need to have several longer Perl functions to create and
> modify a number of data structures. Therefore, I would recommend setting up
> a Perl module which contains all your custom code. Defining longer Perl
> code within sec rules might become cumbersome, and factoring the code out
> into a separate module is definitely a cleaner approach.
>
> As for the performance of custom Perl code (be it defined entirely within
> sec rules or in a separate module), the code is compiled when sec starts
> up, and therefore runs as fast as sec itself. If you would like to measure
> its performance, you can easily instrument your code. Here I would
> recommend to look into dedicated Perl modules which offer such
> functionality, for example http://perldoc.perl.org/Benchmark.html.
>
> Below you can find a simple example of a Perl module that contains some
> code for sec:
>
> ### The content of the /home/risto/SecModule.pm
> ### this module exports the build_ip_table() function and the %ipaddr hash
> ### table
> package SecModule;
> use strict;
> use warnings;
> require Exporter;
> our @ISA = qw(Exporter);
>
> our $VERSION = 1.00;
> our @EXPORT_OK = qw(build_ip_table %ipaddr);
>
> our %ipaddr;
>
> sub build_ip_table {
>   %ipaddr = ();
>   $ipaddr{"192.168.1.1"} = 1;
>   $ipaddr{"10.1.1.1"} = 1;
> }
>
> 1;
> ### end of the module
>
> And here are example sec rules which harness this code:
>
> # This rule attempts to load the SecModule module when sec starts,
> # and calls exit(1) if the module is not found
> type=Single
> ptype=SubStr
> pattern=SEC_STARTUP
> context=SEC_INTERNAL_EVENT
> continue=TakeNext
> desc=Load the SecModule module and terminate if it is not found
> action=eval %ret (require "/home/risto/SecModule.pm"); \
>        if %ret ( logonly SecModule loaded ) else ( eval %o exit(1) )
>
> # initialize the %ipaddr hash table at sec startup, on the reception
> # of SIGHUP signal, or on the reception of SIGABRT signal
> type=Single
> ptype=RegExp
> pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
> context=SEC_INTERNAL_EVENT
> desc=create IP address table
> action=lcall %o -> ( sub { SecModule::build_ip_table() } )
>
> # add the IP address to the %ipaddr hash table if the string
> # "addIP: <ipaddress>" is seen in input
> type=Single
> ptype=RegExp
> pattern=addIP: ([\d.]+)
> desc=add IP address $1 to IP table
> action=lcall %o $1 -> ( sub { $SecModule::ipaddr{$_[0]} = 1 } )
>
> # when a string "event for IP <ipaddress>" is seen in input and
> # the IP address appears in the %ipaddr hash table, write
> # a notification to standard output
> type=Single
> ptype=RegExp
> pattern=event for IP ([\d.]+)
> context=$1 -> ( sub { exists $SecModule::ipaddr{$_[0]} } )
> desc=Event received for IP address $1 that is in the IP table
> action=write - %s
>
> The first rule loads the SecModule.pm module, while the second rule
> employs the build_ip_table() function from this module for initializing the
> %ipaddr hash table. Initializing means deleting all previous content from
> the hash table, and creating two entries 192.168.1.1 and 10.1.1.1. Since
> the SecModule.pm imports the %ipaddr hash table, it can be directly
> accessed from sec rules, and the third and fourth rule illustrate this. The
> third rule adds a new IP address entry into the %ipaddr hash table, while
> the fourth rule produces a notification for an input event if its IP
> address is found in the hash table.
>
> Hopefully this example illustrates how to create and harness a Perl module
> from sec, and how to define interfaces between sec and external module.
> Also, if you are interested in more detailed information about modules,
> have a look into Perl official documentation:
> http://perldoc.perl.org/perlmod.html
>
> kind regards,
> risto
>
>
>
>
> 2016-04-15 16:06 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
>
>> Hi,
>>
>> The idea that you gave me is good, but I have several files.
>> I made a diagram of the scenario that I have. I don't know which option is
>> the best to reach the goal, or the best for system performance. Another doubt
>> that I have: is there something to analyze the performance of the sec library?
>>
>> [image: inline image 1]
>>
>> Thank you! Regards.
>>
>>
>> ---------- Forwarded message ----------
>> From: Risto Vaarandi <risto.vaara...@gmail.com>
>> Date: 2016-04-14 18:42 GMT+02:00
>> Subject: Re: Create and load library with SEC
>> To: Jaren Peich <burkol...@gmail.com>,
>> simple-evcorr-users@lists.sourceforge.net
>>
>>
>> hi Jaren,
>> if you would like to load a list of interesting URLs from an external
>> file into memory and use this information for matching incoming events,
>> this can be indeed done with a Perl hash that holds the data. Here is a
>> simple example which illustrates this concept.
>>
>> Suppose you have a url file called /etc/sec/url.txt which contains the
>> following lines:
>>
>> http://www.example.com
>> http://www.mydomain
>>
>> Also suppose you have the following two rules:
>>
>> type=Single
>> ptype=RegExp
>> pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
>> context=SEC_INTERNAL_EVENT
>> desc=Initialize the %url hash table
>> action=lcall %o -> ( sub { if (!open(URL, "/etc/sec/url.txt")) { return; } \
>>                      my(@url) = <URL>; chomp(@url); close(URL); \
>>                      %url = map { $_ => 1 } @url; } )
>>
>> type=Single
>> ptype=RegExp
>> pattern=URL (\S+) was accessed
>> context=$1 -> ( sub { exists $url{$_[0]} } )
>> desc=Check if URL $1 is interesting
>> action=write - Interesting URL $1 has been observed
>>
>> The first rule loads the content of the url file into memory, so that
>> each url becomes a key in the Perl hash table %url. The content of the url
>> file is loaded when sec starts up, or receives either a HUP or ABRT signal
>> (these signals are used for doing a full restart and soft restart of sec).
>>
>> The second rule matches any line which has the format URL <url> was
>> accessed. The url part is extracted from the line, and the context
>> expression
>> $1 -> ( sub { exists $url{$_[0]} } )
>> looks up the %url hash table for the presence of this url. If the url is
>> found in the table, the context expression evaluates true, and the event
>> matches the rule.
>>
>> When you start up sec with the command line
>> sec --conf=hash-example.sec --intevents --input=-
>>
>> and type in the following line
>> URL http://www.example.com was accessed
>>
>> the string "Interesting URL http://www.example.com has been observed" is
>> echoed to standard output.
>>
>> Hopefully this example is helpful,
>> risto
>>
>>
>>
>> 2016-04-14 11:32 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
>>
>>> Hi,
>>>
>>> The main problem is that I have to parse URLs from some logs against various
>>> txt files. I want to load them into a hash table at the beginning and then use it
>>> throughout various sec rule files. I thought of creating a "module" which loads
>>> the lists in memory, and then use only variables to access it, pointing to the
>>> files.
>>>
>>> Thank you. Regards.
>>>
>>>
>>> 2016-04-11 17:39 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>>>
>>>> hi Jaren,
>>>> if you want to have variables which are set during run time and which
>>>> have the global scope across all rule files, you can harness sec action
>>>> list variables for this purpose. For example, suppose you have the
>>>> following two rule files test-a.rules and test-b.rules:
>>>>
>>>> # test-a.rules
>>>> #
>>>> type=Single
>>>> ptype=RegExp
>>>> pattern=test1: (\S+)
>>>> desc=set action list variable mytest
>>>> action=assign %mytest $1
>>>>
>>>> # test-b.rules
>>>> #
>>>> type=Single
>>>> ptype=SubStr
>>>> pattern=test2
>>>> desc=echo action list variable mytest
>>>> action=write - %mytest
>>>>
>>>> Also, suppose sec is started with the command line:
>>>> sec --conf=test-*.rules --input=-
>>>> and gets all its input events from standard input.
>>>>
>>>> If a line "test1: myvalue" is typed in, this event will set action list
>>>> variable %mytest to "myvalue", while typing in "test2" will print the
>>>> current value of %mytest.
>>>>
>>>> I am not sure if action list variables help you to accomplish the thing
>>>> you want to do, but hopefully the above simplistic example helps to clarify
>>>> how they could be harnessed.
>>>>
>>>> However, action list variables can be set and accessed only during
>>>> runtime. If you are looking for macros that would be evaluated during rule
>>>> file parsing phase, there is currently no support for this in sec itself,
>>>> but you have to rely on external packages (like m4).
>>>>
>>>> kind regards,
>>>> risto
>>>>
>>>>
>>>> 2016-04-11 12:37 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
>>>>
>>>>> In addition: is it possible to create global variables for all sec files?
>>>>>
>>>>>
>>>>> Thank you. Regards.
>>>>>
>>>>> 2016-04-11 11:35 GMT+02:00 Jaren Peich <burkol...@gmail.com>:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have to read some files from specific text files in some sec alert
>>>>>> files, and I want to create a library which loads these files into a Perl hash
>>>>>> table or an array. I also want to create in this library methods to read or
>>>>>> search strings from the loaded files, or to create a tag that points to the
>>>>>> content of the files, to be used in all of the sec files. Is it possible to do
>>>>>> this? I'm quite lost.
>>>>>>
>>>>>>
>>>>>> Thanks for your help. Regards.
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>>
>
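The following is an added example, not code from the thread or from the sec project, that combines the two earlier answers: Risto's SecModule.pm skeleton and his rule that reads /etc/sec/url.txt into a hash. The module loads list files into the shared %ipaddr and %url tables, reports a missing file through sec's log instead of silently matching nothing, and exposes lookup helpers so that context expressions stay one-liners. The paths /etc/sec/SecModule.pm, /etc/sec/ips.txt and /etc/sec/url.txt, and the functions load_table, build_url_table, ip_known and url_known are assumptions for the illustration. One caveat worth knowing: a bare require "SecModule.pm" is resolved through Perl's @INC, not the directory sec was launched from, and Perl 5.26 and later no longer put the current directory in @INC by default, so the absolute path used in Risto's rule (or a use lib line) is the predictable choice.

```perl
# SecModule.pm -- added example, not code from the thread (assumed path /etc/sec/SecModule.pm)
package SecModule;
use strict;
use warnings;
use Exporter qw(import);

our $VERSION   = '1.01';
our @EXPORT_OK = qw(load_table build_ip_table build_url_table ip_known url_known %ipaddr %url);

# Hash tables shared with sec rules (keys are the list entries, values are 1).
our %ipaddr;
our %url;

# load_table($path, \%table): read one entry per line from $path into %table.
# Blank lines and '#' comments are skipped and surrounding whitespace trimmed.
# Returns the number of entries read, or undef (after a warning that ends up
# in sec's log) when the file cannot be opened.
sub load_table {
    my ($path, $table) = @_;
    open(my $fh, '<', $path) or do {
        warn "SecModule: cannot open $path: $!\n";
        return;
    };
    my $count = 0;
    while (my $line = <$fh>) {
        chomp $line;
        $line =~ s/^\s+|\s+$//g;
        next if $line eq '' || $line =~ /^#/;
        $table->{$line} = 1;
        $count++;
    }
    close($fh);
    return $count;
}

# build_ip_table([$path]): reset %ipaddr to the two entries from the thread's
# example, then merge the optional list file. Returns the table size.
sub build_ip_table {
    my ($path) = @_;
    %ipaddr = ('192.168.1.1' => 1, '10.1.1.1' => 1);
    load_table($path, \%ipaddr) if defined $path;
    return scalar keys %ipaddr;
}

# build_url_table($path): reset %url and load it from the list file.
sub build_url_table {
    my ($path) = @_;
    %url = ();
    load_table($path, \%url);
    return scalar keys %url;
}

# Lookup helpers for sec context expressions; return 1 or 0.
sub ip_known  { return exists $ipaddr{ $_[0] } ? 1 : 0; }
sub url_known { return exists $url{ $_[0] }    ? 1 : 0; }

1;

__END__

Rules that use the module (assumed absolute paths; adjust to your layout):

  type=Single
  ptype=RegExp
  pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
  context=SEC_INTERNAL_EVENT
  desc=load SecModule and (re)build the lookup tables
  action=eval %ret (require "/etc/sec/SecModule.pm"); \
         lcall %o -> ( sub { SecModule::build_ip_table("/etc/sec/ips.txt") } ); \
         lcall %o -> ( sub { SecModule::build_url_table("/etc/sec/url.txt") } )

  type=Single
  ptype=RegExp
  pattern=event for IP ([\d.]+)
  context=$1 -> ( sub { SecModule::ip_known($_[0]) } )
  desc=Event received for IP address $1 that is in the IP table
  action=write - %s

Check the module outside sec before wiring it into rules:

  perl -c /etc/sec/SecModule.pm
  perl -I/etc/sec -MSecModule -e 'print SecModule::build_ip_table("/etc/sec/ips.txt"), "\n"'
```

Running the two perl commands at the end first separates a module problem (syntax error, wrong path, unreadable list file) from a rule-file problem; in the thread's output the "Undefined subroutine &SecModule::build_ip_table" error follows directly from the first rule being rejected, so the require never ran.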
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
