Thank you Risto! It's working properly!
I know that I have to update the library but still I can't. I'm trying to
do it.
2016-04-18 20:30 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:
> ...also, if you would like to use rules with if-actions, they are
> supported by sec-2.7.X (the latest major version). Unless you have specific
> restrictions on what versions you can install, I would recommend going with
> sec-2.7.9, which is the latest stable distribution.
> kind regards,
> risto
>
> 2016-04-18 20:41 GMT+03:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>
>> hi Jaren,
>> when looking at the command line options, they have been properly set.
>> However, from the sec debug messages I can see that you are using version
>> 2.6.2. This version is fairly old and does not support the 'if ( )' action.
>> In order to adjust the first rule for version 2.6.2, it should be rewritten
>> as:
>>
>> type=Single
>> ptype=SubStr
>> pattern=SEC_STARTUP
>> context=SEC_INTERNAL_EVENT
>> continue=TakeNext
>> desc=Load the SecModule module and terminate if it is not found
>> action=assign %ret 0; eval %ret (require "SecModule.pm"); eval %o (exit(1) unless %ret)
>>
>> Also, if you would like to test how the fourth rule matches the event in
>> muestra.txt, the event should be rewritten as
>> event for IP 192.168.1.1
>> since otherwise the regular expression of the fourth rule would not
>> produce a match.
>>
>> kind regards,
>> risto
>>
>> 2016-04-18 18:55 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
>>
>>> Hi Risto,
>>>
>>> Thanks for the examples and the explanation, Risto. I understood
>>> everything really quickly! I've tried to execute it and I can find the way to
>>> do it.
>>> Scene-> all the files are in the same folder.
>>>
>>> I created like this:
>>>
>>> ______________________________________________________________________
>>> SecModule.pm
>>> ______________________________________________________________________
>>>
>>> package SecModule;
>>> use strict;
>>> use warnings;
>>> require Exporter;
>>> our @ISA = qw(Exporter);
>>>
>>> our $VERSION = 1.00;
>>> our @EXPORT_OK = qw(build_ip_table %ipaddr);
>>>
>>> our %ipaddr;
>>>
>>> sub build_ip_table {
>>> %ipaddr = ();
>>> $ipaddr{"192.168.1.1"} = 1;
>>> $ipaddr{"10.1.1.1"} = 1;
>>> }
>>>
>>> 1;
>>>
>>>
>>> ___________________________________________________________________________
>>> rules.conf
>>> ___________________________________________________________________________
>>>
>>> type=Single
>>> ptype=SubStr
>>> pattern=SEC_STARTUP
>>> context=SEC_INTERNAL_EVENT
>>> continue=TakeNext
>>> desc=Load the SecModule module and terminate if it is not found
>>> action=eval %ret (require "SecModule.pm"); \
>>> if %ret ( logonly SecModule loaded ) else ( eval %o exit(1) )
>>>
>>>
>>> type=Single
>>> ptype=RegExp
>>> pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
>>> context=SEC_INTERNAL_EVENT
>>> desc=create IP address table
>>> action=lcall %o -> ( sub { SecModule::build_ip_table() } )
>>>
>>>
>>> type=Single
>>> ptype=RegExp
>>> pattern=addIP: ([\d.]+)
>>> desc=add IP address $1 to IP table
>>> action=lcall %o $1 -> ( sub { $SecModule::ipaddr{$_[0]} = 1 } )
>>>
>>> type=Single
>>> ptype=RegExp
>>> pattern=event for IP ([\d.]+)
>>> context=$1 -> ( sub { exists $SecModule::ipaddr{$_[0]} } )
>>> desc=Event received for IP address $1 that is in the IP table
>>> action=write - %s
>>>
>>>
>>> ______________________________________________________________________________
>>> muestra.txt
>>> ______________________________________________________________________________
>>>
>>> 192.168.1.1
>>>
>>>
>>>
>>> I launch sec like this:
>>> perl.exe sec -intevents -fromstart -notail -conf=rules.conf -input=muestra.txt -log=Log.log
>>>
>>> Output:
>>>
>>> Mon Apr 18 17:34:05 2016: Deleting SEC internal context
>>> 'SEC_INTERNAL_EVENT'
>>> Mon Apr 18 17:34:05 2016: Creating SEC internal context
>>> 'SEC_INTERNAL_EVENT'
>>> Mon Apr 18 17:34:05 2016: Creating SEC internal event 'SEC_SHUTDOWN'
>>> Mon Apr 18 17:34:05 2016: Deleting SEC internal context
>>> 'SEC_INTERNAL_EVENT'
>>> Mon Apr 18 17:47:34 2016: SEC (Simple Event Correlator) 2.6.2
>>> Mon Apr 18 17:47:34 2016: Reading configuration from rules.conf
>>> Mon Apr 18 17:47:34 2016: Rule in rules.conf at line 3: Invalid action
>>> 'if %ret ( logonly SecModule loaded ) else ( eval %o exit(1) )'
>>> Mon Apr 18 17:47:34 2016: Rule in rules.conf at line 3: Invalid action
>>> list ' eval %ret (require "SecModule.pm"); if %ret ( logonly
>>> SecModule loaded ) else ( eval %o exit(1) ) '
>>> Mon Apr 18 17:47:34 2016: 3 rules loaded from rules.conf
>>> Mon Apr 18 17:47:34 2016: Opening input file muestra.txt
>>> Mon Apr 18 17:47:34 2016: set the 'inode' to fileID 1460981233 for file
>>> muestra.txt
>>> Mon Apr 18 17:47:34 2016: Stdin connected to terminal, SIGINT can't be
>>> used for changing the logging level
>>> Mon Apr 18 17:47:34 2016: Creating SEC internal context
>>> 'SEC_INTERNAL_EVENT'
>>> Mon Apr 18 17:47:34 2016: Creating SEC internal event 'SEC_STARTUP'
>>> Mon Apr 18 17:47:34 2016: Calling code 'CODE(0x25fe2dc)' and setting
>>> variable '%o'
>>> Mon Apr 18 17:47:34 2016: Code 'CODE(0x25fe2dc)' runtime error:
>>> Undefined subroutine &SecModule::build_ip_table called at (eval 4) line 1.
>>>
>>> Also I did it like this:
>>> perl.exe -c sec -intevents -fromstart -notail -conf=rules.conf -input=muestra.txt -log=Log.log
>>>
>>> Output:
>>>
>>> sec syntax ok
>>>
>>> Should I use execution options? Thank you for your support, Risto!
>>>
>>> Regards.
>>>
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
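The thread's core points are the module-load guard (the 2.6.2-compatible `eval %ret (require "SecModule.pm"); eval %o (exit(1) unless %ret)` form), the `lcall` closures that read and write `%SecModule::ipaddr`, and the fact that a bare `192.168.1.1` line never matches the fourth rule's `event for IP ([\d.]+)` pattern. The following is an added stand-alone Perl script, not code from the thread or from the SEC project, that mirrors those four rules outside of sec so the guard and the two regexes can be exercised directly. The `SecModule` package is copied inline from the thread; the input lines are constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not from the thread): a stand-alone script that mirrors what
# the four SEC rules do, so the module-load guard and the regexes of rules 3
# and 4 can be exercised without running sec itself.
use strict;
use warnings;

# Inline copy of SecModule.pm from the thread, so this file runs on its own.
package SecModule;
our %ipaddr;
sub build_ip_table {
    %ipaddr = ();
    $ipaddr{"192.168.1.1"} = 1;
    $ipaddr{"10.1.1.1"} = 1;
}
# Register the inline package in %INC so that "require" below succeeds,
# exactly as it would if SecModule.pm were a real file on disk.
$INC{"SecModule.pm"} = __FILE__;

package main;

# Rule 1 in its 2.6.2-compatible form: require the module inside eval and
# keep the result in $ret; a missing module leaves $ret false and we exit(1).
my $ret = eval { require "SecModule.pm"; 1 };
if (!$ret) {
    warn "SecModule could not be loaded: $@";
    exit(1);
}

# Rule 2: build the IP table at startup (the lcall closure in the thread).
SecModule::build_ip_table();

# Constructed sample input: the bare line from muestra.txt plus lines that
# actually match rules 3 and 4.
my @lines = (
    "192.168.1.1",                # matches nothing: no 'event for IP' prefix
    "event for IP 192.168.1.1",   # rule 4 matches, IP is already in the table
    "event for IP 172.16.0.5",    # rule 4 pattern matches but context fails
    "addIP: 172.16.0.5",          # rule 3 adds this IP to the table
    "event for IP 172.16.0.5",    # now rule 4 matches as well
);

for my $line (@lines) {
    if ($line =~ /addIP: ([\d.]+)/) {
        # Rule 3: lcall %o $1 -> ( sub { $SecModule::ipaddr{$_[0]} = 1 } )
        $SecModule::ipaddr{$1} = 1;
        print "added $1 to IP table\n";
    } elsif ($line =~ /event for IP ([\d.]+)/) {
        # Rule 4: the context closure decides whether the action runs.
        if (exists $SecModule::ipaddr{$1}) {
            print "$line\n";                 # action=write - %s
        } else {
            print "no match: $1 is not in the IP table\n";
        }
    } else {
        print "no match: '$line'\n";
    }
}
```

Running it shows why the original muestra.txt produced no output from the fourth rule: the first line fails both patterns, while the `event for IP ...` lines pass the pattern and then the context check only for addresses present in `%SecModule::ipaddr`. The `eval { require ... }` guard is the same idea as Risto's rewritten first rule: a failed require dies inside the eval instead of aborting sec, and the false return value is what triggers the `exit(1)`.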