hi Jaren,
I think you have a small typo in your action list -- currently it reads as
action=lcall %o -> ( sub { print Data::Dumper(%SecModule::ip);} )
but when you look into the action more closely, there is only the module
prefix "Data::Dumper" without the function name. Since you probably wanted
to invoke the Dumper() function from Data::Dumper module, the action list
should probably read as:
action=lcall %o -> ( sub { print Data::Dumper::Dumper(%SecModule::ip);} )
Try this modification and see if it works.
kind regards,
risto
2016-04-20 17:58 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
> Hi Risto,
>
> Finally I got it! I can load and search in the hash table, but I'm trying
> to show the hash table with Data::Dumper and I don't know why it's not
> working.
> Is there any difference between loading your own module and the system modules?
>
> rules.conf
> _____________________________________________________________________
>
> type=Single
> ptype=SubStr
> pattern=SEC_STARTUP
> context=SEC_INTERNAL_EVENT
> continue=TakeNext
> desc=Load the Dumper module and terminate if it is not found
> action=assign %ret 0; eval %ret (require Data::Dumper;); eval %o (exit(1)
> unless %ret)
>
> type=Single
> ptype=RegExp
> continue=TakeNext
> pattern=.*getHash.*
> desc=Event received
> action=lcall %o -> ( sub { print Data::Dumper(%SecModule::ip);} )
>
>
> Output:
> Code 'CODE(0x281f2c4)' runtime error: Undefined subroutine &Data::Dumper
>
>
> Thank you! Regards.
>
>
> 2016-04-19 10:48 GMT+02:00 Jaren Peich <burkol...@gmail.com>:
>
>> Thank you, Risto! It's working properly!
>>
>> I know that I have to update the library, but I still can't. I'm trying to
>> do it.
>>
>> 2016-04-18 20:30 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>>
>>> ...also, if you would like to use rules with if-actions, they are
>>> supported by sec-2.7.X (the latest major version). Unless you have specific
>>> restrictions on what versions you can install, I would recommend going with
>>> sec-2.7.9, which is the latest stable distribution.
>>> kind regards,
>>> risto
>>>
>>> 2016-04-18 20:41 GMT+03:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>>>
>>>> hi Jaren,
>>>> when looking at the command line options, they have been properly set.
>>>> However, from the sec debug messages I can see that you are using version
>>>> 2.6.2. This version is fairly old and does not support the 'if ( )' action.
>>>> In order to adjust the first rule for version 2.6.2, it should be rewritten
>>>> as:
>>>>
>>>> type=Single
>>>> ptype=SubStr
>>>> pattern=SEC_STARTUP
>>>> context=SEC_INTERNAL_EVENT
>>>> continue=TakeNext
>>>> desc=Load the SecModule module and terminate if it is not found
>>>> action=assign %ret 0; eval %ret (require "SecModule.pm"); eval %o
>>>> (exit(1) unless %ret)
>>>>
>>>> Also, if you would like to test how the fourth rule matches the event
>>>> in muestra.txt, the event should be rewritten as
>>>> event for IP 192.168.1.1
>>>> since otherwise the regular expression of the fourth rule would not
>>>> produce a match.
>>>>
>>>> kind regards,
>>>> risto
>>>>
>>>>
>>>>
>>>>
>>>> 2016-04-18 18:55 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
>>>>
>>>>> Hi Risto,
>>>>>
>>>>> Thanks for the examples and the explanation, Risto. I understood
>>>>> everything really quickly! I've tried to execute it and I can find the way
>>>>> to do it.
>>>>> Scenario: all the files are in the same folder.
>>>>>
>>>>> I created like this:
>>>>>
>>>>> ______________________________________________________________________
>>>>> SecModule.pm
>>>>> ______________________________________________________________________
>>>>>
>>>>> package SecModule;
>>>>> use strict;
>>>>> use warnings;
>>>>> require Exporter;
>>>>> our @ISA = qw(Exporter);
>>>>>
>>>>> our $VERSION = 1.00;
>>>>> our @EXPORT_OK = qw(build_ip_table %ipaddr);
>>>>>
>>>>> our %ipaddr;
>>>>>
>>>>> sub build_ip_table {
>>>>> %ipaddr = ();
>>>>> $ipaddr{"192.168.1.1"} = 1;
>>>>> $ipaddr{"10.1.1.1"} = 1;
>>>>> }
>>>>>
>>>>> 1;
>>>>>
>>>>>
>>>>> ___________________________________________________________________________
>>>>> rules.conf
>>>>>
>>>>> ___________________________________________________________________________
>>>>>
>>>>> type=Single
>>>>> ptype=SubStr
>>>>> pattern=SEC_STARTUP
>>>>> context=SEC_INTERNAL_EVENT
>>>>> continue=TakeNext
>>>>> desc=Load the SecModule module and terminate if it is not found
>>>>> action=eval %ret (require "SecModule.pm"); \
>>>>> if %ret ( logonly SecModule loaded ) else ( eval %o exit(1) )
>>>>>
>>>>>
>>>>> type=Single
>>>>> ptype=RegExp
>>>>> pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
>>>>> context=SEC_INTERNAL_EVENT
>>>>> desc=create IP address table
>>>>> action=lcall %o -> ( sub { SecModule::build_ip_table() } )
>>>>>
>>>>>
>>>>> type=Single
>>>>> ptype=RegExp
>>>>> pattern=addIP: ([\d.]+)
>>>>> desc=add IP address $1 to IP table
>>>>> action=lcall %o $1 -> ( sub { $SecModule::ipaddr{$_[0]} = 1 } )
>>>>>
>>>>> type=Single
>>>>> ptype=RegExp
>>>>> pattern=event for IP ([\d.]+)
>>>>> context=$1 -> ( sub { exists $SecModule::ipaddr{$_[0]} } )
>>>>> desc=Event received for IP address $1 that is in the IP table
>>>>> action=write - %s
>>>>>
>>>>>
>>>>> ______________________________________________________________________________
>>>>> muestra.txt
>>>>>
>>>>> ______________________________________________________________________________
>>>>>
>>>>> 192.168.1.1
>>>>>
>>>>>
>>>>>
>>>>> I launch sec like this:
>>>>> perl.exe sec -intevents -fromstart -notail -conf=rules.conf
>>>>> -input=muestra.txt -log=Log.log
>>>>>
>>>>> Output:
>>>>>
>>>>> Mon Apr 18 17:34:05 2016: Deleting SEC internal context
>>>>> 'SEC_INTERNAL_EVENT'
>>>>> Mon Apr 18 17:34:05 2016: Creating SEC internal context
>>>>> 'SEC_INTERNAL_EVENT'
>>>>> Mon Apr 18 17:34:05 2016: Creating SEC internal event 'SEC_SHUTDOWN'
>>>>> Mon Apr 18 17:34:05 2016: Deleting SEC internal context
>>>>> 'SEC_INTERNAL_EVENT'
>>>>> Mon Apr 18 17:47:34 2016: SEC (Simple Event Correlator) 2.6.2
>>>>> Mon Apr 18 17:47:34 2016: Reading configuration from rules.conf
>>>>> Mon Apr 18 17:47:34 2016: Rule in rules.conf at line 3: Invalid action
>>>>> 'if %ret ( logonly SecModule loaded ) else ( eval %o exit(1) )'
>>>>> Mon Apr 18 17:47:34 2016: Rule in rules.conf at line 3: Invalid action
>>>>> list ' eval %ret (require "SecModule.pm"); if %ret ( logonly
>>>>> SecModule loaded ) else ( eval %o exit(1) ) '
>>>>> Mon Apr 18 17:47:34 2016: 3 rules loaded from rules.conf
>>>>> Mon Apr 18 17:47:34 2016: Opening input file muestra.txt
>>>>> Mon Apr 18 17:47:34 2016: set the 'inode' to fileID 1460981233 for
>>>>> file muestra.txt
>>>>> Mon Apr 18 17:47:34 2016: Stdin connected to terminal, SIGINT can't be
>>>>> used for changing the logging level
>>>>> Mon Apr 18 17:47:34 2016: Creating SEC internal context
>>>>> 'SEC_INTERNAL_EVENT'
>>>>> Mon Apr 18 17:47:34 2016: Creating SEC internal event 'SEC_STARTUP'
>>>>> Mon Apr 18 17:47:34 2016: Calling code 'CODE(0x25fe2dc)' and setting
>>>>> variable '%o'
>>>>> Mon Apr 18 17:47:34 2016: Code 'CODE(0x25fe2dc)' runtime error:
>>>>> Undefined subroutine &SecModule::build_ip_table called at (eval 4) line 1.
>>>>>
>>>>> Also I did it like this:
>>>>> perl.exe -c sec -intevents -fromstart -notail -conf=rules.conf
>>>>> -input=muestra.txt -log=Log.log
>>>>>
>>>>> Output:
>>>>>
>>>>> sec syntax ok
>>>>>
>>>>> Should I use execution options? Thank you for your support, Risto!
>>>>>
>>>>> Regards.
>>>>>
>>>>>
>>>>>
>>>
>>
>
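Putting the pieces of this thread together, here is a stand-alone Perl script (an added example, not code from Risto, Jaren or the SEC project) that shows the pattern being discussed: a module holding an IP lookup table, loaded with require (which imports nothing), and its contents printed through the fully qualified Data::Dumper::Dumper() call. SecModule is inlined so the script runs from a single file; the add_ip() and ip_known() helpers and the 172.16.0.5 entry are my own additions and not part of the module in the thread.

```perl
#!/usr/bin/perl
# Added example (not from the thread): a module that keeps an IP lookup
# table, loaded at run time with require, and dumped with the fully
# qualified Data::Dumper::Dumper() call.
use strict;
use warnings;

# --- SecModule, inlined so the script runs from one file ---
# (in the thread it lives in SecModule.pm next to rules.conf)
package SecModule;

our %ipaddr;    # the lookup table; SEC rules reach it as %SecModule::ipaddr

sub build_ip_table {
    %ipaddr = ();
    $ipaddr{"192.168.1.1"} = 1;    # constructed sample entries
    $ipaddr{"10.1.1.1"}    = 1;
    return scalar keys %ipaddr;
}

# hypothetical helper: add one address, accepting only dotted-quad input
# (mirrors the ([\d.]+) capture in the addIP rule, but stricter)
sub add_ip {
    my ($ip) = @_;
    return 0 unless defined $ip && $ip =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
    $ipaddr{$ip} = 1;
    return 1;
}

# hypothetical helper: the membership test the fourth rule's context does
sub ip_known {
    my ($ip) = @_;
    return exists $ipaddr{$ip} ? 1 : 0;
}

package main;

# require loads the module at run time without importing anything, just as
# 'eval %ret (require Data::Dumper;)' does in the SEC startup rule.  Because
# nothing is imported, the function must be called by its full name.
my $loaded = eval { require Data::Dumper; 1 };
die "Data::Dumper not available: $@" unless $loaded;

SecModule::build_ip_table();
SecModule::add_ip("172.16.0.5");    # accepted
SecModule::add_ip("not an ip");     # rejected, table unchanged

# Dump the table.  Passing a reference (\%SecModule::ipaddr) makes Dumper
# print one nested structure; passing the hash itself (%SecModule::ipaddr)
# flattens it into a key/value list and prints each element as its own $VARn.
$Data::Dumper::Sortkeys = 1;        # deterministic key order
print Data::Dumper::Dumper(\%SecModule::ipaddr);

for my $ip ("192.168.1.1", "8.8.8.8") {
    printf "%-15s %s\n", $ip,
        SecModule::ip_known($ip) ? "in table" : "not in table";
}
```

The equivalent SEC action for the dump would be action=lcall %o -> ( sub { print Data::Dumper::Dumper(\%SecModule::ipaddr); } ), with the hash name matching whatever the module actually declares. One caveat for the require "SecModule.pm" form used in the startup rule: the file is searched for via @INC, and Perl 5.26 and later no longer include the current directory there, so on a newer Perl the module must be made reachable with -I or PERL5LIB (or an absolute path) rather than relying on it sitting next to rules.conf.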
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users