Hi Risto,

I'm trying to locate the .pm file in another folder. I tried Windows and
Linux paths, with and without escaping. Does it have to be in the same folder
as the rules?

type=Single
ptype=SubStr
pattern=SEC_STARTUP
context=SEC_INTERNAL_EVENT
continue=TakeNext
desc=Load the SecModule module and terminate if it is not found
action=assign %ret 0; eval %ret (require "SecModule.pm"); eval %o (exit(1) unless %ret)

Regards.

2016-04-20 17:14 GMT+02:00 Jaren Peich <burkol...@gmail.com>:

> Thanks Risto!!! :) It's working properly. I'm a newbie at programming in Perl
> and I'm getting used to it. Hehehe.
>
> Have a nice evening.
>
> 2016-04-20 17:05 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>
>> hi Jaren,
>> I think you have a small typo in your action list -- currently it reads as
>>
>> action=lcall %o -> ( sub { print Data::Dumper(%SecModule::ip);} )
>>
>> but when you look into the action more closely, there is only the module
>> prefix "Data::Dumper" without the function name. Since you probably wanted
>> to invoke the Dumper() function from Data::Dumper module, the action list
>> should probably read as:
>>
>> action=lcall %o -> ( sub { print Data::Dumper::Dumper(%SecModule::ip);} )
>>
>> Try this modification and see if it works.
>>
>> kind regards,
>> risto
>>
>>
>> 2016-04-20 17:58 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
>>
>>> Hi Risto,
>>>
>>> Finally I got it! I can load and search in the hash table, but I'm trying
>>> to show the hash table with Data::Dumper and I don't know why it's not
>>> working.
>>> Are there any differences between loading your own module and the system modules?
>>>
>>> rules.conf
>>> _____________________________________________________________________
>>>
>>> type=Single
>>> ptype=SubStr
>>> pattern=SEC_STARTUP
>>> context=SEC_INTERNAL_EVENT
>>> continue=TakeNext
>>> desc=Load the Dumper module and terminate if it is not found
>>> action=assign %ret 0; eval %ret (require Data::Dumper;); eval %o (exit(1) unless %ret)
>>>
>>> type=Single
>>> ptype=RegExp
>>> continue=TakeNext
>>> pattern=.*getHash.*
>>> desc=Event received
>>> action=lcall %o -> ( sub { print Data::Dumper(%SecModule::ip);} )
>>>
>>>
>>> Output:
>>> Code 'CODE(0x281f2c4)' runtime error: Undefined subroutine &Data::Dumper
>>>
>>>
>>> Thank you! Regards.
>>>
>>>
>>> 2016-04-19 10:48 GMT+02:00 Jaren Peich <burkol...@gmail.com>:
>>>
>>>> Thank you Risto! It's working properly!
>>>>
>>>> I know that I have to update the library, but I still can't. I'm trying
>>>> to do it.
>>>>
>>>> 2016-04-18 20:30 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>>>>
>>>>> ...also, if you would like to use rules with if-actions, they are
>>>>> supported by sec-2.7.X (the latest major version). Unless you have
>>>>> specific restrictions on which versions you can install, I would
>>>>> recommend going with sec-2.7.9, which is the latest stable distribution.
>>>>> kind regards,
>>>>> risto
>>>>>
>>>>> 2016-04-18 20:41 GMT+03:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>>>>>
>>>>>> hi Jaren,
>>>>>> when looking at the command line options, they have been properly
>>>>>> set. However, from the sec debug messages I can see that you are using
>>>>>> version 2.6.2. This version is fairly old and does not support the
>>>>>> 'if ( )' action. In order to adjust the first rule for version 2.6.2,
>>>>>> it should be rewritten as:
>>>>>>
>>>>>> type=Single
>>>>>> ptype=SubStr
>>>>>> pattern=SEC_STARTUP
>>>>>> context=SEC_INTERNAL_EVENT
>>>>>> continue=TakeNext
>>>>>> desc=Load the SecModule module and terminate if it is not found
>>>>>> action=assign %ret 0; eval %ret (require "SecModule.pm"); eval %o (exit(1) unless %ret)
>>>>>>
>>>>>> Also, if you would like to test how the fourth rule matches the event
>>>>>> in muestra.txt, the event should be rewritten as
>>>>>> event for IP 192.168.1.1
>>>>>> since otherwise the regular expression of the fourth rule would not
>>>>>> produce a match.
>>>>>>
>>>>>> kind regards,
>>>>>> risto
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> 2016-04-18 18:55 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
>>>>>>
>>>>>>> Hi Risto,
>>>>>>>
>>>>>>> Thanks for the examples and the explanation, Risto. I understood
>>>>>>> everything really quickly!!! I've tried to execute it and I can find
>>>>>>> the way to do it.
>>>>>>> Scene -> all the files are in the same folder.
>>>>>>>
>>>>>>> I created them like this:
>>>>>>>
>>>>>>>
>>>>>>> ______________________________________________________________________
>>>>>>> SecModule.pm
>>>>>>>
>>>>>>> ______________________________________________________________________
>>>>>>>
>>>>>>> package SecModule;
>>>>>>> use strict;
>>>>>>> use warnings;
>>>>>>> require Exporter;
>>>>>>> our @ISA = qw(Exporter);
>>>>>>>
>>>>>>> our $VERSION = 1.00;
>>>>>>> our @EXPORT_OK = qw(build_ip_table %ipaddr);
>>>>>>>
>>>>>>> our %ipaddr;
>>>>>>>
>>>>>>> sub build_ip_table {
>>>>>>>   %ipaddr = ();
>>>>>>>   $ipaddr{"192.168.1.1"} = 1;
>>>>>>>   $ipaddr{"10.1.1.1"} = 1;
>>>>>>> }
>>>>>>>
>>>>>>> 1;
>>>>>>>
>>>>>>>
>>>>>>> ___________________________________________________________________________
>>>>>>> rules.conf
>>>>>>>
>>>>>>> ___________________________________________________________________________
>>>>>>>
>>>>>>> type=Single
>>>>>>> ptype=SubStr
>>>>>>> pattern=SEC_STARTUP
>>>>>>> context=SEC_INTERNAL_EVENT
>>>>>>> continue=TakeNext
>>>>>>> desc=Load the SecModule module and terminate if it is not found
>>>>>>> action=eval %ret (require "SecModule.pm"); \
>>>>>>>        if %ret ( logonly SecModule loaded ) else ( eval %o exit(1) )
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> type=Single
>>>>>>> ptype=RegExp
>>>>>>> pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
>>>>>>> context=SEC_INTERNAL_EVENT
>>>>>>> desc=create IP address table
>>>>>>> action=lcall %o -> ( sub { SecModule::build_ip_table() } )
>>>>>>>
>>>>>>>
>>>>>>> type=Single
>>>>>>> ptype=RegExp
>>>>>>> pattern=addIP: ([\d.]+)
>>>>>>> desc=add IP address $1 to IP table
>>>>>>> action=lcall %o $1 -> ( sub { $SecModule::ipaddr{$_[0]} = 1 } )
>>>>>>>
>>>>>>> type=Single
>>>>>>> ptype=RegExp
>>>>>>> pattern=event for IP ([\d.]+)
>>>>>>> context=$1 -> ( sub { exists $SecModule::ipaddr{$_[0]} } )
>>>>>>> desc=Event received for IP address $1 that is in the IP table
>>>>>>> action=write - %s
>>>>>>>
>>>>>>>
>>>>>>> ______________________________________________________________________________
>>>>>>> muestra.txt
>>>>>>>
>>>>>>> ______________________________________________________________________________
>>>>>>>
>>>>>>> 192.168.1.1
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> I launch sec like this:
>>>>>>> perl.exe sec -intevents -fromstart -notail -conf=rules.conf -input=muestra.txt -log=Log.log
>>>>>>>
>>>>>>> Output:
>>>>>>>
>>>>>>> Mon Apr 18 17:34:05 2016: Deleting SEC internal context 'SEC_INTERNAL_EVENT'
>>>>>>> Mon Apr 18 17:34:05 2016: Creating SEC internal context 'SEC_INTERNAL_EVENT'
>>>>>>> Mon Apr 18 17:34:05 2016: Creating SEC internal event 'SEC_SHUTDOWN'
>>>>>>> Mon Apr 18 17:34:05 2016: Deleting SEC internal context 'SEC_INTERNAL_EVENT'
>>>>>>> Mon Apr 18 17:47:34 2016: SEC (Simple Event Correlator) 2.6.2
>>>>>>> Mon Apr 18 17:47:34 2016: Reading configuration from rules.conf
>>>>>>> Mon Apr 18 17:47:34 2016: Rule in rules.conf at line 3: Invalid action 'if %ret ( logonly SecModule loaded ) else ( eval %o exit(1) )'
>>>>>>> Mon Apr 18 17:47:34 2016: Rule in rules.conf at line 3: Invalid action list ' eval %ret (require "SecModule.pm");        if %ret ( logonly SecModule loaded ) else ( eval %o exit(1) ) '
>>>>>>> Mon Apr 18 17:47:34 2016: 3 rules loaded from rules.conf
>>>>>>> Mon Apr 18 17:47:34 2016: Opening input file muestra.txt
>>>>>>> Mon Apr 18 17:47:34 2016: set the 'inode' to fileID 1460981233 for file muestra.txt
>>>>>>> Mon Apr 18 17:47:34 2016: Stdin connected to terminal, SIGINT can't be used for changing the logging level
>>>>>>> Mon Apr 18 17:47:34 2016: Creating SEC internal context 'SEC_INTERNAL_EVENT'
>>>>>>> Mon Apr 18 17:47:34 2016: Creating SEC internal event 'SEC_STARTUP'
>>>>>>> Mon Apr 18 17:47:34 2016: Calling code 'CODE(0x25fe2dc)' and setting variable '%o'
>>>>>>> Mon Apr 18 17:47:34 2016: Code 'CODE(0x25fe2dc)' runtime error: Undefined subroutine &SecModule::build_ip_table called at (eval 4) line 1.
>>>>>>>
>>>>>>> Also, I did it like this:
>>>>>>> perl.exe -c sec -intevents -fromstart -notail -conf=rules.conf -input=muestra.txt -log=Log.log
>>>>>>>
>>>>>>> Output:
>>>>>>>
>>>>>>> sec syntax ok
>>>>>>>
>>>>>>> Should I use execution options? Thank you for your support, Risto!
>>>>>>>
>>>>>>> Regards.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>>>
>>>
>>
>
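Added example, not code from the thread, from Jaren, or from the SEC project: a stand-alone Perl script that shows how Perl's require() resolves a module name, which is the mechanism behind the `eval %ret (require "SecModule.pm")` action and the question at the top of this message. A bare name such as "SecModule.pm" is searched for only in the @INC directories, while an absolute path loads directly; the script then runs the IP-table lookup and the package-qualified `Data::Dumper::Dumper` call from the thread. The module text, the temporary directory and the sample event lines are constructed here, and the "/sec/lib" path in the comment is an assumed placeholder.

```perl
#!/usr/bin/perl
# Added example (not from the thread or from SEC): how require() locates a
# .pm file, followed by the IP-table lookup and Dumper call discussed above.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;
use Data::Dumper;

# Constructed module, same shape as the SecModule.pm posted in the thread.
my $module_src = <<'END_PM';
package SecModule;
use strict;
use warnings;

our %ipaddr;

sub build_ip_table {
    %ipaddr = ();
    $ipaddr{"192.168.1.1"} = 1;
    $ipaddr{"10.1.1.1"}    = 1;
}

1;
END_PM

# Write it to a temporary directory, which is not listed in @INC.
my $libdir  = tempdir(CLEANUP => 1);
my $pm_path = File::Spec->catfile($libdir, 'SecModule.pm');
open(my $fh, '>', $pm_path) or die "cannot write $pm_path: $!";
print $fh $module_src;
close($fh);

# 1. A bare relative file name is looked up in @INC only. The directory of
#    the rules file is not in @INC, so this finds nothing unless the module
#    happens to sit in one of the @INC directories.
my $ok = eval { require "SecModule.pm"; 1 };
printf "bare name, directory not in \@INC: %s\n", $ok ? "loaded" : "not found";

# 2. An absolute path is loaded directly without searching @INC. Perl on
#    Windows accepts forward slashes, e.g. require "C:/sec/lib/SecModule.pm".
#    Adding the directory to @INC first is the other option; in a SEC rule
#    that would be a preceding action such as
#      eval %o (unshift(@INC, "/sec/lib"))
#    ("/sec/lib" is an assumed path) followed by the unchanged bare-name require.
$ok = eval { require $pm_path; 1 };
die "absolute path load failed: $@" unless $ok;
printf "absolute path: loaded from %s\n", $INC{$pm_path};

# 3. The module is now in memory, so the call that failed in the thread with
#    "Undefined subroutine &SecModule::build_ip_table" (the load had never
#    happened because the 'if' action was rejected by sec 2.6.2) works.
SecModule::build_ip_table();

# 4. Dumping the table: the function is Data::Dumper::Dumper, qualified with
#    its package name. A reference is passed so the hash prints as one $VAR1.
$Data::Dumper::Sortkeys = 1;
print Data::Dumper::Dumper(\%SecModule::ipaddr);

# 5. The check the fourth rule in the thread performs in its context line,
#    "$1 -> ( sub { exists $SecModule::ipaddr{$_[0]} } )", as a plain function.
sub ip_is_known {
    my ($line) = @_;
    return 0 unless $line =~ /event for IP ([\d.]+)/;
    return exists $SecModule::ipaddr{$1} ? 1 : 0;
}

# Constructed sample events: the first matches a table entry, the second does
# not, and the third is the bare form from muestra.txt that the regexp never matches.
for my $line ("event for IP 192.168.1.1", "event for IP 172.16.0.9", "192.168.1.1") {
    printf "%-28s -> %s\n", $line, ip_is_known($line) ? "in table" : "not in table";
}
```

Run it with `perl` from any directory; the first require is expected to report "not found", which is the same situation as a rules file whose module lives outside @INC, and the second to load the module from the absolute path.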
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users