Hi,

I explain fully. Using sec 2.6.2.

I have various files for one alert because it depends on a list and I use a
library to match.

I want to launch some variables on alert.conf file from the load file
(iniLib.conf).

iniLib.conf-->Load ini rules.
____________________________________________________________________

type=Single
ptype=SubStr
pattern=SEC_STARTUP
context=SEC_INTERNAL_EVENT
continue=TakeNext
desc=Load the SecModule module and terminate if it is not found
action=assign %ret 0; eval %ret (require Data::Dumper;); eval %o (exit(1) unless %ret)

type=Single
ptype=SubStr
pattern=SEC_STARTUP
context=SEC_INTERNAL_EVENT
continue=TakeNext
desc=Load the SecModule module and terminate if it is not found
action=assign %ret 0; eval %ret (require 'Module.pm'); eval %o (exit(1) unless %ret)

#Rule that loads the object into a variable.
type=Single
ptype=RegExp
pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
context=SEC_INTERNAL_EVENT
continue=TakeNext
desc=create IP address table
action=lcall %o -> ( sub { Module::build_ip_table('simu.txt') } )

type=Single
ptype=RegExp
pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
context=SEC_INTERNAL_EVENT
continue=TakeNext
desc=-
action=event launAssig

main.conf-->Parse string
____________________________________________________________________

type = Jump
ptype = RegExp
desc = $0
continue = Takenext
pattern =launch(\d+)
varmap = alert;ecode=1
cfset = al

alert.conf-->launch alert
_____________________________________________________________________

type = Options
joincfset = al
procallin = no

#Here I want the assign rule launched during the load of iniLib.conf
type = Single
continue= TakeNext
ptype=Substr
pattern=launAssig
desc = -
action = assign %category (Log); \
assign %summary (Alert); \
assign %priority (M); \
assign %typology (C);

#||->string separator.
#contieneElemento->Function to match the numbers from the list using the library.
type = Single
ptype = Cached
desc =-
context= $+{ecode} -> (sub { Module::contieneElemento($_[0])==1} )
pattern = alert
continue=TakeNext
action = eval %o (\
$string='category=%category||summary=%summary||priority=%priority||tipology=%typology||error code=$+{ecode}||'."\n";\
print $string."\n";);

simu.txt
____________________________________________________________________

5
6
7

input.conf
___________________________________________________________________

launch5
launch7

Running options
__________________________________________________________________

-intevents -fromstart -notail

Still not running. Any ideas?

Thank you Risto. Regards.
2016-05-26 13:04 GMT+02:00 Jaren Peich <burkol...@gmail.com>:
> Sorry, i thought that mailing list email was on the thread.
>
> 2016-05-26 12:27 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>
>> ...please post your question to the mailing list.
>> risto
>>
>> 2016-05-26 13:05 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
>>
>>> Hi,
>>>
>>> I explain fully. Using sec 2.6.2.
>>>
>>> I have various files for one alert because it depends on a list and i
>>> use a library to match.
>>>
>>> I want to launch some variables on alert.conf file from the load file
>>> (iniLib.conf).
>>>
>>>
>>> iniLib.conf.-->Load ini rules.
>>> ____________________________________________________________________
>>>
>>> type=Single
>>> ptype=SubStr
>>> pattern=SEC_STARTUP
>>> context=SEC_INTERNAL_EVENT
>>> continue=TakeNext
>>> desc=Load the SecModule module and terminate if it is not found
>>> action=assign %ret 0; eval %ret (require Data::Dumper;); eval %o (exit(1) unless %ret)
>>>
>>> type=Single
>>> ptype=SubStr
>>> pattern=SEC_STARTUP
>>> context=SEC_INTERNAL_EVENT
>>> continue=TakeNext
>>> desc=Load the SecModule module and terminate if it is not found
>>> action=assign %ret 0; eval %ret (require 'Module.pm'); eval %o (exit(1) unless %ret)
>>>
>>> #Rule that loads the object into a variable.
>>> type=Single
>>> ptype=RegExp
>>> pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
>>> context=SEC_INTERNAL_EVENT
>>> continue=TakeNext
>>> desc=create IP address table
>>> action=lcall %o -> ( sub { Module::build_ip_table('simu.txt') } )
>>>
>>> type=Single
>>> ptype=RegExp
>>> pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
>>> context=SEC_INTERNAL_EVENT
>>> continue=TakeNext
>>> desc=-
>>> action=event launAssig
>>>
>>>
>>>
>>> main.conf-->Parse string
>>> ____________________________________________________________________
>>>
>>> type = Jump
>>> ptype = RegExp
>>> desc = $0
>>> continue = Takenext
>>> pattern =launch(\d+)
>>> varmap = alert;ecode=1
>>> cfset = al
>>>
>>>
>>> alert.conf-->launch alert
>>> _____________________________________________________________________
>>>
>>> type = Options
>>> joincfset = al
>>> procallin = no
>>>
>>> #Here i want the assign rule launched during the load of iniLib.conf
>>> type = Single
>>> continue= TakeNext
>>> ptype=Substr
>>> pattern=launAssig
>>> desc = -
>>> action = assign %category (Log); \
>>> assign %summary (Alert); \
>>> assign %priority (M); \
>>> assign %typology (C);
>>>
>>> #||->string separator.
>>> #contieneElemento->Function to match the numbers from the list using the
>>> library.
>>> type = Single
>>> ptype = Cached
>>> desc =-
>>> context= $+{ecode} -> (sub { Module::contieneElemento($_[0])==1} )
>>> pattern = alert
>>> continue=TakeNext
>>> action = eval %o (\
>>> $string='category=%category||summary=%summary||priority=%priority||tipology=%typology||error code=$+{ecode}||'."\n";\
>>> print $string."\n";);
>>>
>>>
>>> simu.txt
>>> ____________________________________________________________________
>>>
>>> 5
>>> 6
>>> 7
>>>
>>> input.conf
>>> ___________________________________________________________________
>>> launch5
>>> launch7
>>>
>>> Running options
>>> __________________________________________________________________
>>>
>>> -intevents -fromstart -notail
>>>
>>> Still not running. Any ideas?
>>>
>>> Thank your Risto. Regards.
>>>
>>>
>>> 2016-05-26 11:10 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>>>
>>>> hi Jaren,
>>>>
>>>> as for the Options rule, 2.6.2 should be compatible with the latest
>>>> 2.7.X versions. Of course, everything depends on the actual configuration
>>>> in your rule files, and without seeing the rules it is impossible to tell
>>>> what might be wrong.
>>>>
>>>> If you want to investigate potential incompatibilities from sec manual,
>>>> I would strongly recommend to download the sec-2.6.2 source tarball. Each
>>>> sec tarball contains the man page which is the official documentation, and
>>>> all sec versions released since 2001 can be downloaded from sourceforge:
>>>> https://sourceforge.net/projects/simple-evcorr/files/sec/
>>>> There is also a corresponding link in the sec home page under the
>>>> "Download" section.
>>>>
>>>> Also, can you post your further questions to the mailing list? In that
>>>> way, all other users can benefit from the discussion.
>>>>
>>>> kind regards,
>>>> risto
>>>>
>>>>
>>>>
>>>> 2016-05-26 11:56 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
>>>>
>>>>> Hi Risto,
>>>>>
>>>>> I've realised that if there is an Option rule before, it doesn't work.
>>>>> I have one in the file and I can't remove it (I need the variables of the
>>>>> cfset). If I split it into two files, it loads the assign variables and it works. Is
>>>>> there any incompatibility between them? I'm still using sec 2.6.2. :)
>>>>>
>>>>> Thank you Risto!. Regards.
>>>>>
>>>>>
>>>>>
>>>>> 2016-05-25 19:15 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>>>>>
>>>>>> I loaded the both rule files with the following command line using
>>>>>> sec-2.7.8:
>>>>>>
>>>>>> sec --conf=iniLib.conf --conf=ruleFile.conf --intevents --input=-
>>>>>>
>>>>>> When I started up sec with the above command line, all the
>>>>>> assignments were done according to sec debug log:
>>>>>>
>>>>>> SEC (Simple Event Correlator) 2.7.8
>>>>>> Reading configuration from iniLib.conf
>>>>>> 1 rules loaded from iniLib.conf
>>>>>> Reading configuration from ruleFile.conf
>>>>>> 1 rules loaded from ruleFile.conf
>>>>>> No --bufsize command line option or --bufsize=0, setting --bufsize to
>>>>>> 1
>>>>>> Opening input file -
>>>>>> Interactive process, SIGINT can't be used for changing the logging
>>>>>> level
>>>>>> Creating SEC internal context 'SEC_INTERNAL_EVENT'
>>>>>> Creating SEC internal event 'SEC_STARTUP'
>>>>>> Creating event 'launAssig'
>>>>>> Deleting SEC internal context 'SEC_INTERNAL_EVENT'
>>>>>> Assigning 'Log' to variable '%category_Alert'
>>>>>> Assigning 'Alert' to variable '%summary_Alert'
>>>>>> Assigning 'M' to variable '%priority_Alert'
>>>>>> Assigning 'C' to variable '%typology_Alert'
>>>>>> Assigning 'Proxy' to variable '%subcategory_Alert'
>>>>>> Assigning 'Network' to variable '%asset_category_Alert'
>>>>>>
>>>>>>
>>>>>> Are you sure you have specified both rule files with the --conf
>>>>>> option? Also, have you used the --intevents command line option which
>>>>>> forces the generation of SEC_STARTUP and other internal events? If
>>>>>> --intevents is not given, these events are not created, and thus the
>>>>>> second
>>>>>> rule will not fire.
>>>>>>
>>>>>> kind regards,
>>>>>> risto
>>>>>>
>>>>>>
>>>>>> 2016-05-25 17:51 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
>>>>>>
>>>>>>> Yes, it was wrong. Other stuff worked properly. Thank you risto. :)
>>>>>>>
>>>>>>> I have another doubt about this.
>>>>>>>
>>>>>>> I'm trying to launch a couple of assign sentences from one file to
>>>>>>> another file at the beginning and I can't.
>>>>>>>
>>>>>>> I have two files with some rules inside; the other rules worked
>>>>>>> properly, but when I try to launch this one it is impossible.
>>>>>>>
>>>>>>> File: iniLib.conf
>>>>>>> _____________________________________________________________________
>>>>>>>
>>>>>>> type=Single
>>>>>>> ptype=RegExp
>>>>>>> pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
>>>>>>> context=SEC_INTERNAL_EVENT
>>>>>>> continue=TakeNext
>>>>>>> desc=-
>>>>>>> action=event launAssig
>>>>>>>
>>>>>>>
>>>>>>> File: ruleFile.conf
>>>>>>> ____________________________________________________________________
>>>>>>>
>>>>>>> type = Single
>>>>>>> continue= TakeNext
>>>>>>> ptype=Substr
>>>>>>> pattern=launAssig
>>>>>>> desc = -
>>>>>>> action = assign %category_Alert (Log); \
>>>>>>> assign %summary_Alert (Alert); \
>>>>>>> assign %priority_Alert (M); \
>>>>>>> assign %typology_Alert (C); \
>>>>>>> assign %subcategory_Alert (Proxy); \
>>>>>>> assign %asset_category_Alert (Network);
>>>>>>>
>>>>>>> I've tried with the RegExp and Substr rule types and the system launches the
>>>>>>> event, but the other rule is unable to find the event created and the
>>>>>>> second rule doesn't launch.
>>>>>>>
>>>>>>> Thank you again Risto. Regards.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> 2016-04-29 16:55 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>>>>>>>
>>>>>>>> hi Jaren,
>>>>>>>> variables of the Cached pattern (created previously with 'varmap'
>>>>>>>> statement) are treated like regular match variables, and therefore the
>>>>>>>> following definition you have is valid:
>>>>>>>>
>>>>>>>> context= $+{url} -> (sub {
>>>>>>>> SecBlacklist::contieneElemento($_[0])==1} )
>>>>>>>>
>>>>>>>> However, since the 2.6.2 version is fairly old, it doesn't support
>>>>>>>> the :> operator in context expressions, so the definitions
>>>>>>>>
>>>>>>>> context= alert :> (sub {
>>>>>>>> SecBlacklist::contieneElemento($_[0]->{'url'})==1} )
>>>>>>>> context= alertParam :> (sub {
>>>>>>>> SecBlacklist::contieneElemento($_[0]->{'url'})==1} )
>>>>>>>>
>>>>>>>> do not work. In order to use them, you need to install sec-2.7.X.
>>>>>>>> Also, since alertParam is not the name of the cache entry created with
>>>>>>>> 'varmap', the definition
>>>>>>>>
>>>>>>>> context= alertParam :> (sub {
>>>>>>>> SecBlacklist::contieneElemento($_[0]->{'url'})==1} )
>>>>>>>>
>>>>>>>> wouldn't work for 2.7.X, but you would need to use the name of an
>>>>>>>> existing pattern match cache entry.
>>>>>>>>
>>>>>>>> Also, I spotted the following rule in your configuration:
>>>>>>>>
>>>>>>>> type = Single
>>>>>>>> continue= TakeNext
>>>>>>>> desc = -
>>>>>>>> ptype = Cached
>>>>>>>> pattern = SEC_STARTUP|SEC_RESTART()
>>>>>>>> action = assign %category_Alert (Log); \
>>>>>>>> assign %summary_Alert (Alert: Blacklist);
>>>>>>>>
>>>>>>>> The parentheses seem to be misaligned in the 'pattern' field, and
>>>>>>>> also, 'ptype' is set to "Cached", although the pattern looks like a
>>>>>>>> regular
>>>>>>>> expression. Have you checked this rule? It is likely to be incorrect
>>>>>>>> and
>>>>>>>> might be one of the reasons the ruleset is not working properly.
>>>>>>>>
>>>>>>>> kind regards,
>>>>>>>> risto
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> 2016-04-29 15:14 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I'm trying to validate a sec context with a perl function and
>>>>>>>>> to write an output message in a file using the assign variables in the
>>>>>>>>> string. I'm using SEC 2.6.2. Can I use the variable from the varmap, or
>>>>>>>>> do I have to use the context to pass the variable through the sec context?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ________________________________________________________________________________
>>>>>>>>>
>>>>>>>>> Perl Function (this function checks whether "elemento" is a part of a hash
>>>>>>>>> key).
>>>>>>>>>
>>>>>>>>> SecBlacklist.pm-->This file is loaded in the beginning and
>>>>>>>>> contains other functions.
>>>>>>>>>
>>>>>>>>> ________________________________________________________________________________
>>>>>>>>> # %ip is the hash filled elsewhere in SecBlacklist.pm; its keys are the list entries.
>>>>>>>>> sub contieneElemento{
>>>>>>>>>     my($elemento)=@_;
>>>>>>>>>     my($rep)=0;
>>>>>>>>>     # substring test: true when $elemento occurs anywhere inside a key
>>>>>>>>>     for my $key (keys %ip){
>>>>>>>>>         if (index($key,$elemento)!= -1){
>>>>>>>>>             $rep=1;
>>>>>>>>>         }
>>>>>>>>>     }
>>>>>>>>>     return $rep;
>>>>>>>>> }
>>>>>>>>> 1;
>>>>>>>>>
>>>>>>>>> ________________________________________________________________________________
>>>>>>>>>
>>>>>>>>> The varmap alert is passed from another file with a Jump rule using
>>>>>>>>> a varmap. I want to pass the url parameter to the perl function so that the
>>>>>>>>> url is validated in the method.
>>>>>>>>>
>>>>>>>>> rules.conf
>>>>>>>>>
>>>>>>>>> ________________________________________________________________________________
>>>>>>>>> #Varmap:
>>>>>>>>> type = Jump
>>>>>>>>> ptype = RegExp
>>>>>>>>> desc = $0
>>>>>>>>> continue = Takenext
>>>>>>>>> pattern = Url:(.*)\sClient:(.*)
>>>>>>>>> varmap = alert;url=1;client_ip=2
>>>>>>>>> cfset=alertParam
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> alert.conf
>>>>>>>>>
>>>>>>>>> ________________________________________________________________________________
>>>>>>>>> type = Options
>>>>>>>>> joincfset = alertParam
>>>>>>>>> procallin = no
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> type = Single
>>>>>>>>> continue= TakeNext
>>>>>>>>> desc = -
>>>>>>>>> ptype = Cached
>>>>>>>>> pattern = SEC_STARTUP|SEC_RESTART()
>>>>>>>>> action = assign %category_Alert (Log); \
>>>>>>>>> assign %summary_Alert (Alert: Blacklist);
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> type = Single
>>>>>>>>> ptype = Cached
>>>>>>>>> desc =ip_$+{client_ip}
>>>>>>>>> context= $+{url} -> (sub {
>>>>>>>>> SecBlacklist::contieneElemento($_[0])==1} )
>>>>>>>>> pattern = alert
>>>>>>>>> continue=TakeNext
>>>>>>>>> action = write C:\Alerts.log "Context OK!!!"
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I´ve read the manual and i tried also like this:
>>>>>>>>>
>>>>>>>>> context= $+{url} -> (sub {
>>>>>>>>> SecBlacklist::contieneElemento($_[0])==1} )
>>>>>>>>>
>>>>>>>>> context= alert :> (sub {
>>>>>>>>> SecBlacklist::contieneElemento($_[0]->{'url'})==1} )
>>>>>>>>>
>>>>>>>>> context= alertParam :> (sub {
>>>>>>>>> SecBlacklist::contieneElemento($_[0]->{'url'})==1} )
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thank you in advance Risto!.
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
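As an added example that is not part of this thread (neither Jaren's SecBlacklist.pm/Module.pm nor anything from the SEC project), here is a stand-alone Perl sketch of the "Module" package that the posted iniLib.conf loads with require 'Module.pm' and then calls through lcall and the Cached rule's context expression. The names Module, build_ip_table, contieneElemento and %ip, and the simu.txt format (one entry per line), are taken from the posted rules; contieneElementoExacto, the temporary file name and the extra "15" entry are assumptions added here to show that the posted index()-based check also matches partial entries, which matters when the list is used as a deny-list.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Module, build_ip_table,
# contieneElemento and %ip mirror the names used in the posted rules;
# contieneElementoExacto and the sample file are assumptions.
use strict;
use warnings;

package Module;

our %ip;   # list entries loaded by build_ip_table, keyed by entry

# Read one entry per line (the simu.txt layout) into %ip.
# The posted SEC_STARTUP rule calls this as:
#   action=lcall %o -> ( sub { Module::build_ip_table('simu.txt') } )
sub build_ip_table {
    my ($file) = @_;
    %ip = ();
    open(my $fh, '<', $file) or return 0;
    while (my $line = <$fh>) {
        chomp $line;
        $line =~ s/^\s+|\s+$//g;          # trim surrounding whitespace
        next if $line eq '' || $line =~ /^#/;
        $ip{$line} = 1;
    }
    close($fh);
    return scalar keys %ip;               # number of entries loaded
}

# Substring variant, as posted in the thread: true when $elemento occurs
# anywhere inside some key, so "5" also matches an entry "15".
sub contieneElemento {
    my ($elemento) = @_;
    for my $key (keys %ip) {
        return 1 if index($key, $elemento) != -1;
    }
    return 0;
}

# Exact-match variant (assumption, not in the thread): a plain hash
# lookup, which is what a membership test against a list usually wants.
sub contieneElementoExacto {
    my ($elemento) = @_;
    return exists $ip{$elemento} ? 1 : 0;
}

package main;

# Constructed stand-in for simu.txt; "15" is added to expose the difference.
my $list = 'simu_example.txt';
open(my $out, '>', $list) or die "cannot write $list: $!";
print $out "5\n6\n7\n15\n";
close($out);

Module::build_ip_table($list);

# Mirror of the posted Cached rule's context expression:
#   context= $+{ecode} -> (sub { Module::contieneElemento($_[0])==1} )
# $+{ecode} is capture group 1 of launch(\d+), stored by varmap = alert;ecode=1.
for my $event ('launch5', 'launch7', 'launch1', 'launch9') {
    next unless $event =~ /^launch(\d+)$/;
    my $ecode = $1;
    printf "%-8s substring=%d exact=%d\n", $event,
        Module::contieneElemento($ecode),
        Module::contieneElementoExacto($ecode);
}
unlink $list;
```

With the constructed list, launch5 and launch7 are accepted by both variants, launch9 by neither, and launch1 only by the substring variant (because "1" is found inside "15"). The contieneElemento shown in the thread therefore decides on partial matches; if the list is meant to be a set of exact codes or addresses, the hash lookup is the check to wire into the context expression.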
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users