On 11/24/2010 12:15 AM, Tim Peiffer wrote:
> On 11/17/10 3:13 PM, Tim Peiffer wrote:
>>
>> I need some help in debugging a context expression. I create intercept
>> zones in my recursive DNS configurations in a somewhat automated
>> manner. Conversely, I would like to know when the zones expire, and
>> take action on the expiring zone. I think I can cause a SEC calendar
>> event to extract the zone name and expiration details out of the
>> configurations and a Single RegExp2 rule to parse those zones looking
>> for candidates.
>>
>> Would any of you kind souls be willing to debug the below for me? I am
>> having problems in particular with the context expression and
>> comparison against %alnum variables.
>>
> I think I figured it out. From the manual page, it looks like I can set
> the $alnum variable inside the perl mini code, and then eval takes on
> that value under %alnum. %alnum is usable in actions and $alnum is
> available within patterns and context expressions.
>
> That is pretty neat and tidy.. too bad I didn't see that earlier.

I'd like to add one additional note -- in some cases, the ->() operator
works better than the =() operator in context expressions. On one hand,
the expression inside =() can be just a Perl expression, while ->() takes
a function definition. However, =() involves the compilation of the code
before each execution, while in the case of ->() the function is compiled
only once (at SEC startup). If the context expression is checked against
a large volume of events, ->() is *much* more efficient.

kind regards,
risto

>
> Regards,
> Tim Peiffer
>
> SEC allows the user to define patterns, context expressions, and
> actions which involve calls to the Perl eval() function. In addition
> to explicitly using %<alnum_name> variables that are global across the
> rules, the user can implicitly employ Perl variables created with
> eval() for the same purpose. E.g., when SEC has executed the following
> action
>
> action=eval %a ($b = 1)
>
> the variable $b and its value will become visible in the following
> context expression
>
> context= =(++$b > 10)
>
>>
>> type=Single
>> desc=Set variables and things on startup or restart of sec (core)
>> ptype=RegExp
>> pattern=SEC_(STARTUP|RESTART|SOFTRESTART)
>> context=[ SEC_INTERNAL_EVENT ]
>> action=eval %YY ( `/bin/date +%y` ; ); \
>>        eval %MM ( `/bin/date +%m` ; ); \
>>        eval %DD ( `/bin/date +%m` ; ); \
>>        logonly "date %{MM}/%{DD}/%{YY}"
>>
>> type=Calendar
>> time=47 * * * *
>> desc=zone expirations
>> action=spawn /bin/egrep -i "intercept|zone" /exemplar/named.conf.intercept
>>
>> # //
>> # // DNS Intercept expire 11/17/2011 TicketNNNNN
>> # zone "fresh-phish.com" {
>> #     type forward;
>> #     forward only;
>> #     forwarders {
>> #         1.2.3.4; //my authoritative server 1
>> #         2.1.3.4; //my authoritative server 2
>> #     };
>> # };
>>
>>
>> type=Single
>> ptype=RegExp2
>> pattern=DNS Intercept expire (\d+)/(\d+)/(20)?(\d+) (\S+)\nzone "(\S+)"
>> desc=zone expiration zone $6 ticket $5 date $1/$2/$4
>> action=logonly XXXXX expires today %s XXXXXX
>> context= =("$1" eq "%{MM}" && "$2" eq "%{DD}" && "$4" eq "%{YY}" )
>>
>> Regards,
>> Tim Peiffer
>>

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
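
The =() versus ->() difference described in the reply above, as an added example that is not part of the original thread or of the SEC distribution. It reuses the posted RegExp2 pattern; comparing against Perl's localtime() instead of the %MM/%DD/%YY startup variables is an assumption made here so the rule is self-contained.

```sec
# Constructed rule, not from the thread. Capture groups of the posted
# pattern: $1 = month, $2 = day, $4 = two-digit year, $5 = ticket,
# $6 = zone name.
#
# Form 1, =(): SEC substitutes the match variables into the text and
# compiles the resulting Perl code each time the expression is evaluated.
# The same test would be written on one line as:
#
#   context= =( my @t = localtime(); "$1" == $t[4] + 1 && "$2" == $t[3] && "$4" + 2000 == $t[5] + 1900 )
#
# Form 2, ->(): the function is compiled once at SEC startup; on each
# match only the parameter list ($1 $2 $4) is substituted and passed to
# the function in @_.

type=Single
ptype=RegExp2
pattern=DNS Intercept expire (\d+)/(\d+)/(20)?(\d+) (\S+)\nzone "(\S+)"
context=$1 $2 $4 -> ( sub { \
    my ($mm, $dd, $yy) = @_; \
    my @t = localtime(); \
    return $mm == $t[4] + 1 && $dd == $t[3] && $yy + 2000 == $t[5] + 1900; \
  } )
desc=zone expiration zone $6 ticket $5 date $1/$2/$4
action=logonly %s expires today
```

Because the arguments reach the function as strings, a zero-padded value such as 09 is compared numerically without being spliced into the Perl source as a literal.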