hi all,

this email provides a more detailed description of major new features
in SEC-2.9.alpha1.

Firstly, one can use 'egptype' and 'egpattern' fields in EventGroup
rules that specify an additional event group matching condition on top
of the conventional threshold conditions. The 'egptype' and 'egpattern'
fields define the *event group pattern*, which can be a regular
expression, string pattern, or a Perl function. The event group pattern
is used for matching the *event group string*, which reflects all events
the event correlation operation has seen within its event correlation
window.

For example, consider the EventGroup2 operation which has observed
three events, so that the earliest event has matched its 'pattern'
field, and the following two events its 'pattern2' field. In that
case, the event group string is "1 2 2". The event group string is
matched with the event group pattern only after *all* traditional
numeric threshold conditions have evaluated true.

To illustrate how event group patterns work, consider the following
EventGroup2 rule:

type=EventGroup2
ptype=SubStr
pattern=EVENT_A
thresh=2
ptype2=SubStr
pattern2=EVENT_B
thresh2=2
desc=Sequence of two or more As and Bs with 'A B' at the end
action=write - %s
egptype=RegExp
egpattern=1 2$
window=60

Also, suppose the following events occur, and each event timestamp
reflects the time SEC observes the event:

Mar 10 12:05:31 EVENT_B
Mar 10 12:05:32 EVENT_B
Mar 10 12:05:38 EVENT_A
Mar 10 12:05:39 EVENT_A
Mar 10 12:05:42 EVENT_B

When these events are observed by the above EventGroup2 rule, the rule
starts an event correlation operation at 12:05:31. When the fourth
event appears at 12:05:39, all threshold conditions (thresh=2 and
thresh2=2) become satisfied. Note that without 'egptype' and
'egpattern' rule fields, the operation would execute the 'write'
action. However, since these fields are present, the following event
group string is built from the first four events "2 2 1 1", and this
string is matched with the regular expression 1 2$ (the event group
pattern provided with the 'egpattern' field). Since there is no match,
the operation will *not* execute the 'write' action given with the
'action' field.

When the fifth event appears at 12:05:42, all threshold conditions are
again satisfied, and all observed events produce the following event
group string: "2 2 1 1 2". Since this time the event group string
matches the regular expression given with the 'egpattern' field, the
operation will write the string "Sequence of two or more As and Bs
with 'A B' at the end" to standard output with the 'write' action.

To summarize, the 'egptype' and 'egpattern' fields allow for matching
specific event sequences in a given time window (e.g., one can verify
if events appear in specific order).
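To see how the event group string is built and matched against 'egpattern', here is an added Python simulation of the rule and events above (not SEC's own code and not part of this message); it assumes a simplified window semantics, noted in the comments, and uses a constructed copy of the five events.

```python
import re
from collections import Counter
from dataclasses import dataclass

@dataclass
class EventGroup2Rule:
    """The subset of EventGroup2 rule fields the simulation needs."""
    pattern: str     # substring identifying class-1 events (ptype=SubStr)
    thresh: int
    pattern2: str    # substring identifying class-2 events (ptype2=SubStr)
    thresh2: int
    egpattern: str   # regular expression matched against the event group string
    window: int      # correlation window in seconds

def parse_event(line):
    """'Mar 10 12:05:31 EVENT_B' -> (seconds since midnight, 'EVENT_B')."""
    _mon, _day, hms, msg = line.split(None, 3)
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s, msg

def run_rule(rule, lines):
    """Return (hh:mm:ss, event group string, action fired) for every event at
    which all numeric thresholds held.  Assumed simplification: the window is
    anchored at the first matching event and restarts when an event falls outside it."""
    start, group, decisions = None, [], []
    for line in lines:
        ts, msg = parse_event(line)
        cls = "1" if rule.pattern in msg else "2" if rule.pattern2 in msg else None
        if cls is None:
            continue
        if start is None or ts >= start + rule.window:
            start, group = ts, []          # start (or restart) the operation
        group.append(cls)
        counts = Counter(group)
        if counts["1"] >= rule.thresh and counts["2"] >= rule.thresh2:
            egstring = " ".join(group)     # e.g. "2 2 1 1"
            fired = re.search(rule.egpattern, egstring) is not None
            decisions.append((line.split()[2], egstring, fired))
    return decisions

RULE = EventGroup2Rule("EVENT_A", 2, "EVENT_B", 2, r"1 2$", 60)
LOG = [  # constructed: the five events from the announcement
    "Mar 10 12:05:31 EVENT_B", "Mar 10 12:05:32 EVENT_B",
    "Mar 10 12:05:38 EVENT_A", "Mar 10 12:05:39 EVENT_A",
    "Mar 10 12:05:42 EVENT_B",
]

if __name__ == "__main__":
    for when, egstring, fired in run_rule(RULE, LOG):
        print(when, repr(egstring), "action executed" if fired else "no match")
```

The thresholds first hold at 12:05:39 with the group string "2 2 1 1" (no match), and the action fires at 12:05:42 with "2 2 1 1 2".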

The 2.9.alpha1 version also supports five new actions: 'cmdexec',
'spawnexec', 'cspawnexec', 'pipeexec', and 'reportexec'. These actions
are similar to the 'shellcmd', 'spawn', 'cspawn', 'pipe', and 'report'
actions, but they execute command lines without shell interpretation.
For example, consider the following action definition:

cmdexec rm /tmp/report*

This action will execute the command line 'rm /tmp/report*', but
unlike the 'shellcmd' action, the asterisk is not treated as a file
pattern but just as a file name character. Therefore, the action will
remove the file with the name "/tmp/report*", and not the files
/tmp/report1 and /tmp/report2 if they are present in the /tmp
directory.

The new actions you can find in 2.9.alpha1 allow for executing
external programs in a more secure way and avoiding unexpected side
effects if shell metacharacters are injected into command lines. Also,
the SingleWithScript rule has an additional 'shell' rule field in the
new version for running external programs with or without shell
interpretation.

Finally, the new version no longer uses the Perl JSON module and
has switched to JSON::PP, since unlike the JSON module, JSON::PP is
part of the standard Perl distribution. This means that SEC now uses
only standard Perl modules that come together with Perl, and
does not require any additional modules. Since the Sys::Syslog and
JSON::PP modules might be missing from some old Perl distributions
(Perl versions 5.8, 5.10 and 5.12 usually don't have them installed by
default), the presence of these modules is not mandatory. If you have
such an old Perl distribution and don't want to install Sys::Syslog
and JSON::PP manually, SEC will simply run with a couple of
non-essential features disabled, producing a warning message if you
attempt to use these features.

As for other new features and changes in SEC-2.9.alpha1, please see
the changelog of the new version.

kind regards,
risto


_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users