Re: [Simple-evcorr-users] string quoting and perl integration actions

2013-09-28 Thread Mark D. Nagel
On 9/27/2013 8:37 PM, David Lang wrote: actually, it occurs to me that you can just use the hash that the json parse creates, the thing that gets passed to flatten. In fact, the more I think about it, the less it seems to be the right thing to use flatten and cache. Instead it seems like

Re: [Simple-evcorr-users] string quoting and perl integration actions

2013-09-27 Thread Mark D. Nagel
On 9/25/2013 2:21 PM, Risto Vaarandi wrote: thanks for sharing -- it is good to hear the newer functionality of sec is useful for you! I have to acknowledge that I've had only a brief look into the rule from your post, and didn't get into all the details. Nevertheless, the rule seems to be

Re: [Simple-evcorr-users] string quoting and perl integration actions

2013-09-27 Thread Risto Vaarandi
Yes, absolutely. I was developing this inline since it was fluid at the time, but I want to get the meat of it into a library. Going back to my previous request on getting access to the varmap hash, I would like to definitely see that in a future release. For example, having access to

Re: [Simple-evcorr-users] string quoting and perl integration actions

2013-09-27 Thread Mark D. Nagel
On 9/27/2013 2:06 PM, Risto Vaarandi wrote: As I understand, you'd like to have a separate action which could take varmap names as parameters, and would pass references to given varmaps into a Perl function? kind regards, Right -- would want to be able to access the hash in an lcall, for

Re: [Simple-evcorr-users] string quoting and perl integration actions

2013-09-27 Thread David Lang
On Fri, 27 Sep 2013, Mark D. Nagel wrote: On 9/27/2013 2:06 PM, Risto Vaarandi wrote: As I understand, you'd like to have a separate action which could take varmap names as parameters, and would pass references to given varmaps into a Perl function? kind regards, Right -- would want to

Re: [Simple-evcorr-users] string quoting and perl integration actions

2013-09-27 Thread David Lang
On Fri, 27 Sep 2013, Mark D. Nagel wrote: On 9/27/2013 4:14 PM, David Lang wrote: remember that Perl variables (including hashes) that you create with one rule can be accessed by your perl code in any other rule. you don't _have_ to use varmap. If your flatten routine sets a variable

Re: [Simple-evcorr-users] string quoting and perl integration actions

2013-09-25 Thread Risto Vaarandi
hi Mark, thanks for sharing -- it is good to hear the newer functionality of sec is useful for you! I have to acknowledge that I've had only a brief look into the rule from your post, and didn't get into all the details. Nevertheless, the rule seems to be quite efficient since most of the Perl

Re: [Simple-evcorr-users] string quoting and perl integration actions

2013-09-24 Thread Mark D. Nagel
I thought I would share my final version of the rule I was working on. Turns out that you have made my life way simpler since last time I looked deeply into what I could do -- thanks, Risto! Note that this is part of a larger ruleset that begins with JSON/flatten of Windows events received

Re: [Simple-evcorr-users] string quoting and perl integration actions

2013-09-23 Thread Mark D. Nagel
On 9/23/2013 11:46 AM, Risto Vaarandi wrote: hi Mark, maybe I am wrong here, but can't the quoting problem be handled with the lcall action? For example, lcall %o $+{Message} -> ( sub { ... } ) would pass $+{Message} as a string into a precompiled function where it can be retrieved from

Re: [Simple-evcorr-users] string quoting and perl integration actions

2013-09-23 Thread Risto Vaarandi
Internally, the match data that match variables represent are kept in Perl variables, lists and hash tables, and are not interpreted. During the match variable substitution, they are substituted as strings, and although this does not allow to pass references, it does not alter string data.

[Simple-evcorr-users] string quoting and perl integration actions

2013-09-22 Thread Mark D. Nagel
I thought there must be a way to do this safely without digging into the innards of SEC, but it seems I have no solution other than that -- hoping someone can guide me back to a non-innards method. The problem is this -- how do you take a pattern match and feed that into Perl code (via eval or