Thanks for the replies.  I'm pretty much using standard input to test while
cut-n-pasting from a web server log.  Here's an example line:

192.168.0.2 www.mywebserver.com somelongstringhere [01/Jan/2001:00:00:00 -0000] "GET /path/to/some/http HTTP/1.0" 200 12345 "http://www.mywebserver.com/path/to/some/http" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" "-"

The rule does fire all the time if I remove the context line completely.

sample contexts created:

good_ip_127.0.0.1
good_ip_192.168.0.1

bad_ip_192.168.0.2
bad_ip_192.168.0.3

bad_string_somelongstringhere1
bad_string_somelongstringhere2
bad_string_somelongstringhere3

etc...

~Jon~
On 3/20/08, Risto Vaarandi <[EMAIL PROTECTED]> wrote:
>
> Jon Salud wrote:
> > Hello there,
> >
> > The following rule doesn't seem to be read according to /tmp/sec.dump
> >
> > type = Single
> > desc = context $1 $2
> > ptype = PerlFunc
> > pattern = sub { if ($_[0] =~ /^(\S+) \S+ (\S+)/) { return ($1, $2, $_[1]); } return 0; }
> > context = !good_ip_$1 && (bad_ip_$1 || bad_string_$2)
> > action = shellcmd ./notify.ksh "%t|$3|$2|$1|$0"
> >
> > I populate all the good_ip_xxx, bad_ip_xxx, bad_string_xxx contexts at
> > the beginning, but this rule doesn't seem to work when I try and test
> > it.  When I remove the parentheses from the 'context' line it somewhat
> > works, but doesn't behave the way I intend it to.  Any thoughts?
> >
>
> hi Jon,
> I tested the rule on my Linux workstation by feeding various string
> tuples (A, B, C) to SEC, having separate rules put to place for creating
> and deleting contexts for the first and third elements of tuples (A and
> C, that is). I couldn't find any problem with the rule - if either
> bad_ip_A or bad_string_C (or both) exist, and good_ip_A does not exist,
> the rule fires; otherwise the action is not executed.
> Therefore, I am strongly suspecting that the 'pattern' parameter does
> not correctly capture your input. As John suggested, it would be most
> helpful if you could provide us some samples of your actual input.
> best regards,
> risto
>
> > ~Jon~
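Added example, not part of the original thread and not SEC's own code: a stand-alone Perl harness that runs the rule's PerlFunc on the sample log line and evaluates the rule's context expression against the contexts listed in the message. The input source name `-` and the small expression evaluator `check()` are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# PerlFunc from the rule, unchanged: $_[0] is the input line,
# $_[1] the name of the input source.
my $pattern = sub { if ($_[0] =~ /^(\S+) \S+ (\S+)/) { return ($1, $2, $_[1]); } return 0; };
my $context_expr = '!good_ip_$1 && (bad_ip_$1 || bad_string_$2)';

# Contexts listed in the message.
my %contexts = map { $_ => 1 } qw(
    good_ip_127.0.0.1 good_ip_192.168.0.1
    bad_ip_192.168.0.2 bad_ip_192.168.0.3
    bad_string_somelongstringhere1 bad_string_somelongstringhere2
    bad_string_somelongstringhere3
);

# check() is a hypothetical helper: it mimics match + context evaluation
# so that each intermediate value can be inspected.
sub check {
    my ($line, $source) = @_;
    my @m = $pattern->($line, $source);
    return "no match" unless @m > 1 || $m[0];    # a single false value means no match

    # Substitute $1, $2, ... into the context expression.
    (my $expr = $context_expr) =~ s{\$(\d+)}{ $m[$1 - 1] // '' }ge;

    # Replace every context name by 1 (exists) or 0; keep the operators.
    my @bool;
    for my $tok ($expr =~ /(&&|\|\||[!()]|[^\s!()&|]+)/g) {
        my $is_op = $tok =~ /^(?:&&|\|\||[!()])$/;
        push @bool, $is_op ? $tok : ($contexts{$tok} ? 1 : 0);
    }
    my $truth = eval join ' ', @bool;            # string holds only 0 1 ! && || ( )
    die "malformed context expression: $expr\n" if $@;

    return sprintf "\$1=%s \$2=%s \$3=%s\n  context: %s\n  boolean: %s => %s",
        @m[0 .. 2], $expr, "@bool", $truth ? "action runs" : "action skipped";
}

# Sample line from the message, joined onto one line and cut after the size field.
my $sample = q{192.168.0.2 www.mywebserver.com somelongstringhere [01/Jan/2001:00:00:00 -0000] "GET /path/to/some/http HTTP/1.0" 200 12345};
# Constructed lines: an address with a good_ip_ context, and a line with too few fields.
my $good  = q{192.168.0.1 www.mywebserver.com somelongstringhere1 [01/Jan/2001:00:00:00 -0000]};
my $short = q{short line};

print check($_, '-'), "\n\n" for $sample, $good, $short;
```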