Adding rule branching in SEC is very interesting.

What about using the filename of each rule file along with an optional "new" rule label (explicitly declared by the rule's author to enable branching to the rule)? So here's a primitive example of the idea in practice:

In file testRules1.conf:

    label=Rule A
    type=single
    continue=testRules2.conf->Rule B
    ptype=regexp
    pattern=some pattern A
    action=some action A

In file testRules2.conf:

    label=Rule B
    type=single
    continue=dontcont
    ptype=regexp
    pattern=some pattern B
    action=some action B

Where '->' references the rule in a specified file to jump to (and if '->' is omitted it can be assumed to be somewhere in the current file). In this way old rules can easily be adapted to allow jumps by simply adding the optional destination "label" to a rule and a simple expansion to SEC's "continue" to reference any labeled rule. Each label would be required to be unique within a file.

Aside: As for avoiding infinite loops, I would consider preprocessing the rules upon startup to check that no rules could possibly be circular and simply not allow circular references.

Regards,
Rock

-----Original Message-----
From: Risto Vaarandi [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 04, 2008 10:45 AM
To: '[email protected]'
Subject: [Simple-evcorr-users] SEC - support for rule branching

hi all,

as you all well know, SEC has had very limited support for rule branching. Rules can be (de)activated with contexts, but true rule branches can't be set up (for example, in the way you can define iptables chains). I have given it some thought and there are at least some ways of doing this. There could be a special command line flag (e.g., -conf2) which loads a rule file, but doesn't use it for matching input lines by default. Instead, a user could employ the 'jump' action to tell SEC to use a specific rule file only.

Another way to enable branching would be to have 'load' and 'drop' actions for loading configuration from additional rule files at run time, and then let the user employ 'jump' for narrowing the matching process to given files only. Instead of files, I've been thinking of using textual tags, e.g., 'load linux /etc/sec/linux/*.rules', 'jump linux', etc. (or -conf2=/etc/sec/linux/*.rules=linux which is somewhat similar to specifying input file contexts for SEC).

What do you think?

br,
risto

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
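As an added illustration of the startup pre-check Rock proposes (this is example code written for this page, not code from the thread or from SEC itself), the Python below parses rule files written in the proposed syntax, enforces that each label is unique within its file, resolves both 'file->Label' jumps and bare-label jumps within the current file, and rejects rule sets whose continue chains are circular. The 'label=' field, the '->' notation and the sample rule files are hypothetical, taken from the post above; 'takenext', 'dontcont' and 'endmatch' are the existing SEC 'continue' values that do not branch.

```python
import re

# Constructed sample rule files in the syntax proposed in the post: a
# hypothetical 'label=' field and 'continue=<file>-><label>' (or a bare
# label for a jump within the same file).
SAMPLE_FILES = {
    "testRules1.conf": """\
label=Rule A
type=single
continue=testRules2.conf->Rule B
ptype=regexp
pattern=some pattern A
action=some action A

label=Rule C
type=single
continue=Rule A
ptype=regexp
pattern=some pattern C
action=some action C
""",
    "testRules2.conf": """\
label=Rule B
type=single
continue=dontcont
ptype=regexp
pattern=some pattern B
action=some action B
""",
}

# Constructed rule set with a circular continue chain (Rule A -> Rule B -> Rule A).
CYCLIC_FILES = {
    "loop.conf": "label=Rule A\ntype=single\ncontinue=Rule B\nptype=regexp\n"
                 "pattern=a\naction=x\n\n"
                 "label=Rule B\ntype=single\ncontinue=Rule A\nptype=regexp\n"
                 "pattern=b\naction=y\n",
}

# Existing SEC 'continue' values that do not branch to another rule.
NON_JUMP = {"takenext", "dontcont", "endmatch"}


def parse_rules(files):
    """Parse {filename: text} into rule dicts; rules are blank-line separated
    key=value blocks, and each dict records its source file under '_file'."""
    rules = []
    for fname, text in files.items():
        for block in re.split(r"\n\s*\n", text.strip()):
            rule = {"_file": fname}
            for line in block.splitlines():
                if not line.strip() or line.lstrip().startswith("#"):
                    continue  # skip blank lines and comments
                key, _, value = line.partition("=")
                rule[key.strip()] = value.strip()
            rules.append(rule)
    return rules


def build_jump_graph(rules):
    """Index labelled rules by (file, label) and resolve their jump targets.
    Raises ValueError on a duplicate label within a file or a dangling jump."""
    labels = {}
    for rule in rules:
        label = rule.get("label")
        if label is None:
            continue
        key = (rule["_file"], label)
        if key in labels:
            raise ValueError(f"duplicate label {label!r} in {rule['_file']}")
        labels[key] = rule
    edges = {}
    for (fname, label), rule in labels.items():
        cont = rule.get("continue", "")
        if not cont or cont.lower() in NON_JUMP:
            continue
        target_file, arrow, target_label = cont.partition("->")
        if not arrow:  # no '->': the target label lives in the current file
            target_file, target_label = fname, cont
        target = (target_file, target_label)
        if target not in labels:
            raise ValueError(f"{fname}:{label} jumps to unknown rule {target}")
        edges[(fname, label)] = target
    return labels, edges


def find_cycle(edges):
    """Return the nodes of a circular continue chain, or None if acyclic.
    Each rule has at most one outgoing jump, so every chain is walked once."""
    state = {}  # node -> "visiting" or "done"
    for start in edges:
        path, node = [], start
        while node in edges and state.get(node) != "done":
            if state.get(node) == "visiting":
                return path[path.index(node):]
            state[node] = "visiting"
            path.append(node)
            node = edges[node]
        for visited in path:
            state[visited] = "done"
    return None


def check_rule_files(files):
    """Startup pre-check: return a list of problems (empty means safe to load)."""
    try:
        _, edges = build_jump_graph(parse_rules(files))
    except ValueError as exc:
        return [str(exc)]
    cycle = find_cycle(edges)
    if cycle:
        chain = " -> ".join(f"{f}:{lab}" for f, lab in cycle + cycle[:1])
        return [f"circular continue chain: {chain}"]
    return []
```

Running check_rule_files(SAMPLE_FILES) returns an empty list, while CYCLIC_FILES is reported as a circular chain; because every rule has at most one 'continue' target, the cycle walk is linear in the number of labelled rules, so the check is cheap enough to run on every rule reload.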
