Hi all: I have a rule that has not been working for a while and I keep spending a little time to try to fix it. It's kind of a pain since it's one rule in a SEC instance that has been running for months as an external correlation engine for Nagios.
Here is the rule:

    type=single
    desc=suppress zombie alerts on backuppc servers.
    ptype=regexp
    pattern= ^03a (\[[0-9]+\] PROCESS_SERVICE_CHECK_RESULT;(ops03.psm1|ops01.fp.bos1.example.com);ZombieCheck;)[12];(PROCS .*?: ([0-9]+).*)
    context = $4 < 48
    action = write %nagiosCmd ($1;0;[backuppc zombies] $3);

As you can see the pattern is kind of hairy. However it's obvious that I botched the context. It's a perl mini-program and is missing its =( ... ) decorations.

What I am wondering is how/why SEC interprets this as a syntactically valid context at all? The parse tree for this has to be bogus as there is no || or && separating the operands. Per the man page:

    Context expression is a logical expression that consists of
    context names, Perl mini-programs, and Perl functions as operands;
    operands are combined with operators ! (logical NOT), &&
    (short-circuit logical AND), || (short-circuit logical OR), and
    parentheses.

Yet SEC will happily load this rule. Putting this rule in b.sr I see:

    % sec -notail -input=file -conf=b.sr -debug=6
    SEC (Simple Event Correlator) 2.5.1
    Reading configuration from b.sr
    1 rules loaded from b.sr

Risto, is there any way to warn/error on bogus contexts like this? I would expect it to break the parse tree immediately after the $4 as the next token isn't a:

    (, or -> (indicating a perl function)
    =( indicating a perl mini-program
    &&, ||, ! indicating another operand should be scanned

Thanks.

--
				-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
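The check requested in the message above, sketched as an added example (not part of the original post and not SEC's own parser): a Python linter that tokenizes a context expression by the grammar quoted from the man page and reports operands that are not separated by && or ||. The names `lint_context`, `tokenize` and `_close` are hypothetical, and the sketch assumes context names contain no whitespace and that parentheses inside Perl code are balanced.

```python
import re

# Operands: "=( ... )" mini-programs, "params -> ( ... )" Perl functions, context names.
FUNC = re.compile(r"[^()&|!]*?->\s*\(")
NAME = re.compile(r"(?:(?!&&|\|\|)[^\s()!])+")  # assumption: names hold no whitespace

def _close(expr, i):
    """Index just past the ')' that matches the '(' at expr[i]."""
    depth = 0
    for j in range(i, len(expr)):
        depth += {"(": 1, ")": -1}.get(expr[j], 0)
        if depth == 0:
            return j + 1
    raise ValueError("unbalanced parentheses in Perl code")

def tokenize(expr):
    tokens, i = [], 0
    while i < len(expr):
        if expr[i].isspace():
            i += 1
            continue
        func = FUNC.match(expr, i)
        if expr.startswith("=(", i) or func:
            kind, end = "operand", _close(expr, func.end() - 1 if func else i + 1)
        elif expr.startswith(("&&", "||"), i):
            kind, end = "binop", i + 2
        elif expr[i] in "!()":
            kind, end = expr[i], i + 1
        else:
            kind, end = "operand", NAME.match(expr, i).end()
        tokens.append((kind, expr[i:end]))
        i = end
    return tokens

def lint_context(expr):
    """Return a list of problems; an empty list means the expression fits the grammar."""
    problems, want_operand, depth = [], True, 0
    for kind, text in tokenize(expr):
        opens = kind in ("operand", "!", "(")  # tokens that may begin an operand
        if opens != want_operand:
            msg = "missing && or || before" if opens else "operand expected before"
            problems.append(f"{msg} {text!r}")
        want_operand = kind in ("!", "(", "binop")
        depth += (kind == "(") - (kind == ")")
    if want_operand:
        problems.append("expression ends where an operand is expected")
    if depth != 0:
        problems.append("unbalanced grouping parentheses")
    return problems
```

Run over the `context` line of each rule before loading a configuration, this flags `$4 < 48` while accepting the intended `=($4 < 48)`.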