Hi John,

you are seeing this behavior because the context expression parser doesn't require the context name operand to contain no spaces. I seem to remember that in past versions of SEC, it was possible to use multiword context names in expressions. However, after having briefly checked the code and man page, it seems that with later versions every context-related action has a check that forces a single-word operand. I will verify this issue and implement a relevant check in the context name parser, if needed.

BR,
risto

--- On Tue, 8/11/09, John P. Rouillard <rou...@cs.umb.edu> wrote:

> From: John P. Rouillard <rou...@cs.umb.edu>
> Subject: [Simple-evcorr-users] Invalid SEC context doesn't raise an error
> To: simple-evcorr-users@lists.sourceforge.net
> Date: Tuesday, August 11, 2009, 1:47 AM
>
> Hi all:
>
> I have a rule that has not been working for a while and I keep
> spending a little time to try to fix it. It's kind of a pain since
> it's one rule in a SEC instance that has been running for months as an
> external correlation engine for Nagios.
>
> Here is the rule:
>
> type=single
> desc=suppress zombie alerts on backuppc servers.
> ptype=regexp
> pattern= ^03a (\[[0-9]+\] PROCESS_SERVICE_CHECK_RESULT;(ops03.psm1|ops01.fp.bos1.example.com);ZombieCheck;)[12];(PROCS .*?: ([0-9]+).*)
> context = $4 < 48
> action = write %nagiosCmd ($1;0;[backuppc zombies] $3);
>
> As you can see the pattern is kind of hairy. However it's obvious that
> I botched the context. It's a perl mini-program and is missing its =(
> ... ) decorations.
>
> What I am wondering is how/why SEC interprets this as a syntactically
> valid context at all? The parse tree for this has to be bogus as there
> is no || or && separating the operands. Per the man page:
>
>   Context expression is a logical expression that consists of context
>   names, Perl mini-programs, and Perl functions as operands; operands
>   are combined with operators ! (logical NOT), && (short-circuit
>   logical AND), || (short-circuit logical OR), and parentheses.
>
> Yet SEC will happily load this rule. Putting this rule in b.sr I see:
>
> % sec -notail -input=file -conf=b.sr -debug=6
> SEC (Simple Event Correlator) 2.5.1
> Reading configuration from b.sr
> 1 rules loaded from b.sr
>
> Risto is there any way to warn/error on bogus contexts like this? I
> would expect it to break the parse tree immediately after the $4 as
> the next token isn't a:
>
>   (, or -> (indicating a perl function)
>   =( indicating a perl mini-program
>   &&, ||, ! indicating another operand should be scanned
>
> Thanks.
>
> --
>                 -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my opinions.
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
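
Added example, not part of the thread and not SEC's code or the fix Risto mentions: a stand-alone lint check for context expressions, built only from the grammar quoted from the man page above (context names, =( ... ) mini-programs, "params -> ( ... )" functions, and the !, &&, || and parenthesis operators). The names check_context and read_operand are hypothetical, and parenthesis matching is simplified: it counts ( and ) without understanding Perl strings.

```python
import re
OPERATOR = re.compile(r"&&|\|\||[!()]")
BOUNDARY = re.compile(r"&&|\|\||[()]|$")  # where a bare operand ends

def _past_paren(s, i):
    """s[i] is '('; return the index just past its matching ')'."""
    depth = 0
    for j in range(i, len(s)):
        depth += (s[j] == "(") - (s[j] == ")")
        if depth == 0:
            return j + 1
    raise ValueError("unbalanced parentheses")

def read_operand(s, i):
    """Return the index just past the operand that starts at s[i]."""
    if s.startswith("=(", i):                      # Perl mini-program
        return _past_paren(s, i + 1)
    j = BOUNDARY.search(s, i).start()
    name = s[i:j].strip()
    if name.endswith("->") and s[j:j + 1] == "(":  # params -> (Perl function)
        return _past_paren(s, j)
    if re.search(r"\s", name):                     # the check this thread asks for
        raise ValueError("multiword context name: %r" % name)
    return j

def check_context(s):
    """Return the operand count of a valid expression, else raise ValueError."""
    i, depth, n, want_operand = 0, 0, 0, True
    while i < len(s):
        if s[i].isspace():
            i += 1
        elif op := OPERATOR.match(s, i):
            tok, i = op.group(), op.end()
            if want_operand and tok in ("!", "("):
                depth += tok == "("
            elif not want_operand and tok in ("&&", "||"):
                want_operand = True
            elif not want_operand and tok == ")" and depth:
                depth -= 1
            else:
                raise ValueError("unexpected %r before offset %d" % (tok, i))
        elif not want_operand:
            raise ValueError("operator expected before %r" % s[i:])
        else:
            i = read_operand(s, i)
            n, want_operand = n + 1, False
    if want_operand or depth:
        raise ValueError("incomplete expression")
    return n
```

check_context("$4 < 48") raises ValueError naming the multiword context name, while the intended form check_context("=( $4 < 48 )") returns 1.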