hi Rafael, I see your point now. Just out of curiosity -- how complex is the time difference calculation? If it is only a matter of subtraction (and some simple conversions), I would personally not use the SingleWithScript rule for this, since this involves forking a separate process. For simple calculations that don't need much CPU time, it is much more efficient to write them as Perl functions, and use those functions from the context expression. Also, since you want to save previously seen timestamps into variables, you have to use Perl variables, because match variables exist only within the scope of current rule *and* current match.
Let me illustrate how this could work for a simple case when all events are of the same type and have simple UNIX numeric timestamps:

1302074341: filesystem /tmp full
1302074343: filesystem /var full

In that case, you could encapsulate the timestamp difference calculation into a small Perl function that is compiled at SEC startup and invoked from the 'context' field. Note that the previous timestamp is stored into the $prev variable that can be accessed *only* from Perl code which is invoked from SEC rules:

type=single
ptype=regexp
pattern=(\d+): filesystem \S+ full
context=$1 -> ( sub { if (!defined($prev)) { $prev = 0; } \
  my($ret) = $_[0] - $prev > 30; $prev = $_[0]; return $ret; } )
desc=Time difference between two "filesystem full" events more than 30 seconds
action=write - %s

type=single
ptype=regexp
pattern=(\d+): filesystem \S+ full
desc=Time difference between two "filesystem full" events less than 30 seconds
action=write - %s

(Note that if no previous "filesystem full" event has been observed, the timestamp difference is considered larger than 30 seconds, but it is relatively straightforward to modify the Perl code to treat this particular case differently.)

However, timestamp difference based event correlation can be implemented in various other ways. For example, have you considered the use of contexts? You could create a context for N seconds when you see the first event, and if the context still exists when you see the second event, the first event must have occurred no more than N seconds ago. So the ruleset might look something like this:

type=single
ptype=substr
pattern=firstevent
desc=firstevent was seen
action=create SEEN1stEVENT 30

type=single
ptype=substr
pattern=secondevent
desc=secondevent was seen and firstevent occurred at most 30 seconds ago
context=SEEN1stEVENT
action=write - %s

There are also other opportunities like the use of the Pair rule (this would wait for "secondevent" during 30 seconds since the *first* occurrence of "firstevent").
I am sure there are several other ways for tackling this issue, but it all depends on your requirements and input. Hopefully I was able to provide some insight into different potential solution scenarios :)

kind regards,
risto

On 04/05/2011 10:57 PM, Rafael Bonilla wrote:
> Thanks Risto for the clarification of the types of variables that can be used.
>
> The scripts need to compute the time elapsed between a timestamp captured
> earlier (stored in $+{varname}) and a new timestamp extracted from the new
> matching pattern and stored in $1. If the time elapsed is less than n seconds
> I would like to execute action; otherwise, execute action2.
>
> Hope it makes sense.
>
> Regards,
> Rafael
>
> On Apr 5, 2011, at 2:12 PM, Risto Vaarandi wrote:
>
>> hi Rafael,
>> there are three kinds of variables that can be used in SEC rules:
>> 1) action list variables which are visible in action lists only (e.g.,
>> %t or %s),
>> 2) match variables which are set by patterns (e.g., $1 or $+{varname}),
>> 3) Perl variables that are set and used in Perl code snippets
>> defined/invoked in/from SEC rules.
>> Since the 'script' field defines a command line for an external
>> program, only match variables can be used in this field. BTW, what
>> sort of functionality does the external program implement and what data
>> are held by $my_variable? Maybe there is another way to express the
>> same idea with a different rule...
>> kind regards,
>> risto
>>
>> 2011/4/5 Rafael Bonilla<rafael.boni...@gmail.com>:
>>> Hi,
>>>
>>> I'm pretty new to SEC and was wondering if I can use a $my_variable as an
>>> argument when calling a perl script with the script= option of a
>>> SingleWithScript rule.
>>>
>>> So far I've tried the following:
>>> type=SingleWithScript
>>> ptype=RegExp
>>> pattern=some pattern
>>> context=some context
>>> script=someScript.pl $my_variable $0
>>> ...
>>>
>>> with no success.
>>> It seems that the perl script never receives the value
>>> stored in $my_variable and I know it has a value.
>>>
>>> Any suggestions?
>>>
>>> Thanks,
>>> Rafael

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
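As an added example (not part of Risto's post or of SEC itself), the following stand-alone Perl script emulates the timestamp-difference check from the first ruleset on constructed sample events. It goes beyond the original in two assumed ways: the previous timestamp is kept per filesystem in a %prev hash (so /tmp and /var do not overwrite each other), and the first sighting of a filesystem is labelled 'first' instead of being treated as a gap larger than 30 seconds; the 'first'/'gap'/'burst' labels are this example's own.

```perl
#!/usr/bin/perl
# Added example: emulate the SEC timestamp-difference check outside SEC.
use strict;
use warnings;

# Assumption of this example: one previous timestamp per filesystem.
# Inside SEC the same hash would live across events because the Perl
# function is compiled once at startup, exactly like $prev in the thread.
my %prev;
my $gap = 30;    # seconds, as in the rule's "> 30" comparison

# classify($timestamp, $filesystem) returns:
#   'first' - no earlier event seen for this filesystem
#   'gap'   - more than $gap seconds since the previous event
#   'burst' - $gap seconds or less since the previous event
sub classify {
    my ($ts, $fs) = @_;
    my $ret;
    if (!defined $prev{$fs}) {
        $ret = 'first';
    } elsif ($ts - $prev{$fs} > $gap) {
        $ret = 'gap';
    } else {
        $ret = 'burst';
    }
    $prev{$fs} = $ts;    # remember this event for the next comparison
    return $ret;
}

# Constructed sample events in the format used in the thread.
my @events = (
    "1302074341: filesystem /tmp full",
    "1302074343: filesystem /var full",
    "1302074350: filesystem /tmp full",
    "1302074400: filesystem /var full",
);

for my $line (@events) {
    # Same regexp as the rule's pattern, with the filesystem name captured
    # as a second match variable so it can be passed to the function.
    next unless $line =~ /^(\d+): filesystem (\S+) full/;
    printf "%-40s -> %s\n", $line, classify($1, $2);
}
```

Running the script labels the two initial events as 'first', the second /tmp event (9 seconds later) as 'burst' and the second /var event (57 seconds later) as 'gap'; the same sub body could be pasted into a 'context' expression once the rule's pattern captures the filesystem name.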