David,
<voice style=edmcmahon>You are correct, sir!</voice>
Per the inline documentation:
# if SIGHUP has arrived, reopen input files and logfile, re-read
# configuration and empty all lists concerning events and correlation
# information; if SIGABRT has arrived, behave like SIGHUP but preserve
# contexts that are active
Mon Oct 24 12:45:52 2011: SIGHUP received: full restart of SEC
Mon Oct 24 12:45:52 2011: Reading configuration from /etc/sec/cisco/asa.sec
Mon Oct 24 12:45:52 2011: 21 rules loaded from /etc/sec/cisco/asa.sec
Mon Oct 24 12:45:52 2011: Creating SEC internal context 'SEC_INTERNAL_EVENT'
Mon Oct 24 12:45:52 2011: Creating SEC internal event 'SEC_RESTART'
Mon Oct 24 12:45:52 2011: Deleting SEC internal context 'SEC_INTERNAL_EVENT'
Mon Oct 24 12:57:09 2011: SIGABRT received: soft restart of SEC
Mon Oct 24 12:57:09 2011: Creating SEC internal context 'SEC_INTERNAL_EVENT'
Mon Oct 24 12:57:09 2011: Creating SEC internal event 'SEC_SOFTRESTART'
Mon Oct 24 12:57:09 2011: Deleting SEC internal context 'SEC_INTERNAL_EVENT'
A safer way to reload the hashes, without losing the contexts, is to send a KILL
$pid -ABRT after editing the file.
type=Single
desc=Dynamically reload Hashes
ptype=SubStr
continue=TakeNext
pattern=SEC_SOFTRESTART
context=SEC_INTERNAL_EVENT
action=eval %a ( open(FILE, "</etc/sec/friendlynames.txt"); \
  while (<FILE>) { chomp; my ($key, $val) = split /=/; $hash{"$key"} = $val; } )
Or, if feeling adventurous, it's merely a .pl file. We can always
roll-your-own SIG handler. :)
---
Justin J. Novack
Official Disturber of the Peace
On Wed, Oct 19, 2011 at 3:37 PM, <da...@lang.hm> wrote:
>
>
> I am thinking that they are lost on a -HUP because the -HUP recompiles the
> rules.
>
> I am thinking that you need something along the lines of
>
>
> type=Single
> desc=Load hashes at startup
> ptype=SubStr
> continue=TakeNext
> pattern=reload friendlynames.txt file
> action=eval %a ( open(FILE, "</etc/sec/friendlynames.txt"); %hash=(); \
>   while (<FILE>) { chomp; my ($key, $val) = split /=/; $hash{"$key"} = $val; } )
>
> since you run things on reload, you probably need the clearing of the hash
> in your original version as well (since this file is something that usually
> only grows, the fact that a reload would not remove an entry from the hash
> is probably not a big problem, but in other contexts it will matter)
>
> David Lang
>
> ------------------------------------------------------------------------------
> The demand for IT networking professionals continues to grow, and the
> demand for specialized networking skills is growing even more rapidly.
> Take a complimentary Learning@Cisco Self-Assessment and learn
> about Cisco certifications, training, and career opportunities.
> http://p.sf.net/sfu/cisco-dev2dev
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
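
As an added example (not part of the original messages and not code from SEC itself): a standalone Perl version of the loader used in the eval actions above. It builds the table in a temporary hash and swaps it in only when the file opens, so a failed reload keeps the old entries while a successful one drops entries that were removed from the file. The sub name reload_friendlynames, the sample data and the temp file are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: stricter loader for a key=value lookup file such as
# friendlynames.txt. Sub name and sample data are constructed.
use strict;
use warnings;
use File::Temp qw(tempfile);

our %hash;    # lookup table, named as in the rules above

# Parse $path into a fresh hash and replace %hash only if the file opened.
# Returns the number of entries loaded, or undef on failure.
sub reload_friendlynames {
    my ($path) = @_;
    open(my $fh, '<', $path) or do {
        warn "cannot open $path: $!\n";
        return undef;                              # previous table is kept
    };
    my %new;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(?:#|$)/;            # skip blank and comment lines
        my ($key, $val) = split /=/, $line, 2;     # limit 2: value may contain '='
        next unless defined $val && length $key;   # skip lines that are not key=value
        $new{$key} = $val;
    }
    close($fh);
    %hash = %new;    # entries deleted from the file disappear here
    return scalar keys %hash;
}

# Constructed sample file: two valid entries, a comment, a blank, a bad line
my ($tmp, $path) = tempfile(UNLINK => 1);
print {$tmp} "10.0.0.1=core-fw\n# comment\n\nbadline\n10.0.0.2=dmz=edge\n";
close($tmp);

%hash = ('192.0.2.9' => 'stale-entry');    # constructed leftover from an earlier load
printf "loaded %d entries\n", reload_friendlynames($path);
print "$_ => $hash{$_}\n" for sort keys %hash;

# A missing file leaves the table untouched
reload_friendlynames("$path.missing");
printf "after failed reload: %d entries\n", scalar keys %hash;
```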