Hi all: I have the following setup:
ruleset 01 does some processing

ruleset 05 has a jump rule in it that jumps to the END cfset (rules to
spit out new event and clear some contexts):

  type=jump
  continue=dontcont
  desc=Skip all processing for slapd
  ptype=regexp
  pattern=\.example\.com slapd\[[0-9]+\]:
  cfset=END

ruleset 10, 15, 30....99reset are the additional rules that I expect the
jump to skip for the matching event.

ruleset 99zzend adds the ruleset to the END cfset:

  type=options
  joincfset=END
  procallin=no

  type=single
  desc=log
  ptype=regexp
  pattern=.*
  action=write - triggered 99zzend.sr $0

What I am expecting for an input line of:

  foo.example.com slapd[2345]: something

is to take the jump rule, branch to 99zzend and stop processing that
event. But what I am seeing (from an instrumented version of SEC 2.6.2)
is:

  Added line foo.example.com slapd[2345]: lslsls from input as new event
  Applying rule: 0 from 01control.sr
  Tvalue application true in 1.7e-05s
  Applying rule: 0 from 05EventResetDispatch.sr
  (* log new event to stdout rule)
  Applying rule: 1 from 05EventResetDispatch.sr
  Regexp application in 3.1e-05s
  Writing event 'new event foo.example.com slapd[2345]: lslsls' to file -
  (* logged event to stdout)
  new event foo.example.com slapd[2345]: lslsls
  Applying rule: 2 from 05EventResetDispatch.sr
  (* slapd match rule above)
  Regexp application in 2.8e-05s
  (* jump has occurred as expected)
  Applying rule: 0 from 99zzend.sr
  Regexp application in 2e-05s
  Writing event 'triggered 99zzend.sr foo.example.com slapd[2345]: lslsls' to file -
  triggered 99zzend.sr foo.example.com slapd[2345]: lslsls
  (* now it looks like it is going through all the rest of the rule files in order.)
  Applying rule: 0 from 10timestamp.sr
  Applying rule: 0 from 11suppressFlood.sr
  Applying rule: 1 from 11suppressFlood.sr
  Tvalue application true in 1.3e-05s
  Creating context 'EVENT_PROCESSED'
  Applying rule: 2 from 11suppressFlood.sr
  Applying rule: 3 from 11suppressFlood.sr
  Applying rule: 4 from 11suppressFlood.sr
  Applying rule: 5 from 11suppressFlood.sr
  Applying rule: 6 from 11suppressFlood.sr
  Applying rule: 7 from 11suppressFlood.sr
  Applying rule: 8 from 11suppressFlood.sr
  Applying rule: 9 from 11suppressFlood.sr
  Applying rule: 10 from 11suppressFlood.sr
  Applying rule: 11 from 11suppressFlood.sr
  Creating context 'unparsed_event'
  Applying rule: 12 from 11suppressFlood.sr
  Regexp application in 2.2e-05s
  Writing event 'foo.renesys.com slapd[2345]: lslsls' to file Unparsed
  Deleting context 'unparsed_event'
  Context 'unparsed_event' deleted
  Applying rule: 13 from 11suppressFlood.sr
  Tvalue application true in 1.3e-05s
  Deleting context 'EVENT_PROCESSED'
  Context 'EVENT_PROCESSED' deleted
  Applying rule: 0 from 14slapd.sr
  [...]
  Applying rule: 0 from 31postgres.sr
  Applying rule: 0 from 50mfs.sr
  Applying rule: 0 from 70misc_filter.sr
  Tvalue application true in 1.2e-05s
  Applying rule: 0 from 99rules_reset.sr
  Tvalue application true in 1.1e-05s
  Deleting context 'EVENT_PROCESSED'
  Context 'EVENT_PROCESSED' deleted

and that ends the event processing.

From sec.dump right after this the only item in the buffer is:

  foo.example.com slapd[2345]: lslsls

I don't see any cfset definitions in the dump file but I am not sure if I
should.

If I change ruleset 99zzend so the options rule uses procallin=yes, then I
see the 99zzend.sr ruleset processed twice: once in the jump sequence and
once after 99rules_reset.sr. So that is working as expected.

For some reason I thought the jump rule replaced the standard file
sequence, but that appears to not be the case.
Is my option here to add

  joincfset=standard
  procallin=no

to all of the rest of my rulesets and add a catchall rule in ruleset 5 to
jump to cfset standard so there are no "all" processing rules?

-- 
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
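The layout the last paragraph of the post proposes, written out as an added example. This is not configuration from the post or from the SEC distribution: the dispatcher rules, the cfset name "standard" and the comments are constructed here, and the example assumes that SEC applies the rulesets of a cfset in the order the rule files were loaded and that an Options rule is placed first in its file. The slapd pattern, the 99zzend.sr rules and the file names are the ones from the post.

```ini
# --- 05EventResetDispatch.sr (dispatcher; keeps the default procallin=yes) ---

# Rule 0 (assumed placement): route slapd events to the END cfset and stop
# matching in this ruleset. With every other ruleset set to procallin=no,
# the main "all rulesets in sequence" pass has nothing left to apply after
# END has run, so the event is not seen by 10..99 any more.
type=Jump
continue=DontCont
ptype=RegExp
pattern=\.example\.com slapd\[[0-9]+\]:
desc=Skip all processing for slapd
cfset=END

# Rule 1 (constructed catchall): everything that did not match above is sent
# through the normal pipeline. ptype=TValue with pattern=TRUE matches every
# event, which is what the "Tvalue application true" trace lines in the
# post come from.
type=Jump
continue=DontCont
ptype=TValue
pattern=TRUE
desc=Send all remaining events through the standard cfset
cfset=standard

# --- 10timestamp.sr, 11suppressFlood.sr, ..., 99rules_reset.sr ---
# Each of these files gets this Options rule as its first rule. procallin=no
# means the file is applied only when a Jump rule names one of the cfsets it
# has joined; the plain sequential pass no longer touches it. Several files
# may join the same cfset, and they are applied in file load order (assumed).
type=Options
joincfset=standard
procallin=no

# ... the file's existing rules follow here, unchanged ...

# --- 99zzend.sr (as in the post) ---
type=Options
joincfset=END
procallin=no

type=Single
desc=log
ptype=RegExp
pattern=.*
action=write - triggered 99zzend.sr $0
```

Rule order inside 05EventResetDispatch.sr matters: the slapd Jump must come before the catchall and carry continue=DontCont, otherwise a slapd event is first sent to END and then, on the next rule, to the standard cfset as well. A quick way to confirm the routing after the change is to feed the sample line from the post through sec with the same debug output and check that no "Applying rule: ... from 10timestamp.sr" (or any later file) line appears for it.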