Hi John,

I use jump heavily in my system. I don't know if I just assumed it or found a
reason to, but I've always had a "continue=DontCont" entry in the last rule
of all of the jumped-to rulesets. I have had no issues with it continuing to try
and process.

Regards,
- Steve

> -----Original Message-----
> From: John P. Rouillard [mailto:rou...@cs.umb.edu]
> Sent: Thursday, September 13, 2012 5:25 PM
> To: simple-evcorr-users@lists.sourceforge.net
> Subject: [Simple-evcorr-users] Jump rule oddness
> 
> 
> Hi all:
> 
> I have the following setup:
> 
> ruleset 01 does some processing
> 
> ruleset 05 has a jump rule in it that jumps to the END cf set
> 
>   (rules to spit out new event and clear some contexts)
> 
>   type= jump
>   continue = dontcont
>   desc= Skip all processing for slapd
>   ptype= regexp
>   pattern= \.example\.com slapd\[[0-9]+\]:
>   cfset = END
> 
> ruleset 10, 15, 30....99reset are the additional rules that I expect
> the jump to skip for the matching event.
> 
> ruleset 99zzend adds the ruleset to the END cfset.
> 
>   type = options
>   joincfset = END
>   procallin = no
> 
>   type = single
>   desc = log
>   ptype = regexp
>   pattern = .*
>   action = write - triggered 99zzend.sr $0
> 
> What I am expecting for an input line of:
> 
>   foo.example.com slapd[2345]: something
> 
> is to take the jump rule, branch to 99zzend and stop processing that
> event. But what I am seeing (from an instrumented version of SEC
> 2.6.2) is:
> 
> Added line foo.example.com slapd[2345]: lslsls from input as new event
> Applying rule: 0 from 01control.sr
> Tvalue application true in 1.7e-05s
> Applying rule: 0 from 05EventResetDispatch.sr
>     (*log new event to stdout rule
> Applying rule: 1 from 05EventResetDispatch.sr
> Regexp application in 3.1e-05s
> Writing event 'new event foo.example.com slapd[2345]: lslsls' to file -
>  (* logged devent to stdout stdout)
> new event foo.example.com slapd[2345]: lslsls
> Applying rule: 2 from 05EventResetDispatch.sr  (* slapd match rule
> above)
> Regexp application in 2.8e-05s
>   (* jump has occurred as expected)
> Applying rule: 0 from 99zzend.sr
> Regexp application in 2e-05s
> Writing event 'triggered 99zzend.sr foo.example.com slapd[2345]:
> lslsls' to file -
> triggered 99zzend.sr foo.example.com slapd[2345]: lslsls
> 
>  (* now it looks like it is going through all the rest of the rule
>     files in order.)
> 
> Applying rule: 0 from 10timestamp.sr
> Applying rule: 0 from 11suppressFlood.sr
> Applying rule: 1 from 11suppressFlood.sr
> Tvalue application true in 1.3e-05s
> Creating context 'EVENT_PROCESSED'
> Applying rule: 2 from 11suppressFlood.sr
> Applying rule: 3 from 11suppressFlood.sr
> Applying rule: 4 from 11suppressFlood.sr
> Applying rule: 5 from 11suppressFlood.sr
> Applying rule: 6 from 11suppressFlood.sr
> Applying rule: 7 from 11suppressFlood.sr
> Applying rule: 8 from 11suppressFlood.sr
> Applying rule: 9 from 11suppressFlood.sr
> Applying rule: 10 from 11suppressFlood.sr
> Applying rule: 11 from 11suppressFlood.sr
> Creating context 'unparsed_event'
> Applying rule: 12 from 11suppressFlood.sr
> Regexp application in 2.2e-05s
> Writing event 'foo.renesys.com slapd[2345]: lslsls' to file Unparsed
> Deleting context 'unparsed_event'
> Context 'unparsed_event' deleted
> Applying rule: 13 from 11suppressFlood.sr
> Tvalue application true in 1.3e-05s
> Deleting context 'EVENT_PROCESSED'
> Context 'EVENT_PROCESSED' deleted
> Applying rule: 0 from 14slapd.sr
> [...]
> Applying rule: 0 from 31postgres.sr
> Applying rule: 0 from 50mfs.sr
> Applying rule: 0 from 70misc_filter.sr
> Tvalue application true in 1.2e-05s
> Applying rule: 0 from 99rules_reset.sr
> Tvalue application true in 1.1e-05s
> Deleting context 'EVENT_PROCESSED'
> Context 'EVENT_PROCESSED' deleted
> 
> and that ends the event processing.
> 
> From sec.dump right after this the only item in the buffer is:
> 
> foo.example.com slapd[2345]: lslsls
> 
> I don't see any cfset definitions in the dump file but I am not sure
> if I should.
> 
> If I change ruleset 99zzend so the options rule uses procallin=yes,
> then I see the 99zzend.sr ruleset processed twice, once in the jump
> sequence and once after 99rules_reset.sr. So that is working as
> expected.
> 
> For some reason I thought the jump rule replaced the standard file
> sequence, but that appears to not be the case.
> 
> Is my option here to add
> 
>    joincfset = standard
>    procallin = no
> 
> to all of the rest of my rulesets and add a catchall rule in ruleset 5
> to jump to cfset standard so there are no "all" processing rules?
> 
> --
>                               -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my opinions.
> 
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
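The traversal John describes, modelled in Python as an added illustration (this is not SEC's own code, and the model is a deliberate simplification of SEC 2.6 semantics as assumed from the thread): a Jump rule with continue=DontCont runs the cfset's files and then ends only the current rule file, so the main pass still visits every file loaded with procallin=yes. The second layout is the arrangement John proposes at the end of his message, with the standard files joined to a cfset named "standard" and reached only through a catch-all Jump.

```python
import re
from dataclasses import dataclass

@dataclass
class Rule:
    desc: str
    pattern: str = ".*"      # regexp tested against the event
    cont: str = "TakeNext"   # TakeNext or DontCont
    jump_to: str = ""        # cfset name; non-empty makes this a Jump rule

@dataclass
class RuleFile:
    name: str
    rules: list
    procallin: bool = True   # procallin=no: reached only through a Jump
    cfsets: tuple = ()       # joincfset memberships

class Dispatcher:
    """Simplified model of SEC's per-event rule-file walk (assumption)."""
    def __init__(self, files):
        self.files, self.cfsets = files, {}
        for f in files:
            for c in f.cfsets:
                self.cfsets.setdefault(c, []).append(f)

    def _apply(self, f, event, trace):
        for i, r in enumerate(f.rules):
            if not re.search(r.pattern, event):
                continue
            trace.append(f"{f.name}:{i} {r.desc}")
            for g in self.cfsets.get(r.jump_to, []):  # Jump: run the cfset files
                self._apply(g, event, trace)
            if r.cont == "DontCont":                  # ends this file only
                return

    def process(self, event):
        trace = []
        for f in self.files:   # main pass visits every procallin=yes file
            if f.procallin:
                self._apply(f, event, trace)
        return trace

SLAPD = r"\.example\.com slapd\[[0-9]+\]:"
END = RuleFile("99zzend.sr", [Rule("log end")], procallin=False, cfsets=("END",))
SKIP = Rule("skip slapd", SLAPD, "DontCont", "END")

def thread_layout():   # as posted: 10* and 11* are ordinary procallin=yes files
    return Dispatcher([RuleFile("05EventResetDispatch.sr", [SKIP]),
                       RuleFile("10timestamp.sr", [Rule("ts")]),
                       RuleFile("11suppressFlood.sr", [Rule("flood")]), END])

def proposed_layout():   # proposal: standard files only reachable via cfset 'standard'
    catch = Rule("catch-all", ".*", "DontCont", "standard")
    return Dispatcher([RuleFile("05EventResetDispatch.sr", [SKIP, catch]),
                       RuleFile("10timestamp.sr", [Rule("ts")], False, ("standard",)),
                       RuleFile("11suppressFlood.sr", [Rule("flood")], False, ("standard",)), END])
```

In the posted layout the slapd event reaches 10timestamp.sr and 11suppressFlood.sr after the jump, reproducing the trace above; in the proposed layout it stops after 99zzend.sr while other events still flow through the standard files.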
