On 09/14/2012 12:25 AM, John P. Rouillard wrote:
>
> Hi all:
>
> I have the following setup:
>
> ruleset 01 does some processing
>
> ruleset 05 has a jump rule in it that jumps to the END cf set
>
>    (rules to spit out new event and clear some contexts)
>
>    type= jump
>    continue = dontcont
>    desc= Skip all processing for slapd
>    ptype= regexp
>    pattern= \.example\.com slapd\[[0-9]+\]:
>    cfset = END
>
> ruleset 10, 15, 30....99reset are the additional rules that I expect
> the jump to skip for the matching event.
>
> ruleset 99zzend adds the ruleset to the END cfset.
>
>    type = options
>    joincfset = END
>    procallin = no
>
>    type = single
>    desc = log
>    ptype = regexp
>    pattern = .*
>    action = write - triggered 99zzend.sr $0
>
> What I am expecting for an input line of:
>
>    foo.example.com slapd[2345]: something
>
> is to take the jump rule, branch to 99zzend and stop processing that
> event. But what I am seeing (from an instrumented version of SEC
> 2.6.2) is:
>
> Added line foo.example.com slapd[2345]: lslsls from input as new event
> Applying rule: 0 from 01control.sr
> Tvalue application true in 1.7e-05s
> Applying rule: 0 from 05EventResetDispatch.sr
>      (*log new event to stdout rule
> Applying rule: 1 from 05EventResetDispatch.sr
> Regexp application in 3.1e-05s
> Writing event 'new event foo.example.com slapd[2345]: lslsls' to file -
>   (* logged devent to stdout stdout)
> new event foo.example.com slapd[2345]: lslsls
> Applying rule: 2 from 05EventResetDispatch.sr  (* slapd match rule above)
> Regexp application in 2.8e-05s
>    (* jump has occurred as expected)
> Applying rule: 0 from 99zzend.sr
> Regexp application in 2e-05s
> Writing event 'triggered 99zzend.sr foo.example.com slapd[2345]: lslsls' to 
> file -
> triggered 99zzend.sr foo.example.com slapd[2345]: lslsls
>
>   (* now it looks like it is going through all the rest of the rule
>      files in order.)
>
> Applying rule: 0 from 10timestamp.sr
> Applying rule: 0 from 11suppressFlood.sr
> Applying rule: 1 from 11suppressFlood.sr
> Tvalue application true in 1.3e-05s
> Creating context 'EVENT_PROCESSED'
> Applying rule: 2 from 11suppressFlood.sr
> Applying rule: 3 from 11suppressFlood.sr
> Applying rule: 4 from 11suppressFlood.sr
> Applying rule: 5 from 11suppressFlood.sr
> Applying rule: 6 from 11suppressFlood.sr
> Applying rule: 7 from 11suppressFlood.sr
> Applying rule: 8 from 11suppressFlood.sr
> Applying rule: 9 from 11suppressFlood.sr
> Applying rule: 10 from 11suppressFlood.sr
> Applying rule: 11 from 11suppressFlood.sr
> Creating context 'unparsed_event'
> Applying rule: 12 from 11suppressFlood.sr
> Regexp application in 2.2e-05s
> Writing event 'foo.renesys.com slapd[2345]: lslsls' to file Unparsed
> Deleting context 'unparsed_event'
> Context 'unparsed_event' deleted
> Applying rule: 13 from 11suppressFlood.sr
> Tvalue application true in 1.3e-05s
> Deleting context 'EVENT_PROCESSED'
> Context 'EVENT_PROCESSED' deleted
> Applying rule: 0 from 14slapd.sr
> [...]
> Applying rule: 0 from 31postgres.sr
> Applying rule: 0 from 50mfs.sr
> Applying rule: 0 from 70misc_filter.sr
> Tvalue application true in 1.2e-05s
> Applying rule: 0 from 99rules_reset.sr
> Tvalue application true in 1.1e-05s
> Deleting context 'EVENT_PROCESSED'
> Context 'EVENT_PROCESSED' deleted
>
> and that ends the event processing.
>
> From sec.dump right after this the only item in the buffer is:
>
> foo.example.com slapd[2345]: lslsls
>
> I don't see any cfset definitions in the dump file but I am not sure
> if I should.
>
> If I change ruleset 99zzend so the options rule uses procallin=yes,
> then I see the 99zzend.sr ruleset processed twice, once in the jump
> sequence and once after 99rules_reset.sr. So that is working as
> expected.
>
> For some reason I thought the jump rule replaced the standard file
> sequence, but that appears to not be the case.
>
> Is my option here to add
>
>     joincfset = standard
>     procallin = no
>
> to all of the rest of my rulesets and add a catchall rule in ruleset 5
> to jump to cfset standard so there are no "all" processing rules?

That's correct. If no Jump and Options are used at all, SEC's default 
behavior is to submit the event for processing to all rule files (of 
course, in the beginning of each file there can be a rule for disabling 
any further processing).
The meaning of the procallin=no statement within an Options rule is to 
switch off this default behavior, and to accept input events through 
Jump-rules only. If the procallin=no option is not given for a rule file, 
SEC will submit an event for processing to this file (even if processing 
has been previously redirected into it with Jump). Also, it is possible 
to join several files under the same cfset, and in this case a Jump to 
this cfset will actually submit the event for processing to all files in the cfset.
with kind regards,
risto

>
> --
>                               -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my opinions.
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>


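As an added illustration (a model written for this page, not SEC's own code), here is a small Python simulation of the dispatch behaviour described in the reply: by default every rule file receives the event, a Jump submits it to every file joined to the named cfset, and a file with procallin=no is entered only through a Jump. The rule files from the thread are reduced to their names, the files are assumed to be loaded in sorted name order, a Jump with continue=DontCont is assumed to stop matching only within the current file, and the two sample events are constructed.

```python
"""Model of SEC rule-file dispatch: default submission to every file, Jump into a
cfset, and the Options fields procallin / joincfset. Assumptions are noted inline."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    desc: str
    pattern: Optional[str] = None   # regexp; None stands for a catch-all '.*' rule
    jump_to: Optional[str] = None   # Jump rule: name of the target cfset
    take_next: bool = False         # continue=TakeNext; False models DontCont


@dataclass
class RuleFile:
    name: str
    rules: list
    procallin: bool = True          # Options procallin=yes is SEC's default
    cfsets: set = field(default_factory=set)  # Options joincfset=...


class Dispatcher:
    """Files are kept in load order (assumed: sorted file names)."""

    def __init__(self, files):
        self.files = files

    def cfset(self, name):
        return [f for f in self.files if name in f.cfsets]

    def process(self, event):
        """Return the names of the rule files entered for `event`, in order."""
        trace = []
        # Default behaviour: the event is submitted to every file, except those that
        # opted out with procallin=no and therefore accept events only via Jump.
        for f in self.files:
            if f.procallin:
                self._run_file(f, event, trace)
        return trace

    def _run_file(self, f, event, trace):
        trace.append(f.name)
        for rule in f.rules:
            if rule.pattern is not None and not re.search(rule.pattern, event):
                continue
            if rule.jump_to is not None:
                # Jump submits the event to every file joined to the cfset; it does
                # not end the default loop in process(). DontCont only stops matching
                # the remaining rules of this file, which is what the thread observed.
                for target in self.cfset(rule.jump_to):
                    self._run_file(target, event, trace)
                if not rule.take_next:
                    return


SLAPD = r"\.example\.com slapd\[[0-9]+\]:"   # the thread's jump pattern


def build(zzend_procallin, fixed):
    """zzend_procallin models the Options procallin value in 99zzend.sr.
    fixed=True applies the proposed change: joincfset=standard / procallin=no on
    the remaining files plus a catch-all Jump to cfset 'standard' in ruleset 05."""
    dispatch = [Rule("log new event"), Rule("skip slapd", SLAPD, jump_to="END")]
    if fixed:
        dispatch.append(Rule("everything else", jump_to="standard"))
    std = dict(procallin=not fixed, cfsets={"standard"} if fixed else set())
    return Dispatcher([
        RuleFile("01control.sr", [Rule("control")]),
        RuleFile("05EventResetDispatch.sr", dispatch),
        RuleFile("10timestamp.sr", [Rule("timestamp")], **std),
        RuleFile("11suppressFlood.sr", [Rule("flood")], **std),
        RuleFile("99rules_reset.sr", [Rule("reset")], **std),
        RuleFile("99zzend.sr", [Rule("log")], procallin=zzend_procallin, cfsets={"END"}),
    ])


# Constructed sample events: the thread's slapd line and a non-slapd line.
SLAPD_EVENT = "foo.example.com slapd[2345]: lslsls"
OTHER_EVENT = "foo.example.com sshd[777]: accepted"

if __name__ == "__main__":
    for label, sec in [("original, procallin=no ", build(False, False)),
                       ("original, procallin=yes", build(True, False)),
                       ("fixed                  ", build(False, True))]:
        print(label, "slapd:", sec.process(SLAPD_EVENT))
        print(label, "other:", sec.process(OTHER_EVENT))
```

Run as a script, the first scenario reproduces the trace quoted in the thread (99zzend.sr entered via the Jump, then 10timestamp.sr onwards still processed by the default loop), the second enters 99zzend.sr a second time after 99rules_reset.sr, and the fixed scenario sends the slapd event only to 01, 05 and 99zzend.sr while every other event is routed through the 'standard' cfset from the catch-all Jump.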