John, Thanks for the information. Is it possible to set %xx variables as part of a pattern return, or $n, or is that also just reserved for "action" statements?
For example... this code works, but I'd like to retain the node and class name, and send back to SEC for use by other rules. Any idea on how that would be accomplished?

This works... but how to retain node and class in $1 and $2, or %node_class ???

type=Single
continue=DontCont
ptype=perlfunc
pattern=sub { \
    my(@myLine) = (); \
    my($myNode) = "0"; \
    my($myClass)= "0"; \
    @myLine = split(/\s+::\s+/, $_[0]); \
    if (defined($myLine[1])) { $myNode = $myLine[1]; } \
    if (defined($myLine[2])) { $myClass = $myLine[2]; } \
    if ( exists $suppressTbl{$myNode}) \
    { if ($suppressTbl{$myNode} =~ /$myClass|0/i) { return 1; } } \
    return 0; \
    }
desc=NodeAndClassSuppress::$0
action=write /sec/log/sec.suppress.log %s

Thanks again for your help!

-----Original Message-----
From: John P. Rouillard [mailto:rou...@cs.umb.edu]
Sent: Friday, October 12, 2012 9:23 AM
To: simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users] Use Of lcall.

In message <eddf5556138a864f836192f6d101812a110c6...@fmsmsx104.amr.corp.intel.com>, "Boyles, Gary P" writes:
>Question on "lcall"...
>
>Is "lcall" a keyword for the action statement only (i.e. one of the
>action->list keywords)?

Yes.

>I tried to use it with pattern, and it doesn't seem to recognize it there.

To call perl from a pattern, I think you have to use a *perlfunc ptype.

Now that said, I believe:

if a rule run on startup does an:

    eval %f { sub fooble {do something;} }

I think the later use of:

    type = ...
    ptype = perlfunc
    pattern = sub ( &fooble (arg1, arg2) )

or some modification of that should work as all the user supplied functions are compiled into the same namespace IIRC.

Somebody who has done more work with the SEC/perl interface will no doubt have a better idea, or be able to prove I am talking foolishness.

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
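
Added example, not part of the original thread and not code from either poster: a SEC ruleset that defines a function in a startup eval, calls it from a perlfunc pattern, and relies on SEC's documented perlfunc behaviour that a returned list is assigned to $1, $2, ... Assumptions: SEC is started with --intevents; the table entries, the function name node_class_suppressed and the SUPPRESSED event text are made up for illustration.

```conf
# Constructed sample ruleset. No Perl comments inside the rules: '\' joins
# the lines, so a '#' would comment out everything that follows it.
# Table elements are assigned one by one to keep '%' out of the action,
# where it introduces action list variables.

# Rule 1: at startup, fill the table and define the shared function.
type=Single
ptype=SubStr
pattern=SEC_STARTUP
context=SEC_INTERNAL_EVENT
continue=TakeNext
desc=load suppress table and matching function
action=eval %o ( \
    $suppressTbl{"hostA"} = "disk"; \
    $suppressTbl{"hostB"} = "0"; \
    sub node_class_suppressed { \
        my (undef, $node, $class) = split(/\s+::\s+/, $_[0]); \
        $node  = "0" unless defined $node; \
        $class = "0" unless defined $class; \
        return () unless exists $suppressTbl{$node}; \
        return () unless $suppressTbl{$node} =~ /\Q$class\E|0/i; \
        return ($node, $class); \
    } )

# Rule 2: an empty list means no match; a two-element list matches and
# sets $1 (node) and $2 (class) for desc and action.
type=Single
continue=DontCont
ptype=PerlFunc
pattern=sub { return node_class_suppressed($_[0]); }
desc=NodeAndClassSuppress::$1::$2
action=write /sec/log/sec.suppress.log %s; \
       event 0 SUPPRESSED node=$1 class=$2

# Rule 3: any other rule can pick the values up from the synthetic event.
type=Single
ptype=RegExp
pattern=^SUPPRESSED node=(\S+) class=(\S+)$
desc=suppressed event for node $1, class $2
action=logonly
```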