On 02/07/2013 01:28 PM, David Lang wrote:
> On Thu, 7 Feb 2013, Risto Vaarandi wrote:
>
>>
>> I am actually also thinking of reusing the already existing 'spawn'
>> action for arbitrary command lines. One very common approach of using
>> 'spawn' has been to start a command line with it which is reading its
>> input through a named pipe. In other parts of the ruleset, the 'write'
>> action can then be used to write into this particular named pipe. This
>> will drop the need for distinguishing command lines from each other and
>> having handles for them, since the filename of the named pipe provides a
>> natural unique identifier.
>>
>> In the current version, there has been one issue related to using
>> 'spawn' in the above way -- since 'write' opens and closes the named
>> pipe at each write operation, a process listening to the pipe will see
>> EOF after each event and could terminate (this will happen to many
>> common tools like 'logger' or 'cat'). However, if the 'write' action
>> would keep the pipe constantly open, many unix command line tools would
>> not need such frequent restarting.
>
> This can work, but unless SEC also creates the named pipe, it seems like there
> are more steps needed to set it up than should be needed.

Well, actually the difference is not that big, since the named pipe can 
be set up very easily with the 'mkfifo' tool. In shell, this can be done 
with:

  mkfifo pipe; logger -t test -p user.info < pipe

The nameless pipe equivalent is of course shorter
(|logger -t test -p user.info), but with longer command lines the
difference is probably not that big.

kind regards,
risto
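
The EOF behaviour discussed in this thread, as an added example that is not part of the original messages and is not SEC code: it counts how often a FIFO reader has to be started to receive N events when the writer reopens the pipe for every event versus holding it open. The function name `reader_starts` is hypothetical, and `cat` stands in for `logger` so the delivered lines can be counted in a file.

```shell
#!/bin/sh
# Added example: how many times must a FIFO reader be started to receive
# N events, depending on how the writer handles the pipe?
# 'cat' stands in for 'logger' so the output can be captured in a file.

# reader_starts MODE N   (hypothetical helper)
#   MODE=reopen : writer opens and closes the FIFO for every event
#   MODE=keep   : writer opens the FIFO once and keeps it open
# Prints "<reader starts> <events delivered>".
reader_starts() {
    mode=$1; n=$2
    dir=$(mktemp -d) || return 1
    fifo=$dir/pipe; out=$dir/out
    mkfifo -m 600 "$fifo"   # owner-only: anyone able to write here could inject events
    : > "$out"
    starts=0; i=1

    if [ "$mode" = reopen ]; then
        while [ "$i" -le "$n" ]; do
            cat "$fifo" >> "$out" &      # reader has to be (re)started
            starts=$((starts + 1))
            echo "event $i" > "$fifo"    # open, write, close: reader sees EOF
            wait $!                      # reader exits after this single event
            i=$((i + 1))
        done
    else
        cat "$fifo" >> "$out" &
        pid=$!
        starts=1
        exec 3> "$fifo"                  # open once and hold the descriptor
        while [ "$i" -le "$n" ]; do
            echo "event $i" >&3
            i=$((i + 1))
        done
        exec 3>&-                        # closing at shutdown is the only EOF
        wait "$pid"
    fi

    delivered=$(wc -l < "$out" | tr -d ' ')
    rm -rf "$dir"
    echo "$starts $delivered"
}

reader_starts reopen 3    # 3 3
reader_starts keep 3      # 1 3
```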
