Hi, I tried this:
main.conf: type=Options joincfset=returnfromjumps procallin=no type=Jump ptype=RegExp pattern=ASA cfset=firewall-events label=returnfromjumpslabel ... join.conf type=Options procallin=no joincfset=firewall-events ... type=Jump ptype=RegExp pattern=.? cfset=returnfromjumps continue=goto returnfromjumpslabel But I get "label returnfromjumpslabel does not exist, assuming continue=DontCont" when restarting syslog. On 04/06/2015 11:35 AM, John P. Rouillard wrote: > Hello: > > In message <5522cad9.5020...@gmail.com>, > Leonard Lawton writes: >> After a jump rule is matched in the "main" sec configuration, but does >> not match any rules in the included config where the join-cfset is >> located, how can I continue processing that rule in the "main" config? > I think this would work: > > main.conf > type = options > joincfset = main > procallin = yes > > > [...] > > type = jump > [...] > cfset = join-cfset > > label = event_already_seen_by_above_rules > > join.conf > > # at end of file > > type = jump > [...] > cfset = main > continue = GOTO event_already_seen_by_above_rules > > I.E. make the main config file part of a cf set and make sure all > events will go through it. At the end of the join cf set add a jump > rule that will jump into the main config file after the rule that > redirected event processing to the join.conf file (hence the need for > label/goto label). > > If the jump rule at the end of join.conf is matched, the event wasn't > processed/consumed by any of the rules in that file.. Then the label > placed just after that rule in the main file will cause the jump to > the main cfset to bypass that rule and continue in the main file. > > A second way to do this would be to use a context on the main jump > rule and jump to the main config file from the join.conf file setting > a context that stops the main jump rule from matching again. You will > need to make sure the context is destroyed when the next event > arrives. > > Now having said this, I claim it is a *very* bad idea to do this. It > would be very easy to set up an infinite loop and stop all the > analysis. I always set up my rules so that they form a tree (well > simple digraph without loops) so I can be sure that any event will > always exit the analysis. > > SEC will not (and really can not) protect you if you set up loops. > > Good luck and wishing you a loop free ruleset. > > -- > -- rouilj > John Rouillard > =========================================================================== > My employers don't acknowledge my existence much less my opinions. > > ------------------------------------------------------------------------------ > BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT > Develop your own process in accordance with the BPMN 2 standard > Learn Process modeling best practices with Bonita BPM through live exercises > http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- event?utm_ > source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF > _______________________________________________ > Simple-evcorr-users mailing list > Simple-evcorr-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users ------------------------------------------------------------------------------ BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT Develop your own process in accordance with the BPMN 2 standard Learn Process modeling best practices with Bonita BPM through live exercises http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- event?utm_ source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF _______________________________________________ Simple-evcorr-users mailing list Simple-evcorr-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
