hi Leonard,

are you having roughly the following configuration in main.sec

type=Jump
ptype=RegExp
pattern=sshd\[\d+\]:
cfset=sshd-rules

type=Single
ptype=RegExp
pattern=sshd\[\d+\]:
desc=sshd event has been observed
action=write - %s

and you want the second rule to match if no rule in configuration file set
'sshd-rules' has matched? If so, then you could set a context which
indicates there was a match in 'sshd-rules', and main.sec could be modified
as follows:

type=Single
ptype=TValue
pattern=true
context=SSHD_RULES_MATCHED
continue=TakeNext
desc=drop the SSHD_RULES_MATCHED context
action=delete SSHD_RULES_MATCHED

type=Jump
ptype=RegExp
pattern=sshd\[\d+\]:
continue=TakeNext
cfset=sshd-rules

type=Single
ptype=RegExp
pattern=sshd\[\d+\]:
context=!SSHD_RULES_MATCHED
desc=sshd event has been observed which was not matched by rules in sshd-rules cfset
action=write - %s


In the sshd-rules cfset, the SSHD_RULES_MATCHED context should be created for
each match. For example, here is an example sshd.sec file which is part of
the sshd-rules configuration file set:

type=Options
procallin=no
joincfset=sshd-rules

type=Single
ptype=Substr
pattern=test
desc=a matching test event has been seen
action=create SSHD_RULES_MATCHED


As John already mentioned, using Jump rules for redirecting rule processing
back to the upper layers in the cfset hierarchy is generally a bad idea. On
one hand, sec implements basic loop detection and quits the processing of the
event when it sees a cfset label already observed during past jumps.
However, with large rule bases it might take many unnecessary steps before
you reach a previously visited cfset, and thus a lot of unwanted load will be
imposed on the CPU.

kind regards,
risto


Hope this helps,
risto

2015-04-06 21:05 GMT+03:00 Leonard Lawton <leonard.law...@gmail.com>:

> After a jump rule is matched in the "main" sec configuration, but does
> not match any rules in the included config where the join-cfset is
> located, how can I continue processing that rule in the "main" config?
>
>
> ------------------------------------------------------------------------------
> BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
> Develop your own process in accordance with the BPMN 2 standard
> Learn Process modeling best practices with Bonita BPM through live
> exercises
> http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual-
> event?utm_
> source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
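The rule flow described in the reply above, modelled in Python as an added example (it is not part of the original message and is not SEC's own code). The function names and the sample log lines are constructed for illustration; only the patterns, context name and desc strings come from the rules in the message.

```python
import re

SSHD = re.compile(r"sshd\[\d+\]:")  # pattern shared by the Jump and fallback rules
CTX = "SSHD_RULES_MATCHED"
FALLBACK = "sshd event has been observed which was not matched by rules in sshd-rules cfset"

def sshd_rules(line, contexts):
    """Model of sshd.sec (cfset sshd-rules): Substr 'test' creates the context."""
    if "test" in line:
        contexts.add(CTX)
        return "a matching test event has been seen"
    return None

def process_event(line, contexts):
    """Model of one input line passing through the modified main.sec.
    Returns the desc strings of the rules that matched, in order."""
    fired = []
    # Rule 1: TValue with context=SSHD_RULES_MATCHED, continue=TakeNext.
    # Clears the marker left behind by the previous event.
    if CTX in contexts:
        contexts.discard(CTX)
        fired.append("drop the SSHD_RULES_MATCHED context")
    if SSHD.search(line):
        # Rule 2: Jump into sshd-rules; continue=TakeNext lets rule 3 run afterwards.
        desc = sshd_rules(line, contexts)
        if desc:
            fired.append(desc)
        # Rule 3: context=!SSHD_RULES_MATCHED, fires only if the cfset stayed silent.
        if CTX not in contexts:
            fired.append(FALLBACK)
    return fired

# Constructed sample input (not real log data).
SAMPLE = [
    "Apr  6 21:00:01 host sshd[1234]: test login probe",
    "Apr  6 21:00:02 host sshd[1234]: Connection closed by 192.0.2.10",
    "Apr  6 21:00:03 host cron[99]: test job",  # procallin=no: sshd.sec never sees it
]

def run(lines):
    contexts = set()  # SEC contexts persist from one event to the next
    return [process_event(line, contexts) for line in lines]

if __name__ == "__main__":
    for line, fired in zip(SAMPLE, run(SAMPLE)):
        print(line, "->", fired)
```

The second line shows why the first rule is needed: without it, the context created by the first event would still exist and would suppress the fallback rule.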