hi Jaren,
if you would like to load a list of interesting URLs from an external file
into memory and use this information for matching incoming events, this can
be indeed done with a Perl hash that holds the data. Here is a simple
example which illustrates this concept.

Suppose you have a url file called /etc/sec/url.txt which contains the
following lines:

http://www.example.com
http://www.mydomain

Also suppose you have the following two rules:

type=Single
ptype=RegExp
pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
context=SEC_INTERNAL_EVENT
desc=Initialize the %url hash table
action=lcall %o -> ( sub { if (!open(URL, "/etc/sec/url.txt")) { return; } \
                     my(@url) = <URL>; chomp(@url); close(URL); \
                     %url = map { $_ => 1 } @url; } )

type=Single
ptype=RegExp
pattern=URL (\S+) was accessed
context=$1 -> ( sub { exists $url{$_[0]} } )
desc=Check if URL $1 is interesting
action=write - Interesting URL $1 has been observed

The first rule loads the content of the url file into memory, so that each
url becomes a key in the Perl hash table %url. The content of the url file
is loaded when sec starts up, or receives either a HUP or ABRT signal
(these signals are used for doing a full restart and soft restart of sec).

The second rule matches any line which has the format URL <url> was
accessed. The url part is extracted from the line, and the context
expression
$1 -> ( sub { exists $url{$_[0]} } )
looks up the %url hash table for the presence of this url. If the url is
found in the table, the context expression evaluates true, and the event
matches the rule.

When you start up sec with the command line
sec --conf=hash-example.sec --intevents --input=-

and type in the following line
URL http://www.example.com was accessed

the string "Interesting URL http://www.example.com has been observed" is
echoed to standard output.

Hopefully this example is helpful,
risto
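As an added example (not from Risto's message or from sec itself), here are the two embedded Perl subs written out as a stand-alone script so the hash lookup can be tried without running sec. The loader is a little more defensive than the one in the first rule: it trims whitespace and carriage returns, skips blank and comment lines, keeps the old table if the file cannot be opened, and returns how many entries it loaded, so an empty or missing list is visible instead of silently leaving %url empty. The path /tmp/url-example.txt and the event lines are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample list; in the rule this would be /etc/sec/url.txt.
my $urlfile = "/tmp/url-example.txt";
open(my $out, ">", $urlfile) or die "cannot write $urlfile: $!";
print $out "http://www.example.com\r\n";   # CRLF line ending, as from a Windows editor
print $out "\n";                           # blank line
print $out "# a comment line\n";
print $out "http://www.mydomain  \n";      # trailing whitespace
close($out);

our %url;

# Equivalent of the lcall in the first rule: (re)load the list into %url.
# Returns the number of entries loaded, or undef if the file could not be
# opened, in which case the previous contents of %url are left untouched.
sub load_urls {
    my ($path) = @_;
    open(my $fh, "<", $path) or return undef;
    my %new;
    while (my $line = <$fh>) {
        $line =~ s/^\s+|\s+$//g;           # strip surrounding whitespace, incl. \r
        next if $line eq "" || $line =~ /^#/;
        $new{$line} = 1;
    }
    close($fh);
    %url = %new;                           # swap in the new table only on success
    return scalar(keys %url);
}

# Equivalent of the context expression in the second rule.
sub interesting {
    my ($u) = @_;
    return exists $url{$u} ? 1 : 0;
}

# Equivalent of the second rule's pattern plus action.
sub handle_event {
    my ($event) = @_;
    if ($event =~ /URL (\S+) was accessed/ && interesting($1)) {
        return "Interesting URL $1 has been observed";
    }
    return undef;
}

my $n = load_urls($urlfile);
defined $n or die "could not load $urlfile: $!";
print "loaded $n urls\n";                  # prints: loaded 2 urls

# Constructed events: one on the list, one not, one in the wrong format.
for my $event ("URL http://www.example.com was accessed",
               "URL http://www.other.org was accessed",
               "something else entirely") {
    my $msg = handle_event($event);
    print defined $msg ? "$msg\n" : "no match: $event\n";
}

unlink $urlfile;
```

If you carry the stricter loader back into the sec rule, the return value of the lcall lands in %o, so a second action such as `write - loaded %o urls` can confirm on every startup or HUP that the list was actually read.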



2016-04-14 11:32 GMT+03:00 Jaren Peich <burkol...@gmail.com>:

> Hi,
>
> The main problem is that I have to parse URLs with some logs from various
> txt files. I want to load them in a hash table at the beginning and then use it
> through various sec rules files. I thought to create a "module" which loads
> lists in memory and then use it only variables to access it pointing the
> files.
>
> Thank you. Regards.
>
>
> 2016-04-11 17:39 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>
>> hi Jaren,
>> if you want to have variables which are set during run time and which
>> have the global scope across all rule files, you can harness sec action
>> list variables for this purpose. For example, suppose you have the
>> following two rule files test-a.rules and test-b.rules:
>>
>> # test-a.rules
>> #
>> type=Single
>> ptype=RegExp
>> pattern=test1: (\S+)
>> desc=set action list variable mytest
>> action=assign %mytest $1
>>
>> # test-b.rules
>> #
>> type=Single
>> ptype=SubStr
>> pattern=test2
>> desc=echo action list variable mytest
>> action=write - %mytest
>>
>> Also, suppose sec is started with the command line:
>> sec --conf=test-*.rules --input=-
>> and gets all its input events from standard input.
>>
>> If a line "test1: myvalue" is typed in, this event will set action list
>> variable %mytest to "myvalue", while typing in "test2" will print the
>> current value of %mytest.
>>
>> I am not sure if action list variables help you to accomplish the thing
>> you want to do, but hopefully the above simplistic example helps to clarify
>> how they could be harnessed.
>>
>> However, action list variables can be set and accessed only during
>> runtime. If you are looking for macros that would be evaluated during rule
>> file parsing phase, there is currently no support for this in sec itself,
>> but you have to rely on external packages (like m4).
>>
>> kind regards,
>> risto
>>
>>
>> 2016-04-11 12:37 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
>>
>>> I add is it possible to create global variables to all sec files?
>>>
>>>
>>> Thank you. Regards.
>>>
>>> 2016-04-11 11:35 GMT+02:00 Jaren Peich <burkol...@gmail.com>:
>>>
>>>> Hi,
>>>>
>>>> I have to read some files from specific text files in some sec alert
>>>> files and I want to create a library which loads these files in a Perl hash
>>>> table or an array. Also I want to create in this library methods to read or
>>>> search strings from the files loaded or create a tag to point the content
>>>> of the files to be used in all of sec files. Is it possible to do this? I'm
>>>> quite lost.
>>>>
>>>>
>>>> Thanks for your help. Regards.
>>>>
>>>>
>>>>
>>>
>>
>
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
