hi Jaren,
since the scheme you have seems to be a bit more complex, it is likely that
you would need to have several longer Perl functions to create and modify a
number of data structures. Therefore, I would recommend setting up a Perl
module which contains all your custom code. Defining longer Perl code
within sec rules might become cumbersome, and factoring the code out into a
separate module is definitely a cleaner approach.
As for the performance of custom Perl code (be it defined entirely within
sec rules or in a separate module), the code is compiled when sec starts
up, and therefore runs as fast as sec itself. If you would like to measure
its performance, you can easily instrument your code. Here I would
recommend looking into dedicated Perl modules which offer such
functionality, for example http://perldoc.perl.org/Benchmark.html.
Below you can find a simple example of a Perl module that contains some
code for sec:
### The content of the /home/risto/SecModule.pm
### this module exports the build_ip_table() function and %ipaddr hash table
package SecModule;

use strict;
use warnings;

require Exporter;

our @ISA = qw(Exporter);
our $VERSION = 1.00;
our @EXPORT_OK = qw(build_ip_table %ipaddr);

our %ipaddr;

sub build_ip_table {
  %ipaddr = ();
  $ipaddr{"192.168.1.1"} = 1;
  $ipaddr{"10.1.1.1"} = 1;
}

1;
### end of the module
And here are example sec rules which harness this code:
# This rule attempts to load the SecModule module when sec starts,
# and calls exit(1) if the module is not found
type=Single
ptype=SubStr
pattern=SEC_STARTUP
context=SEC_INTERNAL_EVENT
continue=TakeNext
desc=Load the SecModule module and terminate if it is not found
action=eval %ret (require "/home/risto/SecModule.pm"); \
if %ret ( logonly SecModule loaded ) else ( eval %o exit(1) )

# initialize the %ipaddr hash table at sec startup, on the reception
# of SIGHUP signal, or on the reception of SIGABRT signal
type=Single
ptype=RegExp
pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
context=SEC_INTERNAL_EVENT
desc=create IP address table
action=lcall %o -> ( sub { SecModule::build_ip_table() } )

# add the IP address to the %ipaddr hash table if the string
# "addIP: <ipaddress>" is seen in input
type=Single
ptype=RegExp
pattern=addIP: ([\d.]+)
desc=add IP address $1 to IP table
action=lcall %o $1 -> ( sub { $SecModule::ipaddr{$_[0]} = 1 } )

# when a string "event for IP <ipaddress>" is seen in input and
# the IP address appears in the %ipaddr hash table, write
# a notification to standard output
type=Single
ptype=RegExp
pattern=event for IP ([\d.]+)
context=$1 -> ( sub { exists $SecModule::ipaddr{$_[0]} } )
desc=Event received for IP address $1 that is in the IP table
action=write - %s
The first rule loads the SecModule.pm module, while the second rule employs
the build_ip_table() function from this module for initializing the %ipaddr
hash table. Initializing means deleting all previous content from the hash
table, and creating two entries 192.168.1.1 and 10.1.1.1. Since the
SecModule.pm imports the %ipaddr hash table, it can be directly accessed
from sec rules, and the third and fourth rule illustrate this. The third
rule adds a new IP address entry into the %ipaddr hash table, while the
fourth rule produces a notification for an input event if its IP address is
found in the hash table.
Hopefully this example illustrates how to create and harness a Perl module
from sec, and how to define interfaces between sec and an external module.
Also, if you are interested in more detailed information about modules,
have a look into Perl official documentation:
http://perldoc.perl.org/perlmod.html
kind regards,
risto
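Here, as an added example that is not part of this thread, is a module written in the same style as SecModule.pm, but generalised to the case discussed earlier in the thread of loading lists from text files: the module name SecListModule and the functions load_list(), in_list() and add_to_list() are hypothetical, not part of sec, and a failed reload keeps the previously loaded list instead of emptying it.

```perl
### SecListModule.pm (hypothetical name): keeps named lists loaded from text
### files in Perl hashes, so that sec rules only call small exported functions
package SecListModule;
use strict;
use warnings;
require Exporter;
our @ISA       = qw(Exporter);
our @EXPORT_OK = qw(load_list in_list add_to_list);
# one hash per named list, e.g. $lists{url} or $lists{ip}
my %lists;

# load_list($name, $path): (re)build list $name from $path, one entry per
# line; blank lines and '#' comments are skipped. Returns the entry count, or
# undef (with a warning on stderr) if the file cannot be opened, in which case
# the previously loaded content of the list is kept.
sub load_list {
    my ($name, $path) = @_;
    open(my $fh, '<', $path) or do {
        warn "SecListModule: cannot open $path: $!\n";
        return;
    };
    my %new;
    while (my $line = <$fh>) {
        chomp $line;
        $line =~ s/^\s+|\s+$//g;               # trim surrounding whitespace
        next if $line eq '' || $line =~ /^#/;
        $new{$line} = 1;
    }
    close($fh);
    $lists{$name} = \%new;
    return scalar keys %new;
}
# in_list($name, $key): true if $key is in list $name; the first test avoids
# autovivifying an empty list when $name was never loaded
sub in_list {
    my ($name, $key) = @_;
    return exists $lists{$name} && exists $lists{$name}{$key};
}
# add_to_list($name, $key): add one entry at run time, e.g. from a rule match
sub add_to_list {
    my ($name, $key) = @_;
    $lists{$name}{$key} = 1;
    return 1;
}
# Example sec rule fragments calling the module once it has been loaded with
# require, as in the first rule of the message above:
#   action=lcall %o -> ( sub { SecListModule::load_list("url", "/etc/sec/url.txt") } )
#   context=$1 -> ( sub { SecListModule::in_list("url", $_[0]) } )
1;
```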
2016-04-15 16:06 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
> Hi,
>
> The idea that you gave to meet it is good but I have some files.
> I made a schema of the scene that I have. I don't know which option is the
> best to get the goal or the best for the system performance. Another doubt
> that I have: is there something to analyze the performance of the sec library?
>
>
>
> Thank you!!!. Regards.
>
>
> ---------- Forwarded message ----------
> From: Risto Vaarandi <risto.vaara...@gmail.com>
> Date: 2016-04-14 18:42 GMT+02:00
> Subject: Re: Create and load library with SEC
> To: Jaren Peich <burkol...@gmail.com>,
> simple-evcorr-users@lists.sourceforge.net
>
>
> hi Jaren,
> if you would like to load a list of interesting URLs from an external file
> into memory and use this information for matching incoming events, this can
> be indeed done with a Perl hash that holds the data. Here is a simple
> example which illustrates this concept.
>
> Suppose you have a url file called /etc/sec/url.txt which contains the
> following lines:
>
> http://www.example.com
> http://www.mydomain
>
> Also suppose you have the following two rules:
>
> type=Single
> ptype=RegExp
> pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
> context=SEC_INTERNAL_EVENT
> desc=Initialize the %url hash table
> action=lcall %o -> ( sub { if (!open(URL, "/etc/sec/url.txt")) { return; } \
> my(@url) = <URL>; chomp(@url); close(URL); \
> %url = map { $_ => 1 } @url; } )
>
> type=Single
> ptype=RegExp
> pattern=URL (\S+) was accessed
> context=$1 -> ( sub { exists $url{$_[0]} } )
> desc=Check if URL $1 is interesting
> action=write - Interesting URL $1 has been observed
>
> The first rule loads the content of the url file into memory, so that each
> url becomes a key in the Perl hash table %url. The content of the url file
> is loaded when sec starts up, or receives either a HUP or ABRT signal
> (these signals are used for doing a full restart and soft restart of sec).
>
> The second rule matches any line which has the format URL <url> was
> accessed. The url part is extracted from the line, and the context expression
> $1 -> ( sub { exists $url{$_[0]} } )
> looks up the %url hash table for the presence of this url. If the url is
> found in the table, the context expression evaluates true, and the event
> matches the rule.
>
> When you start up sec with the command line
> sec --conf=hash-example.sec --intevents --input=-
>
> and type in the following line
> URL http://www.example.com was accessed
>
> the string "Interesting URL http://www.example.com has been observed" is
> echoed to standard output.
>
> Hopefully this example is helpful,
> risto
>
>
>
> 2016-04-14 11:32 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
>
>> Hi,
>>
>> The main problem is that I have to parse url with some logs from various
>> txt files. I want to load in hash table at the beginning and then use it
>> through various sec rules files. I thought to create a "module" which load
>> lists in memory and then use it only variables to access it pointing the
>> files.
>>
>> Thank you. Regards.
>>
>>
>> 2016-04-11 17:39 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>>
>>> hi Jaren,
>>> if you want to have variables which are set during run time and which
>>> have the global scope across all rule files, you can harness sec action
>>> list variables for this purpose. For example, suppose you have the
>>> following two rule files test-a.rules and test-b.rules:
>>>
>>> # test-a.rules
>>> #
>>> type=Single
>>> ptype=RegExp
>>> pattern=test1: (\S+)
>>> desc=set action list variable mytest
>>> action=assign %mytest $1
>>>
>>> # test-b.rules
>>> #
>>> type=Single
>>> ptype=SubStr
>>> pattern=test2
>>> desc=echo action list variable mytest
>>> action=write - %mytest
>>>
>>> Also, suppose sec is started with the command line:
>>> sec --conf=test-*.rules --input=-
>>> and gets all its input events from standard input.
>>>
>>> If a line "test1: myvalue" is typed in, this event will set action list
>>> variable %mytest to "myvalue", while typing in "test2" will print the
>>> current value of %mytest.
>>>
>>> I am not sure if action list variables help you to accomplish the thing
>>> you want to do, but hopefully the above simplistic example helps to clarify
>>> how they could be harnessed.
>>>
>>> However, action list variables can be set and accessed only during
>>> runtime. If you are looking for macros that would be evaluated during rule
>>> file parsing phase, there is currently no support for this in sec itself,
>>> but you have to rely on external packages (like m4).
>>>
>>> kind regards,
>>> risto
>>>
>>>
>>> 2016-04-11 12:37 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
>>>
>>>> I add: is it possible to create global variables for all sec files?
>>>>
>>>>
>>>> Thank you. Regards.
>>>>
>>>> 2016-04-11 11:35 GMT+02:00 Jaren Peich <burkol...@gmail.com>:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have to read some files from specific text files in some sec alert
>>>>> files and I want to create a library which loads these files in a perl hash
>>>>> table or an array. Also I want to create in this library methods to read
>>>>> or search strings from the files loaded or create a tag to point the content
>>>>> of the files to be used in all of sec files. Is it possible to do this?
>>>>> I'm quite lost.
>>>>>
>>>>>
>>>>> Thanks for your help. Regards.