hi Jaren,
variables of the Cached pattern (created previously with 'varmap'
statement) are treated like regular match variables, and therefore the
following definition you have is valid:

context= $+{url} -> (sub { SecBlacklist::contieneElemento($_[0])==1} )

However, since the 2.6.2 version is fairly old, it doesn't support the :>
operator in context expressions, so the definitions

context= alert :> (sub { SecBlacklist::contieneElemento($_[0]->{'url'})==1} )
context= alertParam :> (sub { SecBlacklist::contieneElemento($_[0]->{'url'})==1} )

do not work. In order to use them, you need to install sec-2.7.X. Also,
since alertParam is not the name of the cache entry created with 'varmap',
the definition

context= alertParam :> (sub { SecBlacklist::contieneElemento($_[0]->{'url'})==1} )

wouldn't work for 2.7.X, but you would need to use the name of an existing
pattern match cache entry.

Also, I spotted the following rule in your configuration:

type    = Single
continue= TakeNext
desc    = -
ptype = Cached
pattern = SEC_STARTUP|SEC_RESTART()
action  = assign %category_Alert (Log); \
          assign %summary_Alert (Alert: Blacklist);

The parentheses seem to be misaligned in the 'pattern' field, and also,
'ptype' is set to "Cached", although the pattern looks like a regular
expression. Have you checked this rule? It is likely to be incorrect and
might be one of the reasons the ruleset is not working properly.

kind regards,
risto





2016-04-29 15:14 GMT+03:00 Jaren Peich <burkol...@gmail.com>:

> Hi,
>
> I'm trying to validate a sec context with a perl function and writing an
> output message in a file using the assign variables in the string. I'm
> using SEC 2.6.2. Can I use the variable from the varmap or do I have to use
> the context to pass the variable through the sec context?
>
>
> ________________________________________________________________________________
>
> Perl function (this function searches whether "elemento" is part of a hash key).
>
> SecBlacklist.pm-->This file is loaded in the beginning and contains other
> functions.
>
> ________________________________________________________________________________
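> sub contieneElemento{
>     my ($elemento) = @_;
>     my $rep = 0;
>     # %ip is not defined in this excerpt
>     for my $key (keys %ip) {
>         # substring match: true if $elemento occurs anywhere in the key
>         if (index($key, $elemento) != -1) {
>             $rep = 1;
>         }
>     }
>     return $rep;
> }
> 1;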
>
> ________________________________________________________________________________
>
> The varmap alert is passed from other file with a Jump rule using a
> varmap. I want to pass the url parameter to the perl function to be the url
> validated in the method.
>
> rules.conf
>
> ________________________________________________________________________________
> #Varmap:
> type     = Jump
> ptype    = RegExp
> desc     = $0
> continue = Takenext
> pattern  = Url:(.*)\sClient:(.*)
> varmap   = alert;url=1;client_ip=2
> cfset=alertParam
>
>
> alert.conf
>
> ________________________________________________________________________________
> type      = Options
> joincfset = alertParam
> procallin = no
>
>
> type    = Single
> continue= TakeNext
> desc    = -
> ptype = Cached
> pattern = SEC_STARTUP|SEC_RESTART()
> action  = assign %category_Alert (Log); \
>           assign %summary_Alert (Alert: Blacklist);
>
>
>
> type    = Single
> ptype   = Cached
> desc    =ip_$+{client_ip}
> context= $+{url} -> (sub { SecBlacklist::contieneElemento($_[0])==1} )
> pattern = alert
> continue=TakeNext
> action = write C:\Alerts.log "Context OK!!!"
>
>
>
> I've read the manual and I also tried it like this:
>
> context= $+{url} -> (sub { SecBlacklist::contieneElemento($_[0])==1} )
>
> context= alert :> (sub { SecBlacklist::contieneElemento($_[0]->{'url'})==1} )
>
> context= alertParam :> (sub { SecBlacklist::contieneElemento($_[0]->{'url'})==1} )
>
>
> Thank you in advance, Risto!
>
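
The following stand-alone Perl sketch is an added example, not part of the original messages and not SEC's own code. It mimics what the function in the context expression receives under each operator discussed in the reply: with `->` the already substituted value of `$+{url}`, with `:>` a reference to the hash of the cache entry named in 'varmap'. The sample blacklist, the input line and the `%cache` stand-in for the pattern match cache are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

package SecBlacklist;
# Constructed sample blacklist; the real %ip is not shown in the thread.
our %ip = ('http://bad.example/login' => 1, 'http://evil.example/' => 1);

sub contieneElemento {
    my ($elemento) = @_;
    my $rep = 0;
    for my $key (keys %ip) {
        $rep = 1 if index($key, $elemento) != -1;
    }
    return $rep;
}

package main;

# Jump rule from the post: pattern = Url:(.*)\sClient:(.*)
#                          varmap  = alert;url=1;client_ip=2
my $line = 'Url:bad.example Client:192.0.2.10';   # constructed input line
my %cache;                                        # stand-in for the match cache
if (my @m = $line =~ /Url:(.*)\sClient:(.*)/) {
    $cache{alert} = { url => $m[0], client_ip => $m[1] };
}

# "->": the left-hand side is substituted first, the function gets a plain string
my $arrow = sub { SecBlacklist::contieneElemento($_[0]) == 1 };
# ":>": the function gets a reference to the hash of the named cache entry
my $colon = sub { SecBlacklist::contieneElemento($_[0]->{'url'}) == 1 };

print 'url -> : ',   ($arrow->($cache{alert}{url}) ? 'true' : 'false'), "\n";
print 'alert :> : ', ($colon->($cache{alert})      ? 'true' : 'false'), "\n";

# alertParam is the rule file set name (cfset), not an entry made by 'varmap'
print 'cache entry "alertParam" exists: ',
      (exists $cache{alertParam} ? 'yes' : 'no'), "\n";
```
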
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
