I loaded both rule files with the following command line using
sec-2.7.8:
sec --conf=iniLib.conf --conf=ruleFile.conf --intevents --input=-
When I started up sec with the above command line, all the assignments were
done, according to the sec debug log:
SEC (Simple Event Correlator) 2.7.8
Reading configuration from iniLib.conf
1 rules loaded from iniLib.conf
Reading configuration from ruleFile.conf
1 rules loaded from ruleFile.conf
No --bufsize command line option or --bufsize=0, setting --bufsize to 1
Opening input file -
Interactive process, SIGINT can't be used for changing the logging level
Creating SEC internal context 'SEC_INTERNAL_EVENT'
Creating SEC internal event 'SEC_STARTUP'
Creating event 'launAssig'
Deleting SEC internal context 'SEC_INTERNAL_EVENT'
Assigning 'Log' to variable '%category_Alert'
Assigning 'Alert' to variable '%summary_Alert'
Assigning 'M' to variable '%priority_Alert'
Assigning 'C' to variable '%typology_Alert'
Assigning 'Proxy' to variable '%subcategory_Alert'
Assigning 'Network' to variable '%asset_category_Alert'
Are you sure you have specified both rule files with the --conf option?
Also, have you used the --intevents command line option which forces the
generation of SEC_STARTUP and other internal events? If --intevents is not
given, these events are not created, and thus the second rule will not fire.
kind regards,
risto
2016-05-25 17:51 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
> Yes, it was wrong. Other stuff worked properly. Thank you Risto. :)
>
> I have another question about this.
>
> I'm trying to launch a couple of assign statements at startup from one file
> to another, and I can't.
>
> I have two files with some rules inside; the other rules worked properly,
> but when I try to launch this one it is impossible.
>
> File: iniLib.conf
> _____________________________________________________________________
>
> type=Single
> ptype=RegExp
> pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
> context=SEC_INTERNAL_EVENT
> continue=TakeNext
> desc=-
> action=event launAssig
>
>
> File: ruleFile.conf
> ____________________________________________________________________
>
> type = Single
> continue= TakeNext
> ptype=Substr
> pattern=launAssig
> desc = -
> action = assign %category_Alert (Log); \
> assign %summary_Alert (Alert); \
> assign %priority_Alert (M); \
> assign %typology_Alert (C); \
> assign %subcategory_Alert (Proxy); \
> assign %asset_category_Alert (Network);
>
> I've tried with the RegExp and Substr rule types, and the system launches the
> event, but the other rule is unable to find the event created and the second
> rule doesn't launch.
>
> Thank you again Risto. Regards.
>
>
>
>
>
> 2016-04-29 16:55 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>
>> hi Jaren,
>> variables of the Cached pattern (created previously with 'varmap'
>> statement) are treated like regular match variables, and therefore the
>> following definition you have is valid:
>>
>> context= $+{url} -> (sub { SecBlacklist::contieneElemento($_[0])==1} )
>>
>> However, since the 2.6.2 version is fairly old, it doesn't support the :>
>> operator in context expressions, so the definitions
>>
>> context= alert :> (sub {
>> SecBlacklist::contieneElemento($_[0]->{'url'})==1} )
>> context= alertParam :> (sub {
>> SecBlacklist::contieneElemento($_[0]->{'url'})==1} )
>>
>> do not work. In order to use them, you need to install sec-2.7.X. Also,
>> since alertParam is not the name of the cache entry created with 'varmap',
>> the definition
>>
>> context= alertParam :> (sub {
>> SecBlacklist::contieneElemento($_[0]->{'url'})==1} )
>>
>> wouldn't work for 2.7.X, but you would need to use the name of an
>> existing pattern match cache entry.
>>
>> Also, I spotted the following rule in your configuration:
>>
>> type = Single
>> continue= TakeNext
>> desc = -
>> ptype = Cached
>> pattern = SEC_STARTUP|SEC_RESTART()
>> action = assign %category_Alert (Log); \
>> assign %summary_Alert (Alert: Blacklist);
>>
>> The parentheses seem to be misaligned in the 'pattern' field, and also,
>> 'ptype' is set to "Cached", although the pattern looks like a regular
>> expression. Have you checked this rule? It is likely to be incorrect and
>> might be one of the reasons the ruleset is not working properly.
>>
>> kind regards,
>> risto
>>
>>
>>
>>
>>
>> 2016-04-29 15:14 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
>>
>>> Hi,
>>>
>>> I'm trying to validate a SEC context with a Perl function and write an
>>> output message to a file using the assign variables in the string. I'm
>>> using SEC 2.6.2. Can I use the variable from the varmap, or do I have to
>>> use the context to pass the variable through the SEC context?
>>>
>>>
>>> ________________________________________________________________________________
>>>
>>> Perl function (this function searches whether "elemento" is part of a hash key).
>>>
>>> SecBlacklist.pm --> This file is loaded at the beginning and contains
>>> other functions.
>>>
>>> ________________________________________________________________________________
>>> # %ip: the blacklist hash, defined elsewhere in SecBlacklist.pm
>>> sub contieneElemento{
>>>     my($elemento)=@_;
>>>     my($rep)=0;
>>>     # returns 1 if $elemento occurs as a substring of any key of %ip
>>>     for my $key (keys %ip){
>>>         if (index($key,$elemento)!= -1){
>>>             $rep=1;
>>>         }
>>>     }
>>>     return $rep;
>>> }
>>> 1;
>>>
>>> ________________________________________________________________________________
>>>
>>> The varmap 'alert' is passed from another file with a Jump rule. I want
>>> to pass the url parameter to the Perl function so that the url is
>>> validated in the method.
>>>
>>> rules.conf
>>>
>>> ________________________________________________________________________________
>>> #Varmap:
>>> type = Jump
>>> ptype = RegExp
>>> desc = $0
>>> continue = Takenext
>>> pattern = Url:(.*)\sClient:(.*)
>>> varmap = alert;url=1;client_ip=2
>>> cfset=alertParam
>>>
>>>
>>> alert.conf
>>>
>>> ________________________________________________________________________________
>>> type = Options
>>> joincfset = alertParam
>>> procallin = no
>>>
>>>
>>> type = Single
>>> continue= TakeNext
>>> desc = -
>>> ptype = Cached
>>> pattern = SEC_STARTUP|SEC_RESTART()
>>> action = assign %category_Alert (Log); \
>>> assign %summary_Alert (Alert: Blacklist);
>>>
>>>
>>>
>>> type = Single
>>> ptype = Cached
>>> desc =ip_$+{client_ip}
>>> context= $+{url} -> (sub { SecBlacklist::contieneElemento($_[0])==1} )
>>> pattern = alert
>>> continue=TakeNext
>>> action = write C:\Alerts.log "Context OK!!!"
>>>
>>>
>>>
>>> I've read the manual and I also tried it like this:
>>>
>>> context= $+{url} -> (sub { SecBlacklist::contieneElemento($_[0])==1} )
>>>
>>> context= alert :> (sub {
>>> SecBlacklist::contieneElemento($_[0]->{'url'})==1} )
>>>
>>> context= alertParam :> (sub {
>>> SecBlacklist::contieneElemento($_[0]->{'url'})==1} )
>>>
>>>
>>> Thank you in advance, Risto!
>>>
>>
>>
>
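The two call forms Risto contrasts above (the `->` operator handing the Perl function a match variable's value, and the 2.7.X `:>` operator handing it a reference to the pattern match cache entry created by varmap) are easiest to see with a stand-alone harness. The script below is an added example, not code from this thread or from SEC itself: the blacklist entries and events are constructed sample data, the function names (host_from_url, host_match, substring_match) are my own, and the harness only emulates the argument SEC would pass to the anonymous sub under each operator, as the thread describes it. It also shows why a substring check of the kind discussed needs an empty-string guard: a capture such as `Url:(.*)` can be empty, and index($key, '') is 0, so an unguarded loop flags every event.

```perl
#!/usr/bin/perl
# Added example (not from the mailing-list thread): a stand-alone
# SecBlacklist-style module plus a harness that calls it the two ways a
# SEC context expression can call a Perl function. All data is constructed.
use strict;
use warnings;

package SecBlacklist;

# Blacklisted hosts; constructed sample data standing in for the poster's %ip.
our %ip = map { $_ => 1 } qw(evil.example malware.example.net 198.51.100.23);

# Host part of a URL (scheme optional; port, path and query stripped), lowercased.
sub host_from_url {
    my ($url) = @_;
    return unless defined $url;
    my ($host) = $url =~ m{^(?:[a-z][a-z0-9+.-]*://)?([^/:?#]+)}i;
    return defined $host ? lc $host : undef;
}

# Exact lookup of the URL's host in the blacklist: 1 if listed, else 0.
sub host_match {
    my ($url) = @_;
    my $host = host_from_url($url);
    return defined $host && exists $ip{$host} ? 1 : 0;
}

# Substring check in the spirit of the poster's contieneElemento: 1 when
# $fragment occurs inside any blacklist key. The length guard matters:
# index($key, '') returns 0, so an empty capture from a pattern such as
# Url:(.*) would otherwise match every key and flag every event.
sub substring_match {
    my ($fragment) = @_;
    return 0 unless defined $fragment && length $fragment;
    for my $key (keys %ip) {
        return 1 if index($key, $fragment) != -1;
    }
    return 0;
}

package main;

# These anonymous subs are what the two context-expression forms would wrap;
# the harness supplies the argument SEC would (assumption, per the thread:
# "->" passes the match variable's value, ":>" passes a reference to the
# cache entry hash created by "varmap = alert;url=1;client_ip=2").
my $by_value = sub { SecBlacklist::host_match($_[0]) == 1 };           # $+{url} -> ( sub {...} )
my $by_entry = sub { SecBlacklist::host_match($_[0]->{'url'}) == 1 };  # alert :> ( sub {...} )

# Constructed cache entries shaped like the poster's varmap.
my @entries = (
    { url => 'http://evil.example/login',     client_ip => '10.0.0.5' },
    { url => 'https://notevil.example.org/',  client_ip => '10.0.0.6' },
    { url => 'http://198.51.100.23:8080/x',   client_ip => '10.0.0.7' },
    { url => 'http://example/',               client_ip => '10.0.0.8' },  # substring-only hit
    { url => '',                              client_ip => '10.0.0.9' },  # empty capture
);

printf "%-34s %-9s %-9s %s\n", 'url', 'by_value', 'by_entry', 'substring';
for my $e (@entries) {
    my $frag = SecBlacklist::host_from_url($e->{url});
    printf "%-34s %-9d %-9d %d\n", "'$e->{url}'",
        $by_value->($e->{url}) ? 1 : 0,
        $by_entry->($e)        ? 1 : 0,
        SecBlacklist::substring_match($frag);
}
```

Both by_value and by_entry flag only the first and third entries, because host_match requires an exact host key; substring_match additionally flags 'http://example/' (the fragment "example" occurs inside the key "evil.example") and, without its length guard, would have flagged the empty URL as well. Under SEC, the sub body is the only part that changes between the two forms; what differs is whether $_[0] is the string or the hash reference.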
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users