hi Jaren,

as for the Options rule, 2.6.2 should be compatible with the latest 2.7.X
versions. Of course, everything depends on the actual configuration in your
rule files, and without seeing the rules it is impossible to tell what
might be wrong.

If you want to investigate potential incompatibilities from the sec manual, I
would strongly recommend downloading the sec-2.6.2 source tarball. Each sec
tarball contains the man page, which is the official documentation, and all
sec versions released since 2001 can be downloaded from sourceforge:
https://sourceforge.net/projects/simple-evcorr/files/sec/
There is also a corresponding link in the sec home page under the
"Download" section.

Also, can you post your further questions to the mailing list? In that way,
all other users can benefit from the discussion.

kind regards,
risto


2016-05-26 11:56 GMT+03:00 Jaren Peich <burkol...@gmail.com>:

> Hi Risto,
>
> I've realised that if there is an Options rule before, that doesn't work. I
> have one in the file and I can't remove it (I need the variables of the
> cfset). If I split it in two files it loads the assign variables; it works. Is
> there any incompatibility between them? I'm still using sec 2.6.2. :)
>
> Thank you, Risto! Regards.
>
>
>
> 2016-05-25 19:15 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>
>> I loaded both rule files with the following command line using
>> sec-2.7.8:
>>
>> sec --conf=iniLib.conf --conf=ruleFile.conf --intevents --input=-
>>
>> When I started up sec with the above command line, all the assignments
>> were done according to sec debug log:
>>
>> SEC (Simple Event Correlator) 2.7.8
>> Reading configuration from iniLib.conf
>> 1 rules loaded from iniLib.conf
>> Reading configuration from ruleFile.conf
>> 1 rules loaded from ruleFile.conf
>> No --bufsize command line option or --bufsize=0, setting --bufsize to 1
>> Opening input file -
>> Interactive process, SIGINT can't be used for changing the logging level
>> Creating SEC internal context 'SEC_INTERNAL_EVENT'
>> Creating SEC internal event 'SEC_STARTUP'
>> Creating event 'launAssig'
>> Deleting SEC internal context 'SEC_INTERNAL_EVENT'
>> Assigning 'Log' to variable '%category_Alert'
>> Assigning 'Alert' to variable '%summary_Alert'
>> Assigning 'M' to variable '%priority_Alert'
>> Assigning 'C' to variable '%typology_Alert'
>> Assigning 'Proxy' to variable '%subcategory_Alert'
>> Assigning 'Network' to variable '%asset_category_Alert'
>>
>>
>> Are you sure you have specified both rule files with the --conf option?
>> Also, have you used the --intevents command line option which forces the
>> generation of SEC_STARTUP and other internal events? If --intevents is not
>> given, these events are not created, and thus the second rule will not fire.
>>
>> kind regards,
>> risto
>>
>>
>> 2016-05-25 17:51 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
>>
>>> Yes, it was wrong. Other stuff worked properly. Thank you, Risto. :)
>>>
>>> I have another doubt about this.
>>>
>>> I'm trying to launch a couple of assign statements at the beginning from
>>> one file to another file, and I can't.
>>>
>>> I have two files with some rules inside; the other rules worked properly,
>>> but when I'm trying to launch this one it is impossible.
>>>
>>> File: iniLib.conf
>>> _____________________________________________________________________
>>>
>>> type=Single
>>> ptype=RegExp
>>> pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
>>> context=SEC_INTERNAL_EVENT
>>> continue=TakeNext
>>> desc=-
>>> action=event launAssig
>>>
>>>
>>> File: ruleFile.conf
>>> ____________________________________________________________________
>>>
>>> type    = Single
>>> continue= TakeNext
>>> ptype=Substr
>>> pattern=launAssig
>>> desc    = -
>>> action  = assign %category_Alert (Log); \
>>>           assign %summary_Alert (Alert); \
>>>           assign %priority_Alert (M); \
>>>           assign %typology_Alert (C); \
>>>           assign %subcategory_Alert (Proxy); \
>>>           assign %asset_category_Alert (Network);
>>>
>>> I've tried with the RegExp and Substr rule types and the system launches the
>>> event, but the other rule is unable to find the event created and the second
>>> rule doesn't launch.
>>>
>>> Thank you again Risto. Regards.
>>>
>>>
>>>
>>>
>>>
>>> 2016-04-29 16:55 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>>>
>>>> hi Jaren,
>>>> variables of the Cached pattern (created previously with 'varmap'
>>>> statement) are treated like regular match variables, and therefore the
>>>> following definition you have is valid:
>>>>
>>>> context= $+{url} -> (sub { SecBlacklist::contieneElemento($_[0])==1} )
>>>>
>>>> However, since the 2.6.2 version is fairly old, it doesn't support the
>>>> :> operator in context expressions, so the definitions
>>>>
>>>> context= alert :> (sub {
>>>> SecBlacklist::contieneElemento($_[0]->{'url'})==1} )
>>>> context= alertParam :> (sub {
>>>> SecBlacklist::contieneElemento($_[0]->{'url'})==1} )
>>>>
>>>> do not work. In order to use them, you need to install sec-2.7.X. Also,
>>>> since alertParam is not the name of the cache entry created with 'varmap',
>>>> the definition
>>>>
>>>> context= alertParam :> (sub {
>>>> SecBlacklist::contieneElemento($_[0]->{'url'})==1} )
>>>>
>>>> wouldn't work for 2.7.X either; you would need to use the name of an
>>>> existing pattern match cache entry.
>>>>
>>>> Also, I spotted the following rule in your configuration:
>>>>
>>>> type    = Single
>>>> continue= TakeNext
>>>> desc    = -
>>>> ptype = Cached
>>>> pattern = SEC_STARTUP|SEC_RESTART()
>>>> action  = assign %category_Alert (Log); \
>>>>           assign %summary_Alert (Alert: Blacklist);
>>>>
>>>> The parentheses seem to be misaligned in the 'pattern' field, and also,
>>>> 'ptype' is set to "Cached", although the pattern looks like a regular
>>>> expression. Have you checked this rule? It is likely to be incorrect and
>>>> might be one of the reasons the ruleset is not working properly.
>>>>
>>>> kind regards,
>>>> risto
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> 2016-04-29 15:14 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
>>>>
>>>>> Hi,
>>>>>
>>>>> I'm trying to validate a sec context with a Perl function and writing
>>>>> an output message in a file using the assign variables in the string. I'm
>>>>> using SEC 2.6.2. Can I use the variable from the varmap, or do I have to
>>>>> use the context to pass the variable through the sec context?
>>>>>
>>>>>
>>>>> ________________________________________________________________________________
>>>>>
>>>>> Perl function (this function searches whether "elemento" is part of a
>>>>> hash key).
>>>>>
>>>>> SecBlacklist.pm --> This file is loaded at the beginning and contains
>>>>> other functions.
>>>>>
>>>>> ________________________________________________________________________________
>>>>> # %ip is assumed to be a package-level hash declared elsewhere in
>>>>> # SecBlacklist.pm; returns 1 if $elemento is a substring of any key, else 0.
>>>>> sub contieneElemento {
>>>>>     my ($elemento) = @_;
>>>>>     my $rep = 0;
>>>>>     for my $key (keys %ip) {
>>>>>         if (index($key, $elemento) != -1) {
>>>>>             $rep = 1;
>>>>>         }
>>>>>     }
>>>>>     return $rep;
>>>>> }
>>>>> 1;
>>>>>
>>>>> ________________________________________________________________________________
>>>>>
>>>>> The varmap alert is passed from another file with a Jump rule using a
>>>>> varmap. I want to pass the url parameter to the Perl function so that the
>>>>> url is validated in the method.
>>>>>
>>>>> rules.conf
>>>>>
>>>>> ________________________________________________________________________________
>>>>> #Varmap:
>>>>> type     = Jump
>>>>> ptype    = RegExp
>>>>> desc     = $0
>>>>> continue = Takenext
>>>>> pattern  = Url:(.*)\sClient:(.*)
>>>>> varmap   = alert;url=1;client_ip=2
>>>>> cfset=alertParam
>>>>>
>>>>>
>>>>> alert.conf
>>>>>
>>>>> ________________________________________________________________________________
>>>>> type      = Options
>>>>> joincfset = alertParam
>>>>> procallin = no
>>>>>
>>>>>
>>>>> type    = Single
>>>>> continue= TakeNext
>>>>> desc    = -
>>>>> ptype = Cached
>>>>> pattern = SEC_STARTUP|SEC_RESTART()
>>>>> action  = assign %category_Alert (Log); \
>>>>>           assign %summary_Alert (Alert: Blacklist);
>>>>>
>>>>>
>>>>>
>>>>> type    = Single
>>>>> ptype   = Cached
>>>>> desc    =ip_$+{client_ip}
>>>>> context= $+{url} -> (sub { SecBlacklist::contieneElemento($_[0])==1} )
>>>>> pattern = alert
>>>>> continue=TakeNext
>>>>> action = write C:\Alerts.log "Context OK!!!"
>>>>>
>>>>>
>>>>>
>>>>> I've read the manual and I also tried like this:
>>>>>
>>>>> context= $+{url} -> (sub { SecBlacklist::contieneElemento($_[0])==1} )
>>>>>
>>>>> context= alert :> (sub {
>>>>> SecBlacklist::contieneElemento($_[0]->{'url'})==1} )
>>>>>
>>>>> context= alertParam :> (sub {
>>>>> SecBlacklist::contieneElemento($_[0]->{'url'})==1} )
>>>>>
>>>>>
>>>>> Thank you in advance, Risto!
>>>>>
>>>>
>>>>
>>>
>>
>
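Added here as a defender-side check, not code from the thread or from SEC itself: a small Python linter that parses SEC rule files (backslash continuation lines included) and flags the pitfalls raised above, a Cached ptype paired with a regex-looking pattern, a RegExp pattern that does not compile, and rules that depend on SEC internal events, which only exist when sec runs with --intevents. The sample rules are constructed, and Python's re module is used as an approximation of Perl regex syntax.

```python
import re
# Constructed sample modelled on the rules quoted in the thread (not a verbatim copy).
SAMPLE_RULES = """\
type    = Single
ptype = Cached
pattern = SEC_STARTUP|SEC_RESTART()
action  = assign %category_Alert (Log); \\
          assign %summary_Alert (Alert: Blacklist);

type=Single
ptype=RegExp
pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
action=event launAssig
"""

REGEX_META = set("|()[]^$*+?\\")
INTERNAL_EVENTS = ("SEC_STARTUP", "SEC_RESTART", "SEC_SOFTRESTART")

def parse_rules(text):
    """Split a SEC rule file into dicts: blank-line separated key=value blocks,
    where a trailing backslash joins the next physical line onto the value."""
    rules, current, buf = [], {}, ""
    for raw in text.splitlines() + [""]:        # sentinel "" flushes the last rule
        line = buf + raw.rstrip()
        if line.endswith("\\"):                 # continuation line: keep accumulating
            buf = line[:-1]
            continue
        buf = ""
        if not line.strip():                    # blank line terminates the rule
            if current:
                rules.append(current)
            current = {}
        elif not line.lstrip().startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return rules

def lint_rules(rules):  # -> [(rule_number, message)] for the pitfalls raised in the thread
    findings = []
    for n, rule in enumerate(rules, 1):
        ptype, pattern = rule.get("ptype", "").lower(), rule.get("pattern", "")
        if ptype in ("cached", "ncached") and REGEX_META & set(pattern):
            findings.append((n, "ptype=Cached names a varmap cache entry, but the pattern looks like a regex"))
        if ptype in ("regexp", "nregexp"):
            try:
                re.compile(pattern)             # Python re approximates Perl regex syntax here
            except re.error as exc:
                findings.append((n, f"pattern does not compile: {exc}"))
        if any(ev in pattern for ev in INTERNAL_EVENTS):
            findings.append((n, "matches SEC internal events, which only exist when sec runs with --intevents"))
    return findings
```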
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users