hi Jaren,
Is your ruleset not functioning as expected, and what is the exact
problem you are currently having with it? Since you haven't
mentioned what the expected outcome from these rules is and what the
current implementation is missing, it is somewhat hard to troubleshoot
the rules.
kind regards,
risto

2016-09-30 12:20 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
> Hi Risto,
>
> I have a little doubt about something I haven't seen in the documentation.
> I want to detect and keep some data from the logs, then read the context
> again and extract this data to process it through a Perl function.
>
> It's a mail log that creates various lines for one email.
>
> One log line has the subject and the mid (internal unique id number for the email),
> and the other line has the sender email address with the mid.
>
> I'm using sec 2.6.2 + Strawberry Perl. I can't update the sec library. :(
>
> Input data:
> ________________________________________________________________________________
>
> email:Mid 52364 Subject:'Hello World'
> email:Mid 52365 Subject:'Hello World'
> email:Mid 52366 Subject:'Hello World'
> email:Mid 52366 sender:'s...@sec.com'
> email:Mid 52365 sender:'ja...@seco.com'
> email:Mid 52364 sender:'pe...@sec.com'
>
>
> SEC + Perl Code:
>
>
> rem=detect mid y subject
> type=Single
> ptype=Regexp
> pattern=email:Mid\s(\d+)\sSubject\:\'([^\']*)\'
> varmap=SubjectMID;log=0;mid=1;subject=2
> continue=TakeNext
> desc=parser mid y subject
> action=none
>
> rem=create context and store first mid-count 2 and 3
> type=EventGroup1
> ptype=Cached
> pattern=SubjectMID
> context=SM_$+{subject}
> thresh=2
> window=60
> count=add SM_$+{subject} $+{mid}
> desc=create context by subject_$+{subject}
> end=delete SM_$+{subject}
> action  = eval %o ( \
> $i=0;\
> my(@arraymids)=();\
> ####################################\
> # Here I want to read the context again and extract the values, and add them\
> # to the array for processing.\
> @midcont=("52366","52365","52364");\
> ###################################\
> @files = <C:\\files\\m*.log>;\
> print "@files";\
> if(@files){\
> foreach $file (@files) {\
> open   (FILE, "$file");\
> while($line= <FILE> ){\
> my ($mid, $email)= $line=~ m/email:Mid\s(\d+)\ssender\:\'([^\']*)\'/gi;\
> print "\n====>Vuelta\n";\
> foreach my $lmid (@midcont) {\
> print "\nMid fichero===>$mid\tlmid===>$lmid\n" if defined($mid);\
> if ($mid == $lmid){\
> my ($username, $domain) = $email =~ /(.*)@(.*)/;\
> print "\nDOMAIN FINDED===>$domain\n";\
> unshift(@arraymids, $domain);\
> }\
> }\
> }\
> }\
> if($arraymids[0] eq $arraymids[1] && $arraymids[0] eq $arraymids[2]){\
> print "\n=======>SAME DOMAIN\n";\
> }else{\
> print "\n=======>Different DOMAIN\n";\
> }\
> }else{\
> print "========>NO FILES TO SEARCH";\
> }\
> );reset 0;
>
>
> rem=create context and store first mid-count 1
> type=Single
> ptype=Cached
> pattern=SubjectMID
> context=!SM_$+{subject}
> continue=TakeNext
> desc=create context by subject_$+{subject}
> action=create SM_$+{subject} 60; add SM_$+{subject} $+{mid}
>
> Thank you for your help Risto. Regards.
>
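An added example, not part of the thread: the correlation logic from Jaren's eval action written as a stand-alone Perl script, so it can be run under Strawberry Perl against the log excerpt above before being moved into a SEC action. It assumes the log format shown in the post; the sample lines and e-mail addresses are constructed, since the addresses in the post are redacted.

```perl
# Added example (not from the thread): pair the two log lines SEC sees per
# e-mail (Subject line and sender line, joined by the Mid value) and report,
# per subject, whether every sender uses the same domain.
use strict;
use warnings;

# Constructed sample input in the format of the log excerpt in the post.
my @log = (
    q{email:Mid 52364 Subject:'Hello World'},
    q{email:Mid 52365 Subject:'Hello World'},
    q{email:Mid 52366 Subject:'Hello World'},
    q{email:Mid 52366 sender:'sam@sec.com'},
    q{email:Mid 52365 sender:'jane@seco.com'},
    q{email:Mid 52364 sender:'pete@sec.com'},
);

# Parse one line into (mid, field, value); returns an empty list otherwise.
sub parse_line {
    my ($line) = @_;
    return ($1, $2, $3)
        if $line =~ /^email:Mid\s+(\d+)\s+(Subject|sender):'([^']*)'/;
    return;
}

# Build subject => [sender domains], joining the two line types via the mid.
sub domains_by_subject {
    my (%subject_of, %sender_of, %result);
    for my $line (@_) {
        my ($mid, $field, $value) = parse_line($line) or next;
        if ($field eq 'Subject') { $subject_of{$mid} = $value }
        else                     { $sender_of{$mid}  = $value }
    }
    for my $mid (sort keys %subject_of) {
        next unless exists $sender_of{$mid};          # incomplete pair, skip
        my ($domain) = $sender_of{$mid} =~ /\@([^@]+)\z/ or next;
        push @{ $result{ $subject_of{$mid} } }, $domain;
    }
    return \%result;
}
# True when all domains in the list are identical.
sub same_domain {
    my %seen = map { $_ => 1 } @{ $_[0] };
    return keys(%seen) == 1;
}
my $by_subject = domains_by_subject(@log);
for my $subject (sort keys %$by_subject) {
    my $domains = $by_subject->{$subject};
    printf "%s: %s (%s)\n", $subject,
        same_domain($domains) ? 'SAME DOMAIN' : 'Different DOMAIN',
        join(',', @$domains);
}
```

Inside SEC the `@log` array would be replaced by the lines read from the context or the files, while `parse_line`, `domains_by_subject` and `same_domain` stay unchanged.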

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
