Hi,
I have a little issue. I'm trying to access declared variables from the lcall
block of code in "Rule 3". I also can't access an array that I declared
inside it. All rules are in the same file.
What is the difference between eval and lcall? The idea is to mix the
variables pre-declared in "Rule 1" with the variables generated in the
"matches" array in "Rule 3" in just one string.
The output of the rules is just:
%priority
matches[0]
It doesn't make any substitution.
I'm using Strawberry Perl and SEC 2.6.2.
It's not working. It is just an example of code.
rem=Rule 1
type=SingleWithThreshold
ptype=RegExp
continue=TakeNext
pattern=EF:(.*)
desc=-
window=300
thresh=1
action=create Email_$1; fill Email_$1 $0; assign %category (Log Management); \
assign %summary (Alert: Detected 3 malicious emails); \
assign %issue_type (SAlert); \
assign %priority (medium); \
assign %description (Detected 3 malicious emails); \
assign %typology (Communications); \
assign %subcategory (Mail); \
assign %code (Alert); \
assign %action (-); \
assign %ip (-); \
assign %port (-);

rem=Rule 2
type=Single
ptype=RegExp
pattern=EI:(.*)
continue=TakeNext
context=Email_$1
desc=-
action=event Email:$1

rem=Rule 3
type=SingleWithThreshold
ptype=RegExp
pattern=Email:(\S+)
desc=Three messages from the same sender $1
window=21600
thresh=3
action=copy Email_$1 %loggi; lcall %o %loggi -> ( sub { \
my($logginput) = split(/\n/, $_[0]); \
my (@matches) = ( $logginput =~ /EF:(.*)/g); \
print join("=====", @matches); \
print %priority; \
} );
Thank you for your help.
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
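A reworked Rule 3, added here as an example; it is not code from the original post or from the SEC distribution. The point it illustrates: SEC compiles the Perl function given to lcall once, when the configuration is loaded, and applies action-list variable substitution only to the parameters written before the arrow. A %variable typed inside the function body is therefore never replaced and is read by Perl as an (empty) hash, which is why the post saw no substitution. Passing %loggi, %priority and %summary (plus the match variable $1) as parameters makes their current values arrive in @_. The regex is also run over the whole copied event store rather than only its first line, and the result goes back into %o and is logged with logonly instead of being printed. Rules 1 and 2 are assumed to be unchanged, so the context and variable names match the post.

```sec
# Added example: lcall with action-list variables passed as parameters.
# No "#" comments are placed inside the action, because SEC joins the
# backslash-continued lines into one line before compiling the code.
rem=Rule 3
type=SingleWithThreshold
ptype=RegExp
pattern=Email:(\S+)
desc=Three messages from the same sender $1
window=21600
thresh=3
action=copy Email_$1 %loggi; \
  lcall %o %loggi %priority %summary $1 -> ( sub { \
    my ($store, $prio, $summary, $sender) = @_; \
    my @matches = ($store =~ /EF:(.*)/g); \
    return "$prio | $summary | $sender | " . join("=====", @matches); \
  } ); \
  logonly %o
```

With eval the behaviour is the other way round: the code is compiled at every execution and SEC substitutes %variables in the code text first, so "%priority" written inside an eval block is replaced before Perl sees it, at the cost of recompiling the code each time the action runs. lcall is cheaper and keeps the Perl source free of substitution surprises (a literal "%" in a regex, for instance), as long as every value the function needs is handed over as a parameter.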