hi Jia,

thanks for an interesting question! SEC match variables are set to new
values after each pattern match and they don't have any persistence over
several matches. Since there is only one capture group in each regular
expression of your example rule, all four patterns are setting the $1
variable, and the previous value of $1 is not accessible.

However, there is a way to address this issue with the 'count' fields of the
EventGroup rule, which allow for executing a custom action on every pattern
match. If you store the current value of the $1 variable in a persistent
object like a SEC context, the value can be retrieved later. For example,
consider the following rule example which is using four contexts P1,...,P4
for this purpose:

type=EventGroup4
init=create P1; create P2; create P3; create P4
end=delete P1; delete P2; delete P3; delete P4
ptype=RegExp
pattern=(\d+)A
count=fill P1 $1
ptype2=RegExp
pattern2=(\d+)B
count2=fill P2 $1
ptype3=RegExp
pattern3=(\d+)C
count3=fill P3 $1
ptype4=RegExp
pattern4=(\d+)D
count4=fill P4 $1
desc=test
action=copy P1 %p1; copy P2 %p2; copy P3 %p3; copy P4 %p4; \
       write - %p1, %p2, %p3, %p4 at %t.
window=10

The 'init' and 'end' fields of the rule will create and delete four
contexts P1, P2, P3 and P4 for holding the values of the $1 match variable.
Contexts are created when the counting operation starts, and deletion
happens when the operation finishes its work. There are also four count*
fields in the rule definition which store the value of $1 into the
corresponding context with the 'fill' action. Finally, in the action field
the values are retrieved from the contexts with 'copy' actions and written
to standard output.

One can of course shorten this rule example and use the %p1,...,%p4 action
list variables only, dropping contexts P1,...,P4 altogether. In that case,
the 'init' and 'end' fields are not necessary and the count* fields would
look like this: count=assign %p1 $1. Also, there wouldn't be a need for
'copy' actions. Unfortunately, if the 'desc' field contains match variables
and the rule can run several event correlation operations simultaneously,
the same set of four variables would be used by all simultaneously running
operations, which is probably not what you want. However, since context
names are allowed to contain match variables, you can utilize variables
which are unique for each operation for naming the contexts. For example,
if $2 holds the IP address and the 'desc' field is defined as "desc=test
for IP $2", the rule runs a separate operation for each IP address. To keep
the data for each operation separate and safe from being overwritten by
another operation, you can simply use contexts P1_$2, P2_$2, P3_$2 and
P4_$2.

One final note -- each pattern in an EventGroup rule can match several
times, and if that happens, the above rule example stores the *last* value
for the given pattern. For example, if you have the following events within
10 seconds:
4C
5D
1A
2A
3B

the rule would produce the following output:
2, 3, 4, 5 at Fri Jun 28 19:11:51 2019.

If you would like to store the *first* value which the pattern has seen
during the lifetime of the operation, you could use the following 'count'
field:
count=getsize %o P1; if %o ( none ) else ( fill P1 $1 )
However, since the event correlation window of the EventGroup rule is
sliding, the stored value might originate from an event which is already
outside the window when the operation terminates (you will never have this
issue if you store last values like the example rule does).

I hope my answer was helpful,
risto
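The last-value versus first-value behaviour described in the reply, as an added simulation that is not part of the original thread and not SEC's own code: a simplified model of one EventGroup4 operation with a sliding window (the real SEC bookkeeping is more involved; the window handling here is an assumption), fed with constructed event sequences.

```python
import re

# Constructed model of the EventGroup4 rule from the reply (assumption:
# simplified sliding window; SEC's real window bookkeeping is more involved).
PATTERNS = [re.compile(p) for p in (r"(\d+)A", r"(\d+)B", r"(\d+)C", r"(\d+)D")]
WINDOW = 10  # seconds, as in the rule's 'window=10' field


def run_eventgroup(events, keep="last"):
    """Feed (timestamp, line) pairs through one EventGroup4 operation.

    keep="last" models 'count=fill P1 $1' (context overwritten on every match);
    keep="first" models the getsize/if variant that only fills an empty context.
    Returns the four stored values once every pattern has matched inside the
    window, or None if the input ends before all four have matched.
    """
    contexts = [None] * 4   # event stores of P1..P4
    in_window = []          # (timestamp, pattern index) pairs still in the window
    for ts, line in events:
        for idx, rx in enumerate(PATTERNS):
            m = rx.match(line)
            if not m:
                continue
            # the count* action runs on every match, before thresholds are checked
            if keep == "last" or contexts[idx] is None:
                contexts[idx] = m.group(1)
            in_window.append((ts, idx))
        # slide the window: forget matches older than WINDOW seconds
        in_window = [(t, i) for t, i in in_window if ts - t < WINDOW]
        if {i for _, i in in_window} == set(range(4)):
            return tuple(contexts)   # 'action' field: copy P1..P4 and write
    return None


# Constructed input from the reply, one event per second: 4C 5D 1A 2A 3B
REPLY_EVENTS = [(0, "4C"), (1, "5D"), (2, "1A"), (3, "2A"), (4, "3B")]
# Constructed input showing the sliding-window caveat: 1A has left the window
# by the time 5D completes the group, but a first-value context still holds "1"
STALE_EVENTS = [(0, "1A"), (8, "2A"), (12, "3B"), (13, "4C"), (14, "5D")]

if __name__ == "__main__":
    print("last values: ", run_eventgroup(REPLY_EVENTS, "last"))   # ('2', '3', '4', '5')
    print("first values:", run_eventgroup(REPLY_EVENTS, "first"))  # ('1', '3', '4', '5')
    print("stale first: ", run_eventgroup(STALE_EVENTS, "first"))  # ('1', '3', '4', '5')
```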

Contact Xinying Sun (<sunxinying...@gmail.com>) wrote on Fri, 28 June 2019
at 17:25:

> Hello SEC Users,
> I have a question about match variables of EVENTGROUP RULE. For example:
>
> type=EventGroup4
> ptype=RegExp
> pattern=(\d+)A
> ptype2=RegExp
> pattern2=(\d+)B
> ptype3=RegExp
> pattern3=(\d+)C
> ptype4=RegExp
> pattern4=(\d+)D
> desc=test
> action=write - $1, $2, $3, $4 at %t.
> window=10
>
> Then input:
> 1A
> 2B
> 3C
> 4D
> It can output 1,2,3,4 at...
>
> Is there any method that can modify the example to match every patterns' (
> ) content?
> Thanks,
> Jia
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>