hi David,

I would second Rock's recommendation to use regular expressions in the
Pair rule. Firstly, the two PerlFunc patterns implement only regular
expression matching and there isn't anything additional (such as arithmetic
operations) which would require the use of Perl. Therefore, it is easier to
express these patterns as RegExp patterns.

There is another major benefit -- if you use RegExp patterns in Pair or
PairWithWindow rules, you can include match variables (e.g., $1, $2) in
'pattern2' field which are substituted with values when 'pattern' field
matches. On the other hand, you can *not* use match variables inside Perl
code given with PerlFunc patterns, since this code is compiled only once
when SEC starts. During event processing, the same already compiled code is
executed for pattern matching purposes, and no substitution of match
variables can take place (substitution would change the code and would thus
require recompiling).

One small sidenote -- if you would like to use named match variables in
RegExp patterns, regular expressions support them natively with the
"(?<varname>...)" construct in the beginning of each capture group. For
example, the following expression will set the $+{user}, $+{global_address}
and $+{local_address} variables:

User <(?<user>[^\s]+)>.+IP <(?<global_address>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})>.+IPv4 Address <(?<local_address>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})>

kind regards,
risto
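
The quoted Pair rule rewritten along the lines described above, as an added example that is not part of the original thread: both patterns become RegExp patterns with named capture groups, so the values captured by 'pattern' are substituted into 'pattern2', 'desc2' and 'action2' when the login event matches. The event formats and the 10.3.0.85:514 collector are taken from the quoted rule; the 24-hour window and the per-session 'desc' are assumptions.

```text
# Added example (not the original poster's rule): Pair rule using RegExp
# patterns so that SEC substitutes the match variables of 'pattern'
# ($+{user}, $+{global_address}, $+{local_address}) into pattern2, desc2 and
# action2 when the correlation operation is started.
type=Pair
ptype=RegExp
pattern=User <(?<user>[^\s]+)>.+IP <(?<global_address>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})>.+IPv4 Address <(?<local_address>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})>
# desc carries the user and global address, so every VPN session gets its
# own correlation operation instead of all logins sharing a single one
desc=VPN session $+{user} from $+{global_address}
action=tcpsock 10.3.0.85:514 LzEC VPN Address Mapping - User="$+{user}" - Global Address="$+{global_address}" - Local Address="$+{local_address}"%{.nl}
ptype2=RegExp
# $+{user} and $+{global_address} below are replaced with the values captured
# by 'pattern' before pattern2 is compiled. The capture names used here
# (duration, xmit_bytes, rcv_bytes) do not clash with the ones from 'pattern'.
# Caveat: substituted values are inserted as regex text, so a username or
# address containing regex metacharacters is interpreted as part of the
# expression rather than matched literally (the dots in the address match
# any character). Constrain the capture classes in 'pattern' accordingly.
pattern2=Username = $+{user}.+IP = $+{global_address}.+Duration: (?<duration>[0-9]{1,2}h:[0-9]{1,2}m:[0-9]{1,2}s).+xmt: (?<xmit_bytes>[0-9]+).+rcv: (?<rcv_bytes>[0-9]+)
desc2=Add local address to disconnect message for $+{user}
action2=tcpsock 10.3.0.85:514 LzEC VPN Disconnect - User="$+{user}" Global Address="$+{global_address}" Local Address="$+{local_address}" Duration="$+{duration}" Xmit Bytes="$+{xmit_bytes}" Rcv Bytes="$+{rcv_bytes}"%{.nl}
# assumed: stop waiting for the logoff event after 24 hours
window=86400
```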

On Thu, 3 October 2019 at 22:37, David Thomas (<dtho...@kwiktrip.com>) wrote:

> I'm running into an issue with a correlation I'm trying to implement and
> I'm hoping you can help.
>
> Event 1 happens when a user logs into a vpn.  It has the user's name, the
> global address and the local address assigned by the vpn.
> Event 2 happens when the user logs off the vpn.  It has the user's name,
> the global address, the duration and amount of traffic.
>
> My objective is to get the local address from event 1 and combine it with
> the information from event 2.
>
> I'm using a hash to get the name and both addresses from event 1.  Then in
> pattern 2 I reference that to see if the user name and global address match
> and add the local address from the hash.  What I'm trying now is below.
>
> I'm getting messages from action2 tcp sock so it seems like I'm matching
> the pattern but the values of the hash keys that come from pattern 1 are
> empty.
>
> Here is an example of what I'm getting:
> VPN Disconnect - User="" Global Address="" Local Address=""
> Duration="0h:03m:07s" Xmit Bytes="1689622 Rcv Bytes="34370"
>
> Here is the .sec file I'm currently using.  I'm hoping someone can point
> out what I'm doing wrong.  Thanks!
>
> type=pair
> ptype=PerlFunc
> pattern=sub { my(%var); \
>         if ($_[0] !~ /User <([^\s]+)>.+IP
> <([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})>.+IPv4 Address
> <([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})>/) { return 0; } \
>         $var{"user"} = $1; \
>         $var{"global_address"} = $2; \
>         $var{"local_address"} = $3; \
>         return \%var; }
> desc=Get Name - Global Address - Local Address
> action=tcpsock 10.3.0.85:514 LzEC VPN Address Mapping - User="$+{user}" -
> Global Address ="$+{global_address}" - Local Address =
> "$+{local_address}"%{.nl};
> ptype2=PerlFunc
> pattern2=sub { my(%var); \
>         if ($_[0] !~ /Username = $+{user}.+IP =
> $+{global_address}.+Duration: ([0-9]{1,2}h:[0-9]{1,2}m:[0-9]{1,2}s).+xmt:
> ([0-9]+).+rcv: ([0-9]+)/) { return 0; } \
>         $var{"duration"} = $1; \
>         $var{"xmit_bytes"} = $2; \
>         $var{"rcv_bytes"} = $3; \
>         return \%var; }
> desc2=Add Local Address To Disconnect Message
> action2=tcpsock 10.3.0.85:514 LzEC VPN Disconnect - User="$+{user}"
> Global Address="$+{global_address}" Local Address="$+{local_address}"
> Duration="$+{duration}" Xmit Bytes="$+{xmit_bytes} Rcv
> Bytes="$+{rcv_bytes}"%{.nl};
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users