hi David, I would second to Rock's recommendation to use regular expressions in the Pair rule. Firstly, two PerlFunc patterns implement only regular expression matching and there isn't anything additional (such as arithmetic operations) which would require the use of Perl. Therefore, it is easier to express these patterns as RegExp patterns.
There is another major benefit -- if you use RegExp patterns in Pair or PairWithWindow rules, you can include match variables (e.g., $1, $2) in 'pattern2' field which are substituted with values when 'pattern' field matches. On the other hand, you can *not* use match variables inside Perl code given with PerlFunc patterns, since this code is compiled only once when SEC starts. During event processing, the same already compiled code is executed for pattern matching purposes, and no substitution of match variables can take place (substitution would change the code and would thus require recompiling). One small sidenote -- if you would like to use named match variables in RegExp patterns, regular expressions support them natively with "<?varname>" construct in the beginning of each capture group. For example, the following expression will set $+{user}, $+{global_address} and $+{local_address} variables: User <(?<user>[^\s]+)>.+IP <(?<global_address>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})>.+IPv4 Address <(?<local_address>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})> kind regards, risto Kontakt David Thomas (<dtho...@kwiktrip.com>) kirjutas kuupƤeval N, 3. oktoober 2019 kell 22:37: > I'm running into an issue with a correlation I'm trying to implement and > I'm hoping you can help. > > Event 1 happens when a user logs into a vpn. It has the user's name the > global address and the local address assigned by the vpn. > Event 2 happens when the user logs off the vpn. It has the user's name, > the global address, the duration and amount of traffic. > > My objective is to get the local address from event 1 and combine it with > the information from event 2. > > I'm using a hash to get the name and both addresses from event 1. Then in > pattern 2 I reference that to see if the user name and global address match > and add the local address from the hash. What I'm trying now is below. > > I'm getting messages from action2 tcp sock so it seems like I'm matching > the pattern but the values of the hash keys that come from pattern 1 are > empty. > > Here is an example of what I'm getting: > VPN Disconnect - User="" Global Address="" Local Address="" > Duration="0h:03m:07s" Xmit Bytes="1689622 Rcv Bytes="34370" > > Here is the .sec file I'm currently using. I'm hoping someone can point > out what I'm doing wrong. Thanks! > > type=pair > ptype=PerlFunc > pattern=sub { my(%var); \ > if ($_[0] !~ /User <([^\s]+)>.+IP > <([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})>.+IPv4 Address > <([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})>/) { return 0; } \ > $var{"user"} = $1; \ > $var{"global_address"} = $2; \ > $var{"local_address"} = $3; \ > return \%var; } > desc=Get Name - Global Address - Local Address > action=tcpsock 10.3.0.85:514 LzEC VPN Address Mapping - User="$+{user}" - > Global Address ="$+{global_address}" - Local Address = > "$+{local_address}"%{.nl}; > ptype2=PerlFunc > pattern2=sub { my(%var); \ > if ($_[0] !~ /Username = $+{user}.+IP = > $+{global_address}.+Duration: ([0-9]{1,2}h:[0-9]{1,2}m:[0-9]{1,2}s).+xmt: > ([0-9]+).+rcv: ([0-9]+)/) { return 0; } \ > $var{"duration"} = $1; \ > $var{"xmit_bytes"} = $2; \ > $var{"rcv_bytes"} = $3; \ > return \%var; } > desc2=Add Local Address To Disconnect Message > action2=tcpsock 10.3.0.85:514 LzEC VPN Disconnect - User="$+{user}" > Global Address="$+{global_address}" Local Address="$+{local_address}" > Duration="$+{duration}" Xmit Bytes="$+{xmit_bytes} Rcv > Bytes="$+{rcv_bytes}"%{.nl}; > > > _______________________________________________ > Simple-evcorr-users mailing list > Simple-evcorr-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users >
_______________________________________________ Simple-evcorr-users mailing list Simple-evcorr-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users