[Simple-evcorr-users] Trying to Benchmark - But Problems
From: Gertz, W. <wil...@at...> - 2003-11-27 14:47:17
Risto (and anyone else in SECland),

I'm trying to do the benchmarking and am running into problems with thresholding more than 100 events. I know I must be doing something wrong, but I just don't see it. The strange thing is the ruleset works for a threshold set to 100 but more than that seems to be a problem:

CYGWIN SHELL:

    $ perl sec.2.2beta2.pl -input=/tmp/example.data -conf=/tmp/load-module-example.100.conf -intevents -log=/tmp/sec.log -fromstart
    $ grep 127.0.0.1 /tmp/example.data | wc
      20155  792653 8959991

RULESET:

    type = single
    desc = Module load and range setup
    pattern = SEC_STARTUP
    ptype = substr
    context = [SEC_INTERNAL_EVENT]
    action = assign %a 0; \
             eval %a (require NetAddr::IP; \
                      $range = NetAddr::IP->new('127.0.0.0/26'); 1;); \
             eval %a (exit(1) unless %a); \
             create test 1 \
                    (report test /bin/cat > /tmp/found-dmz; \
                     eval %a (exit(1)))

    type = singlewiththreshold
    desc = Find an IP Address
    pattern = ((?:\d{1,3}\.){3}\d{1,3})
    ptype = regexp
    context = =(NetAddr::IP->new('$1')->within($range))
    thresh = 100
    window = 10
    action = add test Found address $1

RESULTS @100:

    Thu Nov 27 13:09:44 2003: Simple Event Correlator version 2.2.beta2
    Thu Nov 27 13:09:44 2003: Reading configuration from /tmp/load-module-example-100.conf
    Thu Nov 27 13:09:44 2003: 2 rules loaded from /tmp/load-module-example-100.conf
    Thu Nov 27 13:09:44 2003: Creating SEC internal context 'SEC_INTERNAL_EVENT'
    Thu Nov 27 13:09:44 2003: Creating SEC internal event 'SEC_STARTUP'
    Thu Nov 27 13:09:44 2003: Assigning value '0' to variable '%a'
    Thu Nov 27 13:09:44 2003: Evaluating code 'require NetAddr::IP; $range = NetAddr::IP->new('127.0.0.0/26'); 1;' and setting variable '%a'
    Thu Nov 27 13:09:45 2003: Assigning value '1' to variable '%a'
    Thu Nov 27 13:09:45 2003: Evaluating code 'exit(1) unless 1' and setting variable '%a'
    Thu Nov 27 13:09:45 2003: Assigning value '1' to variable '%a'
    Thu Nov 27 13:09:45 2003: Creating context 'test'
    Thu Nov 27 13:09:45 2003: Deleting SEC internal context 'SEC_INTERNAL_EVENT'
    Thu Nov 27 13:09:45 2003: Adding event 'Found address 127.0.0.1' to context 'test'
    Thu Nov 27 13:09:47 2003: Deleting stale context 'test'
    Thu Nov 27 13:09:47 2003: Reporting the event store of context 'test' through shell command '/bin/cat > /tmp/found-dmz'
    Thu Nov 27 13:09:47 2003: Child 352 created for command '/bin/cat > /tmp/found-dmz'
    Thu Nov 27 13:09:47 2003: Evaluating code 'exit(1)' and setting variable '%a'

RESULTS @1000:

    Thu Nov 27 13:09:57 2003: Simple Event Correlator version 2.2.beta2
    Thu Nov 27 13:09:57 2003: Reading configuration from /tmp/load-module-example-1000.conf
    Thu Nov 27 13:09:57 2003: 2 rules loaded from /tmp/load-module-example-1000.conf
    Thu Nov 27 13:09:57 2003: Creating SEC internal context 'SEC_INTERNAL_EVENT'
    Thu Nov 27 13:09:57 2003: Creating SEC internal event 'SEC_STARTUP'
    Thu Nov 27 13:09:57 2003: Assigning value '0' to variable '%a'
    Thu Nov 27 13:09:57 2003: Evaluating code 'require NetAddr::IP; $range = NetAddr::IP->new('127.0.0.0/26'); 1;' and setting variable '%a'
    Thu Nov 27 13:09:57 2003: Assigning value '1' to variable '%a'
    Thu Nov 27 13:09:57 2003: Evaluating code 'exit(1) unless 1' and setting variable '%a'
    Thu Nov 27 13:09:57 2003: Assigning value '1' to variable '%a'
    Thu Nov 27 13:09:57 2003: Creating context 'test'
    Thu Nov 27 13:09:57 2003: Deleting SEC internal context 'SEC_INTERNAL_EVENT'
    Thu Nov 27 13:09:59 2003: Deleting stale context 'test'
    Thu Nov 27 13:09:59 2003: Reporting the event store of context 'test' through shell command '/bin/cat > /tmp/found-dmz'
    Thu Nov 27 13:09:59 2003: Event store of context 'test' is empty, can't report
    Thu Nov 27 13:09:59 2003: Evaluating code 'exit(1)' and setting variable '%a'

I don't see the mistake I surely made - help!

Kind Regards,
Bill

<<load-module-example-100.conf>> <<load-module-example-1000.conf>> <<load-module-example-10000.conf>> <<sec.log>> <<dprofpp-100.txt>>
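An added example, not from the mail and not SEC's own code: a Python model of the singlewiththreshold rule above (the same regex, the 127.0.0.0/26 range check done with ipaddress instead of NetAddr::IP, a sliding window and a threshold) that lets you work out offline how many times the action should fire for a given input rate, threshold and window. The sliding-window and ignore-until-window-expires behaviour is a simplifying assumption, not SEC's exact algorithm, and the input lines are constructed.

```python
import re
from collections import deque
from ipaddress import ip_address, ip_network

# The "pattern" line of the singlewiththreshold rule, unchanged.
IP_RE = re.compile(r"((?:\d{1,3}\.){3}\d{1,3})")

def in_range(ip_text, network):
    """Model of the context expression =(NetAddr::IP->new('$1')->within($range))."""
    try:
        return ip_address(ip_text) in network
    except ValueError:  # e.g. 999.1.1.1 satisfies the regex but is not an address
        return False

def threshold_rule(events, cidr="127.0.0.0/26", thresh=100, window=10_000):
    """Simplified model of singlewiththreshold (an assumption, not SEC's code):
    count lines whose address lies inside `cidr`; when `thresh` of them fall
    within a sliding `window` (milliseconds), fire once and ignore further
    matches until the window has elapsed. `events` yields (timestamp_ms, line).
    Returns the (timestamp_ms, address) pairs at which the action would run."""
    network = ip_network(cidr)
    seen, fired, muted_until = deque(), [], 0
    for ts, line in events:
        m = IP_RE.search(line)
        if not m or not in_range(m.group(1), network) or ts < muted_until:
            continue
        seen.append(ts)
        while ts - seen[0] > window:  # drop counts that fell out of the window
            seen.popleft()
        if len(seen) >= thresh:
            fired.append((ts, m.group(1)))
            seen.clear()
            muted_until = ts + window
    return fired

def sample_events(n, interval_ms):
    """Constructed stand-in for the grep'd example.data: n lines, one every
    interval_ms, two thirds from 127.0.0.1 and one third from an address
    outside 127.0.0.0/26 that the context expression must reject."""
    return [(i * interval_ms,
             f"Nov 27 13:09:45 host sshd[1]: connection from "
             f"{'127.0.0.1' if i % 3 else '10.9.8.7'}")
            for i in range(n)]

if __name__ == "__main__":
    for interval in (2, 20):  # 500 lines/s versus 50 lines/s
        ev = sample_events(3000, interval)
        for t in (100, 1000):
            print(f"{1000 // interval} lines/s, thresh={t}: "
                  f"{len(threshold_rule(ev, thresh=t))} firing(s)")
```

At 500 lines/s both thresholds fire once within the first few seconds; at 50 lines/s the 1000 threshold is never reached inside a 10 s window, so the action never runs and nothing is ever added to the context.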