version 2.8.2

Author: risto

ChangeLog

@@ -1,3 +1,11 @@
+--- version 2.8.2
+
+* added support for 'varset' action.
+
+* fixed a bug where reference to $:{cacheentry:varname} match variable
+  for non-existing pattern match cache entry would create an empty entry.
+
+
 --- version 2.8.1
 
 * fixed a bug in dump file creation routine (a perl warning message was

README

@@ -1,4 +1,4 @@
-SEC (Simple Event Correlator) 2.8.1
+SEC (Simple Event Correlator) 2.8.2
 
 Introduction:
 -------------
@@ -17,15 +17,15 @@ wide variety of other ways.
 Availability:
 -------------
 This program is distributed under the terms of GNU General Public License, 
-and can be downloaded from http://simple-evcorr.github.io
+and can be downloaded from https://simple-evcorr.github.io
 
 Release Notes:
 --------------
 SEC has been tested primarily on Linux and Solaris, but since it is written 
 in Perl and does not use any platform dependent subroutines, it should also
 work on other OS platforms.
 Because SEC is not tested against ancient Perl releases, it is recommended 
-to run SEC with at least Perl 5.8 (see http://www.perl.org for the latest 
+to run SEC with at least Perl 5.8 (see https://www.perl.org for the latest 
 stable release). 
 SEC uses Perl Getopt, POSIX, Fcntl, Socket, IO::Handle, and Sys::Syslog 
 modules which are included in the standard Perl installation (the presence

contrib/suse.startup

@@ -4,7 +4,7 @@
 #   and its symbolic link
 # /(usr/)sbin/rcsec
 #
-# LSB compatible service control script; see http://www.linuxbase.org/spec/
+# LSB compatible service control script; see https://www.linuxbase.org/spec/
 # Contributed by Malcolm J Lewis <malcolmlewis@opensuse.org> 
 #
 ### BEGIN INIT INFO

contrib/suse.sysconfig

@@ -1,5 +1,5 @@
 ## Description: Simple Event Correlator Configuration File
-## URL: http://simple-evcorr.sourceforge.net/
+## URL: https://simple-evcorr.github.io
 ## License: GPL-2.0
 ## Modified by Malcolm J Lewis <malcolmlewis@opensuse.org>
 ## Path: System/sec

sec

@@ -1,7 +1,7 @@
 #!/usr/bin/perl -w
 #
-# SEC (Simple Event Correlator) 2.8.1 - sec
-# Copyright (C) 2000-2018 Risto Vaarandi
+# SEC (Simple Event Correlator) 2.8.2 - sec
+# Copyright (C) 2000-2019 Risto Vaarandi
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -179,8 +179,8 @@ $WIN32 = ($^O =~ /win/i  &&  $^O !~ /cygwin/i  &&  $^O !~ /darwin/i);
 
 # set version and usage variables
 
-$SEC_VERSION = "SEC (Simple Event Correlator) 2.8.1";
-$SEC_COPYRIGHT = "Copyright (C) 2000-2018 Risto Vaarandi";
+$SEC_VERSION = "SEC (Simple Event Correlator) 2.8.2";
+$SEC_COPYRIGHT = "Copyright (C) 2000-2019 Risto Vaarandi";
 
 $SEC_USAGE = qq!Usage: $0 [options] 
 
@@ -325,6 +325,7 @@ use constant REWRITE		=> 51;
 use constant ADDINPUT		=> 52;
 use constant DROPINPUT		=> 53;
 use constant SIGEMUL		=> 54;
+use constant VARIABLESET	=> 55;
 use constant IF			=> 100;
 use constant WHILE		=> 101;
 use constant BREAK		=> 102;
@@ -867,7 +868,7 @@ sub analyze_action {
   my($actionlist, @action);
   my($actionlist2, @action2);
   my($createafter, $event, $timestamp);
-  my($lifetime, $context, $alias);
+  my($lifetime, $context, $alias, $entry);
   my($variable, $value, $code, $codeptr, $params, $evalok, $op);
 
   if ($action =~ /^none$/i)  { return NONE; }
@@ -1559,6 +1560,28 @@ sub analyze_action {
     return (SIGEMUL, $signal); 
   }
 
+  elsif ($action =~ /^varset\s+(\S+)\s+(\S+)$/i) {
+
+    $variable = $1;
+    $entry = $2;
+    process_action_parens($entry);
+
+    if ($variable !~ /^%[[:alpha:]]\w*$/) {
+      log_msg(LOG_ERR, "Rule in $conffile at line $lineno:", 
+                       "Variable $variable does not have the form",
+                       "%<letter>[<letter>|<digit>|<underscore>]...");
+      return INVALIDVALUE;
+    }
+
+    if (!length($entry)) {
+      log_msg(LOG_ERR, "Rule in $conffile at line $lineno:", 
+              "Empty pattern match cache entry name given for varset action");
+      return INVALIDVALUE;
+    }
+
+    return (VARIABLESET, substr($variable, 1), $entry); 
+  }
+
   elsif ($action =~ /^if\s/i) {
 
     $value = EXPRSYMBOL;
@@ -6439,6 +6462,27 @@ sub execute_sigemul_action {
   return 2;
 }
 
+sub execute_varset_action {
+
+  my($actionlist, $text, $i) = @_;
+  my($entry, $variable, $value);
+
+  $variable = $actionlist->[$i+1];
+  $entry = $actionlist->[$i+2];
+
+  substitute_actionlist_var($entry, $text);
+
+  log_msg(LOG_DEBUG, 
+          "Checking the presence of pattern match cache entry '$entry'");
+
+  $value = (exists($pmatch_cache{$entry}))?1:0; 
+  $variables{$variable} = $value;
+
+  log_msg(LOG_DEBUG, "Variable '%$variable' set to '$value'");
+
+  return 3;
+}
+
 sub execute_if_action {
 
   my($actionlist, $text, $i) = @_;
@@ -7442,12 +7486,16 @@ sub subst_string {
 
     } else {
 
+      # calling defined($pmatch_cache{$4}->{$+}) will create $pmatch_cache{$4}
+      # if it doesn't exist, thus exists($pmatch_cache{$4}) is called first
+
       $msg =~ s/$token2(?:$token2|([0-9]+)|\{([0-9]+)\}|
                           \+\{([[:alpha:]_][\w!]*|[0-9]+)\}|
                           :\{([[:alpha:]]\w*):([[:alpha:]_][\w!]*|[0-9]+)\})/
       !defined($+)?$token:
-          (!defined($4)?(defined($subst_ref->{$+})?$subst_ref->{$+}:"")
-           :(defined($pmatch_cache{$4}->{$+})?$pmatch_cache{$4}->{$+}:""))/egx;
+          (!defined($4)?(defined($subst_ref->{$+})?$subst_ref->{$+}:""):
+            ((exists($pmatch_cache{$4}) && defined($pmatch_cache{$4}->{$+}))?
+              $pmatch_cache{$4}->{$+}:""))/egx;
     }
   }
 
@@ -9565,6 +9613,11 @@ sub actionlist2str {
       $i += 2;
     } 
 
+    elsif ($actionlist->[$i] == VARIABLESET) { 
+      $result .= "varset %" . $actionlist->[$i+1] . " " . $actionlist->[$i+2]; 
+      $i += 3;
+    }
+
     elsif ($actionlist->[$i] == IF) {
       $result .= "if %" . $actionlist->[$i+1] . " (";
       if (scalar(@{$actionlist->[$i+2]})) {
@@ -13386,6 +13439,7 @@ $actioncopyfunc[REWRITE] = \&copy_three_elem_action;
 $actioncopyfunc[ADDINPUT] = \&copy_four_elem_action;
 $actioncopyfunc[DROPINPUT] = \&copy_two_elem_action;
 $actioncopyfunc[SIGEMUL] = \&copy_two_elem_action;
+$actioncopyfunc[VARIABLESET] = \&copy_three_elem_action;
 $actioncopyfunc[IF] = \&copy_if_action;
 $actioncopyfunc[WHILE] = \&copy_while_action;
 $actioncopyfunc[BREAK] = \&copy_one_elem_action;
@@ -13446,6 +13500,7 @@ $actionsubstfunc[REWRITE] = \&subst_three_elem_action;
 $actionsubstfunc[ADDINPUT] = \&subst_four_elem_action;
 $actionsubstfunc[DROPINPUT] = \&subst_two_elem_action;
 $actionsubstfunc[SIGEMUL] = \&subst_two_elem_action;
+$actionsubstfunc[VARIABLESET] = \&subst_event_assign_etc_action;
 $actionsubstfunc[IF] = \&subst_if_action;
 $actionsubstfunc[WHILE] = \&subst_while_action;
 $actionsubstfunc[BREAK] = \&subst_none_break_continue;
@@ -13506,6 +13561,7 @@ $execactionfunc[REWRITE] = \&execute_rewrite_action;
 $execactionfunc[ADDINPUT] = \&execute_addinput_action;
 $execactionfunc[DROPINPUT] = \&execute_dropinput_action;
 $execactionfunc[SIGEMUL] = \&execute_sigemul_action;
+$execactionfunc[VARIABLESET] = \&execute_varset_action;
 $execactionfunc[IF] = \&execute_if_action;
 $execactionfunc[WHILE] = \&execute_while_action;
 $execactionfunc[BREAK] = \&execute_break_action;

sec.man

@@ -1,6 +1,6 @@
 .\"
-.\" SEC (Simple Event Correlator) 2.8.1 - sec.man
-.\" Copyright (C) 2000-2018 Risto Vaarandi
+.\" SEC (Simple Event Correlator) 2.8.2 - sec.man
+.\" Copyright (C) 2000-2019 Risto Vaarandi
 .\"
 .\" This program is free software; you can redistribute it and/or
 .\" modify it under the terms of the GNU General Public License
@@ -16,7 +16,7 @@
 .\" along with this program; if not, write to the Free Software
 .\" Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 .\" 
-.TH sec 1 "October 2018" "SEC 2.8.1"
+.TH sec 1 "June 2019" "SEC 2.8.2"
 .SH NAME
 sec \- simple event correlator
 .SH SYNOPSIS
@@ -2764,6 +2764,16 @@ HUP, ABRT, USR1, USR2, INT, or TERM. For example, the action
 triggers the generation of SEC dump file. See the SIGNALS section for
 detailed information on signals that are handled by SEC.
 .TP
+.I varset %<var> <entry>
+If the pattern match cache entry <entry> exists, set the action list variable 
+%<var> to 1, otherwise set %<var> to 0. For example, if pattern match cache
+contains the entry with the name SSH but not the entry with the name NTP, 
+the action
+.I varset %ssh SSH
+will set the %ssh action list variable to 1, while the action
+.I varset %ntp NTP
+will set the %ntp action list variable to 0.
+.TP
 .I if %<var> ( <action list> ) [ else ( <action list2> ) ]
 If the action list variable %<var> evaluates true in the Perl boolean context
 (i.e., it holds a defined value which is neither 0 nor empty string), execute