Class: REC::Rule

Inherits:

Object

• Object
• REC::Rule

Defined in:

lib/rec/rule.rb

Overview

A Rule specifies which log entries to match, what to remember, and what to do about them.

Constant Summary

@@rules =

[]

@@index =

hash index of rules to allow lookup of messages etc.

{}

@@checked =

{}

@@matched =

{}

@@created =

{}

@@reacted =

{}

Instance Attribute Summary

• #alert ⇒ Object readonly

  the template for an alert message to be generated should it be necessary.

• #lifespan ⇒ Object readonly

  the time in seconds for a created state to persist.

• #message ⇒ Object readonly

  the template for the title of any state created.

• #params ⇒ Object readonly

  hash of the rules parameters, passed in when creating the rule.

• #pattern ⇒ Object readonly

  the regexp pattern to match an original log entry against :pattern => /^sw+sFirewall:sSkype is listening from 0.0.0.0:(d+)/, :details => [”port“], Note that regexp captures must correspond to customer field names in details.

• #rid ⇒ Object readonly

  the unique ID of the rule.

Class Method Summary

• .<<(rule) ⇒ Object

  Adds a rule to the ruleset.

• .[](rid) ⇒ Object

  Get a rule belonging to the key of rid.

• .each(&block) ⇒ Object

  Convenience method to iterate through the ruleset.

• .stats ⇒ Object

  Returns some summary statistics in a 5-element array, the first four elements a hash keyed on rule ID, the fifth is an array of rules: 1.

Instance Method Summary

• #action ⇒ Object

  block to be executed when #react is called.

• #check(logMessage) ⇒ Object

  Checks the original logMessage against the rule, looking for a match.

• #continue ⇒ Object

  Returns the continue parameter.

• #create_state(title) ⇒ Object

  Creates a state with the given title at the specified time.

• #initialize(rid, params = {}, &action) ⇒ Rule constructor

  Creates a new rule.

• #react(state, logLine) ⇒ Object

  Executes any action specified by the rule.

Constructor Details

#initialize(rid, params = {}, &action) ⇒ Rule

Creates a new rule. rid must be unique. action may be supplied as a block argument: :lifespan => 479 }) { |state| state.alert_first_only() } or as a Proc.new value to the :action key: :lifespan => 479, :action => Proc.new { |state| state.alert_first_only() } }) In most cases, an action is required when a state reacts with an event, but only in certain cases do we need an :onexpiry block. That is why the action may be supplied as a block if desired.

# File 'lib/rec/rule.rb', line 94

def initialize(rid, params={}, &action)
	@rid = rid
	@pattern = params[:pattern] || raise("No pattern specified for rule #{@ruleId}")
	@message = params[:message] || ""	# no message means no state created - ie. ignore event
	@lifespan = params[:lifespan] || 0
	@allstates = params[:allstates] || []
	@anystates = params[:anystates] || []
	@notstates = params[:notstates] || []
	@details = params[:details] || []
	@params = params
	@params[:action] = action unless action.nil?	# store the action into the params
	@params[:alert] = @params[:message] unless @params.has_key?(:alert)	# default alert if absent
	@matches = nil
	Rule << self
end

Instance Attribute Details

#alert ⇒ Object (readonly)

the template for an alert message to be generated should it be necessary

# File 'lib/rec/rule.rb', line 61

def alert
  @alert
end

#lifespan ⇒ Object (readonly)

the time in seconds for a created state to persist

# File 'lib/rec/rule.rb', line 59

def lifespan
  @lifespan
end

#message ⇒ Object (readonly)

the template for the title of any state created. :message => “sudo activity for user %userid$s”, will create states with titles like “sudo activity for user richard”

# File 'lib/rec/rule.rb', line 57

def message
  @message
end

#params ⇒ Object (readonly)

hash of the rules parameters, passed in when creating the rule

# File 'lib/rec/rule.rb', line 63

def params
  @params
end

#pattern ⇒ Object (readonly)

the regexp pattern to match an original log entry against :pattern => /^sw+sFirewall:sSkype is listening from 0.0.0.0:(d+)/, :details => [”port“], Note that regexp captures must correspond to customer field names in details

# File 'lib/rec/rule.rb', line 53

def pattern
  @pattern
end

#rid ⇒ Object (readonly)

the unique ID of the rule

# File 'lib/rec/rule.rb', line 48

def rid
  @rid
end

Class Method Details

.<<(rule) ⇒ Object

Adds a rule to the ruleset

# File 'lib/rec/rule.rb', line 22

def self.<<(rule)
	@@rules << rule
	@@index[rule.rid] = rule
	@@checked[rule.rid] = 0
	@@matched[rule.rid] = 0
	@@created[rule.rid] = 0
	@@reacted[rule.rid] = 0
end

.[](rid) ⇒ Object

Get a rule belonging to the key of rid

# File 'lib/rec/rule.rb', line 32

def self.[](rid)
	@@index[rid]
end

.each(&block) ⇒ Object

Convenience method to iterate through the ruleset

# File 'lib/rec/rule.rb', line 17

def self.each(&block)
	@@rules.each(&block)
end

.stats ⇒ Object

Returns some summary statistics in a 5-element array, the first four elements a hash keyed on rule ID, the fifth is an array of rules:

1. number of times each rule was checked

2. number of times each rule was matched

3. number of states created by each rule

4. number of times #react was called on each rule

5. list of rules, evaluated in sequence for each event

# File 'lib/rec/rule.rb', line 43

def self.stats()
	[@@checked, @@matched, @@created, @@reacted, @@rules]
end

Instance Method Details

#action ⇒ Object

block to be executed when #react is called. For example: Rule.new(10035, { :pattern => /^sw+sFirewall:sSkype is listening from 0.0.0.0:(d+)/, :details => [”port“], :message => ”Skype conversation started on port %port$d“, :alert => ”Skype running on port %port$d“, :lifespan => 479 }) { |state| state.alert_first_only() }

# File 'lib/rec/rule.rb', line 74

def action()
	@params[:action]
end

#check(logMessage) ⇒ Object

Checks the original logMessage against the rule, looking for a match. Returns a boolean (true if entry matched the pattern), and a string

# File 'lib/rec/rule.rb', line 112

def check(logMessage)
	@@checked[@rid] += 1
	return [false, nil] unless matchData = @pattern.match(logMessage)
	@matches = Hash[@details.zip(matchData.to_a()[1..-1])]	# map matched values to detail keys
	# if any notstates are specified, make sure none are present
	@notstates.each { |str| return([true, nil]) if State[str.sprinth(@matches)]	}
	# if any allstates are specified, they all need to be present
	@allstates.each { |str| return([true, nil]) unless State[str.sprinth(@matches)]	}
	# if anystates are specified, we must find one that matches
	return([true, nil]) unless @anystates.empty? or @anystates.detect {|str| State[str.sprinth(@matches)] }
	title = @message.sprinth(@matches)
	@@matched[@rid] += 1
	return([true, title])
end

#continue ⇒ Object

Returns the continue parameter. If false, stop processing rules for this event.

# File 'lib/rec/rule.rb', line 143

def continue()
	@params[:continue]
end

#create_state(title) ⇒ Object

Creates a state with the given title at the specified time

# File 'lib/rec/rule.rb', line 128

def create_state(title)
	@@created[@rid] += 1
	$stderr.puts("+ Creating new state  #{title}") if $debug
	State.new(title, @lifespan, @params)
end

#react(state, logLine) ⇒ Object

Executes any action specified by the rule

# File 'lib/rec/rule.rb', line 135

def react(state, logLine)
	@@reacted[@rid] += 1
	state.update(@rid, @matches, logLine)
	$stderr.puts("~ Rule #{@rid}, state = #{state.inspect()}") if $debug
	action().call(state) if action()
end