That's a good point...
I tested this just to make sure, and indeed, when you disable the event in the first rule, it is not triggered again for the second rule or for any other HTTP requests over the same TCP connection:
rule log_events_rule_1 {
    when CLIENT_ACCEPTED {
        log local0. "[clock clicks -milliseconds]"
    }
    when HTTP_REQUEST {
        # Disable HTTP_REQUEST after the first request on this connection
        event HTTP_REQUEST disable
        log local0. "[clock clicks -milliseconds]"
    }
    when HTTP_RESPONSE {
        log local0. "[clock clicks -milliseconds]"
    }
    when CLIENT_CLOSED {
        log local0. "[clock clicks -milliseconds]"
    }
}

rule log_events_rule_2 {
    when CLIENT_ACCEPTED {
        log local0. "[clock clicks -milliseconds]"
    }
    when HTTP_REQUEST {
        log local0. "[clock clicks -milliseconds]"
    }
    when HTTP_RESPONSE {
        log local0. "[clock clicks -milliseconds]"
    }
    when CLIENT_CLOSED {
        log local0. "[clock clicks -milliseconds]"
    }
}
I made ten requests using curl, which reuses the same TCP connection for multiple HTTP requests:
    curl 'http://http_vip/test[0-9]'
Checked the logging for the rules, and it shows the HTTP_REQUEST event is only triggered for the first rule and only once per TCP connection:
Oct 18 10:57:26 tmm tmm[1234]: Rule log_events_rule_1 : 1524276803
Oct 18 10:57:26 tmm tmm[1234]: Rule log_events_rule_2 : 1524276803
Oct 18 10:57:26 tmm tmm[1234]: Rule log_events_rule_1 : 1524276803
Oct 18 10:57:26 tmm tmm[1234]: Rule log_events_rule_1 : 1524276804
Oct 18 10:57:26 tmm tmm[1234]: Rule log_events_rule_2 : 1524276804
Oct 18 10:57:26 tmm tmm[1234]: Rule log_events_rule_1 : 1524276808
Oct 18 10:57:26 tmm tmm[1234]: Rule log_events_rule_2 : 1524276808
Oct 18 10:57:26 tmm tmm[1234]: Rule log_events_rule_1 : 1524276812
Oct 18 10:57:26 tmm tmm[1234]: Rule log_events_rule_2 : 1524276812
Oct 18 10:57:26 tmm tmm[1234]: Rule log_events_rule_1 : 1524276816
Oct 18 10:57:26 tmm tmm[1234]: Rule log_events_rule_2 : 1524276816
Oct 18 10:57:26 tmm tmm[1234]: Rule log_events_rule_1 : 1524276819
Oct 18 10:57:26 tmm tmm[1234]: Rule log_events_rule_2 : 1524276819
Oct 18 10:57:26 tmm tmm[1234]: Rule log_events_rule_1 : 1524276822
Oct 18 10:57:26 tmm tmm[1234]: Rule log_events_rule_2 : 1524276822
Oct 18 10:57:26 tmm tmm[1234]: Rule log_events_rule_1 : 1524276826
Oct 18 10:57:26 tmm tmm[1234]: Rule log_events_rule_2 : 1524276826
Oct 18 10:57:26 tmm tmm[1234]: Rule log_events_rule_1 : 1524276829
Oct 18 10:57:26 tmm tmm[1234]: Rule log_events_rule_2 : 1524276829
Oct 18 10:57:26 tmm tmm[1234]: Rule log_events_rule_1 : 1524276832
Oct 18 10:57:26 tmm tmm[1234]: Rule log_events_rule_2 : 1524276832
Oct 18 10:57:26 tmm tmm[1234]: Rule log_events_rule_1 : 1524276836
Oct 18 10:57:26 tmm tmm[1234]: Rule log_events_rule_2 : 1524276836
Oct 18 10:57:26 tmm tmm[1234]: Rule log_events_rule_1 : 1524276838
Oct 18 10:57:26 tmm tmm[1234]: Rule log_events_rule_2 : 1524276838
So I think the simplest workaround is to combine the two rules into one rule.
I suppose you could try something fancy with setting a global variable in the first rule that the second rule checks. But I think it might get complicated trying to differentiate which TCP connection the variable is referencing. Or perhaps you could use the session table.
Does anyone else have suggestions on this?
Thanks,
Aaron
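The behaviour shown above has a security-relevant side: `event HTTP_REQUEST disable` is connection-wide, so if a later iRule on the same virtual server does per-request validation in HTTP_REQUEST, that validation silently stops after the first request on a keep-alive connection. The following is an added example (not code from the original post or from F5) of the "one rule skips its own work after the first request" pattern done with a per-connection flag instead of disabling the event; the rule names, the `first_req_done` variable and the traversal check in the second rule are hypothetical. It assumes both iRules are attached to the same virtual server, that iRule variables are scoped to the connection and shared between the iRules on that virtual server, and that the `priority` keyword orders the handlers (lower number runs first).

```tcl
# Added example: per-connection flag instead of "event HTTP_REQUEST disable".
# Assumes: both rules attached to the same virtual server; variables are
# connection-scoped and visible to every iRule on that virtual server.

rule first_request_only_rule {
    # Runs first (priority 100). Does its work once per TCP connection but
    # leaves HTTP_REQUEST enabled so later iRules still see every request.
    when CLIENT_ACCEPTED priority 100 {
        # Hypothetical flag name; reset for every new TCP connection.
        set first_req_done 0
    }
    when HTTP_REQUEST priority 100 {
        if { $first_req_done } {
            # Already handled the first request on this connection.
            # "return" ends only this rule's handler; the event still fires
            # for the other iRules on the virtual server.
            return
        }
        set first_req_done 1
        log local0. "first request on connection from [IP::client_addr]: [HTTP::uri]"
    }
}

rule per_request_check_rule {
    # Runs after the rule above (priority 500) and must see EVERY request.
    # With "event HTTP_REQUEST disable" in the first rule, this handler would
    # run only for the first request of each keep-alive connection.
    when HTTP_REQUEST priority 500 {
        # Hypothetical check: reject obvious path-traversal attempts.
        if { [HTTP::uri] contains ".." } {
            log local0. "rejecting traversal attempt from [IP::client_addr]: [HTTP::uri]"
            reject
            return
        }
        log local0. "checked request [HTTP::uri]"
    }
}
```

With curl sending ten requests over one connection, as in the test above, the first rule logs once per connection while the second rule logs (and checks) all ten requests. If a later rule genuinely must not run for the rest of the connection, the same flag can be tested there with `if { $first_req_done } { return }`; the point is that each rule decides for itself rather than one rule switching the event off for all of them.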