Counting Results

You can also use posted conditions to count the number of results returned by the microagent method. Some microagent methods return tabular data when invoked. If the method returns a table of results, an instance of the associated test is generated for every row of the table. The actual value of a posted condition is the number of associated test instances that evaluated to true. You can use this relationship to count the number of rows in the table that match some condition. A non-zero value means that at least one row in the table matched the test condition. The value of the posted condition is the exact number of rows that matched the test condition.

For example, a software virus spawns multiple copies of a common process such as a web browser. The virus uses the SYSTEM account to accomplish this, which is not the normal account for a web browser. To check for the presence of this virus on your network you could create several tests and use a posted condition. The first rule could retrieve the process table, and use a compound test to check for more than one copy of the browser process running as SYSTEM.

If ((name=="netscape") AND (user=="SYSTEM")) 

When the test evaluates to true, a posted condition named SystemBrowser is created. The second rule tests the value of the posted condition. It does not require data from a microagent, but uses a token data source: the microagent method Self:getUptime():10. This method returns the number of seconds the agent has been running every 10 seconds. The actual data retrieved from the data source is discarded, but every 10 seconds this method triggers a test for SystemBrowser>1. When the test evaluates to true, a high-level alert is generated.