Compilation warnings
The rule compiler generates compilation warnings in certain scenarios. While warnings do not prevent rule compilation, any rules that generate compiler warnings should be rewritten.
Common compiler warnings
Access per-process variables in a rule that does not reference an event type with a process context
If a rule accesses a per-process variable but does not reference an event type that provides process context, a compiler warning is generated. For more information about process context and variables, see Variable Scope.
Example:
local bool bSomeCondition;
set { bSomeCondition = true;} when media.deviceserial ....
alert when bSomeCondition;
When compiled, the alert rule generates the following warning:
variables requiring process context were referenced but no event providing process context was referenced
The local variable bSomeCondition is referenced in the alert rule, but no event is referenced that provides process context. In addition, bSomeCondition, once set, remains TRUE unless another set rule is specifically written to clear the value. That means that the alert rule continues to fire on every subsequent event of any type that is processed. The rule is best rewritten by making bSomeCondition a temporary variable.
Example:
temp bool bSomeCondition = false;
set { bSomeCondition = true;} when file.event ....
alert when bSomeCondition;
Temporary variables are automatically reset to their default values each time a new event is processed, and they can be referenced in any rule without requiring that rule to reference an event that provides process context.
Use identifier names greater than 64 characters in length
Identifiers (rule group names and variable names) must be 64 characters or fewer in length. If longer names are used, the names are automatically truncated to the 64-character limit, and a compiler warning is generated. A variable declaration like:
uint32 ZZ0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef;
results in a compiler warning like:
identifier "ZZ0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" exceeded maximum allowed length of 64 and was truncated
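A pre-compile check for the 64-character limit described above, as an added example that is not part of the original documentation or the product's tooling. It reports overlong identifiers and also groups names that share their first 64 characters, since those would be identical after truncation (an inference from the truncation behaviour, not something the page states). The C-style identifier pattern, the function names and the second sample declaration are assumptions made for illustration.

```python
import re
from collections import defaultdict

MAX_IDENTIFIER_LEN = 64  # limit stated in the documentation above

# Assumption: identifiers are C-style tokens (letter or underscore, then
# letters, digits or underscores). The rule language's real grammar may differ.
IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Constructed sample: the first declaration is the page's example, the second
# is a made-up name that differs only after character 64.
SAMPLE_RULES = """\
uint32 ZZ0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef;
uint32 ZZ0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcd00;
temp bool bSomeCondition = false;
alert when bSomeCondition;
"""


def find_long_identifiers(source):
    """Return {identifier: [line numbers]} for identifiers over the limit."""
    hits = defaultdict(list)
    for lineno, line in enumerate(source.splitlines(), start=1):
        for token in IDENTIFIER_RE.findall(line):
            if len(token) > MAX_IDENTIFIER_LEN:
                hits[token].append(lineno)
    return dict(hits)


def find_truncation_collisions(source):
    """Return {truncated name: sorted distinct identifiers that map to it}.

    Only groups with two or more distinct identifiers are returned, because
    those names become indistinguishable once cut to the limit.
    """
    groups = defaultdict(set)
    for token in IDENTIFIER_RE.findall(source):
        groups[token[:MAX_IDENTIFIER_LEN]].add(token)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for name, lines in find_long_identifiers(SAMPLE_RULES).items():
        print(f"lines {lines}: {len(name)} chars, truncated to {name[:64]}")
    for short, names in find_truncation_collisions(SAMPLE_RULES).items():
        print(f"{len(names)} identifiers collapse to {short}")
```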