It would be cool to be able to send event info to a local script as an argument and accept the return value as a local variable within that rule. This return value could then be used for regex comparisons, state variables or input for responses. I am aware of the possibility of buffer overflow issues but I am sure you could limit acceptable returns to limited strings. Just a thought after wanting to compare usernames against machine names for failed logons.
