If it helps, try carefully examining tabs from spaces. I remember spaces won't work but tabs do.
Ferran Pichel wrote:
> On Wednesday 02 December 2009 11:15:41 Moshe Basanchig wrote:
>
>> Same here,
>>
>> I'm having the exact same issue.
>> Suggestions?
>>
>
> Same here!
>
> We have a lot of exclusion filters:
>
> # cat ProcessMonitor.exl | wc -l
> 59
> # cat RegistryMonitor.exl | wc -l
> 563
> # cat FileMonitor.exl | wc -l
> 286
>
> Additionally, we are having some confusing messages like:
>
> UNKNOWN executed 'created' to C:\Program_Files\Windows_Media_Player\wmpnscfg.exe (3700)
>
> What does 'UNKNOWN' mean in this context?
>
> Thank you very much :)
>
> PS: To verify the correct syntax, we are using the following Perl script.
>
> # For each exclusion list, print the number and text of every line that
> # is not four tab-separated fields starting with + or -.
> # Blank lines and comment lines (starting with #) are skipped.
> print 'FileMonitor'."\n";
> open(ifd,'FileMonitor.exl') or die "Could not open 'FileMonitor.exl'\n";
> $c = 0;
> foreach $l (<ifd>){
>     $c++;
>     # [+-] rather than [+|-]: inside a character class | is a literal pipe
>     if( $l !~ /^[+-]\t\w+\t[^\t]+\t[^\t]+$/ ){
>         # 0-9 rather than 0-1, so lines containing only digits 2-9 are reported
>         if( $l !~ /[a-z0-9]/ or $l =~ /^#/ ){ next; }
>         print $c," ",$l;
>     }
> }
>
> print 'ProcessMonitor'."\n";
> open(ifd,'ProcessMonitor.exl') or die "Could not open 'ProcessMonitor.exl'\n";
> $c = 0;
> foreach $l (<ifd>){
>     $c++;
>     if( $l !~ /^[+-]\t[^\t]+\t[^\t]+\t[^\t]+$/ ){
>         if( $l !~ /[a-z0-9]/ or $l =~ /^#/ ){ next; }
>         print $c," ",$l;
>     }
> }
>
> print 'RegistryMonitor'."\n";
> open(ifd,'RegistryMonitor.exl') or die "Could not open 'RegistryMonitor.exl'\n";
> $c = 0;
> foreach $l (<ifd>){
>     $c++;
>     if( $l !~ /^[+-]\t\w+\t[^\t]+\t[^\t]+$/ ){
>         if( $l !~ /[a-z0-9]/ or $l =~ /^#/ ){ next; }
>         print $c," ",$l;
>     }
> }
>

_______________________________________________
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc
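Added example, not part of the original messages or of Capture-HPC: a Python checker that goes one step beyond the quoted Perl script by saying why a line fails and by printing its tabs and spaces visibly, which is the tabs-versus-spaces check suggested in the reply. The four-field tab-separated layout is assumed from the regexes in the quoted script, and the sample entries are constructed.

```python
import re

# Layout assumed from the regexes in the quoted Perl script:
# sign <TAB> field <TAB> field <TAB> field
VALID = re.compile(r'^[+-]\t[^\t]+\t[^\t]+\t[^\t]+$')

def check_line(line):
    """Return None if the line is acceptable, otherwise a short diagnosis."""
    text = line.rstrip('\r\n')
    if not text.strip() or text.lstrip().startswith('#'):
        return None                      # blank line or comment
    if VALID.match(text):
        return None
    if text[0] not in '+-':
        return 'does not start with + or -'
    tabs = text.count('\t')
    if tabs < 3 and ' ' in text:
        return 'only %d tabs (need 3): spaces may be used as separators' % tabs
    if tabs > 3 or '\t\t' in text:
        return 'empty or extra field (%d tabs, need 3)' % tabs
    return 'wrong field count (%d tabs, need 3)' % tabs

def check_exl(lines):
    """Yield (line_number, diagnosis, visible_text) for each rejected line."""
    for n, line in enumerate(lines, 1):
        problem = check_line(line)
        if problem:
            text = line.rstrip('\r\n')
            # Make the invisible separators readable in the report.
            visible = text.replace('\t', '<TAB>').replace(' ', '<SP>')
            yield n, problem, visible

# Constructed sample entries (not taken from a real exclusion list).
SAMPLE = [
    "# comment line\n",
    "+\tWrite\tC:\\WINDOWS\\explorer.exe\tC:\\\\Documents and Settings\\\\.+\n",
    "+ Write C:\\WINDOWS\\explorer.exe C:\\\\temp\\\\.+\n",
    "-\tWrite\t.*\t\tC:\\\\pagefile\\.sys\n",
    "\n",
]

if __name__ == '__main__':
    for n, problem, visible in check_exl(SAMPLE):
        print('line %d: %s\n    %s' % (n, problem, visible))
```

To check a real file, pass the open file object to `check_exl` in place of `SAMPLE`.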