Here is the code of the compiled rule:

#include "shared.h"
#include "eventinfo.h"
#include "config.h"
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Compiled rule: returns lf when lf->dstuser matches one line of the
 * list file, NULL otherwise (the OSSEC convention for compiled rules). */
void *logman(Eventinfo *lf)
{
    static const char filename[] = "/var/ossec/adslist";
    char user[128];
    char line[128];
    Eventinfo *lfr = NULL;
    FILE *file;

    if (!lf->dstuser || lf->dstuser[0] == '\0') {
        return NULL;
    }

    /* Bounded copy: dstuser comes from the log and may be longer than
     * 127 bytes, so a plain strcpy() could overflow the buffer. */
    snprintf(user, sizeof(user), "%s", lf->dstuser);

    file = fopen(filename, "r");
    if (file == NULL) {
        perror(filename);
        return NULL;
    }

    while (fgets(line, sizeof(line), file) != NULL) {
        size_t len = strlen(line);
        size_t i;

        /* Strip the trailing newline only if present: the last line of the
         * file may not have one. */
        if (len > 0 && line[len - 1] == '\n') {
            line[--len] = '\0';
        }
        if (len != strlen(user)) {
            continue;
        }
        /* List entries are lower-cased before comparison. */
        for (i = 0; i < len; i++) {
            line[i] = (char)tolower((unsigned char)line[i]);
        }
        if (strcmp(user, line) == 0) {
            lfr = lf;
            break;
        }
    }
    fclose(file);

    return lfr;
}
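As an added example (not the poster's code and not part of OSSEC), the list-matching logic separated from the Eventinfo structure so it can be unit-tested offline against a constructed list. The names user_in_list(), user_in_text() and SAMPLE_LIST are assumptions; the block shows the bounded copy of the log-derived field, the trailing-newline handling for the last line, and why an entry longer than the 128-byte buffer must be skipped rather than compared piecewise.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Return 1 if user equals one line of list (entries lower-cased before
 * comparing, as in the rule), else 0. Hypothetical helper, not OSSEC code. */
int user_in_list(const char *user, FILE *list)
{
    char want[128], line[128];      /* same buffer size as the rule */
    size_t want_len, len, i;
    int partial = 0;
    if (user == NULL || user[0] == '\0' || list == NULL)
        return 0;
    snprintf(want, sizeof(want), "%s", user);  /* bounded copy, never strcpy */
    want_len = strlen(want);
    rewind(list);
    while (fgets(line, sizeof(line), list) != NULL) {
        len = strlen(line);
        if (partial) {              /* tail of an over-long entry: skip it */
            partial = (line[len - 1] != '\n');
            continue;
        }
        if (line[len - 1] == '\n') {
            line[--len] = '\0';     /* strip newline; the last line may lack one */
        } else if (len == sizeof(line) - 1) {
            int c = fgetc(list);    /* buffer full: more of this line pending? */
            if (c != EOF) { ungetc(c, list); partial = 1; continue; }
        }
        if (len != want_len)
            continue;
        for (i = 0; i < len; i++)
            line[i] = (char)tolower((unsigned char)line[i]);
        if (strcmp(want, line) == 0)
            return 1;
    }
    return 0;
}

/* Run the check over a constructed in-memory list (for tests). */
int user_in_text(const char *user, const char *text)
{
    FILE *f = tmpfile();
    int hit = -1;
    if (f != NULL) { fputs(text, f); hit = user_in_list(user, f); fclose(f); }
    return hit;
}
/* Constructed sample: mixed case, one 144-byte entry, no final newline. */
#define X16 "xxxxxxxxxxxxxxxx"
static const char SAMPLE_LIST[] =
    "Alice\n" X16 X16 X16 X16 X16 X16 X16 X16 X16 "\nbob\ncarol";
```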
On 26 May, 11:00, Stefano Pedretti <[email protected]> wrote:
> Hi all,
> using OSSEC I found a limitation on the length of a regexp.
> So I'm writing my own compiled rule for my purpose.
>
> This code simply compares the dstuser field with a list of users in a
> file.
>
> I tested my C rule with ossec-logtest and it works fine, but no match
> appears at all when events come from agents.
>
> Every time I modify the rule's C source I reinstall everything, using the
> install.sh script.
>
> Has anyone found similar behaviour? Is there a trick to avoid that?
>
> Thank you!
>
> --
> -----------------------------
> Pedretti Stefano
> [email protected]
> PGP Fingerprint: 5B00129E
> http://paroledisilicio.wordpress.com
> Skype : ste.pedro83
> mobile: +393292348186
> -----------------------------