Hi Stefano,

Can you send some of the logs you are trying to parse?
Also, your code has some serious security issues in there. I recommend that you double check it before putting it in production (e.g. strcpy should not be used).

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, May 28, 2010 at 10:16 AM, Stefano Pedretti <[email protected]> wrote:
> Here is the code of the compiled rule:
>
> #include "shared.h"
> #include "eventinfo.h"
> #include "config.h"
> #include <stdio.h>
>
> void *logman(Eventinfo *lf)
> {
>     static const char filename[] = "/var/ossec/adslist";
>
>     if(!lf->dstuser)
>     {
>         return(NULL);
>     }
>
>     char user[128];
>     strcpy(user,lf->dstuser);
>
>     Eventinfo *lfr = NULL;
>
>     if(strlen(user) > 0){
>         FILE *file = fopen ( filename, "r" );
>         if ( file != NULL ){
>             char line[128];
>             while ( fgets ( line, sizeof line, file ) != NULL ){
>                 if (strlen(user) == (strlen(line)-1)){
>                     user[strlen(user)] = 0;
>                     line[strlen(line)-1] = 0;
>
>                     int i;
>                     for (i=0; i < strlen(line) ; i++)
>                         line[i] = tolower(line[i]);
>
>                     if (strcmp(user,line) == 0){
>                         lfr=lf;
>                         break;
>                     }
>                 }
>             }
>             fclose ( file );
>         }
>         else
>         {
>             perror ( filename );
>         }
>     }
>     return(lfr);
> }
>
>
> On 26 May, 11:00, Stefano Pedretti <[email protected]> wrote:
>> Hi all,
>> using OSSEC I found a limitation on the length of a regexp.
>> So I'm writing my own compiled rule for my purpose.
>>
>> This code simply compares the dstuser field with a list of users in a
>> file.
>>
>> I tested my C rule with ossec-logtest and it works fine, but no match
>> appears at all when events come from agents.
>>
>> Every time I modify the rule C source I reinstall everything, using the
>> install.sh script.
>>
>> Has anyone found a similar behaviour? Is there a trick to avoid that?
>>
>> Thank you!
>>
>> --
>> -----------------------------
>> Pedretti Stefano
>> [email protected]
>> PGP Fingerprint: 5B00129E
>> http://paroledisilicio.wordpress.com
>> Skype : ste.pedro83
>> mobile: +393292348186
>> -----------------------------
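Added example, not part of the thread and not OSSEC code: a bounded version of the list lookup the quoted rule performs, without the unbounded `strcpy` and without assuming every line ends in a newline. The names `user_in_stream`, `demo_lookup` and `MAX_USER_LEN` are hypothetical, the sample list is constructed, and the comparison is case-insensitive on both sides, which goes slightly beyond the original (it lowercases only the list entries).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_USER_LEN 127  /* assumed limit, mirrors the 128-byte buffers in the post */

/* Case-insensitive equality; the unsigned char casts keep tolower() defined for bytes >= 0x80. */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Returns 1 if user appears in fp (one name per line), 0 otherwise. No copy of user is made. */
int user_in_stream(FILE *fp, const char *user)
{
    char line[MAX_USER_LEN + 2];  /* name + '\n' + NUL */
    size_t ulen = user ? strlen(user) : 0;

    if (!fp || ulen == 0 || ulen > MAX_USER_LEN)
        return 0;  /* reject instead of truncating or overflowing */
    while (fgets(line, sizeof line, fp)) {
        size_t n = strcspn(line, "\r\n");
        if (line[n] == '\0' && n == sizeof line - 1) {
            int c;  /* overlong line: drop the rest so its tail is not read as an entry */
            while ((c = fgetc(fp)) != EOF && c != '\n')
                ;
            continue;
        }
        line[n] = '\0';  /* safe with LF, CRLF, or no line ending at all */
        if (n == ulen && eq_nocase(line, user))
            return 1;
    }
    return 0;
}

/* Constructed sample list in a temporary file, so the block runs offline. */
int demo_lookup(const char *user)
{
    FILE *fp = tmpfile();
    int i, hit;
    if (!fp)
        return -1;
    fputs("Alice\nbob\r\n\n", fp);
    for (i = 0; i < MAX_USER_LEN + 1; i++)
        fputc('x', fp);        /* overlong line whose tail spells "carol" */
    fputs("carol\ndave", fp);  /* last entry has no trailing newline */
    rewind(fp);
    hit = user_in_stream(fp, user);
    fclose(fp);
    return hit;
}
```
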
