Thank you for your reply,

On 15 Jun, 14:31, Daniel Cid <[email protected]> wrote:
> Hi Stefano,
>
> Can you send some of the logs you are trying to parse?

Yes, sure:

WinEvtLog: Security: AUDIT_SUCCESS(538): Security: my.username: AOSS: AS2SA: User Logoff: User Name: my.username Domain: AOVV Logon ID: (0x0,0x85A659B) Logon Type: 3

The result of the match should change depending on whether the line "my.username" exists in the file /var/ossec/adslist or not.

> Also, your code has some serious security issues in there. I recommend that
> you double check it before putting in production (e.g. strcpy should not be
> used).

Thank you for the information. Sure, I will check it again.

> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Fri, May 28, 2010 at 10:16 AM, Stefano Pedretti <[email protected]> wrote:
> > Here is the code of the compiled rule:
> >
> > #include "shared.h"
> > #include "eventinfo.h"
> > #include "config.h"
> > #include <stdio.h>
> >
> > void *logman(Eventinfo *lf)
> > {
> >     static const char filename[] = "/var/ossec/adslist";
> >
> >     if(!lf->dstuser)
> >     {
> >         return(NULL);
> >     }
> >
> >     char user[128];
> >     strcpy(user,lf->dstuser);
> >
> >     Eventinfo *lfr = NULL;
> >
> >     if(strlen(user) > 0){
> >         FILE *file = fopen ( filename, "r" );
> >         if ( file != NULL ){
> >             char line[128];
> >             while ( fgets ( line, sizeof line, file ) != NULL ){
> >                 if (strlen(user) == (strlen(line)-1)){
> >                     user[strlen(user)] = 0;
> >                     line[strlen(line)-1] = 0;
> >
> >                     int i;
> >                     for (i=0; i < strlen(line) ; i++)
> >                         line[i] = tolower(line[i]);
> >
> >                     if (strcmp(user,line) == 0){
> >                         lfr=lf;
> >                         break;
> >                     }
> >                 }
> >             }
> >             fclose ( file );
> >         }
> >         else
> >         {
> >             perror ( filename );
> >         }
> >     }
> >     return(lfr);
> > }
> >
> > On 26 May, 11:00, Stefano Pedretti <[email protected]> wrote:
> >> Hi all,
> >> using OSSEC I found a limitation on the length of a regexp.
> >> So I'm writing my own compiled rule for my purpose.
> >>
> >> This code simply compares the dstuser field with a list of users in a
> >> file.
> >>
> >> I tested my C rule with ossec-logtest and it works fine, but no match
> >> appears at all when events come from agents.
> >>
> >> Every time I modify the rule C source I reinstall all, using the
> >> install.sh script.
> >>
> >> Has someone found a similar behaviour? Is there a trick to avoid that?
> >>
> >> Thank you!
> >>
> >> --
> >> -----------------------------
> >> Pedretti Stefano
> >> [email protected]
> >> PGP Fingerprint: 5B00129E
> >> http://paroledisilicio.wordpress.com
> >> Skype : ste.pedro83
> >> mobile: +393292348186
> >> -----------------------------
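The lookup below is an added example of the bounds-safe rewrite that Daniel's review asks for; it is not code from this thread or from OSSEC. It keeps the behaviour the rule wants (match `dstuser` against one user per line in a list file, case-insensitively) without ever copying the user into a fixed buffer, so an over-long `dstuser` cannot overflow anything, and it handles the edge cases the posted version trips over: an empty line (where `strlen(line)-1` wraps around), Windows `\r\n` terminators, a last line without a newline, and a list entry longer than the buffer. The OSSEC `Eventinfo` type is left out so the block compiles stand-alone; a compiled rule would call `user_in_list(lf->dstuser, path)` and return `lf` on a result of 1. The file path and the list contents are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Longest list entry we accept; anything longer can never match. */
#define USER_MAX 128

/* Case-insensitive comparison of user against one list line.
 * The line's trailing "\n" or "\r\n" is ignored without modifying it. */
static int user_matches_line(const char *user, const char *line)
{
    size_t n = strcspn(line, "\r\n");      /* entry length without terminator */
    if (n != strlen(user))
        return 0;
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)user[i]) != tolower((unsigned char)line[i]))
            return 0;
    }
    return 1;
}

/* Returns 1 if user appears in the list file, 0 if not, -1 if the file
 * cannot be opened. user is only read, never copied, so its length cannot
 * overflow a buffer; over-long users are rejected up front. */
int user_in_list(const char *user, const char *path)
{
    if (user == NULL || user[0] == '\0' || strlen(user) >= USER_MAX)
        return 0;

    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return -1;

    char line[USER_MAX + 2];               /* entry + "\n" + NUL */
    int found = 0;
    while (fgets(line, sizeof line, fp) != NULL) {
        /* A line that did not fit is longer than any valid entry: discard
         * its remainder so the tail is not mistaken for a new entry. */
        if (strchr(line, '\n') == NULL && !feof(fp)) {
            int c;
            while ((c = fgetc(fp)) != EOF && c != '\n')
                ;
            continue;
        }
        if (user_matches_line(user, line)) {
            found = 1;
            break;
        }
    }
    fclose(fp);
    return found;
}

/* Writes a constructed sample list (mixed case, CRLF, plain LF) so the
 * example runs offline. Returns 0 on success, -1 on error. */
int write_constructed_list(const char *path)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return -1;
    fputs("alice\nMy.Username\r\nbob\n", fp);
    return fclose(fp) == 0 ? 0 : -1;
}

int main(void)
{
    const char *path = "/tmp/adslist_example_constructed.txt"; /* constructed path */
    if (write_constructed_list(path) != 0) {
        perror(path);
        return 1;
    }
    printf("my.username -> %d\n", user_in_list("my.username", path)); /* 1 */
    printf("ALICE       -> %d\n", user_in_list("ALICE", path));       /* 1 */
    printf("my.user     -> %d\n", user_in_list("my.user", path));     /* 0 */
    return 0;
}
```

Two points worth noting against the posted rule: the comparison lowercases both sides, whereas the original lowercased only the file line, so a `dstuser` with any upper-case letter could never match; and the list file is opened and read on every event, which is the same cost the original pays, so if the list is large a defender would load it once into a sorted array or hash table instead.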
