The CDB lists feature in the newest snapshot will allow for this without writing a compiled rule.

See the wiki page: http://www.ossec.net/wiki/ORFC_-_CDB_Database_lookups for how to use this feature. It should also be very fast, and updates to the CDB do not require a reload of OSSEC.

--
Jeremy Rossi
e: look at the headers people
t: http://twitter.com/jrossi
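As an added illustration of the CDB approach Jeremy points to (this is not his configuration or the OSSEC project's own example): the user list becomes a plain text file compiled into a CDB, and the rule references it with a `<list>` option instead of a compiled C function. The list path `lists/adslist`, the rule id `100100`, the `authentication_success` parent group and the two usernames are assumptions chosen for the example; the list file format, the `ossec-makelists` tool and the `<list field="user" lookup="match_key">` option are the OSSEC CDB-list mechanism as documented on the wiki page above.

```xml
<!-- 1. ossec.conf: register the list (path relative to /var/ossec). -->
<ossec_config>
  <rules>
    <list>lists/adslist</list>
  </rules>
</ossec_config>

<!-- 2. lists/adslist (plain text, one "key:value" entry per line; the
        value may be left empty). Assumed sample entries: -->
<!--
alice:
bob:
-->
<!-- Compile it into lists/adslist.cdb with /var/ossec/bin/ossec-makelists.
     Re-run that after every edit; as noted above, the updated .cdb is
     picked up without restarting OSSEC. -->

<!-- 3. rules/local_rules.xml: fire when the decoded user (dstuser) is a
        key in the list. "match_key" checks key presence only. -->
<rule id="100100" level="7">
  <if_group>authentication_success</if_group>
  <list field="user" lookup="match_key">lists/adslist</list>
  <description>Login by a user present in the adslist CDB list.</description>
</rule>
```

Because the lookup is an exact key match, normalise the case of the usernames when you write the list file (the compiled rule above lowercases each line before comparing, so a list written in lower case keeps the same matching behaviour). Use `not_match_key` if the intent is to alert on users absent from the list.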

--On May 28, 2010 6:16:20 AM -0700 Stefano Pedretti <[email protected]> wrote:

Here is the code of the compiled rule:

#include "shared.h"
#include "eventinfo.h"
#include "config.h"
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Compiled rule: returns lf when lf->dstuser matches a line of
 * /var/ossec/adslist (one username per line), NULL otherwise. */
void *logman(Eventinfo *lf)
{
    static const char filename[] = "/var/ossec/adslist";
    char user[128];
    char line[128];
    Eventinfo *lfr = NULL;
    FILE *file;

    if (!lf->dstuser || lf->dstuser[0] == '\0') {
        return NULL;
    }

    /* Bounded copy: strcpy() would overflow user[] on a long dstuser. */
    snprintf(user, sizeof user, "%s", lf->dstuser);

    file = fopen(filename, "r");
    if (file == NULL) {
        perror(filename);
        return NULL;
    }

    while (fgets(line, sizeof line, file) != NULL) {
        size_t i;

        /* Strip the trailing newline without clobbering the last
         * character of a final line that has none. */
        line[strcspn(line, "\r\n")] = '\0';

        if (strlen(line) != strlen(user)) {
            continue;
        }

        /* As in the original: list entries are lowercased before the
         * comparison; dstuser is compared as it was decoded. */
        for (i = 0; line[i] != '\0'; i++) {
            line[i] = (char)tolower((unsigned char)line[i]);
        }

        if (strcmp(user, line) == 0) {
            lfr = lf;
            break;
        }
    }
    fclose(file);

    return lfr;
}




On 26 Mag, 11:00, Stefano Pedretti <[email protected]> wrote:
Hi all,
using OSSEC I found a limitation on the length of a regexp.
So I'm writing my own compiled rule for my purpose.

This code simply compares the dstuser field with a list of users in a
file.

I tested my C rule with ossec-logtest and it works fine, but no match
appears at all when events come from agents.

Every time I modify the rule's C source I reinstall everything, using the
install.sh script.

Has anyone seen similar behaviour? Is there a trick to avoid it?

Thank you!

--
-----------------------------
Pedretti Stefano
[email protected]
PGP Fingerprint: 5B00129E
http://paroledisilicio.wordpress.com
Skype : ste.pedro83
mobile: +393292348186
-----------------------------



