On 12 Jul, 18:53, Jeremy Rossi <[email protected]> wrote:
> The CDB lists feature in the newest snapshot will allow for this without
> writing a compiled_rule.

Nice and useful feature, but at this time it does not compile:

In file included from run_realtime.c:41:
/usr/include/sys/inotify.h:84: error: expected ‘;’, ‘,’ or ‘)’ before string constant
run_realtime.c: In function ‘realtime_adddir’:
run_realtime.c:164: warning: implicit declaration of function ‘inotify_add_watch’
make[1]: *** [syscheck] Error 1

> See the wiki page: http://www.ossec.net/wiki/ORFC_-_CDB_Database_lookups
> for how to use this feature. It should also be very fast, and updates to
> the CDB do not require a reload of OSSEC.

Thank you!

> --
> Jeremy Rossi
> e: look at the headers people
> t: http://twitter.com/jrossi
>
> --On May 28, 2010 6:16:20 AM -0700 Stefano Pedretti
> <[email protected]> wrote:
>
> > Here is the code of the compiled rule:
> >
> > #include "shared.h"
> > #include "eventinfo.h"
> > #include "config.h"
> > #include <stdio.h>
> > #include <string.h>
> > #include <ctype.h>
> >
> > void *logman(Eventinfo *lf)
> > {
> >     static const char filename[] = "/var/ossec/adslist";
> >
> >     if(!lf->dstuser)
> >     {
> >         return(NULL);
> >     }
> >
> >     /* bounded copy: dstuser may be longer than the buffer */
> >     char user[128];
> >     strncpy(user, lf->dstuser, sizeof user - 1);
> >     user[sizeof user - 1] = 0;
> >
> >     Eventinfo *lfr = NULL;
> >
> >     if(strlen(user) > 0){
> >         FILE *file = fopen ( filename, "r" );
> >         if ( file != NULL ){
> >             char line[128];
> >             while ( fgets ( line, sizeof line, file ) != NULL ){
> >                 /* strip the trailing newline, if any; the last line
> >                    of the file may not have one */
> >                 size_t len = strlen(line);
> >                 if (len > 0 && line[len-1] == '\n')
> >                     line[--len] = 0;
> >
> >                 if (strlen(user) == len){
> >                     size_t i;
> >                     for (i=0; i < len ; i++)
> >                         line[i] = tolower((unsigned char)line[i]);
> >
> >                     if (strcmp(user,line) == 0){
> >                         lfr=lf;
> >                         break;
> >                     }
> >                 }
> >             }
> >             fclose ( file );
> >         }
> >         else
> >         {
> >             perror ( filename );
> >         }
> >     }
> >     return(lfr);
> > }
> >
> > On 26 May, 11:00, Stefano Pedretti <[email protected]> wrote:
> >> Hi all,
> >> using OSSEC I found a limitation on the length of a regexp.
> >> So I'm writing my own compiled rule for my purpose.
> >>
> >> This code simply compares the dstuser field with a list of users in a
> >> file.
> >>
> >> I tested my C rule with ossec-logtest and it works fine, but no match
> >> appears at all when events come from agents.
> >>
> >> Every time I modify the rule C source I reinstall all, using the
> >> install.sh script.
> >>
> >> Has someone found a similar behaviour? Is there a trick to avoid that?
> >>
> >> Thank you!
> >>
> >> --
> >> -----------------------------
> >> Pedretti Stefano
> >> [email protected]
> >> PGP Fingerprint: 5B00129E
> >> http://paroledisilicio.wordpress.com
> >> Skype : ste.pedro83
> >> mobile: +393292348186
> >> -----------------------------
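As an added example (not code from this thread and not OSSEC's own code), here is a stand-alone C version of the "is dstuser in the list file" check that the posted compiled rule implements, written the way a reviewer would want such a rule to behave: the user string is never copied unbounded, trailing CR/LF is stripped, the comparison is case-insensitive on both sides, a final line without a newline still matches, and a line longer than the read buffer is drained and skipped rather than being compared in pieces. The MiniEvent struct, match_dstuser, user_in_list and SAMPLE_LIST are assumptions of this example, not OSSEC identifiers; a real compiled rule would take Eventinfo from eventinfo.h, open /var/ossec/adslist, and return lf or NULL as the posted code does.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_USER 128   /* same buffer size as the posted rule */

/* Hypothetical stand-in for the one Eventinfo field this check reads.
 * This is not OSSEC's real Eventinfo struct. */
typedef struct {
    const char *dstuser;
} MiniEvent;

/* Compare `user` with one list line: drop trailing CR/LF/spaces from the
 * line, require equal length, then compare case-insensitively. */
static int user_matches_line(const char *user, const char *line)
{
    size_t n = strlen(line);
    size_t i;
    while (n > 0 && (line[n - 1] == '\n' || line[n - 1] == '\r' || line[n - 1] == ' '))
        n--;
    if (n == 0 || n != strlen(user))
        return 0;
    for (i = 0; i < n; i++) {
        if (tolower((unsigned char)user[i]) != tolower((unsigned char)line[i]))
            return 0;
    }
    return 1;
}

/* Return 1 if `user` is a line of the open list stream, else 0.
 * A line that does not fit the buffer is drained up to its newline and
 * skipped, so its first MAX_USER-1 bytes can never match a user.
 * Users at least MAX_USER bytes long cannot be in the list for the same reason. */
int user_in_list(FILE *fp, const char *user)
{
    char line[MAX_USER];
    if (user == NULL || user[0] == '\0' || strlen(user) >= MAX_USER)
        return 0;
    while (fgets(line, sizeof line, fp) != NULL) {
        size_t len = strlen(line);
        if (len > 0 && line[len - 1] != '\n' && !feof(fp)) {
            int c;
            while ((c = fgetc(fp)) != EOF && c != '\n')
                ;
            continue;
        }
        if (user_matches_line(user, line))
            return 1;
    }
    return 0;
}

/* Same shape as the posted rule: returns the event on match, NULL otherwise.
 * The list text is written to a temporary file so the example runs without
 * /var/ossec/adslist (assumption: a real rule would fopen() that path). */
const MiniEvent *match_dstuser(const MiniEvent *lf, const char *list_text)
{
    FILE *fp;
    const MiniEvent *result = NULL;
    if (lf == NULL || lf->dstuser == NULL)
        return NULL;
    fp = tmpfile();
    if (fp == NULL)
        return NULL;
    fputs(list_text, fp);
    rewind(fp);
    if (user_in_list(fp, lf->dstuser))
        result = lf;
    fclose(fp);
    return result;
}

/* Constructed sample list: mixed case, a CRLF line, one line longer than the
 * buffer (144 bytes), and a last line with no trailing newline. */
#define A16 "aaaaaaaaaaaaaaaa"
const char *const SAMPLE_LIST =
    "Alice\n"
    "bob\r\n"
    A16 A16 A16 A16 A16 A16 A16 A16 A16 "\n"
    "carol";

int main(void)
{
    MiniEvent ev = { "BOB" };
    printf("BOB in list: %s\n", match_dstuser(&ev, SAMPLE_LIST) ? "yes" : "no");
    return 0;
}
```

Reading the list on every event, as the posted rule and this example do, is the simplest correct form; it is also why the CDB list feature mentioned above is the better fit for large lists, since it avoids reopening and rescanning a file per event.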
