Crap - I need to find that bug and kill it! Working on it tonight, will let you know once I find the build problem.

--On July 13, 2010 5:45:23 AM -0700 Stefano Pedretti <[email protected]> wrote:

On 12 Jul, 18:53, Jeremy Rossi <[email protected]> wrote:
The CDB lists feature in the newest snapshot will allow for this without
writing a compiled_rule.

Nice and useful feature, but at this time it does not compile:

In file included from run_realtime.c:41:
/usr/include/sys/inotify.h:84: error: expected ‘;’, ‘,’ or
‘)’ before string constant
run_realtime.c: In function ‘realtime_adddir’:
run_realtime.c:164: warning: implicit declaration of function
‘inotify_add_watch’
make[1]: *** [syscheck] Error 1

See the wiki page: http://www.ossec.net/wiki/ORFC_-_CDB_Database_lookups
for how to use this feature.  It should also be very fast, and updates to
the CDB do not require a reload of OSSEC.

thank you!


--
Jeremy Rossi
e: look at the headers people
t:http://twitter.com/jrossi

--On May 28, 2010 6:16:20 AM -0700 Stefano Pedretti <[email protected]> wrote:
> Here is the code of the compiled rule:

> #include "shared.h"
> #include "eventinfo.h"
> #include "config.h"
> #include <stdio.h>
> #include <string.h>
> #include <strings.h>
>
> /* Compiled rule: returns the event when lf->dstuser is listed in the
>    file (one user per line), otherwise NULL so the rule does not fire. */
> void *logman(Eventinfo *lf)
> {
>     static const char filename[] = "/var/ossec/adslist";
>     char user[128];
>     char line[128];
>     Eventinfo *lfr = NULL;
>     FILE *file;
>
>     if (!lf->dstuser || lf->dstuser[0] == '\0')
>     {
>         return NULL;
>     }
>
>     /* Bounded copy: a plain strcpy() would overflow user[] on a long dstuser. */
>     strncpy(user, lf->dstuser, sizeof(user) - 1);
>     user[sizeof(user) - 1] = '\0';
>
>     file = fopen(filename, "r");
>     if (file == NULL)
>     {
>         perror(filename);
>         return NULL;
>     }
>
>     while (fgets(line, sizeof(line), file) != NULL)
>     {
>         /* Strip the line terminator; also handles a last line with no newline. */
>         line[strcspn(line, "\r\n")] = '\0';
>
>         /* Case-insensitive match replaces the tolower() loop that only
>            lowercased line[] and then compared it against the untouched user[]. */
>         if (strcasecmp(user, line) == 0)
>         {
>             lfr = lf;
>             break;
>         }
>     }
>     fclose(file);
>
>     return lfr;
> }

> On 26 May, 11:00, Stefano Pedretti <[email protected]> wrote:
>> Hi all,
>> using OSSEC I found a limitation on the length of a regexp.
>> So I'm writing my own compiled rule for my purpose.

>> This code simply compares the dstuser field with a list of users in a
>> file.

>> I tested my C rule with ossec-logtest and it works fine, but no match
>> appears at all when events come from agents.

>> Every time I modify the rule's C source I reinstall everything, using the
>> install.sh script.

>> Has anyone found similar behaviour? Is there a trick to avoid that?

>> Thank you!

>> --
>> -----------------------------
>> Pedretti Stefano
>> [email protected]
>> PGP Fingerprint: 5B00129E
>> http://paroledisilicio.wordpress.com
>> Skype : ste.pedro83
>> mobile: +393292348186
>> -----------------------------
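The CDB-list approach Jeremy points to, written out as an added illustration (not taken from the thread or the wiki page): a plain-text list compiled with ossec-makelists, registered in ossec.conf, and a rule that does the dstuser lookup instead of the compiled C rule. The list path, rule id and parent rule id are assumed values.

```xml
<!-- lists/adsusers (plain text, one "key:" per line; run ossec-makelists
     to build lists/adsusers.cdb). Constructed sample content:
       alice:
       bob:
-->

<!-- ossec.conf: register the list so analysisd loads the compiled .cdb -->
<ossec_config>
  <rules>
    <list>lists/adsusers</list>
  </rules>
</ossec_config>

<!-- local_rules.xml: fire when the decoded dstuser is a key in the list.
     Rule id 100200 and the parent id 5501 are assumed; use whatever parent
     rule populates dstuser for your log source. -->
<group name="local,">
  <rule id="100200" level="7">
    <if_sid>5501</if_sid>
    <list field="dstuser" lookup="match_key">lists/adsusers</list>
    <description>Login by a user on the watched list.</description>
  </rule>
</group>
```

After editing the text list, rebuild the .cdb with ossec-makelists; as the thread notes, the running daemon picks up the new database without a restart.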
