On 06/23/2011 10:25 PM, Jeremy Lee wrote:
Actually, I'm a bit embarrassed, but all I did was add this to decoder.xml
<decoder name="snoopy-logger">
  <program_name>^snoopy</program_name>
</decoder>
Then in local_rules I added the following:
<rule id="100040" level="0">
  <decoded_as>snoopy-logger</decoded_as>
  <description>Ignore Snoopy logger events</description>
</rule>
<rule id="100041" level="15">
  <if_sid>100040</if_sid>
  <match>whatever</match>
  <description>file access (snoopy)</description>
</rule>
No need to be embarrassed. Snoopy logs look pretty simple. I'll see if
there is any need to extend it to match on more info.
Also, you may want to create and put this in local_decoder.xml;
otherwise, your decoder will be lost when you upgrade.
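As an added illustration of both points above (extending the decoder to pull more fields, and keeping it in local_decoder.xml), here is one way the configuration could look. This is example configuration written for this thread, not something either poster or the OSSEC project ships. It assumes the snoopy 1.x line format, e.g. the constructed sample "snoopy[1234]: [uid:0 sid:1234 tty:/dev/pts/0 cwd:/root filename:/bin/ls]: ls -la"; the decoder name "snoopy-logger-fields", the rule ids 100040/100041 and the command list in the child rule are placeholders to adapt locally.

```xml
<!-- local_decoder.xml (survives upgrades, unlike decoder.xml) -->

<!-- Parent decoder: assumed syslog program name "snoopy[pid]" -->
<decoder name="snoopy-logger">
  <program_name>^snoopy</program_name>
</decoder>

<!-- Child decoder (hypothetical name): extracts the uid and the executed
     program path from the assumed snoopy 1.x bracketed prefix.
     OSSEC regex: \d+ = digits, \S+ = non-space, ( ) = capture group. -->
<decoder name="snoopy-logger-fields">
  <parent>snoopy-logger</parent>
  <prematch>^[uid:</prematch>
  <regex offset="after_prematch">^(\d+) sid:\d+ tty:\S+ cwd:\S+ filename:(\S+)]: </regex>
  <!-- uid -> user, program path -> extra_data -->
  <order>user, extra_data</order>
</decoder>

<!-- local_rules.xml: decoded_as refers to the parent decoder name -->
<group name="snoopy,">
  <!-- Level 0 parent rule: snoopy is noisy, so stay quiet by default -->
  <rule id="100040" level="0">
    <decoded_as>snoopy-logger</decoded_as>
    <description>Snoopy logger event (ignored by default)</description>
  </rule>

  <!-- Alert only on account-management programs executed as uid 0;
       the path list is a placeholder to tune for the local system -->
  <rule id="100041" level="10">
    <if_sid>100040</if_sid>
    <user>^0$</user>
    <extra_data>/usr/bin/passwd|/usr/sbin/useradd|/usr/sbin/usermod</extra_data>
    <description>Account management command run as root (snoopy)</description>
  </rule>
</group>
```

The parent rule at level 0 keeps the bulk of snoopy output out of the alerts, while the child rule keys on the decoded user and extra_data fields instead of a bare substring match against the whole line; after editing, ossec-logtest with a sample line is the quickest way to confirm the fields decode as expected.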