Hello, thanks for your help.

My intent is to alert when a user uses the su command if he's not on a list. (In this list I have all the authorized su users. I don't want that rule to fire for them, because su usage is OK for these accounts.) I don't understand the list format: what is "stuff" in your example (testuser:stuff testuser2:stuff)? I've tried with stuff=user or stuff=dstuser, and it doesn't work.

On 10 Aug, 16:42, "dan (ddp)" <[email protected]> wrote:
> On Wed, Aug 10, 2011 at 10:29 AM, Blauch Armand <[email protected]> wrote:
> > hello,
> >
> > I try to use the list option on a rule:
> > <list field="user" lookup="not_match_key">/etc/ossec/rules/testlistgroup1</list>
>
> I think your list is going to alert if the user is not in the list as
> the key. Is this what you intend?
>
> > This doesn't work! I've tried so many things, I don't know what to do!
> > The rule fires every time, as if the rule doesn't read the list.
> > I only have a few accounts to put in this list (testuser, testuser2....)
> > and I don't understand how to write it.
> >
> > I first created a testlistgroup1.txt with these values:
> > user:testuser
> > user:testuser2
>
> The format should be key:value and key should be unique.
> So:
>
>
>
> > I run ./ossec-makelist without problem, each time I change
> > testlistgroup1.txt.
> >
> > My ossec.conf file is like this:
> > <rules>
> > <list>testlistgroup1.txt.cdb</list>
> > </rules>
> >
> > When I start ossec-logtest I have this message:
> > ossec-testrule: INFO: Reading loading the lists file:
> > 'testlistgroup1.txt.cdb'
> >
> > Can someone help me? What is wrong with my list?
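To make the list format and the lookup semantics concrete, here is a small Python script I wrote for this thread (it is not OSSEC code and not from either poster). It builds a cdb file from key:value lines the way ossec-makelist does, looks keys up in it, and runs a `not_match_key` check over a few su log lines. The list contents, the log lines and the tiny su regex are all constructed for the example; the regex only stands in for OSSEC's own su decoder, and I assume the decoder names the invoking account `srcuser` and the target `dstuser` (check that with ossec-logtest on your own logs). The point it demonstrates: the username goes before the colon (it is the key that `match_key` / `not_match_key` compare), the text after the colon is free filler that those lookups never read, and writing `user:testuser` twice fails because keys must be unique.

```python
"""Emulate ossec-makelist (key:value text -> cdb) and a rule's
<list lookup="not_match_key"> check. Added example, not OSSEC's code nor
from this thread; list, su log lines and the su regex are constructed."""
import os, re, struct, tempfile

# Constructed list: the KEY before the colon is the username the rule
# compares; the VALUE after it is free text ("stuff") that key lookups ignore.
LIST_TEXT = "testuser:authorized su user\ntestuser2:authorized su user\n"

# Constructed syslog lines of the form "su: (to <dstuser>) <srcuser> on <tty>".
SAMPLE_LOG = """\
Aug 10 16:42:01 host su: (to root) testuser on /dev/pts/0
Aug 10 16:42:05 host su: (to root) mallory on /dev/pts/1
Aug 10 16:42:09 host su: (to postgres) testuser2 on /dev/pts/2
"""
# Stand-in for OSSEC's su decoder (assumed field names srcuser/dstuser).
SU_RE = re.compile(r"su: \(to (?P<dstuser>\S+)\) (?P<srcuser>\S+) on ")

def cdb_hash(key: bytes) -> int:
    """djb's cdb hash: h = 5381; h = ((h << 5) + h) ^ byte, mod 2^32."""
    h = 5381
    for c in key:
        h = (((h << 5) + h) ^ c) & 0xFFFFFFFF
    return h

def parse_list(text: str) -> dict:
    """Parse key:value lines; keys must be non-empty and unique."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        key, sep, value = (s.strip() for s in raw.partition(":"))
        if not sep or not key or key in entries:
            raise ValueError(f"line {lineno}: bad or duplicate key in {raw!r}")
        entries[key] = value
    return entries

def write_cdb(entries: dict, path: str) -> None:
    """cdb layout: 256 (pos, len) header slots, then records, then hash tables."""
    buckets = [[] for _ in range(256)]
    records, pos = b"", 2048                 # records start after the header
    for k, v in entries.items():
        kb, vb = k.encode(), v.encode()
        h = cdb_hash(kb)
        buckets[h & 0xFF].append((h, pos))
        rec = struct.pack("<II", len(kb), len(vb)) + kb + vb
        records, pos = records + rec, pos + len(rec)
    header, tables = b"", b""
    for bucket in buckets:
        n = 2 * len(bucket)                  # tables are twice the bucket size
        header += struct.pack("<II", pos, n)
        slots = [(0, 0)] * n
        for h, p in bucket:                  # linear probing on hash >> 8
            i = (h >> 8) % n
            while slots[i] != (0, 0):
                i = (i + 1) % n
            slots[i] = (h, p)
        tables += b"".join(struct.pack("<II", h, p) for h, p in slots)
        pos += 8 * n
    with open(path, "wb") as f:
        f.write(header + records + tables)

def cdb_lookup(path: str, key: str):
    """Value stored under key, or None when the key is absent."""
    kb = key.encode()
    h = cdb_hash(kb)
    with open(path, "rb") as f:
        data = f.read()
    tpos, n = struct.unpack_from("<II", data, (h & 0xFF) * 8)
    i = (h >> 8) % n if n else 0
    for _ in range(n):
        sh, sp = struct.unpack_from("<II", data, tpos + 8 * i)
        if sp == 0:                          # empty slot ends the probe chain
            break
        if sh == h:
            klen, vlen = struct.unpack_from("<II", data, sp)
            if data[sp + 8:sp + 8 + klen] == kb:
                return data[sp + 8 + klen:sp + 8 + klen + vlen].decode()
        i = (i + 1) % n
    return None

def build_list(text: str) -> str:
    """What ossec-makelist does: text list in, path of the .cdb out."""
    path = os.path.join(tempfile.mkdtemp(), "testlistgroup1.cdb")
    write_cdb(parse_list(text), path)
    return path

def list_matches(path: str, value: str, lookup: str) -> bool:
    """Whether a <list lookup="..."> condition holds for the decoded field value."""
    if lookup not in ("match_key", "not_match_key"):
        raise ValueError(f"unsupported lookup {lookup!r}")
    found = cdb_lookup(path, value) is not None
    return found if lookup == "match_key" else not found

def su_alerts(log_text: str, path: str, lookup: str = "not_match_key") -> list:
    """Invoking accounts (srcuser) whose su events satisfy the list condition."""
    return [m.group("srcuser") for m in map(SU_RE.search, log_text.splitlines())
            if m and list_matches(path, m.group("srcuser"), lookup)]

def demo() -> list:
    return su_alerts(SAMPLE_LOG, build_list(LIST_TEXT))

if __name__ == "__main__":
    print(demo())                            # ['mallory']
```

Running it reports only `mallory`: testuser and testuser2 are present as keys, so `not_match_key` is false for them and the rule stays quiet, exactly the behaviour asked for in the thread. Feeding it the poster's original file (`user:testuser`, `user:testuser2`) raises a duplicate-key error, which is also why that list never matched anything: the only key it contained was the literal string `user`.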
