On Wed, Feb 15, 2012 at 12:39 AM, Bob Zscharnagk <[email protected]> wrote:
> Andy,
>

I'm not Andy, I hope it's OK that I'm replying. If not, consider contacting Andy privately.

> I hope you don't mind if I ask a question regarding getting CDB list
> lookups to work as you seem to have it set up correctly.
>
> I'm a bit confused about the file names used in the example at
> http://www.ossec.net/doc/manual/rules-decoders/rule-lists.html.
>
> It states that the file <rules/cdb_record_file> will be used for the
> lookup but puts <rules/records> in the list XML.
>
> I've tried with both and it doesn't seem to work.

The entries should match, and they should match the files on your system.

> Could you share your config as an example please?
>
> Thanks.
>
> Bob

In my server's ossec.conf I have:

<rules>
  <!-- A bunch of rules files -->
  <list>lists/blocked.txt</list>
  <list>lists/userlist.txt</list>
  <!-- More rules files -->
</rules>

In my rules I have:

<rule id="110001" level="11">
  <if_sid>110000</if_sid>
  <list field="url">lists/blocked.txt</list>
  <description>DNS query on a potentially malicious domain.</description>
</rule>

On the system I have:

# cd /var/ossec/lists/
# ls
blocked.txt  blocked.txt.cdb  test.txt  test.txt.cdb  userlist.txt  userlist.txt.cdb
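A small consistency check for the mismatch discussed in this thread, added here as an example and not code from the OSSEC project: it pulls every <list> path out of ossec.conf and the rules, flags rule references that ossec.conf never declares, and confirms each declared list has both its text file and the compiled .cdb beside it. The ossec.conf fragment, rule and directory listing below are constructed to mirror the ones quoted above; ossec-makelists is the OSSEC tool that compiles a list file into its .cdb.

```python
import re
from pathlib import Path

# Matches <list>lists/x.txt</list> (ossec.conf) and <list field="url">lists/x.txt</list> (rules).
LIST_RE = re.compile(r"<list\b[^>]*>\s*([^<\s]+)\s*</list>")


def list_paths(xml_text: str) -> set[str]:
    """Every path named inside a <list> element of ossec.conf or a rules file."""
    return set(LIST_RE.findall(xml_text))


def present_files(base_dir: Path) -> set[str]:
    """Relative paths of all regular files below base_dir (e.g. Path('/var/ossec'))."""
    return {str(p.relative_to(base_dir)) for p in base_dir.rglob("*") if p.is_file()}


def check_lists(ossec_conf: str, rules_xml: str, present: set[str]) -> list[str]:
    """One problem line per list path that would make a CDB lookup fail to match."""
    declared = list_paths(ossec_conf)
    referenced = list_paths(rules_xml)
    problems = []
    for path in sorted(referenced - declared):
        problems.append(f"rule references {path} but ossec.conf <rules> does not declare it")
    for path in sorted(declared):
        if path not in present:
            problems.append(f"{path} is declared but the text file is missing")
        if path + ".cdb" not in present:
            problems.append(f"{path}.cdb is missing (compile the list with ossec-makelists)")
    return problems


# Constructed sample input mirroring the configuration quoted in the thread.
OSSEC_CONF = """<rules>
  <list>lists/blocked.txt</list>
  <list>lists/userlist.txt</list>
</rules>"""

RULES_XML = """<rule id="110001" level="11">
  <if_sid>110000</if_sid>
  <list field="url">lists/blocked.txt</list>
  <description>DNS query on a potentially malicious domain.</description>
</rule>"""

# Constructed listing of /var/ossec/lists/ with one compiled file deliberately absent.
# On a real install use present_files(Path("/var/ossec")) instead.
PRESENT = {"lists/blocked.txt", "lists/blocked.txt.cdb", "lists/userlist.txt"}

if __name__ == "__main__":
    for problem in check_lists(OSSEC_CONF, RULES_XML, PRESENT):
        print(problem)
```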
