Hi Bob, this is what I have in etc/ossec.conf:
<ossec_config>
  <rules>
    <list>lists/employees</list>
  </rules>
</ossec_config>
I made the directory /var/ossec/lists:
/var/ossec$ ls -1 lists
employees
employees.cdb
employees.txt
Makefile
README
employees.txt is the file you edit.
The Makefile strips comment/blank lines from employees.txt to generate
employees. Then it runs ossec-makelists to generate employees.cdb:
====
makelists = ../bin/ossec-makelists
# NOTE: ossec needs to be told about the list in etc/ossec.conf.
# Otherwise ossec-makelists won't do anything with it.
lists = employees.cdb
.PHONY: all
all: ${lists}
%.cdb: %.txt
	@# strip comments/blank lines from the .txt to produce the bare file
	@perl -lne 'next if /^#/;next if /\A\z/;print' $< > $*
	@${makelists}
====
It's nice to be able to comment the list as you update and administer
it; however there's no facility in ossec to remove comments and blanks,
so you wind up with a weird-looking final cdb file.
Then you can refer to the list in a rule, e.g.:
<rule id="200007" level="10" frequency="6">
  <if_matched_sid>5716</if_matched_sid>
  <same_source_ip />
  <list field="user" lookup="match_key">lists/employees</list>
  <description>Multiple SSHD authentication failures on employee
  account</description>
</rule>
Hope this helps,
Andy
On Tue, Feb 14, 2012 at 09:39:37PM -0800, Bob Zscharnagk wrote:
> Andy,
>
> I hope you don't mind if I ask a question regarding getting CDB list
> lookups to work as you seem to have it set up correctly.
>
> I'm a bit confused about the file names used in the example at
> http://www.ossec.net/doc/manual/rules-decoders/rule-lists.html.
>
> It states that the file <rules/cdb_record_file> will be used for the
> lookup but puts <rules/records> in the list XML.
>
> I've tried with both and it doesn't seem to work.
>
> Could you share your config as an example please?
>
> Thanks.
>
> Bob
>
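Added example, not part of Andy's message and not OSSEC's own code: the
pipeline Andy describes (employees.txt with comments -> bare employees list
-> employees.cdb) reproduced in pure Python, followed by the match_key
lookup the rule above asks for. It assumes ossec-makelists writes a
standard djb cdb file from "key:value" lines, which is the format the
cdb code bundled with OSSEC implements; the employees.txt content is a
constructed sample.

```python
"""Reproduce the employees.txt -> employees -> employees.cdb pipeline and
the match_key lookup.  Assumption: ossec-makelists produces a standard djb
cdb from "key:value" lines (this is not OSSEC's code)."""
import struct

# Constructed sample of an employees.txt with comments and blank lines.
EMPLOYEES_TXT = """# employees.txt - one "key:value" entry per line
alice:Alice Example
bob:Bob Example

# contractors below
carol:Carol Example
"""


def strip_list(text: str) -> list:
    """Equivalent of the Makefile's perl one-liner: drop comment and blank lines."""
    return [ln for ln in text.splitlines() if ln and not ln.startswith("#")]


def parse_entries(lines: list) -> list:
    """Split each bare line at the first ':' into (key, value) byte pairs."""
    out = []
    for ln in lines:
        key, _, value = ln.partition(":")
        out.append((key.encode(), value.encode()))
    return out


def cdb_hash(key: bytes) -> int:
    """djb's cdb hash: h = 5381; h = ((h << 5) + h) ^ c, kept to 32 bits."""
    h = 5381
    for c in key:
        h = (((h << 5) + h) ^ c) & 0xFFFFFFFF
    return h


def build_cdb(entries: list) -> bytes:
    """Serialize (key, value) pairs in djb cdb layout: a 256-entry header of
    (table position, slot count), the records, then 256 hash tables whose
    slots are (hash, record position) pairs."""
    records = bytearray()
    tables = [[] for _ in range(256)]
    pos = 2048  # records start right after the fixed-size header
    for key, value in entries:
        h = cdb_hash(key)
        tables[h & 0xFF].append((h, pos))
        rec = struct.pack("<II", len(key), len(value)) + key + value
        records += rec
        pos += len(rec)
    header = bytearray()
    tabledata = bytearray()
    for bucket in tables:
        nslots = 2 * len(bucket)  # tables are kept half full, like cdb_make
        header += struct.pack("<II", pos, nslots)
        slots = [(0, 0)] * nslots
        for h, p in bucket:
            i = (h >> 8) % nslots
            while slots[i] != (0, 0):  # linear probing on collision
                i = (i + 1) % nslots
            slots[i] = (h, p)
        for h, p in slots:
            tabledata += struct.pack("<II", h, p)
        pos += 8 * nslots
    return bytes(header + records + tabledata)


def cdb_lookup(data: bytes, key: bytes):
    """Return the value stored for key, or None if the key is absent."""
    h = cdb_hash(key)
    tpos, nslots = struct.unpack_from("<II", data, (h & 0xFF) * 8)
    if nslots == 0:
        return None
    start = (h >> 8) % nslots
    for n in range(nslots):
        i = (start + n) % nslots
        sh, sp = struct.unpack_from("<II", data, tpos + i * 8)
        if sp == 0:  # an empty slot ends the probe chain
            return None
        if sh == h:
            klen, dlen = struct.unpack_from("<II", data, sp)
            stored = data[sp + 8:sp + 8 + klen]
            if stored == key:
                return data[sp + 8 + klen:sp + 8 + klen + dlen]
    return None


def make_employee_cdb(text: str = EMPLOYEES_TXT) -> bytes:
    """Whole pipeline: .txt -> bare list -> cdb bytes."""
    return build_cdb(parse_entries(strip_list(text)))


def is_employee(cdb: bytes, user: str) -> bool:
    """What lookup="match_key" asks: is the decoded user field a key in the list?"""
    return cdb_lookup(cdb, user.encode()) is not None


if __name__ == "__main__":
    cdb = make_employee_cdb()
    for user in ("alice", "mallory"):
        print(user, "employee" if is_employee(cdb, user) else "not in list")
```

Running the script prints whether each sample user would satisfy the
rule's list check; writing make_employee_cdb() to employees.cdb gives a
file in the same layout the Makefile's ossec-makelists step produces, so
you can compare the two with cmp if you want to confirm the assumption.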