Thanks for the answer.

First, apologies for my bad English. I made a thread related to that. This 
is the information:

Is the list text file case sensitive?

Because I have this:

Example:

key1:sir
KEY1:SIR
key2:sir
KEY2:SIR

Sometimes logs arrive in uppercase or lowercase.

My problem is: an alert is generated when a user is in the list, and my rule is 
not for that, it is otherwise.

Example line rule:

<list field="user" lookup="not_match_key">lists/mylistfile.txt</list>

in ossec.conf:

<rules>

      <list>rules/mylistfile.txt</list>

</rules>





On Friday, September 13, 2013 12:47:55 UTC-3, dan (ddpbsd) wrote:
>
> On Fri, Sep 13, 2013 at 11:38 AM, Leonel Algaré <[email protected]> wrote: 
> > Hello! 
> > 
> > Sorry for reviving this thread, but I'm having the same problem... the cdb 
> > list doesn't update when I make changes to the list. 
> > 
> > Is there any solution at the moment? 
> > 
> > 
>
> Depends on what the problem is. 
> What steps have you taken? What is your configuration? What are you 
> doing to test? 
>
> > 
> > On Thursday, January 19, 2012 16:35:48 UTC-3, dan (ddpbsd) wrote: 
> >> 
> >> Sorry for the delay. I'm seeing the same behavior. I'll try to look at 
> >> it later, but between moving and the code complexity it might be 
> >> beyond me right now. 
> >> 
> >> On Tue, Jan 10, 2012 at 9:42 AM, Andy Jack <[email protected]> 
> >> wrote: 
> >> > Hello Dan.  ossec-makelists does report that it is making a new .cdb: 
> >> > 
> >> > * File lists/employees.cdb need to be updated 
> >> > 
> >> > The longest I was waiting was 3-5 minutes. 
> >> > 
> >> > On a related note, I was trying to figure out if there was a format for 
> >> > comments in the text version of the list.  ossec-makelists appeared to 
> >> > put lines with leading '#' into the .cdb file (according to strings).  I 
> >> > guess I could come up with a simple Makefile to manage comments though. 
> >> > 
> >> > Thanks, Andy 
> >> > 
> >> > On Mon, Jan 09, 2012 at 08:33:59PM -0500, dan (ddp) wrote: 
> >> >> On Mon, Jan 9, 2012 at 4:27 PM, Andy Jack <[email protected]> 
> >> >> wrote: 
> >> >> > Hello list!  So I'm working on a cdb list of users so there can be rules 
> >> >> > that differentiate when a user on the list vs. not on the list logs in, 
> >> >> > as described here: 
> >> >> > 
> >> >> > http://www.ossec.net/doc/manual/rules-decoders/rule-lists.html 
> >> >> > 
> >> >> > After confirming that the list is being read and the two rules are being 
> >> >> > alerted correctly (one for on-the-list, and the other for 
> >> >> > not-on-the-list), I tried modifying the text list and re-running 
> >> >> > bin/ossec-makelists to see if the alerts change when a user is taken off 
> >> >> > the list: 
> >> >> > 
> >> >> > 1) user1 and user2, are on the list, user3 is not.  run 
> >> >> > bin/ossec-makelists.  run ossec-control start. 
> >> >> > 2) logging in as either user1 or user2 alerts the on-the-list rule. 
> >> >> > logging in as user3 alerts the not-on-the-list rule. 
> >> >> > 3) modify the list, removing the line for user2.  re-run 
> >> >> > bin/ossec-makelists.  leave ossec running as-is. 
> >> >> > 4) logging in as user2 alerts the on-the-list rule still. 
> >> >> > 
> >> >> > According to the URL above, updating the cdb file should invalidate the 
> >> >> > mmap and make the analysis daemon re-read the db from disk as needed, 
> >> >> > but this doesn't appear to be happening.  Could I have something 
> >> >> > configured incorrectly?  Permissions issue perhaps?  Or do I have to 
> >> >> > wait a period of time for ossec to notice or purge a cache or 
> >> >> > something? 
> >> >> > 
> >> >> > root@pegasus:/var/ossec# ls -ld /var/ossec 
> >> >> > dr-xr-x--- 14 root ossec 4096 2012-01-09 14:13 /var/ossec 
> >> >> > root@pegasus:/var/ossec# ls -ld /var/ossec/lists 
> >> >> > drwxr-xr-x 2 root ossec 4096 2012-01-09 16:08 /var/ossec/lists 
> >> >> > root@pegasus:/var/ossec# ls -l /var/ossec/lists 
> >> >> > total 8 
> >> >> > -rw-r--r-- 1 root ossec   77 2012-01-09 16:08 employees 
> >> >> > -rw-r--r-- 1 root ossec 2345 2012-01-09 16:08 employees.cdb 
> >> >> > 
> >> >> > I just tried adding user4 to the list and remaking the cdb, and ossec 
> >> >> > still alerts as though user4 is not on the list.  The behavior seems to 
> >> >> > indicate that ossec isn't re-reading the updated lists.  I guess 
> >> >> > restarting ossec is a workaround but that's a pain for every list 
> >> >> > modification. 
> >> >> > 
> >> >> > Thanks, 
> >> >> > Andy 
> >> >> 
> >> >> I don't know the answer off hand, but how long do you wait? 
> >> >> Does ossec-makelists indicate that it's rebuilding the list? 
> > 
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google Groups 
> > "ossec-list" group. 
> > To unsubscribe from this group and stop receiving emails from it, send an 
> > email to [email protected]. 
> > For more options, visit https://groups.google.com/groups/opt_out. 
>
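
Added example, not part of the original messages and not OSSEC project code: a preprocessing step for the key:value list text file, run before bin/ossec-makelists, that drops the '#' comment lines Andy saw copied into the .cdb and writes each key in lower and upper case as in the key1/KEY1 list above. It assumes list lookups compare keys exactly, which the thread does not confirm; normalize_list and SAMPLE are hypothetical names, and the sample content is constructed.

```python
# Added example: clean an OSSEC list text file before running ossec-makelists.
# SAMPLE is constructed for illustration; it is not taken from a real system.
SAMPLE = """\
# employees allowed to log in
key1:sir
KEY2:SIR

key3:madam
Key3:other
"""


def normalize_list(text, expand_case=True):
    """Return (lines, conflicts) for a key:value list file.

    Blank lines and lines starting with '#' are dropped, since the thread
    reports ossec-makelists copying '#' lines into the .cdb. With
    expand_case, every key is also written in lower and upper case
    (assumption: lookups are exact-match and logs arrive in either case).
    """
    entries = {}    # emitted key -> value
    conflicts = []  # (key, kept_value, ignored_value)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        variants = {key, key.lower(), key.upper()} if expand_case else {key}
        for variant in sorted(variants):
            if variant in entries and entries[variant] != value:
                # Two source lines collapse to one key with different values.
                conflicts.append((variant, entries[variant], value))
                continue  # keep the first value seen
            entries[variant] = value
    lines = [f"{k}:{v}" for k, v in sorted(entries.items())]
    return lines, conflicts


if __name__ == "__main__":
    out, bad = normalize_list(SAMPLE)
    print("\n".join(out))
    for key, kept, ignored in bad:
        print(f"conflict for {key!r}: kept {kept!r}, ignored {ignored!r}")
```

Write the returned lines to the list file, then rebuild the .cdb with bin/ossec-makelists; a non-empty conflict list means two entries differ only by case and carry different values.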
