Hello. Today I managed to get psad working with the Perl gamin module. The advantage to this is that psad will no longer have to sleep for x seconds before rescanning for logfile changes.
With gamin support, the function call will block until the monitored file (fwdata) is changed. This saves CPU cycles and can even lead to faster attack responses.
I have attached a patch that I am currently using on the psad (2.1.7-1) in Debian Squeeze. It is not the best way, but a definite proof of concept if you feel it worthwhile to go down this path.
Thank you for the great software and hard work. Regards, Sam
--- psad.orig 2011-01-02 15:30:18.903381734 -0600 +++ psad 2011-01-02 20:53:36.015381198 -0600 @@ -140,6 +140,7 @@ use IO::Handle; use Data::Dumper; use Getopt::Long 'GetOptions'; +use Sys::Gamin; use strict; ### ========================== main ================================= @@ -730,6 +731,12 @@ open FWDATA, $fw_data_file or die '[*] Could not open ', "$fw_data_file: $!"; +### Setup Gamin to monitor file +my $gamin_m = new Sys::Gamin; +my $gaminEvent; +$gamin_m->monitor($fw_data_file); + + &get_auto_response_domain_sock() if $config{'ENABLE_AUTO_IDS'} eq 'Y'; @@ -965,7 +972,11 @@ FWDATA->clearerr(); ### sleep for the check interval seconds - sleep $config{'CHECK_INTERVAL'}; + #sleep $config{'CHECK_INTERVAL'}; + + ### Block until file changes ### + $gaminEvent = $gamin_m->next_event; + }
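Review bot: the unconditional `use Sys::Gamin;` in the first hunk turns an optional optimisation into a hard dependency: on any host where the Perl module (or the gamin daemon it needs) is absent, psad will fail to compile at startup instead of falling back to the existing sleep loop. Load it lazily behind a config flag instead, e.g. `my $have_gamin = $config{'ENABLE_GAMIN'} eq 'Y' && eval { require Sys::Gamin; 1 };`, and keep the `CHECK_INTERVAL` path for the case where that fails.

Review bot: in the second hunk `$gamin_m->monitor($fw_data_file);` is issued with no error handling at all, right after the `open FWDATA ... or die` that does check its failure; if the monitor cannot be established (gamin not running, file unreadable by the daemon) nothing is reported and the main loop will later block on a monitor that never fires. Wrap the constructor and the `monitor` call in an `eval` and either `die` with a message naming `$fw_data_file` or disable the gamin path. Minor style points: `new Sys::Gamin` is indirect-object syntax, prefer `Sys::Gamin->new`, and `$gaminEvent` is camelCase while the rest of the file (and `$gamin_m` two lines above) uses underscores.

Review bot: in the third hunk the event returned by `$gamin_m->next_event` is stored in `$gaminEvent` but never examined, so every event type gamin delivers for the path (including the initial existence notifications when monitoring starts and deletion/creation when the log is rotated) wakes the loop as if the file had been appended to, and after a rotation the monitor may still point at the old file. Check the event type, and on a delete/create of `$fw_data_file` re-open FWDATA and re-issue `monitor` before continuing. Two further points: the commented-out `#sleep $config{'CHECK_INTERVAL'};` should either be removed or become the `else` branch of a gamin-available test, and with the sleep gone the loop no longer runs on a timer at all, so anything the loop body did per `CHECK_INTERVAL` tick besides reading fwdata now only happens when the file changes; that change in semantics should be verified and noted in the documentation for `CHECK_INTERVAL`.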
_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss