On Jan 02, 2011, Samuel Leon wrote:

> Hello.

Hi Sam,

> Today I managed to get psad working with the perl gamin module. The
> advantage to this is that psad will no longer have to sleep for x
> seconds before rescanning for logfile changes.
> 
> With gamin support, the function call will block until the monitored
> file (fwdata) is changed. This saves cpu cycles and can even lead to
> faster attack responses.
> 
> I have attached a patch that I am currently using on the psad
> (2.1.7-1) in Debian Squeeze. It is not the best way, but a definite
> proof of concept if you feel it worthwhile to go down this path.

Thanks for the patch.  I would like to include it with a couple of
modifications:

- Add a configuration variable "ENABLE_GAMIN_FILE_MONITOR" (or something
similar) to psad.conf to make the usage of the Sys::Gamin module optional.
- After the above config variable is added, the Sys::Gamin module can be
imported via "require" in the import_perl_modules() function.
- The config variable will gate not only the usage of the Sys::Gamin
module, but also the code below that uses the file monitor strategy.

I would be happy to make these modifications if you like.  Either way,
this will be in the next psad release.

Thanks,

--Mike


> Thank you for the great software and hard work.
> Regards,
> Sam

>  
> --- psad.orig     2011-01-02 15:30:18.903381734 -0600
> +++ psad          2011-01-02 20:53:36.015381198 -0600
> @@ -140,6 +140,7 @@
>  use IO::Handle;
>  use Data::Dumper;
>  use Getopt::Long 'GetOptions';
> +use Sys::Gamin;
>  use strict;
> 
>  ### ========================== main =================================
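Review bot: the unconditional `use Sys::Gamin;` added to the module list turns the module into a hard start-up dependency, so psad will fail to compile on any host without it, even where file monitoring is not wanted. Suggest loading it at run time with `require Sys::Gamin;` inside a conditional (the reply proposes doing this from import_perl_modules() behind a config variable) so the existing sleep-based path keeps working without the module installed.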
> @@ -730,6 +731,12 @@
>  open FWDATA, $fw_data_file or die '[*] Could not open ',
>      "$fw_data_file: $!";
> 
> +### Setup Gamin to monitor file
> +my $gamin_m = new Sys::Gamin;
> +my $gaminEvent;
> +$gamin_m->monitor($fw_data_file);
> +
> +
>  &get_auto_response_domain_sock()
>      if $config{'ENABLE_AUTO_IDS'} eq 'Y';
> 
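Review bot: `$gamin_m->monitor($fw_data_file)` is called with no error check, unlike the `open FWDATA ... or die` immediately above it, so a watch that cannot be established fails silently and the main loop later blocks on an event that never arrives. Suggest guarding it, e.g. `eval { $gamin_m->monitor($fw_data_file); 1 } or die "[*] Could not monitor $fw_data_file: $@";`. Minor points in the same hunk: `my $gaminEvent;` is declared here but only ever assigned to, `new Sys::Gamin` is indirect-object syntax better written `Sys::Gamin->new`, and the two trailing blank `+` lines can go.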
> @@ -965,7 +972,11 @@
>      FWDATA->clearerr();
> 
>      ### sleep for the check interval seconds
> -    sleep $config{'CHECK_INTERVAL'};
> +    #sleep $config{'CHECK_INTERVAL'};
> +
> +    ### Block until file changes ###
> +    $gaminEvent = $gamin_m->next_event;
> +
>  }
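Review bot: the event returned by `next_event` is stored in `$gaminEvent` but never inspected, so any event on fwdata wakes the loop rather than only a write, and a delete or rename of the file (log rotation) will return to the read loop with a stale FWDATA handle. Because the `sleep` is commented out instead of kept as an alternative, there is also no fallback path when gamin is unavailable, which is exactly the case the proposed config variable has to cover. Suggest checking the event type before continuing, reopening FWDATA on a delete or create event, and keeping `sleep $config{'CHECK_INTERVAL'}` as the else branch rather than as dead commented-out code.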

> _______________________________________________
> psad-discuss mailing list
> psad-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/psad-discuss
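One way to implement the gating described in the reply above, as an added example that is neither psad's own code nor Sam's patch: it assumes the config variable name ENABLE_GAMIN_FILE_MONITOR suggested in the reply, a placeholder fwdata path, and that a Sys::Gamin event exposes a type accessor returning names such as 'change', 'delete', 'exist' and 'end_exist' (assumptions, not taken from the page).

```perl
#!/usr/bin/perl -w
use strict;

### Constructed stand-in for the values psad reads from psad.conf (example only).
my %config = (
    'ENABLE_GAMIN_FILE_MONITOR' => 'Y',   # name proposed in the reply, hypothetical
    'CHECK_INTERVAL'            => 5,
);
my $fw_data_file = '/var/log/psad/fwdata';  # placeholder path

my $gamin_m;   # only set when the option is on and the module loads

### Mirrors the suggestion to "require" the module from import_perl_modules():
### a run-time require keeps psad starting on hosts without Sys::Gamin.
sub import_gamin_if_enabled {
    return 0 unless $config{'ENABLE_GAMIN_FILE_MONITOR'} eq 'Y';
    eval { require Sys::Gamin; 1 }
        or die "[*] ENABLE_GAMIN_FILE_MONITOR is Y but Sys::Gamin ",
               "could not be loaded: $@";
    $gamin_m = Sys::Gamin->new();
    ### guard the watch the same way the fwdata open() is guarded
    eval { $gamin_m->monitor($fw_data_file); 1 }
        or die "[*] Could not monitor $fw_data_file with gamin: $@";
    return 1;
}

### Replaces the bare "sleep CHECK_INTERVAL" at the bottom of the main loop.
### Returns why the loop woke: 'timer' on the sleep path, else the event type.
### A 'delete' or 'create' result means fwdata was rotated and the caller
### must reopen FWDATA before reading again.
sub wait_for_fwdata_change {
    unless ($gamin_m) {
        sleep $config{'CHECK_INTERVAL'};   # original behaviour when gating is off
        return 'timer';
    }
    while (1) {
        my $ev   = $gamin_m->next_event;   # blocks until gamin reports something
        my $type = $ev->type;              # assumed accessor and type names
        ### 'exist'/'end_exist' are emitted when the watch starts; not a write
        next if $type eq 'exist' or $type eq 'end_exist';
        return $type;
    }
}

import_gamin_if_enabled();
my $why = wait_for_fwdata_change();
print "woke up: $why\n";
```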

