Re: [ossec-list] CDB lookups key + value

2013-08-02 Thread Xavier Mertens
Tx Michael!

I need to test, don't remember having seen this behavior before...
Looking at the source, all OS_DBSearch* functions have a:

if (_OS_CDBOpen(lrule->db) == -1) return(-1);

So, the DBs are always re-opened. Or... They are temporarily unavailable
(locked by another process? -> during an ossec_makelist if you update them
frequently)

/x


On Thu, Aug 1, 2013 at 5:56 PM, Michael Starks wrote:

> On 01.08.2013 05:33, Xavier Mertens wrote:
>
>> I really needed this feature and wrote a patch to implement it
>> (attached to this message). It is based on a stock 2.7 source tree and
>> only one file must be patched. I tested it, working for me!
>>
>
> Thanks for the patch, Xavier. Always like your stuff..
>
> I have observed, although not confirmed yet, that changes to CDB lists
> seem not to be recognized until an OSSEC restart. It should be dynamic. Do
> you also observe this behavior?
>


-- 
My server is com

Re: [ossec-list] CDB lookups key + value

2013-08-01 Thread Michael Starks

On 01.08.2013 05:33, Xavier Mertens wrote:

> I really needed this feature and wrote a patch to implement it
> (attached to this message). It is based on a stock 2.7 source tree and
> only one file must be patched. I tested it, working for me!


Thanks for the patch, Xavier. Always like your stuff..

I have observed, although not confirmed yet, that changes to CDB lists 
seem not to be recognized until an OSSEC restart. It should be dynamic. 
Do you also observe this behavior?






[ossec-list] CDB lookups key + value

2013-08-01 Thread Xavier Mertens
Hi *,

I was implementing new rules with lookups against CDB lists using the
'match_key_value'. The goal is to look up a key AND the associated value
with a regex. Example:

lists/users

After a lot of tests and coffee, it was impossible to make this rule work! And
for a good reason: the source code contained:

    case LR_STRING_MATCH_VALUE:
        //debug1("LR_STRING_MATCH_VALUE");
        // XXX TODO
        return 0;
        break;

This was also reported in a previous post in July 2012 (
https://groups.google.com/forum/#!msg/ossec-list/EeO8uuV-TYc/Y9U_VoztlBgJ)

I really needed this feature and wrote a patch to implement it (attached to
this message). It is based on a stock 2.7 source tree and only one file
must be patched. I tested it, working for me!

/x





lists_list.c.patch
Description: Binary data
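
The key + value lookup described in the original post (find the key, then test its stored value against a regex), as an added example. It is not Xavier's patch and not OSSEC source code: the in-memory table, `list_get` and `match_key_value` are hypothetical stand-ins for a compiled CDB list, and POSIX regex is used instead of OSSEC's own matcher.

```c
#include <regex.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample data standing in for a compiled CDB list
 * (key:value entries as they might appear in lists/users). */
struct kv { const char *key; const char *value; };
static const struct kv sample_list[] = {
    { "alice", "admin,vpn" },
    { "bob",   "staff" },
    { "carol", "contractor,vpn" },
};

/* Hypothetical helper: return the value stored for key, or NULL. */
static const char *list_get(const char *key)
{
    size_t i;
    for (i = 0; i < sizeof(sample_list) / sizeof(sample_list[0]); i++) {
        if (strcmp(sample_list[i].key, key) == 0)
            return sample_list[i].value;
    }
    return NULL;
}

/* Key + value lookup: 1 when the key exists AND its value matches the
 * POSIX extended regex; 0 when the key is absent or the value does not
 * match; -1 when an argument is missing or the pattern does not compile. */
int match_key_value(const char *key, const char *value_regex)
{
    regex_t re;
    const char *value;
    int rc;

    if (key == NULL || value_regex == NULL)
        return -1;
    if (regcomp(&re, value_regex, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;              /* a bad pattern is an error, not a miss */

    value = list_get(key);
    rc = (value != NULL && regexec(&re, value, 0, NULL, 0) == 0) ? 1 : 0;
    regfree(&re);
    return rc;
}
```

Returning -1 for a bad pattern keeps a broken rule distinguishable from a genuine non-match, which the stubbed `return 0;` quoted above could not do.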