After running down a few of the old snapshots I was able to pin this
problem down. It's due to the changes made between ossec-hids-100518 and
ossec-hids-100603. I have worked around the issue (badly, I might add, but
I don't know dcid's plans for the code).
I have attached a patch that allows s
Crap - I need to find that bug and kill it! Working on it tonight; will let
you know once I find the build problem.
--On July 13, 2010 5:45:23 AM -0700 Stefano Pedretti wrote:
On 12 Jul, 18:53, Jeremy Rossi wrote:
> The CDB lists feature in the newest snapshot will allow for this without
> writing a compiled rule.
Nice and useful feature, but at this time it does not compile:
In file included from run_realtime.c:41:
/usr/include/sys/inotify.h:84: error: expected ‘;’, ‘,
Thank you Daniel,
sure, I've restarted the OSSEC daemon.
I've noted that the access time of the file I read is not modified by the
daemon but is modified by logtest.
This is the evidence that analysisd can't access my text file.
Is there a reason, or could it be a bug?
[r...@nordcom ~]# ls -la --time=atime
The CDB lists feature in the newest snapshot will allow for this without
writing a compiled rule.
See the wiki page: http://www.ossec.net/wiki/ORFC_-_CDB_Database_lookups
for how to use this feature. It should also be very fast, and updates to
the CDB do not require a reload of OSSEC.
--
Jere
Hi Stefano,
Did you restart OSSEC after making all those changes? The steps you
took look correct to me, so if it is working inside logtest it should
work as well inside analysisd.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Jul 6, 2010 at 10:51 AM, Stefano Pedretti wrote:
> Dear
Can nobody help me?
On 6 Jul, 15:51, Stefano Pedretti wrote:
> Dear all,
> I have still not solved my problem.
>
> I need to monitor audits of only a set of users. I built a compiled
> rule to check if the dstuser of
> These are the facts: I
>
> - created a logman.c file (reported at the bottom)
Dear all,
I have still not solved my problem.
I need to monitor audits of only a set of users. I built a compiled
rule to check if the dstuser of
These are the facts: I
- created a logman.c file (reported at the bottom)
- registered the rule with the register_rule.sh script
- used the install.sh script
Thank you for your reply,
On 15 Jun, 14:31, Daniel Cid wrote:
> Hi Stefano,
>
> Can you send some of the logs you are trying to parse?
Yes, sure:
WinEvtLog: Security: AUDIT_SUCCESS(538): Security: my.username: AOSS:
AS2SA: User Logoff: User Name: my.username Domain: AOVV Logon ID:
(0x0,0x85A659
Hi Stefano,
Can you send some of the logs you are trying to parse?
Also, your code has some serious security issues in there. I recommend that
you double-check it before putting it in production (e.g. strcpy should not
be used).
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, May 28, 2010
Here is the code of the compiled rule:
#include "shared.h"
#include "eventinfo.h"
#include "config.h"
#include <string.h>   /* header name lost in the archive; string.h declares strcpy */

void *logman(Eventinfo *lf)
{
    static const char filename[] = "/var/ossec/adslist";

    if(!lf->dstuser)
    {
        return(NULL);
    }

    char user[128];
    strcpy(user,lf->dstuser);   /* unbounded copy: a dstuser longer than 127 bytes overflows user */

    /* The remainder of the rule (the lookup against filename) was cut off
       in the list archive; nothing matches until that part is restored. */
    (void)filename;
    return(NULL);
}
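The strcpy that Daniel flags copies lf->dstuser into a fixed 128-byte buffer with no length check. The following is an added example, not code from this thread or from OSSEC: a bounded copy that rejects over-long names instead of overflowing, with a constructed in-memory watch list standing in for the /var/ossec/adslist file (OSSEC's Eventinfo is left out so it builds stand-alone).

```c
#include <stdio.h>
#include <string.h>

#define USER_MAX 128   /* same buffer size as the posted rule */

/* Constructed stand-in for the /var/ossec/adslist file the rule reads. */
static const char *const watched_users[] = { "my.username", "auditor", NULL };

/* Bounded replacement for strcpy(user, lf->dstuser). Returns 0 on success,
 * -1 when dstuser is NULL or does not fit in user_sz bytes including the
 * terminating NUL. Over-long names are rejected, not silently truncated,
 * so a long string can never be cut down into a different, shorter name
 * that happens to be on the list. */
int copy_dstuser(const char *dstuser, char *user, size_t user_sz)
{
    const char *nul;
    if (dstuser == NULL || user_sz == 0)
        return -1;
    nul = memchr(dstuser, '\0', user_sz);   /* scan at most user_sz bytes */
    if (nul == NULL)
        return -1;                           /* no terminator within bounds */
    memcpy(user, dstuser, (size_t)(nul - dstuser) + 1);
    return 0;
}

/* Mirrors the rule's decision: 1 = dstuser is a watched account, 0 = ignore. */
int logman_decision(const char *dstuser)
{
    char user[USER_MAX];
    const char *const *p;
    if (copy_dstuser(dstuser, user, sizeof user) != 0)
        return 0;                            /* missing or over-long: no match */
    for (p = watched_users; *p != NULL; p++)
        if (strcmp(user, *p) == 0)
            return 1;
    return 0;
}

/* Feeds a 299-byte name through the rule; the original strcpy would have
 * written past the 128-byte buffer here, the bounded copy just declines. */
int overlong_name_rejected(void)
{
    char longname[300];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    return logman_decision(longname) == 0;
}
```

In the real rule the same copy_dstuser check would sit in front of whatever lookup reads the adslist file, and a -1 result should be treated as "no match" rather than a reason to fall back to strcpy.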