[INUG-Users] Rule file help !!!

Jacob Steinberger trefalgar at realitybytes.net
Wed Sep 8 16:07:01 EDT 2004


If you go the Perl route, it might be easier to look at Looper and save 
yourself a bit of coding.

Jacob

Daniel Needles wrote:

> Ari, Yoni,
>   Correct me if I am wrong, but I believe the rules file doesn't have hooks
> to call external code or scripting. It is limited to glorified
> if-then-else logic stanzas, providing no subroutines or loops.
> 
>   One alternative is to write a short Perl daemon to mount the SNMP traffic
> and parse it according to your needs, then pass it on through a different
> port back to the same box. Then modify the mttrapd probe to mount this new
> port. Much of this code is cookie cutter. The PERL COOKBOOK (ch. 17) and
> ADVANCED PERL PROGRAMMING (ch. 12) have examples of this. Other languages
> such as PYTHON or, if you have the extra learning cycles, C/C++ have similar
> solutions in print.
> 
> Thanks,
> Daniel
> 
> ----- Original Message ----- 
> From: "Yoni ben-shlosh" <yoni_benshlosh at yahoo.com>
> To: <users at netcoolusers.org>
> Sent: Wednesday, September 08, 2004 12:50 PM
> Subject: Re: [INUG-Users] Rule file help !!!
> 
> 
> 
>>Hey.
>>
>>I need to correlate events according to these fields
>>(i.e. users that have a virus & users that did spoofing & users which are
>>locked...)
>>
>>so this is not good on an as-needed basis (tool).
>>
>>Since the hex strings are of variable length,
>>and I don't know of any loops in rules files ...
>>can you give an example of how to use that hex2ascii lookup?
>>
>>arigur at surfree.com wrote:
>>Not pretty, but another option might be to parse it out and
>>put it back together with a hex-to-ASCII lookup file, or make
>>a tool that will run and convert it on an as-needed basis.
>>
>>HTH,
>>Ari
>>
>>-----Original Message-----
>>From: Yoni ben-shlosh
>>Sent: Sep 8, 2004 10:36 AM
>>To: netcool users
>>Subject: [INUG-Users] Rule file help !!!
>>
>>Hey.
>>
>>I am getting traps from McAfee ePO, which is basically antivirus.
>>
>>However, for some reason I get certain text in the trap as a HEX string
>>instead of plain ASCII.
>>
>>For example, the user name is $19 = "53 59 53 54 45 4D" instead of just
>>"system".
>>
>>Of course, I need to make it understandable for the users who don't
>>know the ASCII table by heart.
>>
>>Any idea how this can be done in the rules file?
>>Or maybe I am doing something wrong in the probe?
>>
>>Thanks.
>>Yoni
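
The conversion Yoni is asking about, as an added example that is not from the original thread and not Netcool, Looper or McAfee code. It is written in Python rather than Perl (both are named in the thread) and assumes the probe renders such values as space-separated hex octets exactly as quoted above ($19 = "53 59 53 54 45 4D"); the function names, the '$N = "..."' line format it rewrites and the sample varbinds are constructed for illustration. It handles variable-length strings without any loop in the rules file, converts only fields that are unambiguously hex, drops a trailing NUL and escapes any other non-printable byte so a decoded field cannot push control characters into an event.

```python
import re

# A varbind value as the probe renders it when it falls back to hex:
# two hex digits per octet, separated by spaces (or colons), e.g. "53 59 53 54 45 4D".
# Requiring a separator between octets is deliberate: a plain word such as "CAFE"
# would otherwise be mistaken for hex and silently mangled.
HEX_STRING = re.compile(r'^\s*[0-9A-Fa-f]{2}(?:[\s:]+[0-9A-Fa-f]{2})*\s*$')

# An assumed assignment-line format, as in the thread: $19 = "53 59 53 54 45 4D"
ASSIGNMENT = re.compile(r'^(\s*\$\w+\s*=\s*)"(.*)"(\s*)$')


def looks_like_hex_string(value: str) -> bool:
    """True if the whole value is separated hex octets, whatever its length."""
    return HEX_STRING.match(value) is not None


def hex_to_ascii(value: str, strip_nul: bool = True) -> str:
    """Decode a hex-rendered OCTET STRING into printable text.

    Trailing NUL bytes are dropped (a C-style terminator is one common reason
    SNMP tooling shows a string as hex at all), and every other non-printable
    byte is escaped as \\xNN so control characters never reach an event field.
    """
    if not looks_like_hex_string(value):
        raise ValueError(f"not a hex string: {value!r}")
    data = bytes.fromhex(re.sub(r'[\s:]', '', value))
    if strip_nul:
        data = data.rstrip(b'\x00')
    return ''.join(chr(b) if 0x20 <= b < 0x7F else '\\x%02X' % b for b in data)


def decode_varbinds(varbinds: dict) -> dict:
    """Convert only the varbinds that are hex-rendered; leave plain text untouched."""
    return {name: hex_to_ascii(val) if looks_like_hex_string(val) else val
            for name, val in varbinds.items()}


def rewrite_line(line: str) -> str:
    """Rewrite one '$N = "..."' line, decoding the value only if it is hex."""
    m = ASSIGNMENT.match(line)
    if not m:
        return line
    prefix, value, suffix = m.groups()
    if not looks_like_hex_string(value):
        return line
    return f'{prefix}"{hex_to_ascii(value)}"{suffix}'


# Constructed sample input (not captured from a real ePO trap): the user name
# quoted in the thread, a NUL-terminated value, one containing a control
# character, and an ordinary text field that must pass through unchanged.
SAMPLE_VARBINDS = {
    "$19": "53 59 53 54 45 4D",   # decodes to "SYSTEM"
    "$20": "4A 6F 65 00",         # "Joe" plus a C-style terminator
    "$21": "41 07 42",            # a BEL byte in the middle, escaped on output
    "$22": "Virus Found",         # already plain text
}

if __name__ == "__main__":
    for name, text in decode_varbinds(SAMPLE_VARBINDS).items():
        print(f'{name} = "{text}"')
    print(rewrite_line('$19 = "53 59 53 54 45 4D"'))
```

Feed the probe's debug output, or whatever text a relay daemon of the kind Daniel describes emits, through rewrite_line: lines whose value is not separated hex pass through untouched, so plain-text fields are never corrupted. Note that the octets quoted in the thread decode to upper-case "SYSTEM"; the code reproduces the bytes as sent rather than normalising case.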



