Cfengine configuration directory

Filter examples and ideas

Relevant classes: any

Some example filter programs:

#
# Search for users who have symlinked their shell history files to /dev/null
# to hide their actions
#

# Global settings for this example.
control:

 # Run the files scan first, then shellcommands, so that a class defined
 # during the scan can gate the command in the shellcommands section.
 actionsequence = ( files shellcommands )
 # Declare "history" as a class that may be defined during the run; it is
 # set by DefineClasses in filter2.
 AddInstallable = ( history )

# Scan a directory tree and report files selected by filter2.
files:

# r=inf recurses without a depth limit; filter=filter2 restricts the scan to
# files that filter selects; action=alert is expected to report matches
# without modifying them (confirm against the cfengine reference).
# NOTE(review): /filesys looks like a placeholder for the tree to scan --
# confirm, and point it at the file systems that hold user home directories.
/filesys filter=filter2 action=alert r=inf

##############################################

filters:

  { filter2               # flag history files symlinked to /dev/null (possible attempt to hide activity)

  # File names ending in "history" (presumably the regex must match the
  # whole name -- verify), e.g. shell history files.
  NameRegex:   ".*history"
  # The file is a symbolic link whose target is /dev/null.
  IsSymLinkTo: "/dev/null"
  # "." combines the two criteria: both must hold for a file to match.
  Result:      "IsSymLinkTo.NameRegex"
  # Define the "history" class on a match so other sections can react to it.
  DefineClasses: "history"
  # NOTE(review): this detects only the symlink case; history that is
  # disabled by other means leaves no such link and needs a separate check.
  }

#####################################

# Follow-up command, run after the files scan (see actionsequence).
shellcommands:

 # Applies only when the "history" class was defined by filter2.
 history::

  # NOTE(review): the message does not say which file matched; the alert
  # from the files action is the place to look for the path and its owner.
  "/bin/echo History was /dev/null"

Some other filter ideas:

  { filter1                # look for executable files disguised as GIF

  # File names ending in "gif". NOTE(review): the match looks case-sensitive,
  # so names ending in "GIF" would be missed -- confirm.
  NameRegex:  ".*gif"
  # Run /bin/file and match its output against a regex containing "ELF".
  # NOTE(review): the command shown does not name the file under test;
  # confirm in the cfengine reference how ExecRegex supplies it.
  # Only ELF binaries are caught; scripts and other executable formats
  # carrying a .gif name are not covered by this pattern.
  ExecRegex: "/bin/file (.*ELF.*)"
  # "." combines the two criteria: both must hold.
  Result: "ExecRegex.NameRegex"
  }

  { filter2               # flag history files symlinked to /dev/null (possible attempt to hide activity)

  # File names ending in "history" (presumably the regex must match the
  # whole name -- verify), e.g. shell history files.
  NameRegex:   ".*history"
  # The file is a symbolic link whose target is /dev/null.
  IsSymLinkTo: "/dev/null"
  # "." combines the two criteria: both must hold for a file to match.
  Result:      "IsSymLinkTo.NameRegex"
  # Define the "history" class on a match so other sections can react to it;
  # the class also has to be listed in AddInstallable under control.
  DefineClasses: "history"
  }

  { filter3               # programs started after 18th Nov 2000

  # Start-time window: from 2000-11-18 00:00:00 (arguments read as
  # year, month, day, hour, minute, second) up to the time of the run.
  FromSTime: "date(2000,11,18,0,0,0)"
  ToSTime:   "now"
  # Select on the start-time criterion alone.
  Result:    "STime"
  }

  { filter4               # programs which have accumulated between 2 and 300 days CPU

  # Window on accumulated CPU time.
  # NOTE(review): if accumulated() takes the same field order as date()
  # (year, month, day, hour, minute, second), the non-zero value is in the
  # hours field, so this selects 2 to 300 hours rather than days -- confirm
  # and correct either the values or the description above.
  FromTTime:  "accumulated(0,0,0,2,0,0)"
  ToTTime:    "accumulated(0,0,0,300,0,0)"
  # Select on the accumulated-time criterion alone.
  Result:     "TTime"
  }
 
  { filter5               # terminal programs started between 2-30 Nov 2000

  # Start-time window from 2000-11-02 00:00:00 to 2000-11-30 00:00:00.
  # NOTE(review): the upper bound is midnight at the start of 30 Nov, so
  # programs started during 30 Nov fall outside the window -- confirm intent.
  FromSTime: "date(2000,11,2,0,0,0)"
  ToSTime:   "date(2000,11,30,0,0,0)"
  # Controlling terminal name contains "pt" (presumably pseudo-terminals
  # such as pts/N -- verify against the tty naming on the target hosts).
  TTY: ".*pt.*"

  # "." combines the two criteria: both must hold.
  Result: "TTY.STime"
  }

