CDB list question


Kyriakos Stavridis

Sep 17, 2019, 9:57:51 AM
to ossec-list
Hello everyone. I have some md5/sha256 hashes in a cdb list and I want to detect them with the <list></list> functionality.

The problem is that I am decoding the information with a field name like "hash", but I can't really use it like that:

<list field="md5">hashes</list>

because OSSEC doesn't allow the usage of any fields other than the following.

  • Value: srcip
  • Value: srcport
  • Value: dstip
  • Value: dstport
  • Value: extra_data
  • Value: user
  • Value: url
  • Value: id
  • Value: hostname
  • Value: program_name
  • Value: status
  • Value: action
Do you have any suggestions? :)

Thanks

dan (ddp)

Sep 18, 2019, 7:39:18 AM
to ossec...@googlegroups.com
Add support for other fields to cdb lists?

> Thanks
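One way to work within the field restriction described in the question, as an added example that is not part of the original thread: decode the hash into one of the permitted fields (`extra_data` here) and look that field up in the CDB list. The decoder names, program name, log format, rule ID and list path are assumptions made for illustration.

```xml
<!-- Constructed sample log line this example assumes:
     example-scanner: file=/tmp/sample.bin hash=d41d8cd98f00b204e9800998ecf8427e -->

<!-- local_decoder.xml: store the hash in extra_data instead of a custom "hash" field -->
<decoder name="example-scanner">
  <program_name>^example-scanner$</program_name>
</decoder>

<decoder name="example-scanner-hash">
  <parent>example-scanner</parent>
  <regex>hash=(\w+)</regex>
  <order>extra_data</order>
</decoder>

<!-- ossec.conf: register the list (assumed path, relative to the OSSEC directory).
     The source file holds one "key:value" entry per line, for example
       d41d8cd98f00b204e9800998ecf8427e:known-bad
     and is compiled to hashes.cdb with ossec-makelists. Lookups are exact
     string matches, so keep the hash case in the list consistent with what
     the log source emits. -->
<ossec_config>
  <rules>
    <list>lists/hashes</list>
  </rules>
</ossec_config>

<!-- local_rules.xml: alert when the decoded hash is a key in the list -->
<group name="local,hash_lookup,">
  <rule id="100200" level="10">
    <decoded_as>example-scanner</decoded_as>
    <list field="extra_data" lookup="match_key">lists/hashes</list>
    <description>Decoded file hash is present in the hashes CDB list.</description>
  </rule>
</group>
```

Running `ossec-logtest` with the sample line shows whether the hash lands in `extra_data` and whether the rule fires before the configuration goes live.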