With 0.8.1 on Win2k I added a list of files to ignore
to the bottom of my rules.conf...
\Program Files\BakBone Software\ !
\WINNT\system32\LogFiles\ !
\WINNT\system32\wbem\Logs !
these weren't being picked up to be ignored during
creating a new database...
perl labrador.pl -n -v
Proved this by dumping the array during creation,
changed loop at line 490 to...
foreach(@dontscanme)
{
print "dontscanme $_\n";
If I move these lines in rules.conf to before the
example pagefile.sys entry...
# ignore swap file
\Program Files\BakBone Software\ !
\WINNT\system32\LogFiles\ !
\WINNT\system32\wbem\Logs !
\pagefile.sys !
Now these were being included to be ignored, but not
actually being ignored. This is because the ignored
files are stored in the array with forward slashes...
/Program Files/BakBone Software/
/WINNT/system32/LogFiles/
/WINNT/system32/wbem/Logs
/pagefile.sys
So I added a little code to the above loop to
change "/" to "\\"...
my $dontscanpath_and_file;
$dontscanpath_and_file = $_;
# convert slashes in path for win 32 so they end up as \\'s
if($^O =~ /Win32/)
{
$dontscanpath_and_file =~ s/\\\//\\/;
# or else Find::name gives "root\dir\/other/dirs"
$dontscanpath_and_file =~ s/\//\\/g;
# puts everything in '\' slashes
$dontscanpath_and_file =~ s/\\/\\\\/g;
}
"\\" is needed for the compare...
if($path_and_file =~ /^$dontscanpath_and_file/)
{
$new_warn = 1 if($special_tests{'NONEW'});
return;
}
Hope that's clear; you may want to add the code, or
make it much more efficient - note that this doesn't solve
the problem of having to bunch the ignore files
together.
Thanks
andy
Logged In: YES
user_id=1227021
Hi andy,
Thanks for the bug report! The current '/' vs. '\' in the
current version is a mess, and since so many checks are done
in different places, it's very troublesome to check them
all. Your bugfix was just what I needed to go on and fix
this in the current version (labrador 1.0 does not have this
issue thanks to better design).
As for the placement of the ignore commands, this is actually
a feature. Labrador scans the rules file in sequence (e.g.
it does not parse it into a big rule structure like AIDE). I
chose this approach so I could make a recursive rule with
exceptions. For example, if I wanted to check the MD5 of
"\windows" and all its subdirectories (except "system32"),
and "\windows\system32" for Whirlpool, I could do something
like this:
----------------------
<whirlpool>
\windows\system32\ -r
</whirlpool>
\windows\system32\ ! # from now on, ignore this folder
# in further rules.
<md5>
\windows\ -r # won't scan \windows\system32 again
</md5>
----------------------
See what I mean?
As such, there's no point adding ignore commands on the
bottom of the rules file (as there will be no other rule for
them to match). But this doesn't mean that all ignore rules
need to be placed together, it only means that they need to
be placed before the rule that you want to be changed by the
ignore command.
Either way, I'm increasing the test suite of Labrador for
Windows before I release 0.8.2, so problems like yours will
(hopefully) be reduced to a minimum.
Thanks again!
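The two points raised in this thread, the '/' vs. '\' mismatch from the bug report and the sequential rule evaluation the maintainer describes, as an added Python example that is not labrador's own code (labrador itself is Perl). It parses a constructed rules.conf in the maintainer's layout, normalises every path to forward slashes before comparing, and applies each ignore only to the check rules that follow it; RULES, FILES, norm, parse_rules, under and plan are names assumed here.

```python
# Constructed rules.conf in the maintainer's layout: the ignore sits between the
# whirlpool and md5 blocks, so only the md5 rule skips system32.
RULES = """
<whirlpool>
\\windows\\system32\\ -r
</whirlpool>
\\windows\\system32\\ !   # from now on, ignore this folder
<md5>
\\windows\\ -r             # won't scan \\windows\\system32 again
</md5>
"""
FILES = ["/windows/notepad.exe", "/windows/system32/cmd.exe",
         "/windows/system32/drivers/etc/hosts", "/pagefile.sys"]
def norm(path):
    # One canonical form (forward slashes, no trailing slash) for rule paths and
    # scanned paths alike, so the '\' vs. '/' mismatch from the report cannot occur.
    return "/" + path.replace("\\", "/").strip("/")
def parse_rules(text):
    # Keeps file order: yields ("ignore", path) or ("check", algo, path, recursive).
    rules, algo = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("<"):          # <algo> opens a block, </algo> closes it
            algo = None if line.startswith("</") else line.strip("<>")
            continue
        parts = line.rsplit(None, 1)      # "Program Files" style paths contain spaces
        flag = parts[-1] if len(parts) == 2 and parts[-1] in ("!", "-r") else ""
        path = norm(parts[0] if flag else line)
        if flag == "!":
            rules.append(("ignore", path))
        elif algo:
            rules.append(("check", algo, path, flag == "-r"))
    return rules
def under(path, base, recursive):
    # The entry itself, a direct child, or (with -r) anything below it.
    rest = path[len(base) + 1:] if path.startswith(base + "/") else None
    return path == base or (rest is not None and (recursive or "/" not in rest))
def plan(rules, files):
    # Walk the rules in sequence: an ignore affects only the check rules after it,
    # which is why an ignore at the bottom of rules.conf changes nothing.
    out, ignored = {f: [] for f in files}, []
    for rule in rules:
        if rule[0] == "ignore":
            ignored.append(rule[1])
        else:
            _, algo, base, rec = rule
            for f in files:
                if under(f, base, rec) and not any(under(f, i, True) for i in ignored):
                    out[f].append(algo)
    return out
```

Running plan(parse_rules(RULES), FILES) gives notepad.exe to md5 only, both system32 files to whirlpool only, and pagefile.sys to nothing; moving the ignore line below the md5 block makes system32 get md5 as well.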