A quick hack for changing the “email_from” name in OSSEC HIDS.
by Chris Cooke on Oct.17, 2007, under Uncategorized
I have several sites that use OSSEC HIDS. For a variety of reasons I won’t go into here, I do not have a central server with agents. Instead, each server has its own local installation, each e-mailing back to the same e-mail account. I set the e-mail from for each server to report the domain name sending it, but the display name is hard coded to be OSSEC HIDS. This means that for certain mail clients I have a lot of emails from “OSSEC HIDS” with no immediate way of telling the source.
There are a lot of ways to work around this, but I just wanted a quick hack to the display name so I could take this one off my list and move on. It turns out to be easy to do even if you don’t have a lot of development skill.
WARNING: I’m just passing on a quick and dirty hack. I haven’t tested this on a variety of platforms. The more your circumstances vary from mine (OSSEC HIDS 1.3 on Linux), the more you may need to adjust this. I’m not responsible if you screw up your system!
I unpacked the source tarball into /usr/local/src/ossec-hids-1.3, which I will call the install directory.
The file you need to change is src/os_maild/sendmail.c. Save this file off somewhere before you modify it!
Look for a line that looks like
#define FROM "From: OSSEC HIDS <%s>\r\n"
Change the “OSSEC HIDS” to say whatever you like. I used the name of the domain, followed by HIDS, e.g. “MACIDOL HIDS”.
Now you need to recompile. This is also pretty easy. Go back to the install directory and rerun “./install.sh”. If you have installed before you will get a prompt that says
You already have OSSEC installed. Do you want to update it? (y/n):
Say yes to this, and you will not damage your old config.
I like to restart OSSEC HIDS after this with
/etc/init.d/ossec restart
The installer probably does this, but it gives me a little kick to do it, so I do.
IMPORTANT NOTE: This only applies to 1.3. Future versions will wipe out the hack, so it may need to be reapplied (if future versions don’t give a way to specify the display name in the config file.) It may be in a different place in future versions.
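The edit described above, scripted so it can be re-applied after an upgrade. This is an added example, not part of the original post or of OSSEC; the function name set_ossec_from_name is hypothetical. The character whitelist is an assumption, chosen because the define is a printf-style format string inside a C string literal.

```shell
#!/bin/sh
# Added example: re-apply the display-name change to src/os_maild/sendmail.c.
# set_ossec_from_name is a hypothetical helper name, not part of OSSEC.

# Usage: set_ossec_from_name <path/to/sendmail.c> "<display name>"
set_ossec_from_name() {
    src=$1
    name=$2

    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }

    # The name lands inside a C string literal that is also a printf-style
    # format (it already contains %s), and inside a mail header. Allow only
    # letters, digits, space, dot, underscore and hyphen so that % \ " < >
    # and line breaks can never reach it.
    case $name in
        ''|*[!A-Za-z0-9\ ._-]*)
            echo "refusing display name: $name" >&2; return 1 ;;
    esac

    # Exactly one FROM define is expected; anything else means the source
    # layout differs from 1.3 and needs a manual look.
    count=$(grep -c '^#define[[:space:]]\{1,\}FROM[[:space:]]\{1,\}"From: .* <%s>' "$src" || true)
    [ "$count" -eq 1 ] || { echo "expected 1 FROM define, found $count" >&2; return 1; }

    # Keep the pristine file once; never overwrite an existing backup.
    [ -f "$src.orig" ] || cp -p "$src" "$src.orig" || return 1

    tmp=$src.tmp.$$
    sed "s/^\(#define[[:space:]]\{1,\}FROM[[:space:]]\{1,\}\"From: \).* <%s>/\1$name <%s>/" \
        "$src" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Confirm the new name is present before replacing the source file.
    if grep -q "\"From: $name <%s>" "$tmp"; then
        cat "$tmp" > "$src" && rm -f "$tmp"
    else
        rm -f "$tmp"; return 1
    fi
}
```

Run it against src/os_maild/sendmail.c in the install directory, then rerun ./install.sh as described above.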