Listing 3. report_suspicious_process_names.cf

body common control

{
bundlesequence  =>
            { "report_suspicious_process_names"  };
}

###################################################

bundle agent report_suspicious_process_names

{

vars:

  "suspicious_process_names" slist =>
      {
          "sniff",
          "eggdrop",
          "r00t",
          "^\./",
          "john",
          "crack"
      };


processes:

 ".*"

    process_select  =>
      proc_finder("$(suspicious_process_names)");
}


###################################################

body process_select proc_finder(pattern)

{
     command => ".*$(pattern).*";

     process_result => "command";
}