If I add the following rule to local_rules.xml and try to test it with ossec-logtest, I receive a segfault (see below):

<group name="apache,">
  <rule id="30109" level="9" timeframe="60" frequency="5" overwrite="yes">
    <!-- Original rule blocked user if login failed once. That's a bit too hard -->
    <if_matched_sid>30101</if_matched_sid>
    <regex>user \S+ not found</regex>
    <description>Attempt to login using a non-existent user.</description>
    <group>invalid_login,</group>
  </rule>
</group>

# ../bin/ossec-logtest
2012/01/23 08:55:06 ossec-testrule: INFO: Reading local decoder file.
2012/01/23 08:55:06 ossec-testrule: INFO: Started (pid: 32103).
ossec-testrule: Type one log per line.

[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/

**Phase 1: Completed pre-decoding.
       full event: '[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/'
       hostname: 'server'
       program_name: '(null)'
       log: '[error] [client 192.168.0.123] user unknownUser not found: /myapp/'

**Phase 2: Completed decoding.
       decoder: 'apache-errorlog'
       srcip: '192.168.0.123'
Segmentation fault

Is there any update planned to ossec soon?