If I add the following rule to local_rules.xml and try to test it with
ossec-logtest, I receive a segfault (see below):

<group name="apache,">
  <rule id="30109" level="9" timeframe="60" frequency="5" overwrite="yes">
    <!-- Original rule blocked user if login failed once. That's a bit too hard -->
    <if_matched_sid>30101</if_matched_sid>
    <regex>user \S+ not found</regex>
    <description>Attempt to login using a non-existent user.</description>
    <group>invalid_login,</group>
  </rule>
</group>

# ../bin/ossec-logtest
2012/01/23 08:55:06 ossec-testrule: INFO: Reading local decoder file.
2012/01/23 08:55:06 ossec-testrule: INFO: Started (pid: 32103).
ossec-testrule: Type one log per line.

[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/

**Phase 1: Completed pre-decoding.
       full event: '[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/'
       hostname: 'server'
       program_name: '(null)'
       log: '[error] [client 192.168.0.123] user unknownUser not found: /myapp/'

**Phase 2: Completed decoding.
       decoder: 'apache-errorlog'
       srcip: '192.168.0.123'
Segmentation fault

Is there any update planned for OSSEC soon?