I am using version "OSSEC HIDS v2.6 - Trend Micro Inc." on Ubuntu 11.10 (oneiric).
On 02.02.2012, at 14:19, dan (ddp) wrote:
> On Thu, Feb 2, 2012 at 4:06 AM, Oliver Mueller <ogmuel...@gmail.com> wrote:
>> If I add the following rule to local_rules.xml and try to test it with
>> ossec-logtest, I receive a segfault (see below):
>>
>> <group name="apache,">
>>   <rule id="30109" level="9" timeframe="60" frequency="5" overwrite="yes">
>>     <!-- Original rule blocked user if login failed once. That's a bit too hard -->
>>     <if_matched_sid>30101</if_matched_sid>
>>     <regex>user \S+ not found</regex>
>>     <description>Attempt to login using a non-existent user.</description>
>>     <group>invalid_login,</group>
>>   </rule>
>> </group>
>>
>> # ../bin/ossec-logtest
>> 2012/01/23 08:55:06 ossec-testrule: INFO: Reading local decoder file.
>> 2012/01/23 08:55:06 ossec-testrule: INFO: Started (pid: 32103).
>> ossec-testrule: Type one log per line.
>>
>> [Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/
>>
>> **Phase 1: Completed pre-decoding.
>> full event: '[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/'
>> hostname: 'server'
>> program_name: '(null)'
>> log: '[error] [client 192.168.0.123] user unknownUser not found: /myapp/'
>>
>> **Phase 2: Completed decoding.
>> decoder: 'apache-errorlog'
>> srcip: '192.168.0.123'
>> Segmentation fault
>>
>
> What version of OSSEC? What kind of host?
>
>> Is there any update planned to ossec soon?
>
> Not that I'm aware of.
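Added example, not part of the thread and not OSSEC code: a small Python script that shows what the posted rule is meant to do, i.e. raise a level-9 alert only once 5 "user ... not found" Apache errors fall within 60 seconds instead of on the first failure. It parses Apache error_log lines of the same shape as the one fed to ossec-logtest above, applies the rule's regex, and keeps a sliding window of matching event timestamps. The log lines, the `FrequencyRule` class, and the `same_source_ip` switch are constructed for this example; OSSEC's own correlation engine is not used, so this reproduces the intended detection, not the segfault.

```python
import re
from collections import deque
from datetime import datetime

# Thresholds copied from the rule posted in the thread
# (level="9" timeframe="60" frequency="5", regex "user \S+ not found").
LEVEL = 9
FREQUENCY = 5
TIMEFRAME = 60  # seconds
MATCH_RE = re.compile(r"user \S+ not found")

# Apache error_log layout as seen in the ossec-logtest output in the thread.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse_line(line):
    """Return (timestamp, client_ip, message), or None if the line is not an
    Apache error_log entry of the expected shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("ip"), m.group("msg")


class FrequencyRule:
    """Sliding-window counter approximating an OSSEC frequency/timeframe rule:
    fire once `frequency` matching events fall within `timeframe` seconds.

    With same_source_ip=False all matches are counted together, which is what
    the posted rule does (it carries no <same_source_ip/> tag). With
    same_source_ip=True each client IP gets its own window (hypothetical
    option of this example, mirroring that OSSEC tag)."""

    def __init__(self, frequency=FREQUENCY, timeframe=TIMEFRAME,
                 same_source_ip=False):
        self.frequency = frequency
        self.timeframe = timeframe
        self.same_source_ip = same_source_ip
        self.windows = {}  # window key -> deque of event timestamps

    def feed(self, line):
        """Feed one log line; return an alert dict when the threshold is hit."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        ts, ip, msg = parsed
        if not MATCH_RE.search(msg):
            return None
        key = ip if self.same_source_ip else "*"
        window = self.windows.setdefault(key, deque())
        window.append(ts)
        # Drop events older than the timeframe relative to the newest one.
        while (ts - window[0]).total_seconds() > self.timeframe:
            window.popleft()
        if len(window) >= self.frequency:
            count = len(window)
            window.clear()  # simplification: start counting afresh after firing
            return {"level": LEVEL, "srcip": ip, "count": count,
                    "description": "Attempt to login using a non-existent user."}
        return None


def run_rule(lines, same_source_ip=False):
    """Apply the rule to a sequence of lines and collect the alerts raised."""
    rule = FrequencyRule(same_source_ip=same_source_ip)
    return [alert for alert in (rule.feed(line) for line in lines) if alert]


# Constructed sample log lines (not from the thread): five failures inside one
# minute from one client, one unrelated error, and a later isolated failure.
SAMPLE_LINES = [
    "[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/",
    "[Mon Jan 23 08:40:50 2012] [error] [client 192.168.0.123] user admin not found: /myapp/",
    "[Mon Jan 23 08:40:55 2012] [error] [client 192.168.0.123] user root not found: /myapp/",
    "[Mon Jan 23 08:41:02 2012] [error] [client 192.168.0.50] File does not exist: /var/www/favicon.ico",
    "[Mon Jan 23 08:41:10 2012] [error] [client 192.168.0.123] user test not found: /myapp/",
    "[Mon Jan 23 08:41:30 2012] [error] [client 192.168.0.123] user guest not found: /myapp/",
    "[Mon Jan 23 08:45:00 2012] [error] [client 192.168.0.123] user backup not found: /myapp/",
]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_LINES):
        print(alert)
```

Running it on the sample lines raises exactly one alert, on the fifth failure at 08:41:30; the single failure at 08:45:00 stays below the threshold, which is the behaviour the comment in the posted rule asks for.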