On 02.02.2012 10:06, Oliver Mueller wrote:
> If I add the following rule to local_rules.xml and try to test it with 
> ossec-logtest, I receive a
> segfault (see below):
> 
..
> 
> Is there any update planned to ossec soon?

works for me (RHEL 5.7 64bit):

$ /var/ossec/bin/ossec-logtest -V

OSSEC HIDS v2.6 - Trend Micro Inc.

$ /var/ossec/bin/ossec-logtest
ossec-testrule: Type one log per line.

[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/


**Phase 1: Completed pre-decoding.
       full event: '[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/'
       hostname: 'myhost'
       program_name: '(null)'
       log: '[error] [client 192.168.0.123] user unknownUser not found: /myapp/'

**Phase 2: Completed decoding.
       decoder: 'apache-errorlog'
       srcip: '192.168.0.123'

**Phase 3: Completed filtering (rules).
       Rule id: '30109'
       Level: '9'
       Description: 'Attempt to login using a non-existent user.'
**Alert to be generated.


Regards,
-ap
