Hey, I see the issue in there. You overwrote rule 30109, which is an atomic rule dependent on 30101 (<if_sid>30101</if_sid>).
You modified it to be a composite rule and OSSEC didn't like that. It should have warned that you can't use overwrite to change a rule from atomic to composite and vice versa. In your case, you are better off making that rule a dependent one (using <if_matched_sid>30109</if_matched_sid>) than overwriting it.

Thanks,

--
Daniel B. Cid
daniel....@gmail.com

On Thu, Feb 2, 2012 at 5:06 AM, Oliver Mueller <ogmuel...@gmail.com> wrote:
> If I add the following rule to local_rules.xml and try to test it with
> ossec-logtest, I receive a segfault (see below):
>
> <group name="apache,">
>   <rule id="30109" level="9" timeframe="60" frequency="5" overwrite="yes">
>     <!-- Original rule blocked user if login failed once. That's a bit too hard -->
>     <if_matched_sid>30101</if_matched_sid>
>     <regex>user \S+ not found</regex>
>     <description>Attempt to login using a non-existent user.</description>
>     <group>invalid_login,</group>
>   </rule>
> </group>
>
> # ../bin/ossec-logtest
> 2012/01/23 08:55:06 ossec-testrule: INFO: Reading local decoder file.
> 2012/01/23 08:55:06 ossec-testrule: INFO: Started (pid: 32103).
> ossec-testrule: Type one log per line.
>
> [Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/
>
> **Phase 1: Completed pre-decoding.
>        full event: '[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/'
>        hostname: 'server'
>        program_name: '(null)'
>        log: '[error] [client 192.168.0.123] user unknownUser not found: /myapp/'
>
> **Phase 2: Completed decoding.
>        decoder: 'apache-errorlog'
>        srcip: '192.168.0.123'
> Segmentation fault
>
> Is there any update planned for ossec soon?
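The mistake in this thread, as an added example that is not part of the original thread or of the OSSEC project: a small Python linter that compares an overwrite="yes" rule in local_rules.xml against the rule it replaces and flags the atomic-to-composite (or composite-to-atomic) change that Daniel describes, before ossec-logtest has a chance to crash on it. The base-rule text below is a constructed stand-in for the relevant part of apache_rules.xml, not a copy of it; the "fixed" local_rules.xml is one assumed way of following Daniel's advice (an atomic overwrite of 30109 at a lower level plus a new composite rule counting 30109 hits), and the rule id 100109 and the level values are assumptions. The classification rule used here (frequency/timeframe attributes or an if_matched_* child means composite) is this example's heuristic, not OSSEC's own check.

```python
"""Added example: flag overwrite="yes" rules that change an OSSEC rule's
kind (atomic <-> composite).  Not from the OSSEC project or the thread."""
import xml.etree.ElementTree as ET

# Children that only make sense on a composite rule (one that fires on a
# count of earlier matches within <timeframe> seconds).
COMPOSITE_CHILDREN = ("if_matched_sid", "if_matched_group", "if_matched_regex")

# Constructed stand-in for the two base rules involved (apache_rules.xml);
# the real file has more rules and slightly different wording.
BASE_RULES = r"""
<group name="apache,">
  <rule id="30101" level="0">
    <if_sid>30100</if_sid>
    <match>[error]</match>
    <description>Apache error messages grouped.</description>
  </rule>
  <rule id="30109" level="9">
    <if_sid>30101</if_sid>
    <regex>user \S+ not found</regex>
    <description>Attempt to login using a non-existent user.</description>
    <group>invalid_login,</group>
  </rule>
</group>
"""

# The local_rules.xml from the thread: overwrites atomic 30109 with a
# composite rule (frequency/timeframe plus if_matched_sid).
BROKEN_LOCAL_RULES = r"""
<group name="apache,">
  <rule id="30109" level="9" timeframe="60" frequency="5" overwrite="yes">
    <if_matched_sid>30101</if_matched_sid>
    <regex>user \S+ not found</regex>
    <description>Attempt to login using a non-existent user.</description>
    <group>invalid_login,</group>
  </rule>
</group>
"""

# One assumed way to follow Daniel's advice: keep 30109 atomic (the overwrite
# only lowers its level so a single miss does not trigger a response) and add
# a new composite rule in the local id range that counts 30109 hits.  The id
# 100109 and the levels are assumptions, not values from the thread.
FIXED_LOCAL_RULES = r"""
<group name="apache,">
  <rule id="30109" level="3" overwrite="yes">
    <if_sid>30101</if_sid>
    <regex>user \S+ not found</regex>
    <description>Attempt to login using a non-existent user.</description>
    <group>invalid_login,</group>
  </rule>
  <rule id="100109" level="9" frequency="5" timeframe="60">
    <if_matched_sid>30109</if_matched_sid>
    <same_source_ip />
    <description>Multiple attempts to login using non-existent users.</description>
    <group>invalid_login,</group>
  </rule>
</group>
"""


def parse_rules(xml_text):
    """Map rule id -> Element.  OSSEC rule files have several <group> roots
    and no document root, so wrap the fragment before parsing (this assumes
    the fragment carries no <?xml ...?> declaration)."""
    root = ET.fromstring("<ossec_rules>" + xml_text + "</ossec_rules>")
    return {rule.get("id"): rule for rule in root.iter("rule")}


def is_composite(rule):
    """Heuristic: a rule is composite if it has a frequency or timeframe
    attribute, or any if_matched_* child; otherwise it is atomic."""
    if rule.get("frequency") is not None or rule.get("timeframe") is not None:
        return True
    return any(rule.find(tag) is not None for tag in COMPOSITE_CHILDREN)


def kind(rule):
    return "composite" if is_composite(rule) else "atomic"


def lint_overwrites(base_xml, local_xml):
    """Return (rule_id, message) for every overwrite="yes" rule in local_xml
    that has no base rule to overwrite or that changes the base rule's kind."""
    base = parse_rules(base_xml)
    findings = []
    for rid, rule in parse_rules(local_xml).items():
        if rule.get("overwrite", "no").lower() != "yes":
            continue
        if rid not in base:
            findings.append((rid, 'overwrite="yes" but no base rule has this id'))
        elif kind(base[rid]) != kind(rule):
            findings.append((rid, f"overwrite changes rule from {kind(base[rid])} to {kind(rule)}"))
    return findings


if __name__ == "__main__":
    for label, local in (("thread", BROKEN_LOCAL_RULES), ("fixed", FIXED_LOCAL_RULES)):
        findings = lint_overwrites(BASE_RULES, local)
        print(f"{label}: {findings or 'no problems found'}")
```

Run against the thread's local_rules.xml the linter reports the single overwrite of 30109 as an atomic-to-composite change; against the fixed layout it reports nothing, because the overwrite of 30109 stays atomic and the composite rule is a new id rather than an overwrite. The same function can be pointed at a real rules directory by reading apache_rules.xml and local_rules.xml into the two string arguments.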