Re: [ossec-list] Segfaults with overwrite
I would like to do that, BUT that just doesn't work. I asked for that feature in previous mails and the recommendation was to override rules. Check out:
http://groups.google.com/group/ossec-list/browse_thread/thread/c48f0017cd131ea2/1def88460fe1f637?lnk=gstq=ogmueller#1def88460fe1f637

On 06.02.2012, at 16:34, Daniel Cid wrote:

> Hey,
>
> I see the issue in there. You overwrote the rule 30109, which is an atomic rule dependent on the 30101 (<if_sid>30101</if_sid>). You modified it to be a composite rule and OSSEC didn't like that. It should have warned that you can't use the overwrite to modify a rule from atomic->composite and vice-versa.
>
> In your case, you are better putting that rule as dependent (using <if_matched_sid>30109) then overwriting it.
>
> Thanks,
>
> --
> Daniel B. Cid
> daniel@gmail.com
Re: [ossec-list] Segfaults with overwrite
I would like to help you on that one, but I don't have gdb running nor experience with it…

On 06.02.2012, at 12:52, dan (ddp) wrote:

> On Sat, Feb 4, 2012 at 4:01 AM, Oliver Müller <ogmuel...@gmail.com> wrote:
>> I definitely get a segfault though and I clear out my local rules. There was nothing in there except for this group with one rule. Is it an Ubuntu problem then?
>
> I don't remember having any issues with Ubuntu, but that VM is inaccessible right now. Any chance you can run ossec-logtest in gdb?
>
>> this is my original rule in apache_rules.xml:
>>
>> <rule id="30109" level="9">
>>   <if_sid>30101</if_sid>
>>   <regex>user \S+ not found</regex>
>>   <description>Attempt to login using a non-existent user.</description>
>>   <group>invalid_login,</group>
>> </rule>
>>
>> and this is the strace I get, when I am testing the log entry with ossec-logtest:
>>
>> [Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/
>> [Mon Jan 23 08:40:46 2012] [erro..., 1024) = 94
>> write(2, \n, 1 ) = 1
>> write(2, \n, 1 ) = 1
>> stat(/etc/localtime, {st_mode=S_IFREG|0644, st_size=2309, ...}) = 0
>> write(2, **Phase 1: Completed pre-decodin..., 34**Phase 1: Completed pre-decoding.) = 34
>> write(2, \n, 1 ) = 1
>> write(2, full event: '[Mon Jan 23 ..., 114 full event: '[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/') = 114
>> write(2, \n, 1 ) = 1
>> write(2, hostname: 'server', 23 hostname: 'server') = 23
>> write(2, \n, 1 ) = 1
>> write(2, program_name: '(null)', 29 program_name: '(null)') = 29
>> write(2, \n, 1 ) = 1
>> write(2, log: '[error] [client 192..., 80 log: '[error] [client 192.168.0.123] user unknownUser not found: /myapp/') = 80
>> write(2, \n, 1 ) = 1
>> write(2, \n**Phase 2: Completed decoding., 31 **Phase 2: Completed decoding.) = 31
>> write(2, \n, 1 ) = 1
>> write(2, decoder: 'apache-errorlog..., 33 decoder: 'apache-errorlog') = 33
>> write(2, \n, 1 ) = 1
>> write(2, srcip: '192.168.0.123', 29 srcip: '192.168.0.123') = 29
>> write(2, \n, 1 ) = 1
>> --- SIGSEGV (Segmentation fault) @ 0 (0) ---
>> +++ killed by SIGSEGV +++
>> Segmentation fault
>>
>> On 03.02.2012, at 18:32, Andreas Piesk wrote:
>>
>>> On 03.02.2012 16:09, Oliver Müller wrote:
>>>> You have to paste in this as ONE line (ends with /myapp/):
>>>> [Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/
>>>
>>> That's what I did. Testing the above line up to /myapp/ doesn't produce a segfault on my system.
>>>
>>> regards,
>>> -ap
Re: [ossec-list] Segfaults with overwrite
On Sat, Feb 4, 2012 at 4:01 AM, Oliver Müller <ogmuel...@gmail.com> wrote:
> I definitely get a segfault though and I clear out my local rules. There was nothing in there except for this group with one rule. Is it an Ubuntu problem then?

I don't remember having any issues with Ubuntu, but that VM is inaccessible right now. Any chance you can run ossec-logtest in gdb?

> this is my original rule in apache_rules.xml:
>
> <rule id="30109" level="9">
>   <if_sid>30101</if_sid>
>   <regex>user \S+ not found</regex>
>   <description>Attempt to login using a non-existent user.</description>
>   <group>invalid_login,</group>
> </rule>
>
> and this is the strace I get, when I am testing the log entry with ossec-logtest:
>
> [Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/
> [Mon Jan 23 08:40:46 2012] [erro..., 1024) = 94
> write(2, \n, 1 ) = 1
> write(2, \n, 1 ) = 1
> stat(/etc/localtime, {st_mode=S_IFREG|0644, st_size=2309, ...}) = 0
> write(2, **Phase 1: Completed pre-decodin..., 34**Phase 1: Completed pre-decoding.) = 34
> write(2, \n, 1 ) = 1
> write(2, full event: '[Mon Jan 23 ..., 114 full event: '[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/') = 114
> write(2, \n, 1 ) = 1
> write(2, hostname: 'server', 23 hostname: 'server') = 23
> write(2, \n, 1 ) = 1
> write(2, program_name: '(null)', 29 program_name: '(null)') = 29
> write(2, \n, 1 ) = 1
> write(2, log: '[error] [client 192..., 80 log: '[error] [client 192.168.0.123] user unknownUser not found: /myapp/') = 80
> write(2, \n, 1 ) = 1
> write(2, \n**Phase 2: Completed decoding., 31 **Phase 2: Completed decoding.) = 31
> write(2, \n, 1 ) = 1
> write(2, decoder: 'apache-errorlog..., 33 decoder: 'apache-errorlog') = 33
> write(2, \n, 1 ) = 1
> write(2, srcip: '192.168.0.123', 29 srcip: '192.168.0.123') = 29
> write(2, \n, 1 ) = 1
> --- SIGSEGV (Segmentation fault) @ 0 (0) ---
> +++ killed by SIGSEGV +++
> Segmentation fault
>
> On 03.02.2012, at 18:32, Andreas Piesk wrote:
>
>> On 03.02.2012 16:09, Oliver Müller wrote:
>>> You have to paste in this as ONE line (ends with /myapp/):
>>> [Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/
>>
>> That's what I did. Testing the above line up to /myapp/ doesn't produce a segfault on my system.
>>
>> regards,
>> -ap
Re: [ossec-list] Segfaults with overwrite
Hey,

I see the issue in there. You overwrote the rule 30109, which is an atomic rule dependent on the 30101 (<if_sid>30101</if_sid>). You modified it to be a composite rule and OSSEC didn't like that. It should have warned that you can't use the overwrite to modify a rule from atomic->composite and vice-versa.

In your case, you are better putting that rule as dependent (using <if_matched_sid>30109) then overwriting it.

Thanks,

--
Daniel B. Cid
daniel@gmail.com

On Thu, Feb 2, 2012 at 5:06 AM, Oliver Mueller <ogmuel...@gmail.com> wrote:
> If I add the following rule to local_rules.xml and try to test it with ossec-logtest, I receive a segfault (see below):
>
> <group name="apache,">
>   <rule id="30109" level="9" timeframe="60" frequency="5" overwrite="yes">
>     <!-- Original rule blocked user if login failed once. That's a bit too hard -->
>     <if_matched_sid>30101</if_matched_sid>
>     <regex>user \S+ not found</regex>
>     <description>Attempt to login using a non-existent user.</description>
>     <group>invalid_login,</group>
>   </rule>
> </group>
>
> # ../bin/ossec-logtest
> 2012/01/23 08:55:06 ossec-testrule: INFO: Reading local decoder file.
> 2012/01/23 08:55:06 ossec-testrule: INFO: Started (pid: 32103).
> ossec-testrule: Type one log per line.
>
> [Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/
>
> **Phase 1: Completed pre-decoding.
>        full event: '[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/'
>        hostname: 'server'
>        program_name: '(null)'
>        log: '[error] [client 192.168.0.123] user unknownUser not found: /myapp/'
>
> **Phase 2: Completed decoding.
>        decoder: 'apache-errorlog'
>        srcip: '192.168.0.123'
> Segmentation fault
>
> Is there any update planned to ossec soon?
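Daniel's diagnosis, turned into a pre-flight check one can run over local_rules.xml before ossec-logtest (an added example, not OSSEC's own code): it flags an overwrite="yes" rule that changes the base rule from atomic to composite or back, which is what crashed ossec-logtest in this thread. The embedded rule XML is the thread's; the dependent rule id 100109 is an assumed local-range id, not one from the thread.

```python
import xml.etree.ElementTree as ET

# Children that make an OSSEC rule composite: it fires on earlier matches
# (if_matched_*), not on one decoded event the way an atomic if_sid rule does.
COMPOSITE_MARKERS = {"if_matched_sid", "if_matched_group", "if_matched_regex"}

def load_rules(xml_text):
    """Return {rule_id: <rule> element}; the wrapper allows several <group> blocks."""
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    return {r.get("id"): r for r in root.iter("rule")}

def is_composite(rule):
    child_tags = {child.tag for child in rule}
    return bool(child_tags & COMPOSITE_MARKERS) or rule.get("frequency") is not None

def lint_overwrites(base_xml, local_xml):
    """Warn about overwrite="yes" rules that flip a base rule atomic <-> composite."""
    base, local = load_rules(base_xml), load_rules(local_xml)
    warnings = []
    for rid, rule in local.items():
        if rule.get("overwrite") != "yes" or rid not in base:
            continue
        if is_composite(base[rid]) != is_composite(rule):
            new_kind = "composite" if is_composite(rule) else "atomic"
            warnings.append(f"rule {rid}: overwrite turns the rule {new_kind}; "
                            "add a dependent rule with <if_matched_sid> instead")
    return warnings

# Rule 30109 as quoted from apache_rules.xml in the thread (atomic, depends on 30101).
APACHE_RULES = """<group name="apache,">
  <rule id="30109" level="9">
    <if_sid>30101</if_sid>
    <description>Attempt to login using a non-existent user.</description>
  </rule>
</group>"""
# The overwrite from the original post: atomic -> composite, which crashed ossec-logtest.
BAD_LOCAL = """<group name="apache,">
  <rule id="30109" level="9" timeframe="60" frequency="5" overwrite="yes">
    <if_matched_sid>30101</if_matched_sid>
    <description>Attempt to login using a non-existent user.</description>
  </rule>
</group>"""
# Daniel Cid's suggestion: leave 30109 alone and add a rule that depends on it.
# 100109 is a constructed id in the local rule range, not one from the thread.
GOOD_LOCAL = """<group name="apache,">
  <rule id="100109" level="9" frequency="5" timeframe="60">
    <if_matched_sid>30109</if_matched_sid>
    <description>Repeated login attempts with non-existent users.</description>
  </rule>
</group>"""
```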
Re: [ossec-list] Segfaults with overwrite
On 04.02.2012 10:01, Oliver Müller wrote:
> I definitely get a segfault though and I clear out my local rules. There was nothing in there except for this group with one rule. Is it an Ubuntu problem then?

I would say, yes. Maybe a backtrace of the core dump (compiled with debug info) gives a hint where exactly the segfault occurs.

regards,
-ap
Re: [ossec-list] Segfaults with overwrite
I definitely get a segfault though and I clear out my local rules. There was nothing in there except for this group with one rule. Is it an Ubuntu problem then?

this is my original rule in apache_rules.xml:

<rule id="30109" level="9">
  <if_sid>30101</if_sid>
  <regex>user \S+ not found</regex>
  <description>Attempt to login using a non-existent user.</description>
  <group>invalid_login,</group>
</rule>

and this is the strace I get, when I am testing the log entry with ossec-logtest:

[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/
[Mon Jan 23 08:40:46 2012] [erro..., 1024) = 94
write(2, \n, 1 ) = 1
write(2, \n, 1 ) = 1
stat(/etc/localtime, {st_mode=S_IFREG|0644, st_size=2309, ...}) = 0
write(2, **Phase 1: Completed pre-decodin..., 34**Phase 1: Completed pre-decoding.) = 34
write(2, \n, 1 ) = 1
write(2, full event: '[Mon Jan 23 ..., 114 full event: '[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/') = 114
write(2, \n, 1 ) = 1
write(2, hostname: 'server', 23 hostname: 'server') = 23
write(2, \n, 1 ) = 1
write(2, program_name: '(null)', 29 program_name: '(null)') = 29
write(2, \n, 1 ) = 1
write(2, log: '[error] [client 192..., 80 log: '[error] [client 192.168.0.123] user unknownUser not found: /myapp/') = 80
write(2, \n, 1 ) = 1
write(2, \n**Phase 2: Completed decoding., 31 **Phase 2: Completed decoding.) = 31
write(2, \n, 1 ) = 1
write(2, decoder: 'apache-errorlog..., 33 decoder: 'apache-errorlog') = 33
write(2, \n, 1 ) = 1
write(2, srcip: '192.168.0.123', 29 srcip: '192.168.0.123') = 29
write(2, \n, 1 ) = 1
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
Segmentation fault

On 03.02.2012, at 18:32, Andreas Piesk wrote:

> On 03.02.2012 16:09, Oliver Müller wrote:
>> You have to paste in this as ONE line (ends with /myapp/):
>> [Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/
>
> That's what I did. Testing the above line up to /myapp/ doesn't produce a segfault on my system.
>
> regards,
> -ap
Re: [ossec-list] Segfaults with overwrite
You have to paste in this as ONE line (ends with /myapp/):

[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/

if you only test up to unknownUser it will not segfault.

On 02.02.2012, at 19:33, Andreas Piesk wrote:

> On 02.02.2012 10:06, Oliver Mueller wrote:
>> If I add the following rule to local_rules.xml and try to test it with ossec-logtest, I receive a segfault (see below):
>> ..
>> Is there any update planned to ossec soon?
>
> works for me (RHEL 5.7 64bit):
>
> $ /var/ossec/bin/ossec-logtest -V
> OSSEC HIDS v2.6 - Trend Micro Inc.
>
> $ /var/ossec/bin/ossec-logtest
> ossec-testrule: Type one log per line.
>
> [Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/
>
> **Phase 1: Completed pre-decoding.
>        full event: '[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/'
>        hostname: 'myhost'
>        program_name: '(null)'
>        log: '[error] [client 192.168.0.123] user unknownUser not found: /myapp/'
>
> **Phase 2: Completed decoding.
>        decoder: 'apache-errorlog'
>        srcip: '192.168.0.123'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '30109'
>        Level: '9'
>        Description: 'Attempt to login using a non-existent user.'
> **Alert to be generated.
>
> MfG,
> -ap
Re: [ossec-list] Segfaults with overwrite
On 03.02.2012 16:09, Oliver Müller wrote:
> You have to paste in this as ONE line (ends with /myapp/):
> [Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/

That's what I did. Testing the above line up to /myapp/ doesn't produce a segfault on my system.

regards,
-ap
Re: [ossec-list] Segfaults with overwrite
On Thu, Feb 2, 2012 at 4:06 AM, Oliver Mueller <ogmuel...@gmail.com> wrote:
> If I add the following rule to local_rules.xml and try to test it with ossec-logtest, I receive a segfault (see below):
>
> <group name="apache,">
>   <rule id="30109" level="9" timeframe="60" frequency="5" overwrite="yes">
>     <!-- Original rule blocked user if login failed once. That's a bit too hard -->
>     <if_matched_sid>30101</if_matched_sid>
>     <regex>user \S+ not found</regex>
>     <description>Attempt to login using a non-existent user.</description>
>     <group>invalid_login,</group>
>   </rule>
> </group>
>
> # ../bin/ossec-logtest
> 2012/01/23 08:55:06 ossec-testrule: INFO: Reading local decoder file.
> 2012/01/23 08:55:06 ossec-testrule: INFO: Started (pid: 32103).
> ossec-testrule: Type one log per line.
>
> [Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/
>
> **Phase 1: Completed pre-decoding.
>        full event: '[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/'
>        hostname: 'server'
>        program_name: '(null)'
>        log: '[error] [client 192.168.0.123] user unknownUser not found: /myapp/'
>
> **Phase 2: Completed decoding.
>        decoder: 'apache-errorlog'
>        srcip: '192.168.0.123'
> Segmentation fault

What version of OSSEC? What kind of host?

> Is there any update planned to ossec soon?

Not that I'm aware of.
Re: [ossec-list] Segfaults with overwrite
I am using version OSSEC HIDS v2.6 - Trend Micro Inc. on an Ubuntu 11.10 oneiric.

On 02.02.2012, at 14:19, dan (ddp) wrote:

> On Thu, Feb 2, 2012 at 4:06 AM, Oliver Mueller <ogmuel...@gmail.com> wrote:
>> If I add the following rule to local_rules.xml and try to test it with ossec-logtest, I receive a segfault (see below):
>>
>> <group name="apache,">
>>   <rule id="30109" level="9" timeframe="60" frequency="5" overwrite="yes">
>>     <!-- Original rule blocked user if login failed once. That's a bit too hard -->
>>     <if_matched_sid>30101</if_matched_sid>
>>     <regex>user \S+ not found</regex>
>>     <description>Attempt to login using a non-existent user.</description>
>>     <group>invalid_login,</group>
>>   </rule>
>> </group>
>>
>> # ../bin/ossec-logtest
>> 2012/01/23 08:55:06 ossec-testrule: INFO: Reading local decoder file.
>> 2012/01/23 08:55:06 ossec-testrule: INFO: Started (pid: 32103).
>> ossec-testrule: Type one log per line.
>>
>> [Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: '[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/'
>>        hostname: 'server'
>>        program_name: '(null)'
>>        log: '[error] [client 192.168.0.123] user unknownUser not found: /myapp/'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'apache-errorlog'
>>        srcip: '192.168.0.123'
>> Segmentation fault
>
> What version of OSSEC? What kind of host?
>
>> Is there any update planned to ossec soon?
>
> Not that I'm aware of.
Re: [ossec-list] Segfaults with overwrite
On 02.02.2012 10:06, Oliver Mueller wrote:
> If I add the following rule to local_rules.xml and try to test it with ossec-logtest, I receive a segfault (see below):
> ..
> Is there any update planned to ossec soon?

works for me (RHEL 5.7 64bit):

$ /var/ossec/bin/ossec-logtest -V
OSSEC HIDS v2.6 - Trend Micro Inc.

$ /var/ossec/bin/ossec-logtest
ossec-testrule: Type one log per line.

[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/

**Phase 1: Completed pre-decoding.
       full event: '[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/'
       hostname: 'myhost'
       program_name: '(null)'
       log: '[error] [client 192.168.0.123] user unknownUser not found: /myapp/'

**Phase 2: Completed decoding.
       decoder: 'apache-errorlog'
       srcip: '192.168.0.123'

**Phase 3: Completed filtering (rules).
       Rule id: '30109'
       Level: '9'
       Description: 'Attempt to login using a non-existent user.'
**Alert to be generated.

MfG,
-ap