Re: [ossec-list] Problems using multiple sid in a custom rule

2012-04-03 Thread C. L. Martinez
It seems that some type of limit exists when IP lists are used ... I have recreated my custom rule file using only one sid inside the if_sid option, and it doesn't work either:
2012/04/03 11:15:23 ossec-analysisd: INFO: Reading rules file: 'my_rbn_rules.xml'
2012/04/03 11:15:23 ossec-remoted: INFO:

Re: [ossec-list] Problems using multiple sid in a custom rule

2012-04-03 Thread C. L. Martinez
It doesn't show anything strange:
[root@srvtest bin]# /data/ossec/bin/ossec-logtest -t
2012/04/03 06:29:28 ossec-testrule: INFO: Reading local decoder file.
[root@srvtest bin]#
On Mon, Apr 2, 2012 at 5:30 PM, dan (ddp) ddp...@gmail.com wrote:
> /var/ossec/bin/logtest -t Try troubleshooting the

Re: [ossec-list] Problems using multiple sid in a custom rule

2012-04-03 Thread dan (ddp)
Try running everything in debug mode, and maybe run analysisd in gdb. Also, have you tried removing the new rule to see if that fixes it?
On Apr 3, 2012 8:44 AM, C. L. Martinez carlopm...@gmail.com wrote:
> It seems that some type of limit exists when IP lists are used ... I have recreated my

Re: [ossec-list] Problems using multiple sid in a custom rule

2012-04-03 Thread C. L. Martinez
Yes, I have tried, but I don't see where the problem is ... At this moment I am trying to use a cdb list and it works OK ... but only if I use an IP address and not a subnet address. For example:
109.73.106.2:rbn --- this works, an alert is triggered like it does using a simple rule
109.94.208.0/20:rbn --

Re: [ossec-list] Problems using multiple sid in a custom rule

2012-04-03 Thread dan (ddp)
Check the documentation. I thought CIDRs were represented differently. Are you using address_match_key?
On Apr 3, 2012 9:27 AM, C. L. Martinez carlopm...@gmail.com wrote:
> Yes, I have tried, but I don't see where the problem is ... At this moment I am trying to use a cdb list and it works OK ...

Re: [ossec-list] Problems using multiple sid in a custom rule

2012-04-03 Thread C. L. Martinez
Yes, and it works ... when I use an IP address but not when I use CIDR notation. Reading the documentation, subnets need to be defined like this:
74.115.28.:rbn
But RBN IPs come as single addresses and in CIDR notation in the same file ... So, I need to do a lot of shell scripting to configure

[ossec-list] Problems using multiple sid in a custom rule

2012-04-02 Thread C. L. Martinez
Hi all, I have a strange problem. I have defined a custom rule to trigger an alert when an RBN IP comes as a srcip in my log file. For example:
<group name="rbn,">
  <rule id="110008" level="14">
    <if_sid>100202,100203,100201</if_sid>
    <srcip>108.60.159.33</srcip>
    <description>Connection from RBN

Re: [ossec-list] Problems using multiple sid in a custom rule

2012-04-02 Thread dan (ddp)
/var/ossec/bin/logtest -t
Try troubleshooting the issue.
On Apr 2, 2012 6:31 AM, C. L. Martinez carlopm...@gmail.com wrote:
> Hi all, I have a strange problem. I have defined a custom rule to trigger an alert when an RBN IP comes as a srcip in my log file. For example: group name=rbn,