I would like to do that, BUT that just doesn't work. I asked for that feature
in previous mails and the recommendation was to override rules.
Check out:
http://groups.google.com/group/ossec-list/browse_thread/thread/c48f0017cd131ea2/1def88460fe1f637?lnk=gstq=ogmueller#1def88460fe1f637
On
I would like to help you on that one, but I don't have gdb running nor
experiences with it…
On 06.02.2012, at 12:52, dan (ddp) wrote:
On Sat, Feb 4, 2012 at 4:01 AM, Oliver Müller ogmuel...@gmail.com wrote:
I definitely get a segfault though and I clear out my local rules. There was
nothing in there except for this group with one rule.
Is it an Ubuntu problem then?
I don't remember having any issues with Ubuntu, but that VM
Hey,
I see the issue in there. You overwrote the rule 30109, which is an atomic rule
dependent on the 30101 (<if_sid>30101</if_sid>).
You modified it to be a composite rule and OSSEC didn't like that. It should have
warned that you can't use the overwrite to modify a rule from atomic-composite and
On 04.02.2012 10:01, Oliver Müller wrote:
I definitely get a segfault though and I clear out my local rules. There was
nothing in there except for this group with one rule.
Is it an Ubuntu problem then?
i would say, yes.
maybe a backtrace of the core dump (compiled with debug info) gives a
I definitely get a segfault though and I clear out my local rules. There was
nothing in there except for this group with one rule.
Is it an Ubuntu problem then?
this is my original rule in apache_rules.xml :
<rule id="30109" level="9">
<if_sid>30101</if_sid>
<regex>user \S+ not
You have to paste in this as ONE line (ends with /myapp/):
[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not
found: /myapp/
if you only test up to unknownUser it will not segfault.
On 02.02.2012, at 19:33, Andreas Piesk wrote:
On 02.02.2012 10:06, Oliver
On 03.02.2012 16:09, Oliver Müller wrote:
You have to paste in this as ONE line (ends with /myapp/):
[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser
not found: /myapp/
that's what i did. testing the above line up to /myapp/ doesn't produce a
segfault on my
On Thu, Feb 2, 2012 at 4:06 AM, Oliver Mueller ogmuel...@gmail.com wrote:
If I add the following rule to local_rules.xml and try to test it with
ossec-logtest, I receive a segfault (see below):
<group name="apache,">
<rule id="30109" level="9" timeframe="60" frequency="5" overwrite="yes">
<!--
I am using version OSSEC HIDS v2.6 - Trend Micro Inc. on an Ubuntu 11.10
oneiric.
On 02.02.2012, at 14:19, dan (ddp) wrote:
On Thu, Feb 2, 2012 at 4:06 AM, Oliver Mueller ogmuel...@gmail.com wrote:
If I add the following rule to local_rules.xml and try to test it with
ossec-logtest, I
On 02.02.2012 10:06, Oliver Mueller wrote:
If I add the following rule to local_rules.xml and try to test it with
ossec-logtest, I receive a
segfault (see below):
..
Is there any update planned to ossec soon?
works for me (RHEL 5.7 64bit):
$ /var/ossec/bin/ossec-logtest -V
OSSEC HIDS
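
Added example, not part of the thread and not OSSEC project code: a check to run before ossec-logtest that flags overwrite="yes" rules in local_rules.xml which add or drop frequency/timeframe relative to the stock rule, the atomic-to-composite change described above. Rule id 30199 and both XML samples are constructed, and treating frequency/timeframe as the marker of a composite rule is an assumption.

```python
import re

COMMENT = re.compile(r"<!--.*?-->", re.S)
RULE_TAG = re.compile(r"<rule\s+([^>]*)>")
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
COMPOSITE_ATTRS = ("frequency", "timeframe")  # assumption: these make a rule composite

def rule_attrs(xml_text):
    """Map rule id -> attributes of its <rule ...> opening tag (comments ignored).
    Regex-based because OSSEC rule files are not guaranteed to be well-formed XML."""
    rules = {}
    for m in RULE_TAG.finditer(COMMENT.sub("", xml_text)):
        attrs = dict(ATTR.findall(m.group(1)))
        if "id" in attrs:
            rules.setdefault(attrs["id"], attrs)
    return rules

def is_composite(attrs):
    return any(name in attrs for name in COMPOSITE_ATTRS)

def risky_overwrites(stock_xml, local_xml):
    """Return ids of overwrite rules that switch between atomic and composite."""
    stock = rule_attrs(stock_xml)
    findings = []
    for rid, attrs in rule_attrs(local_xml).items():
        if attrs.get("overwrite") != "yes" or rid not in stock:
            continue
        if is_composite(attrs) != is_composite(stock[rid]):
            findings.append(rid)
    return findings

# Constructed stand-in for the stock apache rules (children abbreviated).
STOCK = """<group name="apache,">
  <rule id="30109" level="9"><if_sid>30101</if_sid></rule>
  <rule id="30199" level="5"><if_sid>30101</if_sid></rule>
</group>"""

# Constructed local_rules.xml: 30109 gains frequency/timeframe, 30199 only changes level.
LOCAL = """<group name="apache,">
  <rule id="30109" level="9" timeframe="60" frequency="5" overwrite="yes">
    <if_sid>30101</if_sid>
  </rule>
  <!-- <rule id="30199" level="7" frequency="3" overwrite="yes"> disabled -->
  <rule id="30199" level="7" overwrite="yes"><if_sid>30101</if_sid></rule>
</group>"""

if __name__ == "__main__":
    for rid in risky_overwrites(STOCK, LOCAL):
        print(f"rule {rid}: overwrite changes atomic/composite type")
```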