Re: [ossec-list] Ossec 2.6 Compile errors on Mac Os 10.7.3

2012-04-27 Thread dan (ddp)
Use the real gcc instead of Apple's llvm/clang/whatever it is these days.

On Fri, Apr 27, 2012 at 2:18 PM, Gappa  wrote:
> hi everyone,
> I'm trying to install OSSEC on my Mac.
>
> I get this error:
>
> gcc -g -Wall -I../../ -I../../headers  -DDEFAULTDIR=\"/var/ossec\"
> -DUSE_OPENSSL -DDarwin -DHIGHFIRST    -DARGV0=\"sha1_op\" -DXML_VAR=\"var\"
> -DOSSECHIDS -c sha1_op.c
>
> In file included from sha1_op.c:27:
>
> sha_locl.h: In function ‘sha1_block_host_order’:
>
> sha_locl.h:261: error: unsupported inline asm: input constraint with a
> matching output constraint of incompatible type!
>
> sha_locl.h:261: error: unsupported inline asm: input constraint with a
> matching output constraint of incompatible type!
>
> sha_locl.h:262: error: unsupported inline asm: input constraint with a
> matching output constraint of incompatible type!
>
> sha_locl.h:262: error: unsupported inline asm: input constraint with a
> matching output constraint of incompatible type!
>
> ………..
>
> ……….
>
> sha_locl.h:344: error: unsupported inline asm: input constraint with a
> matching output constraint of incompatible type!
>
> sha_locl.h:345: error: unsupported inline asm: input constraint with a
> matching output constraint of incompatible type!
>
> sha_locl.h:345: error: unsupported inline asm: input constraint with a
> matching output constraint of incompatible type!
>
> sha_locl.h:345: error: unsupported inline asm: input constraint with a
> matching output constraint of incompatible type!
>
> make[2]: *** [sha1] Error 1
>
> make[1]: *** [os_crypto] Error 2
>
>
> I searched for some prerequisites to install on the Mac and I only found
> Xcode, which I have.
>
> Can anyone help me with this error?
>
> Thanks
>
> Gappa


[ossec-list] Ossec 2.6 Compile errors on Mac Os 10.7.3

2012-04-27 Thread Gappa
hi everyone,
I'm trying to install OSSEC on my Mac.

I get this error:

gcc -g -Wall -I../../ -I../../headers  -DDEFAULTDIR=\"/var/ossec\"
-DUSE_OPENSSL -DDarwin -DHIGHFIRST -DARGV0=\"sha1_op\" -DXML_VAR=\"var\"
-DOSSECHIDS -c sha1_op.c

In file included from sha1_op.c:27:

sha_locl.h: In function ‘sha1_block_host_order’:

sha_locl.h:261: error: unsupported inline asm: input constraint with a 
matching output constraint of incompatible type!

sha_locl.h:261: error: unsupported inline asm: input constraint with a 
matching output constraint of incompatible type!

sha_locl.h:262: error: unsupported inline asm: input constraint with a 
matching output constraint of incompatible type!

sha_locl.h:262: error: unsupported inline asm: input constraint with a 
matching output constraint of incompatible type!

………..

……….

sha_locl.h:344: error: unsupported inline asm: input constraint with a 
matching output constraint of incompatible type!

sha_locl.h:345: error: unsupported inline asm: input constraint with a 
matching output constraint of incompatible type!

sha_locl.h:345: error: unsupported inline asm: input constraint with a 
matching output constraint of incompatible type!

sha_locl.h:345: error: unsupported inline asm: input constraint with a 
matching output constraint of incompatible type!

make[2]: *** [sha1] Error 1

make[1]: *** [os_crypto] Error 2


I searched for some prerequisites to install on the Mac and I only found
Xcode, which I have.

Can anyone help me with this error?

Thanks

Gappa


Re: [ossec-list] some levels hides a rule?

2012-04-27 Thread ignasr
Ahh, I see now. Must have missed that in the documentation, or just forgot.

Thank you!

On Friday, April 27, 2012 5:49:08 PM UTC+3, Daniel Cid wrote:
>
> Hey, 
>
> It doesn't get checked, because it will try rule 100112 first 
> (which would have a high severity) and that matches 
> the event. 
>
> Internally, it organizes the sub-rules in order of severity, so it 
> always tries the high-severity ones first, followed 
> by the others (level 0 is also the first to be checked). 
>
> Makes sense? 
>
> Thanks, 
>
> -- 
> Daniel B. Cid 
> http://dcid.me 
>
>
> On Fri, Apr 27, 2012 at 10:49 AM, ignasr  wrote: 
> > Hello, 
> > 
> > I have a simple rule tree: 
> > 
> >  
> > 1 
> > [rsyslog-pri 0]|[rsyslog-pri 1]|[rsyslog-pri 2]|[rsyslog-pri 3] 
> > high_lvl_syslog, 
> > Unspecified err, crit, alert or emerg syslog 
> > event. 
> >  
> > 
> >  
> > 100101 
> > Aasdfkljasdklfjasdss 
> > Ignoring asdfasdfa. 
> > high_lvl_syslog_ignore 
> >  
> > 
> >  
> > 100101 
> > Assuming drive cache 
> > Ignoring known high level alerts. 
> > high_lvl_syslog_ignore 
> >  
> > 
> > and it works, ex: 
> > 
> > 2012-04-19T13:53:02+03:00 x kernel: [7329650.152821] sd 
> > 26:0:0:0: [sdc] Assuming drive cache: write through [rsyslog-pri 3] 
> > 
> > Trying rule: 5903 - Group (or user) deleted from the system 
> > Trying rule: 100101 - Unspecified err, crit, alert or emerg syslog 
> > event. 
> >*Rule 100101 matched. 
> >*Trying child rules. 
> > Trying rule: 100111 - Ignoring asdfasdfa. 
> > Trying rule: 100112 - Ignoring known high level alerts. 
> >*Rule 100112 matched. 
> > **Phase 3: Completed filtering (rules). 
> >Rule id: '100112' 
> >Level: '12' 
> >Description: 'Ignoring known high level alerts.' 
> > 
> > The problem: if I change   level to 1 through 11, that 
> > rule doesn't get checked at all: 
> > 
> >  
> > 100101 
> > Aasdfkljasdklfjasdss 
> > Ignoring asdfasdfa. 
> > high_lvl_syslog_ignore 
> >  
> > 
> > Trying rule: 5903 - Group (or user) deleted from the system 
> > Trying rule: 100101 - Unspecified err, crit, alert or emerg syslog 
> > event. 
> >*Rule 100101 matched. 
> >*Trying child rules. 
> > Trying rule: 100112 - Ignoring known high level alerts. 
> >*Rule 100112 matched. 
> > **Phase 3: Completed filtering (rules). 
> >Rule id: '100112' 
> >Level: '12' 
> >Description: 'Ignoring known high level alerts.' 
> > 
> > What am I missing here? 
> > 
> > Thank you. 
>


Re: [ossec-list] some levels hides a rule?

2012-04-27 Thread Daniel Cid
Hey,

It doesn't get checked, because it will try rule 100112 first
(which would have a high severity) and that matches
the event.

Internally, it organizes the sub-rules in order of severity, so it
always tries the high-severity ones first, followed
by the others (level 0 is also the first to be checked).

Makes sense?

Thanks,

--
Daniel B. Cid
http://dcid.me


On Fri, Apr 27, 2012 at 10:49 AM, ignasr  wrote:
> Hello,
>
> I have a simple rule tree:
>
>     
>         1
>         [rsyslog-pri 0]|[rsyslog-pri 1]|[rsyslog-pri 2]|[rsyslog-pri
> 3]
>         high_lvl_syslog,
>         Unspecified err, crit, alert or emerg syslog
> event.
>     
>
>     
>         100101
>         Aasdfkljasdklfjasdss
>         Ignoring asdfasdfa.
>         high_lvl_syslog_ignore
>     
>
>     
>         100101
>         Assuming drive cache
>         Ignoring known high level alerts.
>         high_lvl_syslog_ignore
>     
>
> and it works, ex:
>
> 2012-04-19T13:53:02+03:00 158.129.128.243 kernel: [7329650.152821] sd
> 26:0:0:0: [sdc] Assuming drive cache: write through [rsyslog-pri 3]
>
>     Trying rule: 5903 - Group (or user) deleted from the system
>     Trying rule: 100101 - Unspecified err, crit, alert or emerg syslog
> event.
>        *Rule 100101 matched.
>        *Trying child rules.
>     Trying rule: 100111 - Ignoring asdfasdfa.
>     Trying rule: 100112 - Ignoring known high level alerts.
>        *Rule 100112 matched.
> **Phase 3: Completed filtering (rules).
>        Rule id: '100112'
>        Level: '12'
>        Description: 'Ignoring known high level alerts.'
>
> The problem: if I change   level to 1 through 11, that
> rule doesn't get checked at all:
>
>     
>         100101
>         Aasdfkljasdklfjasdss
>         Ignoring asdfasdfa.
>         high_lvl_syslog_ignore
>     
>
>     Trying rule: 5903 - Group (or user) deleted from the system
>     Trying rule: 100101 - Unspecified err, crit, alert or emerg syslog
> event.
>        *Rule 100101 matched.
>        *Trying child rules.
>     Trying rule: 100112 - Ignoring known high level alerts.
>        *Rule 100112 matched.
> **Phase 3: Completed filtering (rules).
>        Rule id: '100112'
>        Level: '12'
>        Description: 'Ignoring known high level alerts.'
>
> What am I missing here?
>
> Thank you.
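The ordering Daniel describes above (level 0 children first, then the highest level down to the lowest, first match wins) is what makes rule 100111 disappear from the trace once its level drops below 12. The following simulation is an added example, not OSSEC's own code: it rebuilds the rule tree from this thread as Python dictionaries (the XML tags did not survive on the page, so the field names `id`, `level`, `parent`, `match` are assumed), treats `<match>` as a simple substring-or test with `|` as the alternative separator, and walks the children in severity order so you can compare the trace it produces with the two `Trying rule:` traces posted by ignasr.

```python
# Constructed rule tree mirroring the one posted in this thread; field names
# are assumed, since the rule XML markup itself was stripped from the page.
RULES = [
    {"id": 100101, "level": 1, "parent": None,
     "match": "[rsyslog-pri 0]|[rsyslog-pri 1]|[rsyslog-pri 2]|[rsyslog-pri 3]",
     "description": "Unspecified err, crit, alert or emerg syslog event."},
    {"id": 100111, "level": 12, "parent": 100101,
     "match": "Aasdfkljasdklfjasdss",
     "description": "Ignoring asdfasdfa."},
    {"id": 100112, "level": 12, "parent": 100101,
     "match": "Assuming drive cache",
     "description": "Ignoring known high level alerts."},
]

# The kernel line from the thread (host anonymised as in ignasr's first post).
EVENT = ("2012-04-19T13:53:02+03:00 x kernel: [7329650.152821] sd "
         "26:0:0:0: [sdc] Assuming drive cache: write through [rsyslog-pri 3]")


def matches(pattern, log):
    """Simplified <match>: '|' separates alternatives, each a plain substring."""
    return any(alt in log for alt in pattern.split("|"))


def children_in_check_order(rules, parent_id):
    """Order children as Daniel describes: level 0 first, then highest level
    down to lowest. The sort is stable, so equal levels keep definition order."""
    kids = [r for r in rules if r["parent"] == parent_id]
    return sorted(kids, key=lambda r: (0 if r["level"] == 0 else 1, -r["level"]))


def evaluate(rules, log, parent_id=None):
    """Return (trace, matched_rule). `trace` lists rule ids in the order they
    were tried; the first child that matches wins and its subtree is descended."""
    trace = []
    for rule in children_in_check_order(rules, parent_id):
        trace.append(rule["id"])
        if matches(rule["match"], log):
            sub_trace, sub_match = evaluate(rules, log, rule["id"])
            trace.extend(sub_trace)
            return trace, (sub_match or rule)
    return trace, None


def with_level(rules, rule_id, level):
    """Copy of the rule list with one rule's level changed (the experiment
    ignasr ran on rule 100111)."""
    return [dict(r, level=level) if r["id"] == rule_id else r for r in rules]


if __name__ == "__main__":
    for label, rules in (("100111 at level 12", RULES),
                         ("100111 at level 5", with_level(RULES, 100111, 5)),
                         ("100111 at level 0", with_level(RULES, 100111, 0))):
        trace, hit = evaluate(rules, EVENT)
        print(f"{label}: tried {trace}, matched {hit['id']} ({hit['description']})")
```

With both children at level 12 the trace is 100101, 100111, 100112, exactly as in the first posted log; at level 5 the sort moves 100112 ahead, it matches, and 100111 is never tried, which is the second log. Setting 100111 to level 0 puts it back in front, so a level 0 "noise" child is the reliable way to make it run before a higher-severity sibling.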


[ossec-list] some levels hides a rule?

2012-04-27 Thread ignasr
Hello,

I have a simple rule tree:


1
[rsyslog-pri 0]|[rsyslog-pri 1]|[rsyslog-pri 2]|[rsyslog-pri 
3]
high_lvl_syslog,
Unspecified err, crit, alert or emerg syslog 
event.



100101
Aasdfkljasdklfjasdss
Ignoring asdfasdfa.
high_lvl_syslog_ignore



100101
Assuming drive cache
Ignoring known high level alerts.
high_lvl_syslog_ignore


and it works, ex:

2012-04-19T13:53:02+03:00 158.129.128.243 kernel: [7329650.152821] sd 
26:0:0:0: [sdc] Assuming drive cache: write through [rsyslog-pri 3]

Trying rule: 5903 - Group (or user) deleted from the system
Trying rule: 100101 - Unspecified err, crit, alert or emerg syslog 
event.
   *Rule 100101 matched.
   *Trying child rules.
Trying rule: 100111 - Ignoring asdfasdfa.
Trying rule: 100112 - Ignoring known high level alerts.
   *Rule 100112 matched.
**Phase 3: Completed filtering (rules).
   Rule id: '100112'
   Level: '12'
   Description: 'Ignoring known high level alerts.'

*The problem*: if I change   level to 1 through 11, that 
rule doesn't get checked at all:


100101
Aasdfkljasdklfjasdss
Ignoring asdfasdfa.
high_lvl_syslog_ignore


Trying rule: 5903 - Group (or user) deleted from the system
Trying rule: 100101 - Unspecified err, crit, alert or emerg syslog 
event.
   *Rule 100101 matched.
   *Trying child rules.
Trying rule: 100112 - Ignoring known high level alerts.
   *Rule 100112 matched.
**Phase 3: Completed filtering (rules).
   Rule id: '100112'
   Level: '12'
   Description: 'Ignoring known high level alerts.'

What am I missing here?

Thank you.


[ossec-list] Question about custom rule configuration

2012-04-27 Thread Patrick


I have a script that does a ping to a group of my servers and if the device 
is unreachable it writes to the log file.


I have a custom parser working and my custom rules are working.

The issue I have now is that I need a way to ignore repeat consecutive 
"Server unreachable for 3 attempts" but only the ones that come from the 
same source IP. I have added an ignore inside of the rule header but the 
issue that I have is that if another server goes offline it does not 
trigger the alarm.


Any suggestions as to how I can set this rule up so I do not get flooded 
with alerts from the same IP but do get alerted on new issues?

Here are examples of the log data, decoder rules, and local_rules. Please 
let me know if you need any more information.


 Log Example Snippet 

Apr 27 07:15:00 OSSEC_SVR scripting: [PING_ALL] Server Name 1 - 0001 - 
172.16.1.1 - is unreachable

Apr 27 08:00:00 OSSEC_SVR scripting: [PING_ALL] Server Name 2 - 0002 - 
172.16.1.2 - is unreachable



 local_decoder.xml snippet 



scripting






custom_scripts

[PING_ALL]

^\s(\.+\s-\s\d+)\s-\s(\d+.\d+.\d+.\d+)\s-\s(\.+)

user,srcip,status




 local_rules.xml snippet 





custom_scripts

Custom_Scripts Catch All






100600

is unreachable

Server Unreachable






100610



Server unreachable for 3 attempts







Thanks,

Patrick
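The behaviour Patrick is asking for, suppress repeats of "Server unreachable" from one source IP for a while but still alert the first time a different IP fails, is easier to reason about with a reference implementation to compare the OSSEC configuration against. The following is an added example and not OSSEC code or configuration: it translates the decoder regex from Patrick's local_decoder.xml into Python (OSSEC's `\.` wildcard becomes `.`, `\s` becomes a literal space, and the IP capture is tightened), parses constructed log lines in his format (the year is assumed, since syslog timestamps omit it), and keys the suppression window on the decoded `srcip` field so that a second host going offline still raises an alert.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format Patrick posted: one host flapping repeatedly,
# a second host failing once in between.
SAMPLE_LOG = """\
Apr 27 07:15:00 OSSEC_SVR scripting: [PING_ALL] Server Name 1 - 0001 - 172.16.1.1 - is unreachable
Apr 27 07:20:00 OSSEC_SVR scripting: [PING_ALL] Server Name 1 - 0001 - 172.16.1.1 - is unreachable
Apr 27 08:00:00 OSSEC_SVR scripting: [PING_ALL] Server Name 2 - 0002 - 172.16.1.2 - is unreachable
Apr 27 08:05:00 OSSEC_SVR scripting: [PING_ALL] Server Name 1 - 0001 - 172.16.1.1 - is unreachable
Apr 27 09:30:00 OSSEC_SVR scripting: [PING_ALL] Server Name 1 - 0001 - 172.16.1.1 - is unreachable
"""

# Python rendering of the decoder regex on the page, with the same three
# captures (user, srcip, status) plus the syslog timestamp.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ scripting: \[PING_ALL\] "
    r"(?P<user>.+ - \d+) - (?P<srcip>\d{1,3}(?:\.\d{1,3}){3}) - (?P<status>.+)$"
)


def decode(line, year=2012):
    """Return the decoded fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"timestamp": ts, "user": m["user"],
            "srcip": m["srcip"], "status": m["status"]}


class PerSourceSuppressor:
    """Alert on the first event from a source IP, then stay quiet for that IP
    for `window` measured from the last alert it produced. Other IPs are
    tracked independently, so a new host failing always alerts."""

    def __init__(self, window):
        self.window = window
        self.last_alert = {}          # srcip -> timestamp of last alert

    def should_alert(self, event):
        key = event["srcip"]
        last = self.last_alert.get(key)
        if last is not None and event["timestamp"] - last < self.window:
            return False              # still inside the quiet window for this IP
        self.last_alert[key] = event["timestamp"]
        return True


def run(log_text, window=timedelta(hours=1)):
    """Decode every line, keep 'is unreachable' events, apply per-IP suppression.
    Returns (HH:MM, srcip) pairs for the events that would have alerted."""
    suppressor = PerSourceSuppressor(window)
    alerts = []
    for line in log_text.splitlines():
        ev = decode(line)
        if ev and "is unreachable" in ev["status"] and suppressor.should_alert(ev):
            alerts.append((ev["timestamp"].strftime("%H:%M"), ev["srcip"]))
    return alerts


if __name__ == "__main__":
    for when, ip in run(SAMPLE_LOG):
        print(f"{when} alert: {ip} unreachable")
```

Run against the sample, this alerts at 07:15 and 09:30 for 172.16.1.1 and at 08:00 for 172.16.1.2; the 07:20 and 08:05 repeats from the first host are dropped. Note that the quiet window is measured from the last alert, not from the last suppressed event, so a host that never recovers re-alerts once per window rather than staying silent forever; whichever OSSEC option ends up being used, that is the property worth checking with a test log like this one.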