Hi Sioban,
I know what is going on... On 1.0, we changed the way the <regex> and <match> tags work. In the previous versions, they would match on everything starting at the process name, but now it starts after that... Now, for some of your logs you could use:

<program_name>mimedefang.pl</program_name>

Or write your regexes without looking at the program name:

<regex>Error strings? : yes|^MDLOG,\w+,mail_in|MDLOG,\w+,modify||MDLOG,\w+,spam|: don't print any messages or errors|mlnet_error|^Device: /dev/hde, SMART Prefailure Attribute: 8 Seek_Time_Performance changed from 252 to 253|^Device: /dev/hde, SMART Prefailure Attribute: 8 Seek_Time_Performance changed from 253 to 252|Unable to connect to shock.cloudmark.com|^MDLOG,\w+,drop,Bad html: Image cidN</regex>

Hope it helps.

-- 
Daniel B. Cid
dcid ( at ) ossec.net

On 1/19/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Hi.

I was using ossec 0.9.x without problem and decided to upgrade to 1.0. This rule was working:

<rule id="109999" level="0">
  <if_sid>1002</if_sid>
  <regex>Error strings? : yes|mimedefang.pl[\d+]: MDLOG,\w+,mail_in|mimedefang.pl[\d+]: MDLOG,\w+,modify||mimedefang.pl[\d+]: MDLOG,\w+,spam|: don't print any messages or errors|mlnet_error|smartd[\d+]: Device: /dev/hde, SMART Prefailure Attribute: 8 Seek_Time_Performance changed from 252 to 253|smartd[\d+]: Device: /dev/hde, SMART Prefailure Attribute: 8 Seek_Time_Performance changed from 253 to 252|Unable to connect to shock.cloudmark.com|mimedefang.pl[\d+]: MDLOG,\w+,drop,Bad html: Image cidN</regex>
  <description>Events ignored</description>
</rule>

But since 1.0 it seems that it doesn't anymore:

- Jan 19 09:15:08 shax mimedefang.pl[11406]: MDLOG,l0J8EflD010567,modify,CHANGE NOTIMG Not image http://adserver.adtech.de/adserv|3.0|224|135569|0|1|ADTECH;grp=1;loc=300; CHANGE NOTIMG Not image http://mirror.apec.fr/r/?id=hbb27cc%2C4339828%2C1 ,,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,12 Offre(s) xxxx du 19/01/2007
  -> Should have been caught by "mimedefang.pl[\d+]: MDLOG,\w+,modify"

- Jan 18 17:14:02 shax mimedefang.pl[25011]: MDLOG,l0IGDBvv011712,mail_in,,,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,[mod-security-users] Bad Gateway

- Jan 19 09:15:31 shax mimedefang.pl[11406]: MDLOG,l0J8EflD010567,mail_in,,,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,12 Offre(s) xxxx du 19/01/2007
  -> Should have been caught by "mimedefang.pl[\d+]: MDLOG,\w+,mail_in"

I've noted that I have "||" in the regex, just after the "modify" keyword. Maybe that's the problem; I've removed it now and I'll see if it happens again.

Bye.
Sioban
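As an added illustration, and not code from either message or from OSSEC itself, the following Python script models the behaviour change described in the thread: a rule's <regex> applied from the program name onwards (the 0.9.x behaviour described above) versus applied only to the text after "program[pid]: " (the 1.0 behaviour). It uses a simplified syslog decoder standing in for OSSEC's, and the patterns are Python `re` translations of the OSSEC ones (OSSEC has its own regex dialect, so `[` and `.` are escaped here where OSSEC treats them literally). The log lines are constructed from the ones quoted in the thread, with the e-mail addresses replaced by placeholders, plus one smartd line and one unrelated sshd line to show a non-match.

```python
import re

# Constructed sample lines modelled on the thread (addresses are placeholders).
SAMPLE_LOGS = [
    "Jan 19 09:15:08 shax mimedefang.pl[11406]: MDLOG,l0J8EflD010567,modify,CHANGE NOTIMG Not image http://adserver.adtech.de/adserv|3.0|224|135569|0|1|ADTECH;grp=1;loc=300;,,<a@example.org>,<b@example.org>,12 Offre(s) xxxx du 19/01/2007",
    "Jan 18 17:14:02 shax mimedefang.pl[25011]: MDLOG,l0IGDBvv011712,mail_in,,,<a@example.org>,<b@example.org>,[mod-security-users] Bad Gateway",
    "Jan 19 09:15:31 shax mimedefang.pl[11406]: MDLOG,l0J8EflD010567,mail_in,,,<a@example.org>,<b@example.org>,12 Offre(s) xxxx du 19/01/2007",
    "Jan 19 09:16:00 shax smartd[2201]: Device: /dev/hde, SMART Prefailure Attribute: 8 Seek_Time_Performance changed from 252 to 253",
    "Jan 19 09:17:00 shax sshd[3344]: Failed password for invalid user admin from 10.0.0.5 port 4022 ssh2",
]

# Simplified BSD-syslog decoder (a stand-in for OSSEC's decoder, not its code):
# timestamp, host, program name, optional [pid], then the message body.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def decode(line):
    """Split a syslog line into fields; also keep the text from the program name on."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["from_prog"] = line[m.start("prog"):]  # "mimedefang.pl[11406]: MDLOG,..."
    return fields


# Sioban's 109999 as written: patterns anchored on "program[pid]: " (Python re form).
RULE_OLD = {
    "regex": re.compile(
        r"mimedefang\.pl\[\d+\]: MDLOG,\w+,mail_in"
        r"|mimedefang\.pl\[\d+\]: MDLOG,\w+,modify"
        r"|smartd\[\d+\]: Device: /dev/hde, SMART Prefailure Attribute: 8 Seek_Time_Performance changed from 252 to 253"
    )
}

# Daniel's first suggestion: the same patterns with the program name dropped.
RULE_NEW = {
    "regex": re.compile(
        r"^MDLOG,\w+,mail_in"
        r"|^MDLOG,\w+,modify"
        r"|^Device: /dev/hde, SMART Prefailure Attribute: 8 Seek_Time_Performance changed from 252 to 253"
    )
}

# Daniel's second suggestion: select the program with <program_name>, then match the body.
RULE_PROG = {
    "program_name": "mimedefang.pl",
    "regex": re.compile(r"^MDLOG,\w+,(mail_in|modify|spam)"),
}


def matches(rule, line, version):
    """Evaluate a rule under the two matching behaviours described in the thread.

    version "0.9": regex applied to everything from the program name onwards.
    version "1.0": regex applied only to the message after "program[pid]: ".
    """
    f = decode(line)
    if f is None:
        return False
    if rule.get("program_name") and f["prog"] != rule["program_name"]:
        return False
    target = f["from_prog"] if version == "0.9" else f["msg"]
    return rule["regex"].search(target) is not None


def ignored_lines(rule, version, lines=SAMPLE_LOGS):
    """Return the lines a level-0 'Events ignored' rule would swallow."""
    return [line for line in lines if matches(rule, line, version)]


def empty_alternative_matches_everything():
    """In Python re, the '||' from the original rule is an empty alternative that
    matches every string. OSSEC's own engine may treat it differently; this only
    shows why the stray '||' is worth removing before looking further."""
    pattern = re.compile(r"MDLOG,\w+,modify||MDLOG,\w+,spam")
    return pattern.search("Failed password for invalid user admin") is not None


if __name__ == "__main__":
    for name, rule in (("old-style", RULE_OLD), ("new-style", RULE_NEW), ("program_name", RULE_PROG)):
        for version in ("0.9", "1.0"):
            print(f"{name:13s} under {version}: ignores {len(ignored_lines(rule, version))} of {len(SAMPLE_LOGS)} lines")
    print("empty alternative matches everything:", empty_alternative_matches_everything())
```

Run as-is, the old-style rule swallows the three mimedefang lines and the smartd line under the 0.9 behaviour and nothing under the 1.0 behaviour, which is the silent failure described in the thread; the rewritten regex and the program_name variant match again under 1.0, and the sshd line is never matched by any variant. The last function is the check to run on any rule that mixes alternatives by hand: an empty alternative turns a level-0 ignore rule into one that ignores every event.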
