Today to save some resources I was trying to trim down ossec by
removing rules for applications we don't use (no point in running
symantec rules when we don't use any of their products).
In the process of paring down the rules, I noticed that you can't
disable courier_rules.xml. If you do, ossec refuses to start with
this error:
2008/10/29 06:14:46 rules_list: Group 'connection_attempt' not found. Invalid 'if_group'.
The same goes for mcafee_av_rules.xml; commenting that out produces:
2008/10/29 06:22:43 rules_list: Group 'virus' not found. Invalid 'if_group'.
Is this a bug? It's not any big deal, it just seems like odd
behavior. Someone please correct me if I'm wrong.
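
A pre-flight check for the dependency these errors point to, as an added example that is not part of the original post or of OSSEC: it reports which `if_group` references would be left without a defining group if a set of rule files were disabled. It assumes groups are declared through `<group name="...">` wrappers and `<group>` elements inside rules, ignores rule load order, and runs on constructed sample rule text; example_av_rules.xml and example_correlation_rules.xml are hypothetical file names.

```python
import re

# Constructed, heavily trimmed stand-ins for rule files (not the shipped OSSEC rules).
# example_av_rules.xml and example_correlation_rules.xml are hypothetical names.
SAMPLE_RULES = {
    "courier_rules.xml": '<group name="syslog,courier,">\n'
        '<rule id="100001" level="3"><match>LOGIN</match>'
        '<group>connection_attempt,</group></rule>\n</group>',
    "mcafee_av_rules.xml": '<group name="mcafee,">\n'
        '<rule id="100002" level="7"><match>infected</match>'
        '<group>virus,</group></rule>\n</group>',
    "example_av_rules.xml": '<group name="example_av,">\n'
        '<!-- <if_group>ignored_in_comment</if_group> -->\n'
        '<rule id="100003" level="7"><match>malware</match>'
        '<group>virus,</group></rule>\n</group>',
    "example_correlation_rules.xml": '<group name="local,">\n'
        '<rule id="100004" level="10"><if_group>connection_attempt</if_group></rule>\n'
        '<rule id="100005" level="12"><if_group>virus</if_group></rule>\n</group>',
}

COMMENT = re.compile(r"<!--.*?-->", re.S)
DEFINES = re.compile(r'<group\s+name="([^"]*)"|<group>([^<]*)</group>')
REQUIRES = re.compile(r"<if_group>([^<]*)</if_group>")

def _names(pattern, text):
    """Collect comma-separated group names captured by pattern, skipping XML comments."""
    found = set()
    for m in pattern.finditer(COMMENT.sub("", text)):
        for chunk in m.groups():
            found.update(n.strip() for n in (chunk or "").split(",") if n.strip())
    return found

def broken_by_disabling(rules, disabled):
    """Map each still-enabled file to the if_group names nothing enabled defines."""
    enabled = {f: t for f, t in rules.items() if f not in disabled}
    available = set()
    for text in enabled.values():
        available |= _names(DEFINES, text)
    broken = {}
    for fname, text in enabled.items():
        missing = _names(REQUIRES, text) - available
        if missing:
            broken[fname] = sorted(missing)
    return broken

if __name__ == "__main__":
    for off in ({"courier_rules.xml"}, {"mcafee_av_rules.xml"},
                {"mcafee_av_rules.xml", "example_av_rules.xml"}):
        print(sorted(off), "->", broken_by_disabling(SAMPLE_RULES, off))
```

In the sample, disabling mcafee_av_rules.xml alone breaks nothing because another enabled file still defines `virus`; the reference only dangles once the last file defining that group is removed.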