Hi Peter,

This happens because inside the attack_rules.xml we have the following rule:


  <rule id="40113" level="12" frequency="6" timeframe="360">
    <if_matched_group>virus</if_matched_group>
    <description>Multiple viruses detected - Possible outbreak.</description>
    <group>virus,</group>
  </rule>

So, since you disabled all the rules that had the category "virus"
(mcafee, symantec, etc.), it will
fail to load this rule because the group "virus" is not found.

Just as a curiosity, why are you disabling all these rules files? For
performance reasons?
Remember that most of them are tied to a decoder (see decoded_as at
the beginning of the rule),
so if a decoder is not matched, all the rules are completely ignored
(you can try with ossec-logtest to see).

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net




On Wed, Mar 4, 2009 at 2:22 PM, Peter M. Abraham
<[email protected]> wrote:
>
> Hi Daniel:
>
> I'm emailing you the error plus ossec.conf (without McAfee commented
> out).
>
> When I comment out the mcafee rule, and restart I get the following
> error:
>
> Starting OSSEC HIDS v2.0 (by Third Brigade, Inc.)...
> 2009/03/04 12:21:38 rules_list: Group 'virus' not found. Invalid
> 'if_group'.
> ossec-analysisd: Configuration error. Exiting
>
>
>

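The dependency Daniel describes (a rule that uses if_matched_group can only load if some earlier-loaded rule already puts itself in that group) is easy to check before restarting analysisd. The script below is an added example, not OSSEC code and not something from this thread: it is a simplified model of the loader's group resolution, fed two constructed stand-ins for mcafee_av_rules.xml and attack_rules.xml (the rule IDs, groups and file names in them are illustrative, except rule 40113, which is quoted above). Files are processed in ossec.conf <include> order, a rule's groups are the enclosing <group name="..."> plus its own <group> element, and an if_group/if_matched_group reference is checked only against groups defined by rules loaded before it, which is why 40113 listing "virus," itself does not save it.

```python
import xml.etree.ElementTree as ET

# Constructed stand-ins for two OSSEC rules files (not the real shipped files).
RULE_FILES = {
    "mcafee_av_rules.xml": """
<group name="syslog,mcafee,">
  <rule id="7200" level="0">
    <decoded_as>mcafee-av</decoded_as>
    <description>Grouping of McAfee AV messages.</description>
  </rule>
  <rule id="7201" level="8">
    <if_sid>7200</if_sid>
    <match>Virus Found</match>
    <description>Virus detected.</description>
    <group>virus,</group>
  </rule>
</group>
""",
    "attack_rules.xml": """
<group name="syslog,attack,">
  <rule id="40113" level="12" frequency="6" timeframe="360">
    <if_matched_group>virus</if_matched_group>
    <description>Multiple viruses detected - Possible outbreak.</description>
    <group>virus,</group>
  </rule>
</group>
""",
}

GROUP_REFS = ("if_group", "if_matched_group")


def _split_groups(text):
    """OSSEC group lists are comma separated and usually end in a trailing comma."""
    return {g.strip() for g in (text or "").split(",") if g.strip()}


def load_rules(xml_text):
    """Parse one rules file into dicts of id, effective groups and group references.

    OSSEC rules files have several top-level <group> elements and no single root,
    so wrap the text in a synthetic root before parsing.
    """
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    rules = []
    for grp in root.findall("group"):
        inherited = _split_groups(grp.get("name"))
        for rule in grp.findall("rule"):
            groups = inherited | _split_groups(rule.findtext("group"))
            refs = [(tag, rule.findtext(tag)) for tag in GROUP_REFS
                    if rule.find(tag) is not None]
            rules.append({"id": rule.get("id"), "groups": groups, "refs": refs})
    return rules


def check_rule_files(order, files=RULE_FILES):
    """Simulate loading the given files in order; return analysisd-style errors.

    A reference is resolved only against groups of rules already loaded, so a
    rule cannot satisfy its own if_matched_group by listing the group itself.
    """
    known = set()
    errors = []
    for name in order:
        for rule in load_rules(files[name]):
            for tag, ref in rule["refs"]:
                for g in _split_groups(ref):
                    if g not in known:
                        errors.append(
                            f"rules_list: Group '{g}' not found. Invalid '{tag}' "
                            f"(rule {rule['id']} in {name})."
                        )
            known |= rule["groups"]
    return errors


if __name__ == "__main__":
    # Both files included, in the usual order: the 'virus' group exists before 40113.
    print(check_rule_files(["mcafee_av_rules.xml", "attack_rules.xml"]) or "OK")
    # McAfee rules commented out of ossec.conf: reproduces the error from the thread.
    for err in check_rule_files(["attack_rules.xml"]):
        print(err)
```

Run it against your own rules directory by replacing RULE_FILES with the contents of the files your ossec.conf still includes, in that order. If the only output is a 'virus' error, the two fixes are the ones the thread implies: keep at least one rule in the virus group loaded, or also disable rule 40113 (for example by overriding it in local_rules.xml) rather than leaving a dangling if_matched_group.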