Something went wrong with your install. Can you show us your ossec.conf file?
*btw, did you do a fresh install using the install.sh script or some other method?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Wed, Mar 18, 2009 at 9:10 PM, <[email protected]> wrote:
>
> Hi,
>
> I have the other way around. I installed OSSEC v2 successfully and start OSSEC right after the successful installation, I got the error message
>
> "Starting OSSEC HIDS v2.0 (by Third Brigade, Inc.)...
> 2009/03/18 16:37:57 rules_list: Group 'virus' not found. Invalid 'if_group'.
> ossec-analysisd: Configuration error. Exiting"
>
> On Mar 10, 1:54 pm, Daniel Cid <[email protected]> wrote:
>> Hi Peter,
>>
>> This happens because inside the attack_rules.xml we have the following rule:
>>
>> <rule id="40113" level="12" frequency="6" timeframe="360">
>>   <if_matched_group>virus</if_matched_group>
>>   <description>Multiple viruses detected - Possible outbreak.</description>
>>   <group>virus,</group>
>> </rule>
>>
>> So, since you disabled all the rules that had the category "virus" (mcafee, symantec, etc) it will fail to load this rule because the group "virus" is not found.
>>
>> Just as a curiosity, why are you disabling all these rules files? For performance reasons? Remember that most of them are tied to a decoder (see decoded_as in the beginning of the rule), so if a decoder is not matched, all the rules are completely ignored (you can try with the ossec-logtest to see).
>>
>> Thanks,
>>
>> --
>> Daniel B. Cid
>> dcid ( at ) ossec.net
>>
>> On Wed, Mar 4, 2009 at 2:22 PM, Peter M. Abraham <[email protected]> wrote:
>>
>> > Hi Daniel:
>> >
>> > I'm emailing you the error plus ossec.conf (without McAfee commented out).
>> >
>> > When I comment out the mcafee rule, and restart I get the following error:
>> >
>> > Starting OSSEC HIDS v2.0 (by Third Brigade, Inc.)...
>> > 2009/03/04 12:21:38 rules_list: Group 'virus' not found. Invalid 'if_group'.
>> > ossec-analysisd: Configuration error. Exiting
>
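The failure discussed in this thread is a dependency-ordering problem: rule 40113 references group `virus` through `if_matched_group`, and OSSEC only resolves that reference against rules it has already loaded (the thread shows that 40113 declaring `virus` in its own `<group>` does not save it once the antivirus rule files are removed). The following script is an added example, not OSSEC code and not part of the original thread; it reproduces that check offline so a rule-file change can be validated before restarting ossec-analysisd. The two rule files are constructed stand-ins for mcafee_rules.xml and attack_rules.xml (the rule ids 7200/7201 and the decoder name in the McAfee stand-in are assumptions), and the assumption that only earlier rules count as group providers is taken from the behaviour described in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed stand-ins for OSSEC rule files; not the project's real files.
# The "virus" group is only provided by the antivirus file, as in the thread.
MCAFEE_RULES = """
<group name="mcafee,">
  <rule id="7200" level="0">
    <decoded_as>mcafee</decoded_as>
    <description>Grouping of McAfee rules.</description>
  </rule>
  <rule id="7201" level="12">
    <if_sid>7200</if_sid>
    <match>Infected</match>
    <description>McAfee virus detected.</description>
    <group>virus,</group>
  </rule>
</group>
"""

ATTACK_RULES = """
<group name="syslog,attacks,">
  <rule id="40113" level="12" frequency="6" timeframe="360">
    <if_matched_group>virus</if_matched_group>
    <description>Multiple viruses detected - Possible outbreak.</description>
    <group>virus,</group>
  </rule>
</group>
"""


def _split_groups(text):
    """OSSEC group lists are comma-separated, usually with a trailing comma ("virus,")."""
    return {g.strip() for g in (text or "").split(",") if g.strip()}


def check_group_refs(rule_files):
    """rule_files: list of (file name, xml text) in ossec.conf <include> order.

    Returns a list of (file, rule id, tag, group) for every if_group /
    if_matched_group reference whose group is not defined by any rule
    loaded before the referencing rule (assumed to mirror the analysisd
    'Group ... not found. Invalid if_group' check from the thread)."""
    seen = set()      # groups provided by rules loaded so far
    missing = []
    for fname, xml_text in rule_files:
        # A rule file is an XML fragment with several top-level <group>
        # elements, so wrap it in a synthetic root before parsing.
        root = ET.fromstring("<root>" + xml_text + "</root>")
        for wrapper in root.iter("group"):
            if "name" not in wrapper.attrib:
                continue  # rule-level <group>text</group>, handled per rule below
            inherited = _split_groups(wrapper.get("name"))
            for rule in wrapper.findall("rule"):
                rid = rule.get("id")
                # References are checked against earlier rules only; a rule
                # cannot satisfy its own if_group / if_matched_group.
                for tag in ("if_group", "if_matched_group"):
                    for ref in rule.findall(tag):
                        for g in _split_groups(ref.text):
                            if g not in seen:
                                missing.append((fname, rid, tag, g))
                # Now the rule's groups (wrapper name + its own <group>) become available.
                own = set(inherited)
                for g_el in rule.findall("group"):
                    own |= _split_groups(g_el.text)
                seen |= own
    return missing


if __name__ == "__main__":
    order = [("mcafee_rules.xml", MCAFEE_RULES), ("attack_rules.xml", ATTACK_RULES)]
    print("with mcafee_rules.xml included:   ", check_group_refs(order))
    print("with mcafee_rules.xml commented out:", check_group_refs(order[1:]))
```

Run against the real rule set, the list passed to `check_group_refs` should follow the `<include>` order in ossec.conf, since a group provider that is included after the rule that references it is as invisible to the check as one that was commented out.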
