Hello, I installed ossec-hids from the atomic repository on Fedora 10 (as a test server). I am encountering the same problem:

    rules_list: Group 'virus' not found. Invalid 'if_group'.
    ossec-analysisd: Configuration error. Exiting

Did this problem get solved?

Greetings,
John


On Wed, Mar 18, 2009 at 9:10 PM, <[email protected]> wrote:

Hi,

I have the other way around. I installed OSSEC v2 successfully and started OSSEC right after the successful installation, and I got the error message:

    Starting OSSEC HIDS v2.0 (by Third Brigade, Inc.)...
    2009/03/18 16:37:57 rules_list: Group 'virus' not found. Invalid 'if_group'.
    ossec-analysisd: Configuration error. Exiting

On Mar 10, 1:54 pm, Daniel Cid <[email protected]> wrote:
> Hi Peter,
>
> This happens because inside the attack_rules.xml we have the following rule:
>
>   <rule id="40113" level="12" frequency="6" timeframe="360">
>     <if_matched_group>virus</if_matched_group>
>     <description>Multiple viruses detected - Possible outbreak.</description>
>     <group>virus,</group>
>   </rule>
>
> So, since you disabled all the rules that had the category "virus" (mcafee, symantec, etc.) it will fail to load this rule because the group "virus" is not found.
>
> Just as a curiosity, why are you disabling all these rules files? For performance reasons? Remember that most of them are tied to a decoder (see decoded_as in the beginning of the rule), so if a decoder is not matched, all the rules are completely ignored (you can try with the ossec-logtest to see).
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Wed, Mar 4, 2009 at 2:22 PM, Peter M. Abraham <[email protected]> wrote:
> > Hi Daniel:
> >
> > I'm emailing you the error plus ossec.conf (without McAfee commented out).
> >
> > When I comment out the mcafee rule and restart, I get the following error:
> >
> >   Starting OSSEC HIDS v2.0 (by Third Brigade, Inc.)...
> >   2009/03/04 12:21:38 rules_list: Group 'virus' not found. Invalid 'if_group'.
> >   ossec-analysisd: Configuration error. Exiting


On Mar 24, 9:13 pm, [email protected] wrote:
> Hello,
>
> I did the fresh install using the install.sh and I installed OSSEC as a server. I tried to send the ossec.conf as an attachment to ossec-list but I don't know how, so I am going to my gmail account to send it to you.
>
> Thanks,
>
> On Mar 24, 7:43 am, Daniel Cid <[email protected]> wrote:
> > Something went wrong with your install. Can you show us your ossec.conf file?
> >
> > *btw, did you do a fresh install using the install.sh script or some other method?
> >
> > Thanks,
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
> > On Wed, Mar 18, 2009 at 9:10 PM, <[email protected]> wrote:
> > > Hi,
> > >
> > > I have the other way around. I installed OSSEC v2 successfully and started OSSEC right after the successful installation, and I got the error message:
> > >
> > >   Starting OSSEC HIDS v2.0 (by Third Brigade, Inc.)...
> > >   2009/03/18 16:37:57 rules_list: Group 'virus' not found. Invalid 'if_group'.
> > >   ossec-analysisd: Configuration error. Exiting
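The failure Daniel describes is a load-order dependency: analysisd resolves an if_group/if_matched_group against the rules already loaded when it reaches the referencing rule, so rule 40113 in attack_rules.xml only loads if an earlier file (symantec-av, mcafee_av, ...) already placed a rule in the "virus" group; its own `<group>virus,</group>` does not count. The pre-flight check below reproduces that resolution over a list of rule files so a trimmed include list can be validated before restarting OSSEC. It is an added example, not code from the thread or from OSSEC; the two rule files are constructed stand-ins (the McAfee rule id and text are made up), and the list order stands for the `<include>` order in ossec.conf.

```python
import xml.etree.ElementTree as ET

def split_groups(text):
    # OSSEC group lists are comma separated, usually with a trailing comma ("virus,").
    return {g.strip() for g in (text or "").split(",") if g.strip()}

def iter_rules(xml_text):
    """Yield (rule_id, own_groups, referenced_groups) in file order. A rule file
    has several top-level <group name="..."> blocks and no root, so wrap it first."""
    root = ET.fromstring("<root>" + xml_text + "</root>")
    for block in root.findall("group"):
        inherited = split_groups(block.get("name"))       # groups every rule in the block gets
        for rule in block.findall("rule"):
            groups = set(inherited)
            for g in rule.findall("group"):
                groups |= split_groups(g.text)
            refs = set()
            for tag in ("if_group", "if_matched_group"):
                for ref in rule.findall(tag):
                    refs |= split_groups(ref.text)
            yield rule.get("id"), groups, refs

def unresolved_group_refs(rule_files):
    """Walk the files in include order; report (rule_id, group) for each reference
    that no previously loaded rule carries. A rule's own groups become visible only
    to rules loaded after it, which is why 40113 cannot satisfy its own "virus"."""
    loaded, problems = set(), []
    for text in rule_files:
        for rule_id, groups, refs in iter_rules(text):
            problems += [(rule_id, g) for g in sorted(refs) if g not in loaded]
            loaded |= groups
    return problems

# Constructed samples: an antivirus rule file that precedes attack_rules.xml in the
# include list and carries the "virus" group, and rule 40113 as quoted in the thread.
MCAFEE_RULES = """<group name="syslog,mcafee,">
  <rule id="7301" level="7">
    <decoded_as>mcafee</decoded_as>
    <description>McAfee virus detected (constructed sample).</description>
    <group>virus,</group>
  </rule>
</group>"""
ATTACK_RULES = """<group name="syslog,attacks,">
  <rule id="40113" level="12" frequency="6" timeframe="360">
    <if_matched_group>virus</if_matched_group>
    <description>Multiple viruses detected - Possible outbreak.</description>
    <group>virus,</group>
  </rule>
</group>"""
if __name__ == "__main__":
    print(unresolved_group_refs([MCAFEE_RULES, ATTACK_RULES]))  # []  (both files included)
    print(unresolved_group_refs([ATTACK_RULES]))  # [('40113', 'virus')]  (mcafee include removed)
```

A non-empty result lists exactly the rules that would make ossec-analysisd exit with "Group '...' not found. Invalid 'if_group'."; the fix is either to keep the defining rule file included or to disable the referencing rule in local_rules.xml as well.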
