Hi,

When I try to start OSSEC with your rules, in the first rule an error occurs because of the second backslash in the match tag: <match>\system32\</match>. If I remove it, OSSEC reports no errors.

In the second rule there may be an error with the level option and quotation marks. Try to write it like this: level="0"

Of course, both rules should be inside group tags.

Regards
Branimir

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Gags
> Sent: Friday, March 12, 2010 11:55 AM
> To: ossec-list
> Subject: [ossec-list] Issues with upgrade to 2.3
>
> Dear All
>
> We have recently updated the OSSEC server from 2.0 to 2.3. After the upgrade the OSSEC server failed to start rootcheckd and syscheckd, probably due to a failure in starting analysisd.
>
> When we check the OSSEC rules it says error in local_rules.xml (there were many rules defined by us). Then we checked all the rules deployed in local_rules.xml. The new version is not supporting these two rules which were earlier running. (I am not sure whether we received the alerts, but it never failed to load.)
>
> Currently with these two rules the HIDS is not starting.
>
>   <rule id="554" level="7" overwrite="yes">
>     <category>ossec</category>
>     <decoded_as>syscheck_new_entry</decoded_as>
>     <match>\system32\</match>
>     <description>File added to the system.</description>
>     <group>syscheck,</group>
>   </rule>
>
>   <rule id="100019" level='0'>
>     <if_sid>100018</if_sid>
>     <regex>Permissions changed from '\D\D\D\D\D\D\Dw\D' to '\D+'</regex>
>     <description>World-writable File</description>
>   </rule>
>
> Can anyone tell what is going wrong
>
> Regards
> Gagan
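A small pre-flight check for local_rules.xml that catches the two problems discussed in this thread (a <match>/<regex> pattern ending in a bare backslash, and <rule> elements not enclosed in a <group>) before analysisd is restarted. This is an added example, not code from the list or from the OSSEC project; it assumes OSSEC rule files are XML fragments without a single root, so the text is wrapped in a synthetic <ossec_rules> element for parsing, and the sample rules below are the ones from the original post, reconstructed here.

```python
"""Lint an OSSEC local_rules.xml fragment for load-time problems.

Added example, not OSSEC project code. Assumption: rule files have no
single root element, so the text is wrapped before parsing.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the two rules from the thread, pasted at top level
# without an enclosing <group>, as the original post showed them.
SAMPLE_RULES = r"""
<rule id="554" level="7" overwrite="yes">
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <match>\system32\</match>
  <description>File added to the system.</description>
  <group>syscheck,</group>
</rule>

<rule id="100019" level='0'>
  <if_sid>100018</if_sid>
  <regex>Permissions changed from '\D\D\D\D\D\D\Dw\D' to '\D+'</regex>
  <description>World-writable File</description>
</rule>
"""


def lint_rules(fragment: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring("<ossec_rules>" + fragment + "</ossec_rules>")
    # Map each element to its parent so we can see where every <rule> sits.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    for rule in root.iter("rule"):
        rid = rule.get("id", "?")
        if parent_of[rule].tag != "group":
            findings.append(f"rule {rid}: not enclosed in a <group> element")
        for tag in ("match", "regex"):
            for pat in rule.findall(tag):
                text = pat.text or ""
                # A trailing backslash leaves the escape with nothing to
                # escape; the thread reports OSSEC rejecting it at load time.
                if text.endswith("\\"):
                    findings.append(
                        f"rule {rid}: <{tag}> ends with a bare backslash: {text!r}")
    return findings


if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_RULES):
        print(finding)
```

Run it against your local_rules.xml before restarting ossec-analysisd; the sample above yields three findings, and wrapping the rules in a <group> and dropping the trailing backslash yields none.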
