Hello, I am using OSSEC 2.3. The first part of the smbd_rules.xml file looks like this:
    <rule id="13100" level="0" noalert="1">
      <match>^smbd</match>
      <description>Grouping for the smbd rules.</description>
    </rule>

It should be:

    <rule id="13100" level="0" noalert="1">
      <decoded_as>smbd</decoded_as>
      <description>Grouping for the smbd rules.</description>
    </rule>

It's because "smbd" does not show up at the start of a log. This came to light when I started receiving alerts like this:

    Received From: reliant->/var/log/messages
    Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
    Portion of the log(s):

    Mar 22 13:50:45 reliant smbd[18447]: getpeername failed. Error was Transport endpoint is not connected

Now there's a rule in smbd_rules.xml (13101) which should have caught it and ignored it. But 13101 is a child of 13100. Turns out that 13100 was never firing because of the bug noted above.

Hope this helps someone.

Trevor
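The behaviour Trevor describes can be reproduced outside OSSEC with a small simulation, added here as an illustration (this is not OSSEC's own code and uses Python's `re` rather than OSSEC's pattern engine). It pre-decodes a syslog line into hostname, program name and the remaining message, the way OSSEC's syslog pre-decoder separates the `program_name` from the `log` field, then evaluates the buggy `<match>^smbd</match>` grouping rule and the corrected `<decoded_as>smbd</decoded_as>` version. The decoder table, the child rule's match string and the sshd sample line are assumptions chosen to mirror the post, not copied from OSSEC's rule or decoder files.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the first line is the one quoted in the post,
# the second is a made-up line from a different program to show the
# grouping rule does not fire for unrelated daemons.
SAMPLE_LOGS = [
    "Mar 22 13:50:45 reliant smbd[18447]: getpeername failed. "
    "Error was Transport endpoint is not connected",
    "Mar 22 13:51:02 reliant sshd[2211]: Accepted publickey for trevor "
    "from 10.0.0.5 port 51234 ssh2",
]

# Simplified syslog header: "<timestamp> <hostname> <program>[pid]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<program>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<log>.*)$"
)

# Assumed decoder table: decoder name -> pattern applied to program_name.
# This stands in for the <program_name> element of a real OSSEC decoder.
DECODERS = {"smbd": r"^smbd", "sshd": r"^sshd"}


@dataclass
class Event:
    full_log: str
    log: str                      # what <match> is tested against
    hostname: Optional[str] = None
    program_name: Optional[str] = None
    decoder: Optional[str] = None # what <decoded_as> is tested against


def pre_decode(line: str) -> Event:
    """Split the syslog header off; the message body becomes ev.log."""
    m = SYSLOG_RE.match(line)
    if not m:
        # Not syslog-shaped: the whole line is the log, no program name.
        return Event(full_log=line, log=line)
    return Event(full_log=line, log=m["log"],
                 hostname=m["hostname"], program_name=m["program"])


def decode(ev: Event) -> Event:
    """Pick the decoder whose program_name pattern matches the event."""
    if ev.program_name is not None:
        for name, pattern in DECODERS.items():
            if re.match(pattern, ev.program_name):
                ev.decoder = name
                break
    return ev


@dataclass
class Rule:
    rule_id: int
    level: int
    match: Optional[str] = None       # <match>, regex over ev.log
    decoded_as: Optional[str] = None  # <decoded_as>, compared to ev.decoder
    if_sid: Optional[int] = None      # <if_sid>, parent rule must have fired


def rule_fires(rule: Rule, ev: Event, fired: List[int]) -> bool:
    if rule.if_sid is not None and rule.if_sid not in fired:
        return False
    if rule.decoded_as is not None and ev.decoder != rule.decoded_as:
        return False
    if rule.match is not None and re.search(rule.match, ev.log) is None:
        return False
    return True


def evaluate(rules: List[Rule], line: str) -> List[int]:
    """Return the ids of the rules that fire for one log line, in order."""
    ev = decode(pre_decode(line))
    fired: List[int] = []
    for rule in rules:
        if rule_fires(rule, ev, fired):
            fired.append(rule.rule_id)
    return fired


# Child rule 13101's match string is an assumption modelled on the log line
# in the post; only the parent (13100) differs between the two rule sets.
BUGGY_RULES = [
    Rule(13100, 0, match=r"^smbd"),
    Rule(13101, 0, if_sid=13100, match=r"getpeername failed"),
]
FIXED_RULES = [
    Rule(13100, 0, decoded_as="smbd"),
    Rule(13101, 0, if_sid=13100, match=r"getpeername failed"),
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        ev = decode(pre_decode(line))
        print(f"program_name={ev.program_name!r} decoder={ev.decoder!r} "
              f"log={ev.log[:30]!r}...")
        print("  buggy rules fire:", evaluate(BUGGY_RULES, line))
        print("  fixed rules fire:", evaluate(FIXED_RULES, line))
```

The key point the simulation makes visible is that after pre-decoding, `ev.log` for the smbd line begins with "getpeername failed", not "smbd", so a `<match>` anchored with `^smbd` can never succeed; `<decoded_as>` instead keys on the decoder chosen from the program name, which is where "smbd" actually lives. When nothing in the smbd group fires, the line falls through to the generic catch-all, which is the rule 1002 alert in the post.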