Hi Trevor,

Thanks for the report. It has been fixed on the latest snapshot:
http://www.ossec.net/files/snapshots/ossec-hids-100324.tar.gz

--
Daniel B. Cid
dcid ( at ) ossec.net

On Mon, Mar 22, 2010 at 7:59 PM, tm <[email protected]> wrote:
> Hello,
>
> I am using OSSEC 2.3. The first part of the smbd_rules.xml file looks
> like this:
>
> <rule id="13100" level="0" noalert="1">
>   <match>^smbd</match>
>   <description>Grouping for the smbd rules.</description>
> </rule>
>
> It should be:
>
> <rule id="13100" level="0" noalert="1">
>   <decoded_as>smbd</decoded_as>
>   <description>Grouping for the smbd rules.</description>
> </rule>
>
> It's because "smbd" does not show up at the start of a log. This came
> to light when I started receiving alerts like this:
>
> Received From: reliant->/var/log/messages
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Mar 22 13:50:45 reliant smbd[18447]: getpeername failed. Error was Transport endpoint is not connected
>
> Now there's a rule in smbd_rules.xml (13101) which should have caught
> it and ignored it. But, 13101 is a child of 13100. Turns out that
> 13100 was never firing because of the bug noted above.
>
> Hope this helps someone.
>
> Trevor
>
> To unsubscribe from this group, send email to
> ossec-list+unsubscribe@googlegroups.com or reply to this email with the words
> "REMOVE ME" as the subject.
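To see why swapping <match> for <decoded_as> changes the outcome for the quoted log line, the following small Python model of OSSEC's rule walk is added here as an example; it is not OSSEC code and not part of either message in the thread. It assumes a toy syslog pre-decoder in which the "log" field a <match> is tested against is the message body after the "program[pid]:" prefix (which is what makes "^smbd" fail), a decoder table where "smbd" is recognised from the program name, rules checked in list order with the application-specific group rule before the generic rule 1002, the deepest matching rule winning, and a level-0 result meaning "ignore". The match text of rule 13101 is not on the page, so the pattern used for it is an assumption chosen to cover the quoted line, and rule 1002 is reduced to a single keyword.

```python
import re

# Constructed sample input: the log line quoted in the thread.
SAMPLE_LOG = ("Mar 22 13:50:45 reliant smbd[18447]: getpeername failed. "
              "Error was Transport endpoint is not connected")

# Syslog header: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# Assumed decoder table: decoder name -> regex on the program name.
# OSSEC's real smbd decoder lives in decoder.xml; this only models its effect.
DECODERS = {"smbd": re.compile(r"^smbd")}


def decode(line):
    """Toy pre-decoder returning the fields a rule can test.

    'log' is the message body after the 'program[pid]:' prefix. That is an
    assumption about what <match> is tested against, and it is the reason
    '^smbd' never matches: the body starts with 'getpeername', not 'smbd'.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return {"full_log": line, "log": line,
                "program_name": None, "decoded_as": None}
    prog = m["prog"]
    decoded_as = next((name for name, rx in DECODERS.items()
                       if rx.search(prog)), None)
    return {"full_log": line, "log": m["msg"],
            "program_name": prog, "decoded_as": decoded_as}


def rule_matches(rule, ev):
    """Apply the two rule conditions the thread talks about."""
    if "decoded_as" in rule and ev["decoded_as"] != rule["decoded_as"]:
        return False
    if "match" in rule and not re.search(rule["match"], ev["log"]):
        return False
    return True


def evaluate(rules, ev):
    """Walk the rules in list order, descending into children (if_sid) only
    when the parent matched. The deepest match wins. Returns (id, level)
    or None when nothing matched."""
    by_parent = {}
    for r in rules:
        by_parent.setdefault(r.get("if_sid"), []).append(r)

    def walk(parent_id):
        for r in by_parent.get(parent_id, []):
            if rule_matches(r, ev):
                child = walk(r["id"])
                return child if child else (r["id"], r["level"])
        return None

    return walk(None)


def smbd_rules(group_condition):
    """Build the three rules in play: the 13100 grouping rule with the given
    condition, its child 13101 (pattern assumed, not from the page), and a
    simplified rule 1002 that fires on the word 'failed'."""
    return [
        dict(id=13100, level=0, **group_condition),
        dict(id=13101, level=0, if_sid=13100, match="^getpeername failed"),
        dict(id=1002, level=2, match="failed"),
    ]


BROKEN_RULES = smbd_rules({"match": "^smbd"})      # as shipped in OSSEC 2.3
FIXED_RULES = smbd_rules({"decoded_as": "smbd"})   # Trevor's correction


def outcome(rules, line=SAMPLE_LOG):
    """'ignored' when the final rule is level 0 or nothing matched,
    otherwise the alert level and rule id."""
    hit = evaluate(rules, decode(line))
    if hit is None or hit[1] == 0:
        return "ignored"
    return "alert level %d (rule %d)" % (hit[1], hit[0])


if __name__ == "__main__":
    print("OSSEC 2.3 smbd_rules.xml:", outcome(BROKEN_RULES))
    print("with <decoded_as>:       ", outcome(FIXED_RULES))
```

With the shipped rule, 13100 never matches, so 13101 is never reached and the generic rule 1002 raises the level 2 alert Trevor saw; with <decoded_as>, 13100 matches on the decoder name, 13101 matches underneath it at level 0, and the event is ignored.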
