I might have a bug to report though hopefully someone else can verify it's
legit.
Prior to updating to 2.4, I had a script that generates rules. These rules
were all dependent upon 31100 and worked by matching the requesting srcip.
After the update they no longer work as they did.
Example rule:
<group name="web">
  <rule id="100740" level="14">
    <if_sid>31100</if_sid>
    <srcip>109.123.78.44</srcip>
    <description>Evil Haxors!!</description>
  </rule>
</group>
*Before update*:
**Phase 1: Completed pre-decoding.
full event: '2010-04-06 11:41:01 <hostname> x.x.x.x GET /evilfile.php
80 - 109.123.78.44 HTTP/1.0
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) - - www.wantsfly.com 301
hostname: 'test'
program_name: '(null)'
log: '2010-04-06 11:41:01 <hostname> x.x.x.x GET /evilfile.php 80 -
109.123.78.44 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) -
- www.wantsfly.com 301'
**Phase 2: Completed decoding.
decoder: 'windows-date-format'
url: '/prx2.php'
srcip: '109.123.78.44'
id: '301'
**Phase 3: Completed filtering (rules).
Rule id: '100740'
Level: '14'
Description: 'Evil Haxors!!'
**Alert to be generated.
*After update:*
....<same as above>...
**Phase 3: Completed filtering (rules).
Rule id: '31108'
Level: '0'
Description: 'Ignored URLs (simple queries).'
I verified that I had added my custom rules xml file back into the
ossec.conf after the update. It seems to load it (as shown in the ossec.log
file) but it just no longer works as it did. It's almost like the default
ruleset overrides my custom rules. If I change my rule to be dependent upon
31108 instead of 31100, it works.
To verify, I reverted to 2.3 (after adding the rule.xml file back
into the ossec.conf file) and it works again.
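As an added example (not the poster's script, and not part of the original message), the following Python generator produces a custom rules file of the shape shown above from a list of source IPs. It validates and de-duplicates the addresses, escapes the XML, and chains every rule on one parent SID; 31108 is used as the default because the poster reports that the rule works when it depends on 31108 after the 2.4 update. The function names, the sample IP list (constructed) and the choice of parent SID are assumptions for illustration.

```python
"""Generate OSSEC custom rules that raise an alert for listed source IPs.

Added example, not the poster's own script. Builds <rule> elements chained
with <if_sid> onto a parent rule so the output can be saved as a rules file
and referenced from ossec.conf.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Parent rule to chain on. The thread reports that after the 2.4 update the
# custom rule only fires when it depends on 31108 rather than 31100, so 31108
# is the default here (assumption based on the poster's observation).
DEFAULT_PARENT_SID = "31108"
# Rule id taken from the post; custom OSSEC rule ids live in the 100000+ range.
FIRST_RULE_ID = 100740


def build_rules(ips, group="web", parent_sid=DEFAULT_PARENT_SID,
                first_id=FIRST_RULE_ID, level=14,
                description="Evil Haxors!!"):
    """Return a <group> element holding one rule per valid, unique IP.

    Malformed or duplicate addresses are skipped so a bad line in the input
    list cannot produce a rule that never matches or a duplicate rule id.
    """
    group_el = ET.Element("group", name=group)
    seen = set()
    rule_id = first_id
    for raw in ips:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue  # not a single IPv4/IPv6 address; skip it
        if ip in seen:
            continue
        seen.add(ip)
        rule = ET.SubElement(group_el, "rule",
                             id=str(rule_id), level=str(level))
        ET.SubElement(rule, "if_sid").text = parent_sid
        ET.SubElement(rule, "srcip").text = str(ip)
        # ElementTree escapes <, > and & in the description for us.
        ET.SubElement(rule, "description").text = description
        rule_id += 1
    return group_el


def render(group_el):
    """Serialise the group as indented XML text."""
    if hasattr(ET, "indent"):  # Python 3.9+
        ET.indent(group_el)
    return ET.tostring(group_el, encoding="unicode")


def rule_ids(group_el):
    """Rule ids in the order they were generated."""
    return [r.get("id") for r in group_el.findall("rule")]


# Constructed sample input: one duplicate and one malformed entry on purpose.
SAMPLE_IPS = ["109.123.78.44", "109.123.78.44", "not-an-ip", "203.0.113.7"]

if __name__ == "__main__":
    print(render(build_rules(SAMPLE_IPS)))
```

Running the script prints a two-rule group (ids 100740 and 100741); the duplicate and the malformed entry are dropped. Changing `parent_sid` is the only edit needed if a later ruleset update moves the matching parent again, which is the failure the thread describes.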