On Thu, Feb 2, 2012 at 4:06 AM, Oliver Mueller <[email protected]> wrote:
> If I add the following rule to local_rules.xml and try to test it with
> ossec-logtest, I receive a segfault (see below):
>
> <group name="apache,">
>      <rule id="30109" level="9" timeframe="60" frequency="5" overwrite="yes">
>          <!-- Original rule blocked user if login failed once. That's a bit too hard -->
>          <if_matched_sid>30101</if_matched_sid>
>          <regex>user \S+ not found</regex>
>          <description>Attempt to login using a non-existent user.</description>
>          <group>invalid_login,</group>
>      </rule>
> </group>
>
>
>
> # ../bin/ossec-logtest
> 2012/01/23 08:55:06 ossec-testrule: INFO: Reading local decoder file.
> 2012/01/23 08:55:06 ossec-testrule: INFO: Started (pid: 32103).
> ossec-testrule: Type one log per line.
>
> [Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser
> not found: /myapp/
>
>
> **Phase 1: Completed pre-decoding.
>        full event: '[Mon Jan 23 08:40:46 2012] [error] [client
> 192.168.0.123] user unknownUser not found: /myapp/'
>        hostname: 'server'
>        program_name: '(null)'
>        log: '[error] [client 192.168.0.123] user unknownUser not found:
> /myapp/'
>
> **Phase 2: Completed decoding.
>        decoder: 'apache-errorlog'
>        srcip: '192.168.0.123'
> Segmentation fault
>

What version of OSSEC? What kind of host?

>
> Is there any update planned to ossec soon?

Not that I'm aware of.
