On Sat, Feb 4, 2012 at 4:01 AM, Oliver Müller <[email protected]> wrote:
> I definitely get a segfault though and I clear out my local rules. There was
> nothing in there except this group with one rule.
> Is it an Ubuntu problem then?
>
I don't remember having any issues with Ubuntu, but that VM is
inaccessible right now. Any chance you can run ossec-logtest in gdb?
> this is my "original" rule in apache_rules.xml:
> <rule id="30109" level="9">
>   <if_sid>30101</if_sid>
>   <regex>user \S+ not found</regex>
>   <description>Attempt to login using a non-existent user.</description>
>   <group>invalid_login,</group>
> </rule>
>
>
> and this is the strace I get when I am testing the log entry with
> ossec-logtest:
>
> [Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/
> "[Mon Jan 23 08:40:46 2012] [erro"..., 1024) = 94
> write(2, "\n", 1
> ) = 1
> write(2, "\n", 1
> ) = 1
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2309, ...}) = 0
> write(2, "**Phase 1: Completed pre-decodin"..., 34**Phase 1: Completed pre-decoding.) = 34
> write(2, "\n", 1
> ) = 1
> write(2, " full event: '[Mon Jan 23 "..., 114 full event: '[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/') = 114
> write(2, "\n", 1
> ) = 1
> write(2, " hostname: 'server'", 23 hostname: 'server') = 23
> write(2, "\n", 1
> ) = 1
> write(2, " program_name: '(null)'", 29 program_name: '(null)') = 29
> write(2, "\n", 1
> ) = 1
> write(2, " log: '[error] [client 192"..., 80 log: '[error] [client 192.168.0.123] user unknownUser not found: /myapp/') = 80
> write(2, "\n", 1
> ) = 1
> write(2, "\n**Phase 2: Completed decoding.", 31
> **Phase 2: Completed decoding.) = 31
> write(2, "\n", 1
> ) = 1
> write(2, " decoder: 'apache-errorlog"..., 33 decoder: 'apache-errorlog') = 33
> write(2, "\n", 1
> ) = 1
> write(2, " srcip: '192.168.0.123'", 29 srcip: '192.168.0.123') = 29
> write(2, "\n", 1
> ) = 1
> --- SIGSEGV (Segmentation fault) @ 0 (0) ---
> +++ killed by SIGSEGV +++
> Segmentation fault
>
>
>
>
>
> On 03.02.2012, at 18:32, Andreas Piesk wrote:
>
>> On 03.02.2012 16:09, Oliver Müller wrote:
>>> You have to paste this in as ONE line (ends with /myapp/):
>>>
>>> [Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser
>>> not found: /myapp/
>>>
>>
>> that's what I did. testing the above line up to /myapp/ doesn't produce a
>> segfault on my system.
>>
>> regards,
>> -ap
>
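A small Python harness, added here as an illustration and not code from OSSEC or from anyone in the thread, that reproduces outside ossec-logtest what the strace output shows the pipeline doing to the posted line: strip the Apache timestamp in pre-decoding, pull `srcip` out of `[client ...]` as the apache-errorlog decoder does, then apply rule 30109's `user \S+ not found`. The first sample line is the one from the thread; the other two are constructed here to show non-matching input. The decoder's field layout is an assumption based only on the `srcip` value visible in the strace, and mapping OSSEC's `\S` onto Python's `\S` is also an assumption. It says nothing about why the real binary segfaults, but it lets you confirm what the rule is supposed to match before running ossec-logtest under gdb.

```python
import re

# Constructed sample input for this example. The first line is the log entry
# posted in the thread; the other two are made up here as non-matching input.
SAMPLE_LINES = [
    "[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/",
    "[Mon Jan 23 08:40:47 2012] [error] [client 192.168.0.123] user alice: authentication failure for \"/myapp/\": Password Mismatch",
    "[Mon Jan 23 08:40:48 2012] [notice] caught SIGTERM, shutting down",
]

# Stand-in for the pre-decoding step seen in the strace output: strip the
# leading "[Day Mon DD HH:MM:SS YYYY]" timestamp and keep the rest as 'log'.
TIMESTAMP_RE = re.compile(r"^\[\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}\] (?P<log>.*)$")

# Stand-in for the apache-errorlog decoder: take the severity and the client
# address out of "[level] [client a.b.c.d]". This field layout is assumed here,
# based only on the 'srcip' value shown in the strace output.
CLIENT_RE = re.compile(
    r"^\[(?P<level>\w+)\] \[client (?P<srcip>\d{1,3}(?:\.\d{1,3}){3})\] (?P<msg>.*)$"
)

# Rule 30109's <regex>user \S+ not found</regex> translated to Python syntax.
# Assumption: OSSEC's \S (a run of non-space characters) maps onto Python's \S.
RULE_30109_RE = re.compile(r"user \S+ not found")


def predecode(line):
    """Return {'log': ...} or None if the line carries no Apache-style timestamp."""
    m = TIMESTAMP_RE.match(line)
    return {"log": m.group("log")} if m else None


def decode(log):
    """Return decoder fields (level, srcip, msg) or None if not an apache error entry."""
    m = CLIENT_RE.match(log)
    if not m:
        return None
    return {"decoder": "apache-errorlog", **m.groupdict()}


def rule_30109(fields):
    """True if the decoded message matches 'user \\S+ not found' (level 9, invalid_login)."""
    return RULE_30109_RE.search(fields["msg"]) is not None


def process(lines):
    """Run each line through predecode -> decode -> rule 30109; return the alerts raised."""
    alerts = []
    for line in lines:
        pre = predecode(line)
        if pre is None:
            continue
        fields = decode(pre["log"])
        if fields is None:
            continue
        if rule_30109(fields):
            alerts.append(
                {"rule": 30109, "level": 9, "srcip": fields["srcip"], "log": pre["log"]}
            )
    return alerts


if __name__ == "__main__":
    for alert in process(SAMPLE_LINES):
        print(alert)
```

Feeding the posted line as a single line matters here too: `predecode` returns None for anything that does not start with the full `[Mon Jan 23 08:40:46 2012]` timestamp, so a line wrapped at "unknownUser" never reaches the rule, which is the same reason the thread insists on pasting it as ONE line into ossec-logtest.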