I would like to help you on that one, but I don't have gdb running, nor any experience with it…
On 06.02.2012, at 12:52, dan (ddp) wrote:

> On Sat, Feb 4, 2012 at 4:01 AM, Oliver Müller <[email protected]> wrote:
>> I definitely get a segfault though and I cleared out my local rules. There was
>> nothing in there except this group with one rule.
>> Is it an Ubuntu problem then?
>>
>
> I don't remember having any issues with Ubuntu, but that VM is
> inaccessible right now. Any chance you can run ossec-logtest in gdb?
>
>> This is my "original" rule in apache_rules.xml:
>>
>>   <rule id="30109" level="9">
>>     <if_sid>30101</if_sid>
>>     <regex>user \S+ not found</regex>
>>     <description>Attempt to login using a non-existent user.</description>
>>     <group>invalid_login,</group>
>>   </rule>
>>
>>
>> and this is the strace I get when I am testing the log entry with
>> ossec-logtest:
>>
>> [Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/
>> "[Mon Jan 23 08:40:46 2012] [erro"..., 1024) = 94
>> write(2, "\n", 1
>> ) = 1
>> write(2, "\n", 1
>> ) = 1
>> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2309, ...}) = 0
>> write(2, "**Phase 1: Completed pre-decodin"..., 34**Phase 1: Completed pre-decoding.) = 34
>> write(2, "\n", 1
>> ) = 1
>> write(2, " full event: '[Mon Jan 23 "..., 114 full event: '[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/') = 114
>> write(2, "\n", 1
>> ) = 1
>> write(2, " hostname: 'server'", 23 hostname: 'server') = 23
>> write(2, "\n", 1
>> ) = 1
>> write(2, " program_name: '(null)'", 29 program_name: '(null)') = 29
>> write(2, "\n", 1
>> ) = 1
>> write(2, " log: '[error] [client 192"..., 80 log: '[error] [client 192.168.0.123] user unknownUser not found: /myapp/') = 80
>> write(2, "\n", 1
>> ) = 1
>> write(2, "\n**Phase 2: Completed decoding.", 31
>> **Phase 2: Completed decoding.) = 31
>> write(2, "\n", 1
>> ) = 1
>> write(2, " decoder: 'apache-errorlog"..., 33 decoder: 'apache-errorlog') = 33
>> write(2, "\n", 1
>> ) = 1
>> write(2, " srcip: '192.168.0.123'", 29 srcip: '192.168.0.123') = 29
>> write(2, "\n", 1
>> ) = 1
>> --- SIGSEGV (Segmentation fault) @ 0 (0) ---
>> +++ killed by SIGSEGV +++
>> Segmentation fault
>>
>>
>> On 03.02.2012, at 18:32, Andreas Piesk wrote:
>>
>>> On 03.02.2012 16:09, Oliver Müller wrote:
>>>> You have to paste this in as ONE line (ends with /myapp/):
>>>>
>>>> [Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] user unknownUser not found: /myapp/
>>>>
>>>
>>> That's what I did. Testing the above line up to /myapp/ doesn't produce a
>>> segfault on my system.
>>>
>>> regards,
>>> -ap
>>
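As an added illustration (not code from this thread, and not OSSEC's own decoder or rule engine), the following Python model walks the same two phases ossec-logtest printed above for the quoted line: a decoder that pulls out the fields the strace shows (log, srcip), then a rule walk in which rule 30109 is only tried once its <if_sid> parent 30101 has fired. The sample log lines are constructed; the stand-in decoder regex APACHE_ERRORLOG, the content of parent rule 30101 (assumed to be a level-0 rule on every [error] line), and the helper names decode, evaluate and logtest are all assumptions of this example.

```python
import re

# Constructed sample lines, not taken from any real server. The first is the
# exact line under test in the thread; the second is a control line that the
# apache-errorlog decoder accepts but rule 30109 must not match.
SAMPLE_NOT_FOUND = ("[Mon Jan 23 08:40:46 2012] [error] [client 192.168.0.123] "
                    "user unknownUser not found: /myapp/")
SAMPLE_OTHER = ("[Mon Jan 23 08:41:02 2012] [error] [client 192.168.0.124] "
                "File does not exist: /favicon.ico")

# Hypothetical stand-in for OSSEC's apache-errorlog decoder (the real one lives
# in decoder.xml). It only reproduces the fields ossec-logtest printed in the
# thread: the timestamp is pre-decoded away, 'log' keeps the remainder, and
# 'srcip' is extracted from the [client ...] bracket.
APACHE_ERRORLOG = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\] "
    r"(?P<log>\[(?P<level>\w+)\] \[client (?P<srcip>[^\]\s]+)\] .*)$"
)

# Rule table. Rule 30109 is the one quoted in the thread; rule 30101 is an
# assumption of this example (a level-0 parent that fires on every
# apache-errorlog event whose level is [error]). OSSEC <regex> uses its own
# dialect rather than PCRE, but 'user \S+ not found' means the same in both.
RULES = [
    {"id": 30101, "level": 0, "if_sid": None, "decoded_as": "apache-errorlog",
     "regex": re.compile(r"^\[error\]"),
     "description": "Apache error message.", "group": "apache,"},
    {"id": 30109, "level": 9, "if_sid": 30101, "decoded_as": None,
     "regex": re.compile(r"user \S+ not found"),
     "description": "Attempt to login using a non-existent user.",
     "group": "invalid_login,"},
]


def decode(line):
    """Phase 2 of ossec-logtest: return the decoded event as a dict, or None
    when the decoder does not accept the line."""
    m = APACHE_ERRORLOG.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["decoder"] = "apache-errorlog"
    event["full_event"] = line
    return event


def evaluate(event):
    """Phase 3: walk the rule table parent-first. A rule with <if_sid> is only
    tried once its parent has fired; the alert is the last (most specific)
    rule that fired, or None when nothing matched."""
    if event is None:
        return None
    fired = []
    for rule in RULES:
        if rule["decoded_as"] is not None and rule["decoded_as"] != event["decoder"]:
            continue
        if rule["if_sid"] is not None and rule["if_sid"] not in (r["id"] for r in fired):
            continue
        if rule["regex"].search(event["log"]):
            fired.append(rule)
    return fired[-1] if fired else None


def logtest(line):
    """Run both phases and return (rule id, level, srcip) as the alert would
    summarise them, or None if the line is not decoded or matches no rule."""
    event = decode(line)
    rule = evaluate(event)
    if rule is None:
        return None
    return (rule["id"], rule["level"], event["srcip"])


if __name__ == "__main__":
    for line in (SAMPLE_NOT_FOUND, SAMPLE_OTHER, "not an apache error line"):
        print(line)
        print("  ->", logtest(line))
```

For the quoted line this yields rule 30109 at level 9 with srcip 192.168.0.123, which is the alert the rule is meant to produce. The model only shows that the rule logic itself is sound; it says nothing about where the real ossec-logtest crashes, which is what a gdb backtrace of the segfault would show.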
