It seems that some type of limit exists when IP lists are used ... I have recreated my custom rule file using only one sid inside the if_sid option, and it doesn't work either:

2012/04/03 11:15:23 ossec-analysisd: INFO: Reading rules file: 'my_rbn_rules.xml'
2012/04/03 11:15:23 ossec-remoted: INFO: Started (pid: 1857).
2012/04/03 11:15:26 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2012/04/03 11:15:26 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
2012/04/03 11:15:26 ossec-syscheckd(1210): ERROR: Queue '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2012/04/03 11:15:26 ossec-rootcheck(1210): ERROR: Queue '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2012/04/03 11:15:32 ossec-logcollector(1210): ERROR: Queue '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2012/04/03 11:15:32 ossec-logcollector(1211): ERROR: Unable to access queue: '/data/ossec/queue/ossec/queue'. Giving up..
2012/04/03 11:15:34 ossec-syscheckd(1210): ERROR: Queue '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2012/04/03 11:15:34 ossec-rootcheck(1210): ERROR: Queue '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'.

Is this a bug??

On Tue, Apr 3, 2012 at 8:30 AM, C. L. Martinez <[email protected]> wrote:
> Doesn't show anything strange:
>
> [root@srvtest bin]# /data/ossec/bin/ossec-logtest -t
> 2012/04/03 06:29:28 ossec-testrule: INFO: Reading local decoder file.
> [root@srvtest bin]#
>
> On Mon, Apr 2, 2012 at 5:30 PM, dan (ddp) <[email protected]> wrote:
>> /var/ossec/bin/logtest -t
>>
>> Try troubleshooting the issue.
>>
>> On Apr 2, 2012 6:31 AM, "C. L. Martinez" <[email protected]> wrote:
>>>
>>> Hi all,
>>>
>>> I have a strange problem. I have defined a custom rule to trigger an
>>> alert when an RBN IP comes as a srcip in my log file.
>>> For example:
>>>
>>> <group name="rbn,">
>>> <rule id="110008" level="14">
>>> <if_sid>100202,100203,100201</if_sid>
>>> <srcip>108.60.159.33</srcip>
>>> <description>Connection from RBN IP</description>
>>> </rule>
>>> </group>
>>>
>>> When I try to load this type of rule, this error occurs:
>>>
>>> 2012/04/02 07:47:27 ossec-analysisd: INFO: Reading rules file:
>>> 'my_rbn_rules.xml'
>>> 2012/04/02 07:47:27 ossec-remoted: INFO: Started (pid: 6387).
>>> 2012/04/02 07:47:27 ossec-remoted: Remote syslog allowed from:
>>> '192.168.44.0/24'
>>> 2012/04/02 07:47:27 ossec-remoted: INFO: Started (pid: 6389).
>>> 2012/04/02 07:47:30 ossec-syscheckd(1210): ERROR: Queue
>>> '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2012/04/02 07:47:30 ossec-rootcheck(1210): ERROR: Queue
>>> '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2012/04/02 07:47:30 ossec-remoted(1210): ERROR: Queue
>>> '/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2012/04/02 07:47:30 ossec-remoted(1211): ERROR: Unable to access
>>> queue: '/queue/ossec/queue'. Giving up..
>>> 2012/04/02 07:47:32 ossec-analysisd: INFO: Reading rules file:
>>> 'my_dshield_rules.xml'
>>> 2012/04/02 07:47:32 ossec-analysisd: INFO: Reading rules file:
>>> 'ossec_rules.xml'
>>>
>>> But it is really strange, because I have another rule file
>>> (my_dshield_rules.xml) configured like the previous one, and this doesn't
>>> return any error .... Where is the problem??
>>>
>>> Thanks.
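As an added check, not part of this thread or of the OSSEC project: a small Python lint that parses a rules file in the shape of the my_rbn_rules.xml quoted above and flags non-numeric if_sid entries and malformed srcip/dstip values, which is a quick way to rule out a rule-syntax problem before suspecting analysisd itself. The sample rule text (including the second, deliberately broken rule) is constructed, and the set of address forms it accepts is an assumption rather than OSSEC's documented grammar.

```python
"""Lint an OSSEC rules file: numeric if_sid lists and well-formed srcip values."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the thread's my_rbn_rules.xml, plus a
# second, deliberately broken rule so the checker has something to report.
SAMPLE_RULES = """
<group name="rbn,">
  <rule id="110008" level="14">
    <if_sid>100202,100203,100201</if_sid>
    <srcip>108.60.159.33</srcip>
    <description>Connection from RBN IP</description>
  </rule>
  <rule id="110009" level="14">
    <if_sid>100202, abc</if_sid>
    <srcip>108.60.999.1</srcip>
    <description>Broken rule, constructed for the demo</description>
  </rule>
</group>
"""

def valid_srcip(value):
    """Accept an exact IPv4/IPv6 address, a CIDR block, or a dotted prefix such
    as '192.168.'; a leading '!' negates. Which forms OSSEC accepts is an
    assumption here; check it against your version's rule syntax."""
    v = value.strip().lstrip("!")
    if re.fullmatch(r"(\d{1,3}\.){1,3}", v):
        return all(int(o) <= 255 for o in v.rstrip(".").split("."))
    try:
        ipaddress.ip_network(v, strict=False)
        return True
    except ValueError:
        return False

def lint_rules(xml_text):
    """Return (rule_id, message) findings. OSSEC rule files may hold several
    top-level <group> elements, so the text is wrapped in a synthetic root."""
    root = ET.fromstring("<ossec_rules>" + xml_text + "</ossec_rules>")
    findings = []
    for rule in root.iter("rule"):
        rid = rule.get("id", "?")
        for ref in (s for sid in rule.findall("if_sid") for s in (sid.text or "").split(",")):
            if not ref.strip().isdigit():
                findings.append((rid, "if_sid entry %r is not numeric" % ref.strip()))
        for ip in rule.findall("srcip") + rule.findall("dstip"):
            if not valid_srcip(ip.text or ""):
                findings.append((rid, "bad address %r in <%s>" % (ip.text, ip.tag)))
    return findings
```

Run it against the real file with `lint_rules(open("/data/ossec/rules/my_rbn_rules.xml").read())`; an empty list means the rule bodies are at least syntactically plausible and the failure lies elsewhere.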
