Check the documentation. I thought CIDRs were represented differently. Are you using address_match_key?

On Apr 3, 2012 9:27 AM, "C. L. Martinez" <[email protected]> wrote:
> Yes I have tried but I don't see where the problem is ...
>
> At this moment I am trying using a cdb list and it works ok ... but only if I use an IP address and not a subnet address. For example:
>
> 109.73.106.2:rbn --- this works, alert is triggered like it does using a simple rule
> 109.94.208.0/20:rbn -- this doesn't work (using for example 109.94.208.1 as a srcip or dstip), when using a simple rule it works ...
>
> Do subnets defined as a key work??
>
>
> On Tue, Apr 3, 2012 at 3:09 PM, dan (ddp) <[email protected]> wrote:
> > Try running everything in debug mode, and maybe run analysisd in gdb.
> > Also, have you tried removing the new rule to see if that fixes it?
> >
> > On Apr 3, 2012 8:44 AM, "C. L. Martinez" <[email protected]> wrote:
> >>
> >> It seems that some type of limit exists when ip lists are used ... I have recreated my custom rule file using only one sid inside the if_sid option, and it doesn't work either:
> >>
> >> 2012/04/03 11:15:23 ossec-analysisd: INFO: Reading rules file: 'my_rbn_rules.xml'
> >> 2012/04/03 11:15:23 ossec-remoted: INFO: Started (pid: 1857).
> >> 2012/04/03 11:15:26 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
> >> 2012/04/03 11:15:26 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
> >> 2012/04/03 11:15:26 ossec-syscheckd(1210): ERROR: Queue '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> >> 2012/04/03 11:15:26 ossec-rootcheck(1210): ERROR: Queue '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> >> 2012/04/03 11:15:32 ossec-logcollector(1210): ERROR: Queue '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> >> 2012/04/03 11:15:32 ossec-logcollector(1211): ERROR: Unable to access queue: '/data/ossec/queue/ossec/queue'. Giving up..
> >> 2012/04/03 11:15:34 ossec-syscheckd(1210): ERROR: Queue '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> >> 2012/04/03 11:15:34 ossec-rootcheck(1210): ERROR: Queue '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> >>
> >> Is this a bug??
> >>
> >> On Tue, Apr 3, 2012 at 8:30 AM, C. L. Martinez <[email protected]> wrote:
> >> > Doesn't show anything strange:
> >> >
> >> > [root@srvtest bin]# /data/ossec/bin/ossec-logtest -t
> >> > 2012/04/03 06:29:28 ossec-testrule: INFO: Reading local decoder file.
> >> > [root@srvtest bin]#
> >> >
> >> > On Mon, Apr 2, 2012 at 5:30 PM, dan (ddp) <[email protected]> wrote:
> >> >> /var/ossec/bin/logtest -t
> >> >>
> >> >> Try troubleshooting the issue.
> >> >>
> >> >> On Apr 2, 2012 6:31 AM, "C. L. Martinez" <[email protected]> wrote:
> >> >>>
> >> >>> Hi all,
> >> >>>
> >> >>> I have a strange problem. I have defined a custom rule to trigger an alert when an RBN IP comes as a srcip in my logs file. For example:
> >> >>>
> >> >>> <group name="rbn,">
> >> >>>   <rule id="110008" level="14">
> >> >>>     <if_sid>100202,100203,100201</if_sid>
> >> >>>     <srcip>108.60.159.33</srcip>
> >> >>>     <description>Connection from RBN IP</description>
> >> >>>   </rule>
> >> >>> </group>
> >> >>>
> >> >>> When I try to load these types of rules, this error occurs:
> >> >>>
> >> >>> 2012/04/02 07:47:27 ossec-analysisd: INFO: Reading rules file: 'my_rbn_rules.xml'
> >> >>> 2012/04/02 07:47:27 ossec-remoted: INFO: Started (pid: 6387).
> >> >>> 2012/04/02 07:47:27 ossec-remoted: Remote syslog allowed from: '192.168.44.0/24'
> >> >>> 2012/04/02 07:47:27 ossec-remoted: INFO: Started (pid: 6389).
> >> >>> 2012/04/02 07:47:30 ossec-syscheckd(1210): ERROR: Queue '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> >> >>> 2012/04/02 07:47:30 ossec-rootcheck(1210): ERROR: Queue '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> >> >>> 2012/04/02 07:47:30 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
> >> >>> 2012/04/02 07:47:30 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
> >> >>> 2012/04/02 07:47:32 ossec-analysisd: INFO: Reading rules file: 'my_dshield_rules.xml'
> >> >>> 2012/04/02 07:47:32 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
> >> >>>
> >> >>> But it is really strange, because I have another rule file (my_dshield_rules.xml) configured like the previous one, and this doesn't return any error .... Where is the problem??
> >> >>>
> >> >>> Thanks.
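As an added example (not code from the thread, and not OSSEC's own implementation), the Python below models the point dan is making: a CDB list is a key/value store, so `109.94.208.0/20` as a key is just a string, and an exact lookup of the address `109.94.208.1` can never equal it. The `address_match_lookup` function assumes the address_match_key convention of trying the full address first and then shorter dotted-octet prefixes (`109.94.208.`, `109.94.`, `109.`); that assumption, and the `cidr_to_prefix_keys` helper that expands a CIDR into such prefix keys, should be checked against the OSSEC CDB list documentation before relying on them. The example also shows a side effect of an octet-prefix convention that a /20 cannot be written as a single prefix key and has to become sixteen /24 entries. The list source is constructed from the two entries quoted in the thread.

```python
"""Exact-key vs. address-prefix lookup against a CDB-style IP list.

Added example: models the behaviour discussed in the thread, it is not
OSSEC code. The prefix-key convention in address_match_lookup() and
cidr_to_prefix_keys() is an assumption to verify against the docs.
"""
import ipaddress

# Constructed list source in the key:value form quoted in the thread.
# The CIDR key is kept on purpose to show that no lookup ever hits it.
LIST_SOURCE = """\
109.73.106.2:rbn
109.94.208.0/20:rbn
"""


def parse_list(text):
    """Parse key:value lines into a dict (stand-in for the compiled CDB)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        table[key] = value
    return table


def exact_lookup(table, ip):
    """Plain key lookup: only an identical key string matches."""
    return table.get(ip)


def address_match_lookup(table, ip):
    """Assumed address_match_key semantics: try the full IPv4 address,
    then progressively shorter dotted octet prefixes 'a.b.c.', 'a.b.', 'a.'.
    """
    octets = ip.split(".")
    if len(octets) != 4:
        return None
    candidates = [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)]
    for cand in candidates:
        if cand in table:
            return table[cand]
    return None


def cidr_to_prefix_keys(cidr):
    """Expand a CIDR into octet-aligned dotted-prefix keys.

    A prefix key can only express /8, /16, /24 or a full address, so a
    network that is not octet-aligned (e.g. a /20) is split into the
    smallest aligned blocks that cover it (sixteen /24s for a /20).
    """
    net = ipaddress.ip_network(cidr, strict=False)
    plen = next(p for p in (8, 16, 24, 32) if p >= net.prefixlen)
    keys = []
    for sub in net.subnets(new_prefix=plen):
        octets = str(sub.network_address).split(".")
        if plen == 32:
            keys.append(str(sub.network_address))   # single host key
        else:
            keys.append(".".join(octets[: plen // 8]) + ".")
    return keys


def expand_list_source(text):
    """Rewrite CIDR keys in a list source into prefix keys; other lines pass through."""
    out = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if "/" in key:
            out.extend(f"{k}:{value}" for k in cidr_to_prefix_keys(key))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    raw = parse_list(LIST_SOURCE)
    # The host entry works with either lookup; the CIDR entry works with neither,
    # because '109.94.208.0/20' is a literal key, not a range.
    print(exact_lookup(raw, "109.73.106.2"))            # rbn
    print(exact_lookup(raw, "109.94.208.1"))            # None
    print(address_match_lookup(raw, "109.94.208.1"))    # None

    # After expansion the prefix lookup covers the whole /20 and nothing beyond it.
    fixed = parse_list(expand_list_source(LIST_SOURCE))
    print(address_match_lookup(fixed, "109.94.208.1"))  # rbn
    print(address_match_lookup(fixed, "109.94.224.1"))  # None
    print(expand_list_source(LIST_SOURCE))
```

Printing `expand_list_source(LIST_SOURCE)` gives a source file that can be compiled into a CDB with the same tooling as before; the point to take from the run is that the fix is in how the keys are written, not in the rule that references the list.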
