Hi, I'm noticing in 2.6 if I set the maxsize to anything say like this:
<rule id="100006" level="8" maxsize="9998">
  <if_sid>1002</if_sid>
  <match>dotDefender</match>
  <description>Attack Attempts Reported by dotDefender</description>
  <group>system_error,</group>
</rule>
the rule is completely skipped during the ossec-logtest -f process and it only
reports a 1002 alert. If I remove the maxsize="9998" it gets applied as expected.
Sample event log:
2012 Dec 24 14:16:33 (machine) 1.2.3.202->WinEvtLog WinEvtLog: Applicure:
INFORMATION(1): dotDefender: (no user): no domain: hostname: Rule Category:
Windows Directories and Files \ Test Scripts Applied Policy: Deny (Monitoring
Mode) Client Address: 1.2.3.182 Destination URL:
http://www.asdfasdfasdf.com/Scripts/jquery.easing.1.3.min.js Request Method:
GET Site Profile: Default Security Profile Matched Pattern: ^/scripts
Substring Match: 0, 8 Error String: Reference ID: 14B9-3160-AF1E-1325
-----Begin HTTP Headers GET /Scripts/jquery.easing.1.3.min.js HTTP/1.1
Connection: keep-alive Accept: */* Accept-Encoding: gzip, deflate
Accept-Language: en-us Cookie: ASP.NET_SessionId=pac5qk45etgou1455jiw1v55;
__utma=40038394.854687533.1312999046.1356316409.1356320779.521;
__utmz=40038394.1312999046.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Host: www.asdfasdfasdf.com Referer: http://www.asdfasdfasdf.com/Event.aspx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5)
AppleWebKit/536.26.17 (KHTML, like Gecko) Version/6.0.2 Safari/536.26.17
X-dotDefender-first-line: GET /Scripts/jquery.easing.1.3.min.js HTTP/1.1
-----End HTTP Headers
However, if I omit the maxsize the rule doesn't send out an email (email set to
alert at 8 or higher) or even log an alert in OSSEC logs/alerts.log.
Am I setting up this rule option incorrectly?
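The following is an added worked example, not code from the post above and not part of OSSEC itself. It models the order in which OSSEC's analysisd evaluates the rule in the post: the maxsize gate is checked before <match>, and the rule is discarded whenever the event is shorter than maxsize, so the attribute behaves as a minimum event length rather than a maximum. The sample event is the dotDefender WinEvtLog entry from the post joined into the single line the analyser sees; the rule_matches helper and its parameter names are this example's own.

```python
"""Model of OSSEC's maxsize gate for the dotDefender rule in the post.

Added example (not from the post, not OSSEC code). Assumption: analysisd
discards a rule when the event length is below maxsize, before <match> is
evaluated, so maxsize is effectively a minimum size.
"""
from typing import Optional

# Constructed sample: the WinEvtLog event quoted in the post, with the
# mailing-list line wraps removed so it is one event string.
SAMPLE_EVENT = " ".join([
    "2012 Dec 24 14:16:33 (machine) 1.2.3.202->WinEvtLog WinEvtLog: Applicure:",
    "INFORMATION(1): dotDefender: (no user): no domain: hostname: Rule Category:",
    "Windows Directories and Files \\ Test Scripts Applied Policy: Deny (Monitoring",
    "Mode) Client Address: 1.2.3.182 Destination URL:",
    "http://www.asdfasdfasdf.com/Scripts/jquery.easing.1.3.min.js Request Method:",
    "GET Site Profile: Default Security Profile Matched Pattern: ^/scripts",
    "Substring Match: 0, 8 Error String: Reference ID: 14B9-3160-AF1E-1325",
    "-----Begin HTTP Headers GET /Scripts/jquery.easing.1.3.min.js HTTP/1.1",
    "Connection: keep-alive Accept: */* Accept-Encoding: gzip, deflate",
    "Accept-Language: en-us Cookie: ASP.NET_SessionId=pac5qk45etgou1455jiw1v55;",
    "__utma=40038394.854687533.1312999046.1356316409.1356320779.521;",
    "__utmz=40038394.1312999046.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)",
    "Host: www.asdfasdfasdf.com Referer: http://www.asdfasdfasdf.com/Event.aspx",
    "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5)",
    "AppleWebKit/536.26.17 (KHTML, like Gecko) Version/6.0.2 Safari/536.26.17",
    "X-dotDefender-first-line: GET /Scripts/jquery.easing.1.3.min.js HTTP/1.1",
    "-----End HTTP Headers",
])


def rule_matches(event: str, pattern: str = "dotDefender",
                 maxsize: Optional[int] = None) -> bool:
    """Return True when the modelled rule 100006 would fire on `event`.

    Order of checks mirrors analysisd: size gate first, then the <match>
    substring test.  A literal <match> value is a plain substring search.
    """
    # Size gate: an event shorter than maxsize never reaches <match>, so the
    # child rule is skipped and the parent (1002) alert is all that remains.
    if maxsize is not None and len(event) < maxsize:
        return False
    return pattern in event


def explain(event: str, maxsize: Optional[int]) -> str:
    """Human-readable summary of why the rule did or did not fire."""
    length = len(event)
    if maxsize is not None and length < maxsize:
        return (f"event is {length} chars, below maxsize={maxsize}: "
                f"rule skipped, only the parent rule alerts")
    verdict = "fires" if rule_matches(event, maxsize=maxsize) else "does not match"
    return f"event is {length} chars, size gate passed: rule {verdict}"


if __name__ == "__main__":
    # With maxsize="9998" the ~1.2 KB sample is filtered out before <match>.
    print(explain(SAMPLE_EVENT, maxsize=9998))
    # Without maxsize (or with one no larger than the event) the rule fires.
    print(explain(SAMPLE_EVENT, maxsize=None))
    print(explain(SAMPLE_EVENT, maxsize=len(SAMPLE_EVENT)))
```

The exact character count analysisd measures can differ slightly from len(SAMPLE_EVENT), depending on how much of the agent and WinEvtLog prefix is stripped before the rule engine sees the event, but the sample is far below 9998 either way, which is consistent with the rule never firing in ossec-logtest while the attribute is present.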