Hi all
experimenting with the logging options to a mysql database showed two
problems for which I was able to find a fix that works for me. Hopefully
others can benefit from it as well.
I have noticed that ossec-dbd crashed (segfault) every time in my
installation when it was in the process of reading the rules files and
inserting them into the database. Turns out that it crashed when a rule
without <description> is encountered. The offending rule is id 13106
(inside smbd_rules.xml). Tracing the error, it became clear that the problem
is in src/os_dbd/rules.c (empty description results in null pointer).
The second issue I met was a bit harder to track down. Once the above was
fixed, I noticed that certain log entries (and only certain ones) in the
syslog resulted in another crash of ossec-dbd. When using the following
command, the crash is reproducible:
# logger -p daemon.warning "OSSec Alert Test: failed"
Turns out that in this case, the user field is empty, resulting in another
null pointer (src/os_dbd/alert.c).
The following is able to fix these problems for me (setting a default):
diff -cr ossec-hids-2.7/src/os_dbd/rules.c
ossec-hids-2.7-patched//src/os_dbd/rules.c
*** ossec-hids-2.7/src/os_dbd/rules.c Fri Nov 9 03:24:55 2012
--- ossec-hids-2.7-patched//src/os_dbd/rules.c Mon Feb 25 15:57:50 2013
***************
*** 236,242 ****
if(rule->level < 0)
rule->level = 0;
!
debug1("%s: DEBUG: entering _Rules_ReadInsertDB()", ARGV0);
--- 236,246 ----
if(rule->level < 0)
rule->level = 0;
! if(rule->comment == NULL)
! {
! rule->comment = "No description in xml rule file found.";
! }
!
debug1("%s: DEBUG: entering _Rules_ReadInsertDB()", ARGV0);
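Review bot: Assigning a string literal to rule->comment in the new block is risky if the rule structure is ever released with free() on each field, because the literal does not live on the heap; a strdup()'d default, or a NULL check at the point where the comment is passed into the SQL statement, avoids that. The default text itself also ends up in the database as if it were the rule's real description, so a neutral marker (an empty string or an explicit placeholder the reporting side can recognise) is preferable to prose. Whether the comment is freed later is not visible in this hunk, so please confirm against the rule cleanup code before merging.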
diff -cr ossec-hids-2.7/src/os_dbd/alert.c
ossec-hids-2.7-patched//src/os_dbd/alert.c
*** ossec-hids-2.7/src/os_dbd/alert.c Fri Nov 9 03:24:55 2012
--- ossec-hids-2.7-patched//src/os_dbd/alert.c Mon Feb 25 15:55:50 2013
***************
*** 119,124 ****
--- 119,128 ----
sql_query[0] = '\0';
sql_query[OS_SIZE_8192] = '\0';
+ if(al_data->user == NULL)
+ {
+ al_data->user = "Unknown";
+ }
/* Converting srcip to int */
if(al_data->srcip)
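Review bot: Same concern as in rules.c: al_data->user = "Unknown" stores a pointer to a string literal in a structure whose other fields are typically heap-allocated, so if the caller frees al_data->user after the insert this becomes an invalid free(); strdup("Unknown") or a local default used only for the query keeps ownership consistent. Also consider that "Unknown" could collide with a genuine account name when alerts are later searched by user; storing an empty string or NULL in the user column is the more honest representation of "no user in this event". A check of the other string fields used in the query (srcip is already tested just below) would close the remaining NULL paths the author mentions.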
I have no idea if similar problems might occur elsewhere in the code.
Honestly, I am a little concerned about what I have seen in these two
examples. What if the src ip cannot be determined? Or the xyz?