Hello,
I tested this with ossec server 2.8 and 2.7.1. When I added this rule to
an ignorerules.xml (it's at the bottom of the rules list in ossec.conf):
<rule id="533" level="5" overwrite="yes">
  <if_sid>530</if_sid>
  <match>ossec: output: 'netstat -tan</match>
  <check_diff />
  <description>Listened ports status (netstat) changed (new port opened or closed).</description>
</rule>
As soon as I receive an event related to this rule, it crashes ossec;
remoted and analysisd are both no longer running. There's no log entry either.
Is there any way to find out why this is happening?
Thank you.
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
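The rule above relies on check_diff, which alerts when the stored output of the 'netstat -tan' command differs from the previous run. The following is an added example, not code from the post or from OSSEC itself, that emulates the check the rule is meant to perform; it narrows the comparison to LISTEN lines (what the rule's description is after), and the two netstat events are constructed sample input in the "ossec: output:" log format.

```python
"""Added example: emulate what the netstat-diff rule is meant to detect.

OSSEC's check_diff compares the whole stored command output; this
example compares only the listening sockets, so an established client
connection appearing or disappearing does not count as a change.
"""
import re
from typing import Dict, Set, Tuple

# Constructed sample events in the format the <match> pattern targets.
PREVIOUS_EVENT = (
    "ossec: output: 'netstat -tan':\n"
    "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN\n"
    "tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN\n"
)
CURRENT_EVENT = (
    "ossec: output: 'netstat -tan':\n"
    "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN\n"
    "tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN\n"
    "tcp        0      0 10.0.0.5:22             10.0.0.9:51324          ESTABLISHED\n"
)

# Same prefix the rule's <match> element keys on.
EVENT_PREFIX = "ossec: output: 'netstat -tan"
# proto, recv-q, send-q, local address:port, foreign address, state
LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s*$")

Socket = Tuple[str, str, int]


def listening_ports(event: str) -> Set[Socket]:
    """Return the set of (proto, local_addr, port) sockets in LISTEN state.

    Raises ValueError if the event is not a 'netstat -tan' output event,
    so a stray log line is never silently treated as an empty snapshot.
    """
    if not event.startswith(EVENT_PREFIX):
        raise ValueError("not a 'netstat -tan' command-output event")
    ports: Set[Socket] = set()
    for line in event.splitlines()[1:]:  # skip the "ossec: output:" header
        m = LISTEN_RE.match(line)
        if m:
            ports.add((m.group(1), m.group(2), int(m.group(3))))
    return ports


def port_diff(previous: str, current: str) -> Dict[str, Set[Socket]]:
    """Compare two snapshots; both sets empty means 'no alert'."""
    before, after = listening_ports(previous), listening_ports(current)
    return {"opened": after - before, "closed": before - after}


if __name__ == "__main__":
    change = port_diff(PREVIOUS_EVENT, CURRENT_EVENT)
    if change["opened"] or change["closed"]:
        print("Listening ports changed:", change)
```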