I recently installed OSSEC 2.8 and have been adding rules to
local_rules.xml with no problems until today.
When I add the following rule:
<rule id="100117" level="0">
  <if_group>syslog</if_group>
  <match>%ASA-3-305006: regular translation creation failed for icmp</match>
  <description>Ignore Cisco ASA error 305006</description>
</rule>
I see the following errors on restart:
2014/09/18 17:03:11 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2014/09/18 17:03:11 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
If I comment out the rule and restart, all components start up without error.
Totally repeatable. This suggests that there are no problems with
permissions, etc.
The odd thing is that local_rules.xml contains a nearly identical rule
that causes no such problems:
<rule id="100110" level="0">
  <if_group>syslog</if_group>
  <match>%ASA-4-313005: No matching connection for ICMP error message</match>
  <description>Ignore Cisco ASA error 313005</description>
</rule>
I've retyped and pasted and edited the working rule to guarantee that there
are no invisible characters.
Any ideas what could be causing these errors?
Thanks!
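A small pre-flight check for a local_rules.xml fragment, added here as an example and not part of the original post or of OSSEC itself. It wraps the rule fragment in a synthetic root (OSSEC rule files have no single root element), then flags duplicate or non-numeric rule ids and any <match>/<regex> pattern that carries a literal line break; the sample input is the two rules from the post, with the first one's pattern wrapped the way a mail client would wrap it. Assumption: a log event is a single line, so a pattern containing a line break is treated as a copy/paste artefact rather than a deliberate pattern.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: the two rules from the post. The first <match> keeps the
# hard line break that line-wrapping leaves behind, the second is on one line.
SAMPLE_LOCAL_RULES = """
<rule id="100117" level="0">
  <if_group>syslog</if_group>
  <match>%ASA-3-305006: regular translation creation failed for
icmp</match>
  <description>Ignore Cisco ASA error 305006</description>
</rule>

<rule id="100110" level="0">
  <if_group>syslog</if_group>
  <match>%ASA-4-313005: No matching connection for ICMP error message</match>
  <description>Ignore Cisco ASA error 313005</description>
</rule>
"""


def lint_rules(text):
    """Return a list of (rule_id, problem) tuples for an OSSEC rules fragment."""
    # Rule files are not a complete XML document, so give the parser a root.
    root = ET.fromstring("<ossec_rules>" + text + "</ossec_rules>")
    problems = []
    ids = Counter(rule.get("id") for rule in root.iter("rule"))
    for rule in root.iter("rule"):
        rid = rule.get("id")
        if rid is None or not rid.isdigit():
            problems.append((rid, "missing or non-numeric id"))
        elif ids[rid] > 1:
            problems.append((rid, "duplicate rule id"))
        if rule.get("level") is None:
            problems.append((rid, "missing level attribute"))
        for tag in ("match", "regex"):
            for node in rule.findall(tag):
                pattern = node.text or ""
                # Assumption: events are single lines, so a pattern with an
                # embedded line break can never match a real event.
                if "\n" in pattern or "\r" in pattern:
                    problems.append((rid, f"<{tag}> contains a line break"))
    return problems


if __name__ == "__main__":
    for rid, msg in lint_rules(SAMPLE_LOCAL_RULES):
        print(f"rule {rid}: {msg}")
```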