[ossec-dev] [Bug 41] New: Custom rule added to local_rules.xml causes 'queue' error and ossec crash.
http://www.ossec.net/bugs/show_bug.cgi?id=41
Summary: Custom rule added to local_rules.xml causes 'queue'
error and ossec crash.
Product: OSSEC
Version: 1.1
Platform: Other
OS/Version: FreeBSD
Status: NEW
Severity: normal
Priority: P3
Component: ossec core
AssignedTo: ossec-dev@xxxxxxxxx
ReportedBy: chr1s@xxxxxxxxxx
I added a custom rule to local_rules.xml and restarted ossec. After about 2
minutes I got the following error in ossec.log:
----
2007/04/21 13:51:43 ossec-logcollector: Started (pid: 62983).
2007/04/21 13:52:47 ossec-analysisd: No sid search!! XXX
2007/04/21 13:52:47 ossec-logcollector: socketerr (not available).
2007/04/21 13:52:47 ossec-logcollector(1224): Error sending message to queue.
2007/04/21 13:52:50 ossec-logcollector(1210): Queue
'/var/ossec/queue/ossec/queue' not accessible.
2007/04/21 13:52:50 ossec-logcollector(1211): Unable to access queue:
'/var/ossec/queue/ossec/queue'. Giving up..
2007/04/21 13:53:23 ossec-syscheckd: socketerr (not available).
2007/04/21 13:53:23 ossec-syscheckd(1224): Error sending message to queue.
2007/04/21 13:53:26 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue'
not accessible.
2007/04/21 13:53:26 ossec-syscheckd(1211): Unable to access queue:
'/var/ossec/queue/ossec/queue'. Giving up..
---
Once I removed the rule and restarted ossec the error did not return and ossec
continued to run with no problems. I got the error on two separate FreeBSD
6.2-R systems, one of which was a local install, the other was a server install.
How to repeat:
Start with a clean ossec install, edit local_rules.xml and add the following
block just before you see </group> <!-- SYSLOG,LOCAL -->
---
<rule id="30114" level="10" frequency="30" timeframe="120" overwrite="yes">
  <if_matched_sid>30112</if_matched_sid>
  <same_source_ip />
  <description>Multiple attempts to access non-existent </description>
  <description>files (web scan) from same source.</description>
  <group>web_scan,recon,</group>
</rule>
---
There may be a syntax error in the above rule which was causing the crash, but I
still believe this to be a bug.
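As an added example (not from the report or from the OSSEC project): a small Python checker that reads ossec.log lines in the format shown above and reports which daemons lost the analysisd queue and gave up, so an operator notices that events are no longer being analysed. The log line format and the error codes 1210/1211/1224 are taken from the report; the function names and the sample list are my own, and the sample reuses the report's lines with the wrapped ones rejoined.

```python
import re
from collections import defaultdict

# ossec.log line format as it appears in the report, e.g.
#   2007/04/21 13:52:50 ossec-logcollector(1210): Queue '...' not accessible.
# The numeric code in parentheses is optional ("ossec-analysisd: No sid search!! XXX").
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>ossec-[a-z]+)(?:\((?P<code>\d+)\))?: (?P<msg>.*)$"
)

# Error codes from the report that point at the analysisd queue being unreachable.
QUEUE_CODES = {"1210", "1211", "1224"}
GIVE_UP_CODE = "1211"  # "Unable to access queue ... Giving up.."

# Sample input: the report's log lines, with the e-mail line wraps removed.
SAMPLE_LOG = [
    "2007/04/21 13:51:43 ossec-logcollector: Started (pid: 62983).",
    "2007/04/21 13:52:47 ossec-analysisd: No sid search!! XXX",
    "2007/04/21 13:52:47 ossec-logcollector: socketerr (not available).",
    "2007/04/21 13:52:47 ossec-logcollector(1224): Error sending message to queue.",
    "2007/04/21 13:52:50 ossec-logcollector(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.",
    "2007/04/21 13:52:50 ossec-logcollector(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..",
    "2007/04/21 13:53:23 ossec-syscheckd: socketerr (not available).",
    "2007/04/21 13:53:23 ossec-syscheckd(1224): Error sending message to queue.",
    "2007/04/21 13:53:26 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.",
    "2007/04/21 13:53:26 ossec-syscheckd(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..",
]

def parse_line(line):
    """Split one ossec.log line into ts/daemon/code/msg, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def queue_failures(lines):
    """Return ({daemon: [codes in order]}, {daemons that gave up}).

    A daemon in the second set has stopped forwarding events to analysisd,
    which means nothing it collects is being analysed or alerted on."""
    per_daemon = defaultdict(list)
    gave_up = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["code"] in QUEUE_CODES or "socketerr" in rec["msg"]:
            per_daemon[rec["daemon"]].append(rec["code"] or "socketerr")
            if rec["code"] == GIVE_UP_CODE:
                gave_up.add(rec["daemon"])
    return dict(per_daemon), gave_up

if __name__ == "__main__":
    failures, dead = queue_failures(SAMPLE_LOG)
    for daemon in sorted(dead):
        print(f"{daemon} gave up on the analysisd queue after: {failures[daemon]}")
```

Running it against a live ossec.log (for example via `tail -F`) and alerting whenever the gave-up set is non-empty turns the silent loss of analysis described in the report into a visible event.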