[ossec-dev] Re: [ossec-list] Re: New Rules
Daniel
I did exactly this: replaced "<" with "\S" temporarily.
Here are my rules to add in the next release.
<!-- Feb 28 09:09:38 internet-gw named[4269]: zone 0.30.172.in-addr.arpa/IN/internal: serial number (2006061319) received from master 10.0.0.2#53 < ours (2006061320) -->
<rule id="12110" level="8">
  <regex>^zone \S+ serial number (\S+) received from master \S+ \S+ ours (\S+)</regex>
  <description>Serial number received from master is bigger than ours.</description>
</rule>
<!-- Mar 5 15:45:43 internet-gw named[3739]: transfer of 'teikon.com.br/IN' from 10.0.192.7#53: failed while receiving responses: REFUSED -->
<rule id="12111" level="8">
  <regex>^transfer of '\S+' from \S+: failed while receiving responses: REFUSED</regex>
  <description>Troubles during zone transfer.</description>
</rule>
Thanks
--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
goldim@xxxxxxxxxxxxxxxxxxxx
Daniel Cid wrote:
>
> Hi Leonardo,
>
> The problem is with the "<" at the regex. Our XML library is not liking
> that very much ... If you can replace that by "\S" it will work. I will
> try to fix that for the 1.1 version, but if not, it will be in the next
> one (1.1 beta2 is pretty stable right now and I don't want to mess with it).
>
> We can certainly add your rules for the next release (1.2). I would
> recommend sending them to the ossec-dev list (or to our bugzilla) and I
> will make sure to have that in the next version.
>
> Thanks!
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
> On 3/5/07, Leonardo Goldim <goldim@xxxxxxxxxxxxxxxxxxxx> wrote:
>>
>> Hi
>>
>> I wrote some rules for my ossec but I'm having trouble.
>>
>> Here is my rule:
>>
>> <rule id="60101" level="8">
>> <regex>^zone \S+ serial number (\S+) received from master \S+ <
>> ours (\S+)</regex>
>> <description>Serial number received from master is bigger than
>> ours.</description>
>> </rule>
>>
>> But I can't start ossec with this; I got the following error:
>>
>> # service ossec restart
>> Stopping OSSEC: [ OK ]
>> Starting OSSEC: /opt/ossec/bin/ossec-control: line 108: 13798 Bus error
>> ${DIR}/bin/${i} -t
>> [FAILED]
>>
>> If I take the rule out, ossec starts with no problem.
>>
>> Another question: could my rules come in the next ossec release? What do
>> I have to do? I look for these errors:
>>
>> named[4516]: transfer of 'zone/IN' from server#53: failed while
>> receiving responses: REFUSED
>>
>> and
>>
>> named[4269]: zone zone/IN/internal: serial number (2006061319) received
>> from master server#53 < ours (2006061320)
>>
>>
>> Thanks
>> --
>> ________________________________________
>> Leonardo Goldim - Auditoria Intranetworks
>> goldim@xxxxxxxxxxxxxxxxxxxx
>>
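Added example (not part of the original thread and not OSSEC code): a small offline check that the rule text with a literal "<" is rejected by a standard XML parser, while the "\S" versions parse and fire on the log lines quoted above. Assumptions: Python's xml and re modules stand in for OSSEC's XML library and regex engine (only the syntax subset used in these rules), strip_header is a simplified stand-in for pre-decoding, and the <group> wrapper and third log line are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Rule text from the thread: the first keeps the literal "<", the others use "\S".
RULE_WITH_LT = r'''<rule id="60101" level="8">
<regex>^zone \S+ serial number (\S+) received from master \S+ < ours (\S+)</regex>
</rule>'''
# The <group> wrapper is added here only to give the snippet a single root.
RULES_FIXED = r'''<group>
<rule id="12110" level="8">
<regex>^zone \S+ serial number (\S+) received from master \S+ \S+ ours (\S+)</regex>
</rule>
<rule id="12111" level="8">
<regex>^transfer of '\S+' from \S+: failed while receiving responses: REFUSED</regex>
</rule>
</group>'''
# Log lines quoted in the thread, plus one constructed line that must not match.
LOGS = [
    "Feb 28 09:09:38 internet-gw named[4269]: zone 0.30.172.in-addr.arpa/IN/internal: serial number (2006061319) received from master 10.0.0.2#53 < ours (2006061320)",
    "Mar 5 15:45:43 internet-gw named[3739]: transfer of 'teikon.com.br/IN' from 10.0.192.7#53: failed while receiving responses: REFUSED",
    "Mar 5 15:46:01 internet-gw named[3739]: zone example.test/IN: loaded serial 7",
]

def is_well_formed(xml_text):
    """True if a standard XML parser accepts the rule text."""
    try:
        ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    return True

def load_rules(xml_text):
    """Return [(rule_id, compiled_regex)] for every <rule> in the snippet."""
    return [(r.get("id"), re.compile(r.findtext("regex").strip()))
            for r in ET.fromstring(xml_text).iter("rule")]

def strip_header(line):
    """Simplified pre-decoding: drop 'date host program[pid]: '."""
    return re.sub(r"^\w{3} +\d+ [\d:]+ \S+ \S+\[\d+\]: ", "", line)

def matches(rules, line):
    """Return [(rule_id, captured_groups)] for each rule that fires on the line."""
    msg = strip_header(line)
    return [(rid, m.groups()) for rid, rx in rules if (m := rx.search(msg))]

if __name__ == "__main__":
    print("literal '<' well-formed:", is_well_formed(RULE_WITH_LT))
    for line in LOGS:
        print(matches(load_rules(RULES_FIXED), line))
```

Running a check like this before restarting the daemon catches both a malformed rules file and a regex that no longer matches its sample log line.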
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.