Rule gives error in version 2.8


Kevin Kelly

Jul 1, 2014, 12:02:55 PM7/1/14
to ossec...@googlegroups.com
The following rules worked before, but now I get an error:

<!-- Ignore rule 18139 -->
<rule id="100117" level="0">
<if_sid>18139</if_sid>
<options>no_log</options>
<regex>User name:\s+\.*\$\s+</regex>
<description>Windows login failure for workstation - user name ends in $ (ignored)</description>
</rule>


[root@ossec etc]# /opt/ossec/bin/ossec-logtest
2014/07/01 08:53:27 ossec-testrule: INFO: Reading local decoder file.
2014/07/01 08:53:27 ossec-analysisd(1227): ERROR: Error applying XML variables 'rules//local_rules.xml': XMLERR: Unknown variable: '\s+'..
2014/07/01 08:53:27 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.


--
Kevin Kelly
Director, Network Technology
Whitman College
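The error above shows the XML variable pass treating the `$` in `\$\s+` as a `$NAME` reference and reporting the text after it (`\s+`) as an unknown variable. As an added example (not part of this thread and not OSSEC's own code), the following Python script pre-screens a rules file for the same situation before an upgrade: it collects the `<var name="...">` definitions, then flags every `$` inside a `<regex>` or `<match>` whose following text is not a defined variable. It assumes that those two elements are the ones subject to variable expansion, and, following the error message in the thread, that the candidate name is the run of non-whitespace characters after the `$`; the sample rules file embedded below is constructed from the rule in the post plus one rule that uses a defined variable.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the rule from the thread, plus a rule that
# references a properly defined variable (so the checker can tell them apart).
SAMPLE_RULES = r"""
<group name="local,">
  <var name="BAD_WORDS">core_dumped|failure</var>

  <!-- Ignore rule 18139 -->
  <rule id="100117" level="0">
    <if_sid>18139</if_sid>
    <options>no_log</options>
    <regex>User name:\s+\.*\$\s+</regex>
    <description>Windows login failure for workstation - user name ends in $ (ignored)</description>
  </rule>

  <rule id="100118" level="5">
    <if_sid>18139</if_sid>
    <match>$BAD_WORDS</match>
    <description>Constructed rule that uses a defined variable</description>
  </rule>
</group>
"""

# Assumption: a "$" followed by a run of non-whitespace is what the variable
# pass picks up as a name (the thread's error reports the name as '\s+').
VAR_REF = re.compile(r"\$(\S+)")

# Assumption: these are the rule fields in which "$NAME" references are expanded.
PATTERN_TAGS = ("regex", "match")


def defined_variables(root):
    """Return the set of names declared with <var name="..."> anywhere in the file."""
    return {v.get("name") for v in root.iter("var") if v.get("name")}


def find_dollar_refs(xml_text, pattern_tags=PATTERN_TAGS):
    """Return (rule_id, tag, candidate_name) for every '$' in a pattern field
    that does not resolve to a defined variable.

    OSSEC rule files may contain several top-level <group> elements, so the
    text is wrapped in a synthetic root before parsing.
    """
    root = ET.fromstring("<ossec_root>" + xml_text + "</ossec_root>")
    known = defined_variables(root)
    findings = []
    for rule in root.iter("rule"):
        for child in rule:
            if child.tag not in pattern_tags or not child.text:
                continue
            for m in VAR_REF.finditer(child.text):
                name = m.group(1)
                if name not in known:
                    findings.append((rule.get("id"), child.tag, name))
    return findings


if __name__ == "__main__":
    for rule_id, tag, name in find_dollar_refs(SAMPLE_RULES):
        print(f"rule {rule_id}: <{tag}> contains '$' that would resolve to "
              f"undefined variable {name!r}")
```

Run against a real local_rules.xml, read the file into a string and pass it to `find_dollar_refs`; a rule listed in the output is a candidate for the "Unknown variable" failure, while `$BAD_WORDS`-style references to declared variables pass through unflagged.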

Nguyễn Văn Hớn

Jul 1, 2014, 12:52:38 PM7/1/14
to ossec...@googlegroups.com
You can post the log? 

At 23:02:55 UTC+7 on Tuesday, July 1, 2014, Kevin Kelly wrote:

dan (ddp)

Jul 1, 2014, 1:29:48 PM7/1/14
to ossec...@googlegroups.com
This might be fallout from the regex changes.


Jeremy Rossi

Jul 1, 2014, 1:51:45 PM7/1/14
to ossec...@googlegroups.com
>>>The following rules worked before, but now I get an error:
>>>
>>><!-- Ignore rule 18139 -->
>>><rule id="100117" level="0">
>>><if_sid>18139</if_sid>
>>><options>no_log</options>
>>><regex>User name:\s+\.*\$\s+</regex>
>>><description>Windows login failure for workstation - user name ends in $
>>>(ignored)</description>
>>></rule>
>>>
>>>
>>>[root@ossec etc]# /opt/ossec/bin/ossec-logtest
>>>2014/07/01 08:53:27 ossec-testrule: INFO: Reading local decoder file.
>>>2014/07/01 08:53:27 ossec-analysisd(1227): ERROR: Error applying XML
>>>variables 'rules//local_rules.xml': XMLERR: Unknown variable: '\s+'..
>>>2014/07/01 08:53:27 ossec-testrule(1220): ERROR: Error loading the rules:
>>>'local_rules.xml'.
>>>
>>
>>This might be fallout from the regex changes.
>>
>
>It is. Key bit is "Unknown variable". We fixed this in master, but I
>will check. I will also add this to our testing to make sure things
>like this do not happen.

Just tested and confirmed this is fixed in master. I am going to start
the process of cutting a new release tonight to get this fix out.


Michael Starks

Jul 1, 2014, 1:58:01 PM7/1/14
to ossec...@googlegroups.com
On 2014-07-01 12:51, Jeremy Rossi wrote:
> Just tested and confirmed this is fixed in master. I am going to start
> the process of cutting a new release tonight to get this fix out.

Please also look at issue #236, which may be related.

Jeremy Rossi

Jul 1, 2014, 2:39:45 PM7/1/14
to ossec...@googlegroups.com
* dan (ddp) <ddp...@gmail.com> [2014-07-01 13:29:40 -0400]:

>On Tue, Jul 1, 2014 at 11:54 AM, Kevin Kelly <ke...@whitman.edu> wrote:
>> The following rules worked before, but now I get an error:
>>
>> <!-- Ignore rule 18139 -->
>> <rule id="100117" level="0">
>> <if_sid>18139</if_sid>
>> <options>no_log</options>
>> <regex>User name:\s+\.*\$\s+</regex>
>> <description>Windows login failure for workstation - user name ends in $
>> (ignored)</description>
>> </rule>
>>
>>
>> [root@ossec etc]# /opt/ossec/bin/ossec-logtest
>> 2014/07/01 08:53:27 ossec-testrule: INFO: Reading local decoder file.
>> 2014/07/01 08:53:27 ossec-analysisd(1227): ERROR: Error applying XML
>> variables 'rules//local_rules.xml': XMLERR: Unknown variable: '\s+'..
>> 2014/07/01 08:53:27 ossec-testrule(1220): ERROR: Error loading the rules:
>> 'local_rules.xml'.
>>
>
>This might be fallout from the regex changes.
>

It is. Key bit is "Unknown variable". We fixed this in master, but I
will check. I will also add this to our testing to make sure things
like this do not happen.

-Jeremy Rossi