--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.
Using that suggestion I now get…
rules_list: Signature ID '111112' not found. Invalid 'if_sid'
Notice the similarity here to my original question regarding why I would see this:
ossec-analysisd: Overwrite rule '111112' not found
…when attempting to use my own example rule.
As a possible explanation… I was wondering… could it be the order in which rule files get read during ossec startup? The last two files being read are these.
2017/08/13 18:40:52 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
2017/08/13 18:40:52 ossec-analysisd: INFO: Reading rules file: 'securityonion_rules.xml'
If “reading rules file” implies verifying each rule in the file, then I can understand why a 111112 rule in local_rules.xml would not be able to find rule 111112… because it has not yet been loaded.
Assuming there is any merit to this theory… how could I work around the issue? I don’t want to modify securityonion_rules.xml directly, because I assume it could be overwritten by any future SO updates.