ossec 2.6-15 on RHEL5.10.  

I've got a separate xml in rules called local_nessus_rules.xml where I'm 
trying to exclude all of the security scan IPs.  Separate only for 
readability, and it looks like so:

<group name="local,syslog,">

<rule id="105010" level="0">
    <if_level>2</if_level>
    <srcip>10.100.131.26</srcip>
    <description>Another nessus scan</description>
</rule>

<rule id="105012" level="0">
    <if_level>2</if_level>
    <srcip>10.100.131.28</srcip>
    <description>Another nessus scan</description>
</rule>

 
... etc.  Right now there are 13 of these, all basically identical.

# tail -n18 local_nessus_rules.xml 

<rule id="105032" level="0">
    <if_level>2</if_level>
    <srcip>10.100.131.22</srcip>
    <description>Another nessus scan</description>
</rule>

<rule id="105033" level="0">
    <if_level>2</if_level>
    <srcip>10.100.131.20</srcip>
    <description>Another nessus scan</description>
</rule>

</group>

<!-- SYSLOG,LOCAL -->

<!-- EOF -->
# time /etc/init.d/ossec restart
Stopping OSSEC:                                            [  OK  ]
Starting OSSEC:                                            [  OK  ]

real    0m7.595s
user    0m2.302s
sys     0m0.261s

If I add unlucky rule #14, it takes twice as long to come up - and remoted 
doesn't start.

# tail -n18 local_nessus_rules.xml

<rule id="105033" level="0">
    <if_level>2</if_level>
    <srcip>10.100.131.26</srcip>
    <description>Another nessus scan</description>
</rule>

<rule id="105034" level="0">
    <if_level>2</if_level>
    <srcip>10.100.131.25</srcip>
    <description>Another nessus scan</description>
</rule>

</group>

<!-- SYSLOG,LOCAL -->

<!-- EOF -->


# time /etc/init.d/ossec restart
Stopping OSSEC:                                            [  OK  ]
Starting OSSEC: 2014/08/04 08:25:08 ossec-syscheckd(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2014/08/04 08:25:08 ossec-rootcheck(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
                                                           [  OK  ]

real    0m14.761s
user    0m4.314s
sys    0m0.382s

Removing that last rule allows it to start again.  It's replicable, but 
only if I add another <srcip> rule.  If I add another type - regex, or match 
- it will start up just fine.

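One check worth running on a file like local_nessus_rules.xml before bouncing the daemon is to parse it and flag the usual silent breakers: an id reused, an id outside the local range, or an <srcip> value that is not an address. The checker below is an added example, not code from the thread or from OSSEC; the sample rules are constructed, and the 100000-119999 local-id range and the optional leading "!" negation on <srcip> are assumed from OSSEC's rule syntax.

```python
"""Sanity-check one <group> of OSSEC local rules before restarting the daemon."""
import ipaddress
import xml.etree.ElementTree as ET

# Assumed: the range OSSEC documents for user-defined (local) rule ids.
LOCAL_ID_MIN, LOCAL_ID_MAX = 100000, 119999

# Constructed sample in the shape of local_nessus_rules.xml: the last rule
# reuses an id and carries a malformed srcip, so both findings are exercised.
SAMPLE = """<group name="local,syslog,">
<rule id="105010" level="0"><if_level>2</if_level>
  <srcip>10.100.131.26</srcip><description>Another nessus scan</description></rule>
<rule id="105012" level="0"><if_level>2</if_level>
  <srcip>10.100.131.28</srcip><description>Another nessus scan</description></rule>
<rule id="105012" level="0"><if_level>2</if_level>
  <srcip>10.100.131.2x</srcip><description>Another nessus scan</description></rule>
</group>
<!-- SYSLOG,LOCAL -->
"""


def check_rules(xml_text):
    """Return (problems, srcip_rules): findings plus the count of <srcip> rules."""
    problems, seen_ids, seen_ips, srcip_rules = [], set(), {}, 0
    try:
        group = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"], 0
    if group.tag != "group":
        problems.append(f"root element is <{group.tag}>, expected <group>")
    for rule in group.iter("rule"):
        rid = rule.get("id", "")
        if not rid.isdigit() or not LOCAL_ID_MIN <= int(rid) <= LOCAL_ID_MAX:
            problems.append(f"rule id {rid!r} outside local range")
        if rid in seen_ids:
            problems.append(f"duplicate rule id {rid}")
        seen_ids.add(rid)
        srcip = rule.findtext("srcip")
        if srcip is None:
            continue  # regex/match rules are not what this check is about
        srcip_rules += 1
        try:  # accept a host, a CIDR, or a "!"-negated form of either
            ipaddress.ip_network(srcip.strip().lstrip("!"), strict=False)
        except ValueError:
            problems.append(f"rule {rid}: srcip {srcip!r} is not an IP address")
            continue
        if srcip in seen_ips:
            problems.append(f"rule {rid}: srcip {srcip} already in rule {seen_ips[srcip]}")
        seen_ips.setdefault(srcip, rid)
    return problems, srcip_rules
```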