On Mon, Aug 4, 2014 at 8:37 AM, Tim Boyer <[email protected]> wrote:
> ossec 2.6-15 on RHEL5.10.
>
> I've got a separate xml in rules called local_nessus_rules.xml where I'm
> trying to exclude all of the security scan IPs. Separate only for
> readability, and it looks like so:
>
> <group name="local,syslog,">
>
> <rule id="105010" level="0">
> <if_level>2</if_level>
> <srcip>10.100.131.26</srcip>
> <description>Another nessus scan</description>
> </rule>
>
> <rule id="105012" level="0">
> <if_level>2</if_level>
> <srcip>10.100.131.28</srcip>
> <description>Another nessus scan</description>
> </rule>
>
> ... etc. Right now there are 13 of these, all basically identical.
>
> # tail -n18 local_nessus_rules.xml
>
> <rule id="105032" level="0">
> <if_level>2</if_level>
> <srcip>10.100.131.22</srcip>
> <description>Another nessus scan</description>
> </rule>
>
> <rule id="105033" level="0">
> <if_level>2</if_level>
> <srcip>10.100.131.20</srcip>
> <description>Another nessus scan</description>
> </rule>
>
> </group>
>
> <!-- SYSLOG,LOCAL -->
>
> <!-- EOF -->
>
> # time /etc/init.d/ossec restart
> Stopping OSSEC: [ OK ]
> Starting OSSEC: [ OK ]
>
> real 0m7.595s
> user 0m2.302s
> sys 0m0.261s
>
> If I add unlucky rule #14, it takes twice as long to come up - and remoted
> doesn't start.
>
> # tail -n18 local_nessus_rules.xml
>
> <rule id="105033" level="0">
> <if_level>2</if_level>
> <srcip>10.100.131.26</srcip>
> <description>Another nessus scan</description>
> </rule>
>
> <rule id="105034" level="0">
> <if_level>2</if_level>
> <srcip>10.100.131.25</srcip>
> <description>Another nessus scan</description>
> </rule>
>
> </group>
>
> <!-- SYSLOG,LOCAL -->
>
> <!-- EOF -->
>
> # time /etc/init.d/ossec restart
> Stopping OSSEC: [ OK ]
> Starting OSSEC: 2014/08/04 08:25:08 ossec-syscheckd(1210): ERROR: Queue
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2014/08/04 08:25:08 ossec-rootcheck(1210): ERROR: Queue
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> [ OK ]

Is there anything useful in ossec.log related to this? Can you reproduce this on a recent version of OSSEC?

> real 0m14.761s
> user 0m4.314s
> sys 0m0.382s
>
> Removing that last rule allows it to start again. It's replicable, but only
> if I add another <srcip> rule. Adding another type - regex, or match - and
> it will start up just fine.
>
> --
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
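A file of thirteen or fourteen near-identical <srcip> rules is easy to get subtly wrong by copy and paste, and analysisd's startup errors do not always point at the offending rule. The script below is an added example, written for this thread and not code from the thread or from the OSSEC project. It parses a local rules file the way the one above is laid out (one or more <group> elements plus trailing comments, so the text is wrapped in a synthetic root before parsing), then reports duplicate rule ids, the same source address listed in more than one rule, ids outside the 100000-119999 range reserved for local rules, and <srcip> values that are not a valid address or netblock. It assumes OSSEC's srcip syntax of a plain address, a CIDR block, the dotted-prefix netblock form (10.100.131.) and a leading "!" for negation. The sample rules embedded in it are constructed to resemble the thread's local_nessus_rules.xml; note that the second listing in the thread reuses 10.100.131.26 for rule 105033, which this check would flag.

```python
"""Sanity-check an OSSEC local rules file before restarting the manager.

Added example, not code from the ossec-list thread or the OSSEC project.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

LOCAL_ID_RANGE = range(100000, 120000)  # 100000-119999 is reserved for user-defined rules

# OSSEC's dotted-prefix netblock notation, e.g. "10.100.131." (assumed syntax)
_PREFIX_RE = re.compile(r"^(\d{1,3}\.){1,3}$")


def parse_rules(xml_text):
    """Return one dict per <rule> found in an OSSEC rules file.

    Rule files may hold several top-level <group> elements and trailing
    comments, which is not a single XML document, so wrap them in a root.
    """
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    rules = []
    for rule in root.iter("rule"):
        rules.append({
            "id": rule.get("id"),
            "level": rule.get("level"),
            "srcip": [e.text.strip() for e in rule.findall("srcip") if e.text],
            "description": (rule.findtext("description") or "").strip(),
        })
    return rules


def valid_srcip(value):
    """True for an address, a CIDR block or a dotted prefix; '!' negation is stripped."""
    value = value.lstrip("!")
    if _PREFIX_RE.match(value):
        return all(0 <= int(octet) <= 255 for octet in value.rstrip(".").split("."))
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def check_rules(rules):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    seen_ids = {}   # rule id -> list of srcip values
    seen_ips = {}   # srcip value -> first rule id that used it
    for r in rules:
        rid = r["id"]
        if rid is None or not rid.isdigit():
            findings.append(f"rule without numeric id: {r}")
            continue
        if int(rid) not in LOCAL_ID_RANGE:
            findings.append(f"rule {rid}: id outside local range 100000-119999")
        if rid in seen_ids:
            findings.append(f"rule {rid}: duplicate id (first seen with srcip {seen_ids[rid]})")
        else:
            seen_ids[rid] = r["srcip"]
        for ip in r["srcip"]:
            if not valid_srcip(ip):
                findings.append(f"rule {rid}: invalid srcip {ip!r}")
            elif ip in seen_ips:
                findings.append(f"rule {rid}: srcip {ip} already matched by rule {seen_ips[ip]}")
            else:
                seen_ips[ip] = rid
    return findings


def count_srcip_rules(rules):
    """Number of rules that carry at least one <srcip> condition."""
    return sum(1 for r in rules if r["srcip"])


# Constructed sample modelled on the thread's file; the repeated
# 10.100.131.26 and the impossible address in rule 105034 are deliberate.
SAMPLE_RULES = """
<group name="local,syslog,">

  <rule id="105010" level="0">
    <if_level>2</if_level>
    <srcip>10.100.131.26</srcip>
    <description>Another nessus scan</description>
  </rule>

  <rule id="105012" level="0">
    <if_level>2</if_level>
    <srcip>10.100.131.28</srcip>
    <description>Another nessus scan</description>
  </rule>

  <rule id="105033" level="0">
    <if_level>2</if_level>
    <srcip>10.100.131.26</srcip>
    <description>Another nessus scan</description>
  </rule>

  <rule id="105034" level="0">
    <if_level>2</if_level>
    <srcip>10.100.131.300</srcip>
    <description>Another nessus scan</description>
  </rule>

</group>

<!-- SYSLOG,LOCAL -->
<!-- EOF -->
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print(f"{len(rules)} rules, {count_srcip_rules(rules)} with <srcip>")
    for finding in check_rules(rules):
        print("  ", finding)
```

Run it against the real file with `parse_rules(open("/var/ossec/rules/local_nessus_rules.xml").read())` before restarting; a clean report does not prove analysisd will accept the file, but it rules out the copy-and-paste mistakes that otherwise surface only as the queue errors shown above.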
