Will do, and thanks _very_ much for the links!

On Wednesday, August 6, 2014 8:31:57 AM UTC-4, Jeremy Rossi wrote:
>
> This is something we should look to fix. Tim could you create an issue on 
> github.com/ossec/ossec-hids/issues
>
> Also Tim we have a better way to do this:  
> http://ossec-docs.readthedocs.org/en/latest/manual/rules-decoders/rule-lists.html
>  
>
> This will handle lots and lots and lots of addresses in a single rule: 
>
> http://ossec-docs.readthedocs.org/en/latest/manual/rules-decoders/rule-lists.html
>
>
> Good blog post from ddpbsd on cdb:
>
> http://ddpbsd.blogspot.com/2011/10/3woo-watching-for-potentially-malicious.html?m=1
>
> Hope that helps. 
>
> On Aug 5, 2014, at 11:57 PM, "cgzones" <[email protected]> wrote:
>
> Hi,
>
> For me ossec-logtest also shows a lot of output, but it does start. I 
> think the issue is that you register your rules to every rule with level 2, 
> so you generate a lot of children. That's why analysisd starts slowly and the 
> queue is not ready when the other processes expect it to be.
>
> Best regards
> On 5 Aug 2014 16:45, "Tim Boyer" <[email protected]> wrote:
>
>>
>>
>> On Tuesday, August 5, 2014 9:20:10 AM UTC-4, dan (ddpbsd) wrote:
>>>
>>> On Tue, Aug 5, 2014 at 8:54 AM, Tim Boyer <[email protected]> wrote: 
>>> > 
>>> > 
>>> > On Tuesday, August 5, 2014 7:40:10 AM UTC-4, dan (ddpbsd) wrote: 
>>> >> 
>>> >> On Mon, Aug 4, 2014 at 8:05 PM, Tim Boyer <[email protected]> wrote: 
>>> >> > 
>>> >> > 
>>> >> > On Monday, August 4, 2014 11:18:26 AM UTC-4, dan (ddpbsd) wrote: 
>>> >> >> 
>>> >> >> On Mon, Aug 4, 2014 at 10:56 AM, Tim Boyer <[email protected]> wrote: 
>>> >> >> > 
>>> >> >> > On Monday, August 4, 2014 9:30:26 AM UTC-4, dan (ddpbsd) wrote: 
>>> >> >> >> 
>>> >> >> >> Is there anything useful in ossec.log related to this? Can you 
>>> >> >> >> reproduce this on a recent version of OSSEC? 
>>> >> >> >> 
>>> >> >> > 
>>> >> >> > Nothing helpful.  Only difference between this startup and a normal 
>>> >> >> > startup is 
>>> >> >> > 
>>> >> >> > 2014/08/04 10:51:48 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'. 
>>> >> >> > 2014/08/04 10:51:48 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'. 
>>> >> >> > 
>>> >> >> 
>>> >> >> Nothing before this? These are a symptom of a failure somewhere. 
>>> >> >> 
>>> >> >> I just tried adding 30ish rules with srcip and didn't have any issues. 
>>> >> >> I'm running post 2.8, and I don't have your exact setup, so this may 
>>> >> >> prove nothing. 
>>> >> >> 
>>> >> >> > Looks like it's time to move to 2.8.  Let me see what it will take. 
>>> >> >> > Thanks... 
>>> >> >> > 
>>> >> >> 
>>> >> > 
>>> >> > Dang.  Spoke too soon.  It worked only because ossec.conf got overwritten 
>>> >> > during the upgrade, and didn't include local_nessus_rules.xml in the rule 
>>> >> > list.  Put it in, and same problem. 
>>> >> > 
>>> >> > Next step:  save everything; completely remove ossec; install 2.8 fresh. 
>>> >> > Same problem. 
>>> >> > 
>>> >> > I suspect a timing problem.  log says: 
>>> >> > 
>>> >> > 2014/08/04 19:53:01 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml' 
>>> >> > 2014/08/04 19:53:01 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml' 
>>> >> > 2014/08/04 19:53:01 ossec-remoted: INFO: Started (pid: 15507). 
>>> >> > 2014/08/04 19:53:01 ossec-remoted: INFO: Started (pid: 15508). 
>>> >> > 2014/08/04 19:53:01 ossec-rootcheck: System audit file not configured. 
>>> >> > 2014/08/04 19:53:01 ossec-analysisd: INFO: Reading rules file: 'local_nessus_rules.xml' 
>>> >> > 
>>> >> > and I think that analysisd is still reading while other things are starting. 
>>> >> > But no idea how to prove or fix. 
>>> >> > 
>>> >> 
>>> >> I don't really know what that means. 
>>> >> Can you provide your ossec.conf and local_nessus_rules.xml? 
>>> >> 
>>> >> ossec.conf: 
>>> > 
>>> > 
>>>
>>> Thank you. Putting the local_nessus_rules.xml file in place seems to 
>>> make ossec-logtest loop through the rules over and over. 
>>>
>>> I get (from ossec-logtest -tvd): 
>>> LOTS OF OUTPUT 
>>> 2014/08/05 09:13:17 9 : rule:105038, level 0, timeout: 0 
>>> 2014/08/05 09:13:17 8 : rule:105033, level 0, timeout: 0 
>>> 2014/08/05 09:13:17 9 : rule:105034, level 0, timeout: 0 
>>> 2014/08/05 09:13:17 10 : rule:105036, level 0, timeout: 0 
>>> 2014/08/05 09:13:17 11 : rule:105038, level 0, timeout: 0 
>>> 2014/08/05 09:13:17 10 : rule:105038, level 0, timeout: 0 
>>> 2014/08/05 09:13:17 9 : rule:105036, level 0, timeout: 0 
>>> 2014/08/05 09:13:17 10 : rule:105038, level 0, timeout: 0 
>>> 2014/08/05 09:13:17 9 : rule:105038, level 0, timeout: 0 
>>> 2014/08/05 09:13:17 8 : rule:105034, level 0, timeout: 0 
>>> 2014/08/05 09:13:17 9 : rule:105036, level 0, timeout: 0 
>>> 2014/08/05 09:13:17 10 : rule:105038, level 0, timeout: 0 
>>> 2014/08/05 09:13:17 9 : rule:105038, level 0, timeout: 0 
>>> 2014/08/05 09:13:17 8 : rule:105036, level 0, timeout: 0 
>>> 2014/08/05 09:13:17 9 : rule:105038, level 0, timeout: 0 
>>> 2014/08/05 09:13:17 8 : rule:105038, level 0, timeout: 0 
>>> 2014/08/05 09:13:17 7 : rule:105032, level 0, timeout: 0 
>>>
>>> I'm not sure where to start with this off hand, but that's where it's at 
>>> so far. 
>>>
>>>
>>>
>> Hey, I'm just overjoyed that it's not something obviously stupid I'm 
>> doing.  :)
>>
>>  
>>
>> -- 
>>
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>>
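As an added illustration of the rule-list approach Jeremy points to (these are not rules from this thread; the rule ids, the list path, the parent rule 5700 and the assumption that the original rules used if_level 2 as their parent are all made up), here is a per-address rule set of the kind that attaches a child under every level-2 rule, beside a single rule that looks the source address up in a CDB list:

```xml
<!-- Added example, not from the thread. Rule ids, addresses, the list path
     and the guess that the original rules used <if_level>2</if_level> as
     their parent are illustrative assumptions. -->

<!-- BEFORE: one rule per scanner address, each a child of every level-2
     rule. With N addresses, every level-2 rule gets N children, which is
     the explosion cgzones describes: analysisd is slow to build the rule
     tree, and ossec-logtest walks the same children over and over. -->
<group name="local,nessus,">
  <rule id="105001" level="0">
    <if_level>2</if_level>
    <srcip>192.0.2.10</srcip>
    <description>Nessus scanner, ignore</description>
  </rule>
  <rule id="105002" level="0">
    <if_level>2</if_level>
    <srcip>192.0.2.11</srcip>
    <description>Nessus scanner, ignore</description>
  </rule>
  <!-- ... one more rule for each scanner address ... -->
</group>

<!-- AFTER: one rule backed by a CDB list.
     1. Create /var/ossec/lists/nessus-scanners as plain text, one key per
        line followed by a colon (IP addresses, CIDR blocks are accepted):
            192.0.2.10:
            192.0.2.11:
     2. Compile it with /var/ossec/bin/ossec-makelists and register it in
        ossec.conf inside <rules>:
            <list>lists/nessus-scanners</list>
     3. Use a single rule. Pick a narrow parent (5700, the sshd base rule,
        is assumed here) instead of hanging it under every level-2 rule. -->
<group name="local,nessus,">
  <rule id="105000" level="0">
    <if_sid>5700</if_sid>
    <list field="srcip" lookup="address_match_key">lists/nessus-scanners</list>
    <description>Source address is in the Nessus scanner list, ignore</description>
  </rule>
</group>
```

Adding an address then means appending a line to the list and re-running ossec-makelists rather than adding a rule, so the rule tree stays the same size however many scanners there are.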
