Will do, and thanks _very_ much for the links!
On Wednesday, August 6, 2014 8:31:57 AM UTC-4, Jeremy Rossi wrote:

> This is something we should look to fix. Tim could you create an issue on
> github.com/ossec/ossec-hids/issues
>
> Also Tim we have a better way to do this:
> http://ossec-docs.readthedocs.org/en/latest/manual/rules-decoders/rule-lists.html
>
> This will handle lots and lots and lots of addresses in a single rule:
> http://ossec-docs.readthedocs.org/en/latest/manual/rules-decoders/rule-lists.html
>
> Good blog post from ddpbsd on cdb:
> http://ddpbsd.blogspot.com/2011/10/3woo-watching-for-potentially-malicious.html?m=1
>
> Hope that helps.
>
> On Aug 5, 2014, at 11:57 PM, "cgzones" <[email protected]> wrote:
>
> Hi,
>
> for me ossec-logtest shows also a lot of output, but it does start. I think the issue is that you register your rules to every rule with level 2, so you generate a lot of children. That's why analysisd starts slow and the queue is not ready when the other processes expected it to be.
>
> Best regards
>
> On 5 Aug 2014 16:45, "Tim Boyer" <[email protected]> wrote:
>
>> On Tuesday, August 5, 2014 9:20:10 AM UTC-4, dan (ddpbsd) wrote:
>>>
>>> On Tue, Aug 5, 2014 at 8:54 AM, Tim Boyer <[email protected]> wrote:
>>> >
>>> > On Tuesday, August 5, 2014 7:40:10 AM UTC-4, dan (ddpbsd) wrote:
>>> >>
>>> >> On Mon, Aug 4, 2014 at 8:05 PM, Tim Boyer <[email protected]> wrote:
>>> >> >
>>> >> > On Monday, August 4, 2014 11:18:26 AM UTC-4, dan (ddpbsd) wrote:
>>> >> >>
>>> >> >> On Mon, Aug 4, 2014 at 10:56 AM, Tim Boyer <[email protected]> wrote:
>>> >> >> >
>>> >> >> > On Monday, August 4, 2014 9:30:26 AM UTC-4, dan (ddpbsd) wrote:
>>> >> >> >>
>>> >> >> >> Is there anything useful in ossec.log related to this? Can you
>>> >> >> >> reproduce this on a recent version of OSSEC?
>>> >> >> >
>>> >> >> > Nothing helpful. Only difference between this startup and a normal startup is
>>> >> >> >
>>> >> >> > 2014/08/04 10:51:48 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> >> >> > 2014/08/04 10:51:48 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>>> >> >>
>>> >> >> Nothing before this? These are a symptom of a failure somewhere.
>>> >> >>
>>> >> >> I just tried adding 30ish rules with srcip and didn't have any issues.
>>> >> >> I'm running post 2.8, and I don't have your exact setup, so this may prove nothing.
>>> >> >>
>>> >> >> > Looks like it's time to move to 2.8. Let me see what it will take.
>>> >> >> > Thanks...
>>> >> >
>>> >> > Dang. Spoke too soon. It worked only because ossec.conf got overwritten during the upgrade, and didn't include local_nessus_rules.xml in the rule list. Put it in, and same problem.
>>> >> >
>>> >> > Next step: save everything; completely remove ossec; install 2.8 fresh. Same problem.
>>> >> >
>>> >> > I suspect a timing problem. log says:
>>> >> >
>>> >> > 2014/08/04 19:53:01 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
>>> >> > 2014/08/04 19:53:01 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
>>> >> > 2014/08/04 19:53:01 ossec-remoted: INFO: Started (pid: 15507).
>>> >> > 2014/08/04 19:53:01 ossec-remoted: INFO: Started (pid: 15508).
>>> >> > 2014/08/04 19:53:01 ossec-rootcheck: System audit file not configured.
>>> >> > 2014/08/04 19:53:01 ossec-analysisd: INFO: Reading rules file: 'local_nessus_rules.xml'
>>> >> >
>>> >> > and I think that analysisd is still reading while other things are starting. But no idea how to prove or fix.
>>> >>
>>> >> I don't really know what that means.
>>> >> Can you provide your ossec.conf and local_nessus_rules.xml?
>>> >>
>>> >> ossec.conf:
>>> >
>>>
>>> Thank you. Putting the local_nessus_rules.xml file in place seems to make ossec-logtest loop through the rules over and over.
>>>
>>> I get (from ossec-logtest -tvd):
>>> LOTS OF OUTPUT
>>> 2014/08/05 09:13:17 9 : rule:105038, level 0, timeout: 0
>>> 2014/08/05 09:13:17 8 : rule:105033, level 0, timeout: 0
>>> 2014/08/05 09:13:17 9 : rule:105034, level 0, timeout: 0
>>> 2014/08/05 09:13:17 10 : rule:105036, level 0, timeout: 0
>>> 2014/08/05 09:13:17 11 : rule:105038, level 0, timeout: 0
>>> 2014/08/05 09:13:17 10 : rule:105038, level 0, timeout: 0
>>> 2014/08/05 09:13:17 9 : rule:105036, level 0, timeout: 0
>>> 2014/08/05 09:13:17 10 : rule:105038, level 0, timeout: 0
>>> 2014/08/05 09:13:17 9 : rule:105038, level 0, timeout: 0
>>> 2014/08/05 09:13:17 8 : rule:105034, level 0, timeout: 0
>>> 2014/08/05 09:13:17 9 : rule:105036, level 0, timeout: 0
>>> 2014/08/05 09:13:17 10 : rule:105038, level 0, timeout: 0
>>> 2014/08/05 09:13:17 9 : rule:105038, level 0, timeout: 0
>>> 2014/08/05 09:13:17 8 : rule:105036, level 0, timeout: 0
>>> 2014/08/05 09:13:17 9 : rule:105038, level 0, timeout: 0
>>> 2014/08/05 09:13:17 8 : rule:105038, level 0, timeout: 0
>>> 2014/08/05 09:13:17 7 : rule:105032, level 0, timeout: 0
>>>
>>> I'm not sure where to start with this off hand, but that's where it's at so far.
>>
>> Hey, I'm just overjoyed that it's not something obviously stupid I'm doing. :)
>>
>> --
>> ---
>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
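Jeremy's pointer to rule lists, put into working form as an added example that is not from this thread or from the OSSEC project: one level-0 rule that consults a CDB address list replaces a rule per scanner address, and it hangs off a specific parent with `<if_sid>` rather than `<if_level>`, so it adds one child to the rule tree instead of one under every level-2 rule, which is the slow-start problem cgzones describes. `OSSEC_DIR`, the list name `lists/nessus-hosts`, rule id 100100, the parent id and the three addresses are constructed placeholders; `ossec-makelists`, the `<list>` rule option and the `address_match_key` lookup are the OSSEC mechanisms themselves.

```shell
#!/bin/sh
# Added example, not from the thread or from the OSSEC project: stage one
# CDB-backed rule in place of one <srcip> rule per scanner address.
# Constructed placeholders: the addresses, the list name, rule id 100100
# and the parent rule id.

OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"        # OSSEC install root
LIST_NAME="lists/nessus-hosts"              # list path, relative to OSSEC_DIR
RULE_FILE="rules/local_nessus_rules.xml"
# Replace with the id of the rule that actually fires for the scanner's
# traffic (ossec-logtest shows which one); <if_group> is the alternative
# when several rules in one group fire.
PARENT_SID="${PARENT_SID:-PLACEHOLDER_PARENT_SID}"

# Text source of the CDB list: one "key:value" entry per line. With the
# address_match_key lookup a key is a full IPv4 address or a dotted prefix
# ("198.51.100." covers the whole /24); the value is free text.
write_list_source() {
    mkdir -p "$(dirname "$OSSEC_DIR/$LIST_NAME")"
    cat > "$OSSEC_DIR/$LIST_NAME" <<'EOF'
192.0.2.10:nessus-scanner-1
192.0.2.11:nessus-scanner-2
198.51.100.:nessus-subnet
EOF
}

# Return 0 when every non-blank, non-comment line of $1 is key:value with a
# non-empty key; a malformed line is what makes ossec-makelists reject a file.
list_source_is_valid() {
    awk '/^(#|$)/ { next } !/^[^:]+:/ { bad++ } END { exit (bad ? 1 : 0) }' "$1"
}

# One rule, hung off a specific parent with <if_sid>. Attaching it with
# <if_level>2</if_level> instead would create a child under every level-2
# rule, which is the rule-tree blow-up seen in the thread.
write_rule_file() {
    mkdir -p "$OSSEC_DIR/rules"
    cat > "$OSSEC_DIR/$RULE_FILE" <<EOF
<group name="local,nessus,">
  <rule id="100100" level="0">
    <if_sid>$PARENT_SID</if_sid>
    <list field="srcip" lookup="address_match_key">$LIST_NAME</list>
    <description>Source is a known Nessus scanner; alert suppressed.</description>
  </rule>
</group>
EOF
}

# The two entries ossec.conf needs inside its existing <rules> section:
# declare the list so ossec-makelists compiles it, and include the rule
# file. Merge this by hand; it is not a complete <rules> section.
print_conf_fragment() {
    cat <<EOF
  <rules>
    <list>$LIST_NAME</list>
    <include>$(basename "$RULE_FILE")</include>
  </rules>
EOF
}

# Compile lists/nessus-hosts into lists/nessus-hosts.cdb. ossec-makelists
# reads the <list> entries from ossec.conf, so merge the fragment first.
compile_list() {
    [ -x "$OSSEC_DIR/bin/ossec-makelists" ] || {
        echo "ossec-makelists not found under $OSSEC_DIR/bin" >&2
        return 1
    }
    "$OSSEC_DIR/bin/ossec-makelists"
}

# "sh stage-nessus-list.sh stage" writes the files and prints the fragment.
if [ "${1:-}" = "stage" ]; then
    write_list_source
    list_source_is_valid "$OSSEC_DIR/$LIST_NAME" || exit 1
    write_rule_file
    print_conf_fragment
fi
```

Run it with `stage` on the OSSEC host, merge the printed entries into the `<rules>` section of ossec.conf, run `ossec-makelists` (the `compile_list` function does the same), restart OSSEC, and feed one scanner log line to `ossec-logtest` to confirm it ends at rule 100100 at level 0. Adding or removing an address then means editing the text list and re-running `ossec-makelists`, with no rule change and no growth in the rule tree.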
