Hi, I can confirm this bug. For me, changing line 1659 in src/analysisd/analysisd.c (https://github.com/ossec/ossec-hids/blob/master/src/analysisd/analysisd.c#L1659) from

    if(!currently_rule->event_search(lf, currently_rule))

to

    if(currently_rule->event_search != NULL && !currently_rule->event_search(lf, currently_rule))

fixes the crash. There might be a bug in the program logic, because I think ->event_search should not be NULL if ->context is non-zero.

On 29 Aug 2014 21:34, "BP9906" <[email protected]> wrote:
> Hello,
> I tested this with ossec server 2.8 and 2.7.1. When I added this rule to
> an ignorerules.xml (it's at the bottom of the rules list in ossec.conf):
>
> <rule id="533" level="5" overwrite="yes">
>   <if_sid>530</if_sid>
>   <match>ossec: output: 'netstat -tan</match>
>   <check_diff />
>   <description>Listened ports status (netstat) changed (new port opened
>   or closed).</description>
> </rule>
>
> Soon as I receive an event related to this rule, it crashes ossec and
> remoted, analysisd both are not running. There's no log entry either.
>
> Any way to find out why this is happening?
>
> Thank you.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
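A small C model of the guarded dispatch and of the rule-consistency check the reply points at, added here as an illustration and not OSSEC's own code; the struct layout, field names, sample rules and the load-time validation are assumptions:

```c
/* Added example, not OSSEC code: a minimal model of the analysisd rule
 * dispatch discussed above. Struct and field names are assumptions. */
#include <stdio.h>
#include <string.h>

typedef struct Eventinfo { const char *log; } Eventinfo;
typedef struct RuleInfo RuleInfo;
/* Callback slot that the crash dereferenced while it was NULL. */
typedef int (*event_search_fn)(Eventinfo *lf, RuleInfo *rule);

struct RuleInfo {
    int sigid;
    int context;            /* non-zero for stateful rules such as check_diff */
    event_search_fn event_search;
};

enum { RULE_NO_MATCH = 0, RULE_MATCH = 1, RULE_INVALID = -1 };

/* Toy search: fire when the log line carries the netstat marker. */
static int search_netstat(Eventinfo *lf, RuleInfo *rule) {
    (void)rule;
    return strstr(lf->log, "netstat -tan") != NULL;
}

/* Guarded form of the dispatch from the fix in the reply. The first test
 * is an extra invariant (assumption): context set but no callback is
 * reported rather than dereferenced. */
int dispatch_rule(Eventinfo *lf, RuleInfo *rule) {
    if (rule->context && rule->event_search == NULL)
        return RULE_INVALID;
    if (rule->event_search != NULL && !rule->event_search(lf, rule))
        return RULE_NO_MATCH;
    return RULE_MATCH;
}

/* Reject inconsistent rules when the ruleset is loaded; returns the count. */
int validate_rules(RuleInfo *rules, size_t n) {
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        if (rules[i].context && rules[i].event_search == NULL) {
            fprintf(stderr, "rule %d: context set but no event_search\n", rules[i].sigid);
            bad++;
        }
    return bad;
}

/* Constructed sample data (not from the thread). */
Eventinfo sample_event = { "ossec: output: 'netstat -tan' changed" };
Eventinfo other_event = { "sshd: session opened" };
RuleInfo rule_set[] = { {533, 1, search_netstat}, {533, 1, NULL}, {530, 0, NULL} };
```

With the unguarded original line, the second entry of rule_set would dereference NULL on the first matching event; here it is reported by validate_rules before any event is processed.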
