ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

OSSEC log analysis crash problem #1748

Open jay900323 opened 5 years ago

jay900323 commented 5 years ago

Look at line 1003 of the file analysisd.c. When a rule with if_matched_sid tag is triggered and the maximum length of the sid_prev_matched list is set, the event node in sid_prev_matched is deleted before the function Free_Eventinfo, which will cause a crash.

Resolvent:

Modify line 1007 of the file src/analysisd/analysisd.c

```c
/* Remember which node in the rule's matched-event list belongs to this event,
 * and make sure the list tells the event when that node gets evicted. */
lf->sid_node_to_delete = currently_rule->sid_prev_matched->last_node;
if (!currently_rule->sid_prev_matched->free_data_function) {
    OSList_SetFreeDataPointer(currently_rule->sid_prev_matched, Mark_EventNodeDelete);
}
```

Add a function to the analysisd.c file

```c
/* Called by the list with the evicted node's data (an Eventinfo *) before the
 * node is freed; clearing the back-pointer keeps Free_Eventinfo from touching
 * the freed node later. OSList_SetFreeDataPointer expects a void (*)(void *). */
void Mark_EventNodeDelete(void *data)
{
    Eventinfo *lf = (Eventinfo *)data;
    if (lf) {
        lf->sid_node_to_delete = NULL;
    }
}
```

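To make the bug and the proposed fix concrete outside of the OSSEC tree, here is an added, self-contained model of the situation (this is illustrative code, not OSSEC's OSList or Eventinfo; the type and function names mirror the issue but are hypothetical stand-ins). A capped list evicts its oldest node on overflow; each event keeps a back-pointer to its own node, and the freeing path deletes that node. Without a free-data callback the back-pointer keeps referring to a node the list already freed, which is the use-after-free the issue describes; with `Mark_EventNodeDelete` installed, the pointer is cleared at eviction time and the later free is harmless.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, minimal stand-ins for OSSEC's OSList / Eventinfo. */
typedef struct ListNode {
    void *data;
    struct ListNode *prev, *next;
} ListNode;

typedef struct List {
    ListNode *first_node, *last_node;
    int currently_size, max_size;
    void (*free_data_function)(void *data);  /* notified on eviction */
} List;

typedef struct Eventinfo {
    const char *log;
    ListNode *sid_node_to_delete;  /* this event's node in the rule's list */
} Eventinfo;

static List *List_Create(int max_size)
{
    List *l = calloc(1, sizeof *l);
    if (l) l->max_size = max_size;
    return l;
}

static void List_SetFreeDataPointer(List *l, void (*f)(void *))
{
    l->free_data_function = f;
}

/* Unlink and free one node; the data it pointed to is owned elsewhere. */
static void List_DeleteThisNode(List *l, ListNode *n)
{
    if (n->prev) n->prev->next = n->next; else l->first_node = n->next;
    if (n->next) n->next->prev = n->prev; else l->last_node = n->prev;
    free(n);
    l->currently_size--;
}

/* Append at the tail; past the cap, evict the oldest (head) node, telling
 * the data's owner first through free_data_function if one is set. */
static int List_AddData(List *l, void *data)
{
    ListNode *n = calloc(1, sizeof *n);
    if (!n) return 0;
    n->data = data;
    n->prev = l->last_node;
    if (l->last_node) l->last_node->next = n; else l->first_node = n;
    l->last_node = n;
    l->currently_size++;
    if (l->max_size && l->currently_size > l->max_size) {
        ListNode *oldest = l->first_node;
        if (l->free_data_function) l->free_data_function(oldest->data);
        List_DeleteThisNode(l, oldest);
    }
    return 1;
}

/* The fix: clear the event's back-pointer when its node is evicted. */
static void Mark_EventNodeDelete(void *data)
{
    Eventinfo *lf = data;
    if (lf) lf->sid_node_to_delete = NULL;
}

/* Models the part of Free_Eventinfo that drops the event from the list.
 * Returns 1 if a node was removed, 0 if there was nothing left to remove. */
static int Free_Eventinfo(Eventinfo *lf, List *matched)
{
    int removed = 0;
    if (lf->sid_node_to_delete) {
        /* Without the callback this could be an already-freed node. */
        List_DeleteThisNode(matched, lf->sid_node_to_delete);
        removed = 1;
    }
    free(lf);
    return removed;
}

/* A rule that remembers at most 2 matched events sees 3 matches (constructed
 * sample). Returns 1 if the evicted event's back-pointer was cleared, 0 if it
 * was left dangling; only the safe case goes on to free through the list. */
static int run_scenario(int install_callback)
{
    List *sid_prev_matched = List_Create(2);
    Eventinfo *ev[3];
    int i, cleared;

    if (install_callback && !sid_prev_matched->free_data_function)
        List_SetFreeDataPointer(sid_prev_matched, Mark_EventNodeDelete);

    for (i = 0; i < 3; i++) {
        ev[i] = calloc(1, sizeof *ev[i]);
        ev[i]->log = "constructed sample event";
        List_AddData(sid_prev_matched, ev[i]);       /* third add evicts ev[0] */
        ev[i]->sid_node_to_delete = sid_prev_matched->last_node;
    }
    cleared = (ev[0]->sid_node_to_delete == NULL);
    if (cleared) {
        for (i = 0; i < 3; i++) Free_Eventinfo(ev[i], sid_prev_matched);
    } else {  /* dangling: do not follow it, just release memory */
        for (i = 0; i < 3; i++) free(ev[i]);
        while (sid_prev_matched->first_node)
            List_DeleteThisNode(sid_prev_matched, sid_prev_matched->first_node);
    }
    free(sid_prev_matched);
    return cleared;
}

int main(void)
{
    printf("with callback: back-pointer cleared = %d\n", run_scenario(1));
    printf("without callback: back-pointer cleared = %d\n", run_scenario(0));
    return 0;
}
```

Running the scenario with the callback installed is the configuration the issue proposes; the `cleared == 0` branch deliberately never dereferences the stale pointer, since that is exactly the crash being reported.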
tmeader commented 5 years ago

Is this crashing only occurring since version 3.3.0? We recently updated from 3.2.0 to 3.3.0 and we're seeing analysisd crashes roughly every 24-48 hours. About to set up monit in order to start issuing ossec-control stop/start in the meantime.