ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

Better error message for "ossec-testrule: currently_rule not set!" #2093

Open stefanct opened 11 months ago

stefanct commented 11 months ago

I stumbled upon this error when debugging a configuration problem with ossec-logtest, where a rule was missing the if_sid, which seems to be absolutely necessary and stops the whole ossec setup from working in that instance. Documentation is lacking as well regarding if_sid, but the most useful thing would be to improve logging output imho - and not only in the logtest application, because one has to find out about this first. I completely unnecessarily wasted several hours due to this problem. This report is also food for search engines.

I still have to use v3.6.0, but from the looks of it the respective message is still the same in HEAD, as it has not changed since 2015.

atomicturtle commented 11 months ago

Have you got an example of the bad rule you were creating so I can use that for a test case/regression testing?

stefanct commented 11 months ago

AFAICT it should be trivially reproducible by taking a rule set that has a rule with if_sid in it and removing that XML child from it.

atomicturtle commented 11 months ago

You mean the parent referred to by the if_sid? A rule without an if_sid is just a regular rule.

stefanct commented 11 months ago

No. It was not supposed to be a normal rule, and apparently it was not a complete "regular rule" either, because... then it would not have wreaked havoc as described in the OP.