
List:       ossec-dev
Subject:    Re: [ossec-dev] Large Rule ID
From:       Andymail90 <andymail90 () gmail ! com>
Date:       2013-07-26 6:40:01
Message-ID: 73311aa2-1498-40ae-9537-518012bf3cbc () googlegroups ! com

Fair point, just that the behavior is not in line with itself, the rule ID 
is too high and OSSEC works but does not do databases. Just a thought to 
add an error on restart that says "ID too high" and informs the user...

On Friday, June 28, 2013 1:40:15 PM UTC+1, ddp...@gmail.com wrote:
> 
> On Fri, Jun 28, 2013 at 6:49 AM, Andymail90 <andym...@gmail.com> wrote:
> > Just seen a potential bug: 
> > 
> > I added a new rule to local_rules.xml, and accidentally pressed 9 twice...
> > which being vim did this:
> > <rule id="10005999999999" level="0">
> > instead of
> > <rule id="100059" level="0">
> >
> > I was then watching AnaLogi the next day and realised that no new data was
> > going in to the MySQL database at all.
> >
> > Looking at the logs I think that AnaLogi was working ok (old data was
> > displayed), MySQL was up (AnaLogi got data), OSSEC was working
> > (logs/alerts/x were still being populated) but that this large rule id
> > stopped OSSEC writing to the database.
> > 
> > Not sure if it's a known bug or not, just a FYI. 
> > 
> > Andy 
> > 
> 
> I'm pretty sure the upper limit for rule IDs is noted in the 
> documentation. 

-- 

--- 
You received this message because you are subscribed to the Google Groups "ossec-dev"
group. To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-dev+unsubscribe@googlegroups.com. For more options, visit
https://groups.google.com/groups/opt_out.
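
A check of the kind suggested in the message above, as an added example that is not part of the original thread or of OSSEC's code: it scans a rules file before a restart and reports "ID too high" for any rule id above a limit. The limit is passed in by the caller because the thread does not state it; `check_rule_ids`, the sample rules and the value 999999 are constructed for illustration.

```python
import re
import sys

# Matches the id attribute of a <rule ...> opening tag. A regex is used rather
# than an XML parser because a rules file may hold several top-level <group>
# elements, which a strict XML parser rejects.
RULE_ID = re.compile(r'<rule\b[^>]*?\bid\s*=\s*"([^"]*)"')
COMMENT = re.compile(r'<!--.*?-->', re.DOTALL)

# Constructed sample: one commented-out rule, the mistyped id, the intended id.
SAMPLE = '''<group name="local,">
  <!-- <rule id="99999999999" level="0"> disabled -->
  <rule id="10005999999999" level="0">
    <description>Constructed sample rule</description>
  </rule>
  <rule id="100059" level="0">
    <description>Constructed sample rule</description>
  </rule>
</group>
'''
SAMPLE_MAX_ID = 999999  # assumption for the demo only; use the documented limit


def check_rule_ids(text, max_id):
    """Return (line, raw_id, problem) for each rule id that is not a plain
    decimal number or is greater than max_id. Commented-out rules are ignored."""
    # Replace comments with the newlines they contained so line numbers hold.
    text = COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), text)
    findings = []
    for m in RULE_ID.finditer(text):
        raw = m.group(1)
        lineno = text.count("\n", 0, m.start()) + 1
        if not re.fullmatch(r"[0-9]+", raw):
            findings.append((lineno, raw, "ID is not a number"))
        elif int(raw) > max_id:
            findings.append((lineno, raw, "ID too high"))
    return findings


if __name__ == "__main__":
    # usage: script <rules file> <max id>; with no arguments the sample is used
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text, limit = fh.read(), int(sys.argv[2])
    else:
        text, limit = SAMPLE, SAMPLE_MAX_ID
    findings = check_rule_ids(text, limit)
    for lineno, raw, problem in findings:
        print(f"line {lineno}: rule id {raw}: {problem}")
    sys.exit(1 if findings else 0)
```

The non-zero exit status lets a deployment script refuse to restart the service when a finding is reported.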




