OSSEC daemons stopped working: Invalid decoder name

breun · **Posted:** Mon Dec 05, 2011 5:14 am

Last night some of the OSSEC daemons stopped working on ASL servers:

Code:

# service ossec-hids status
ossec-monitord not running...
ossec-logcollector not running...
ossec-remoted not running...
ossec-syscheckd not running...
ossec-analysisd not running...
ossec-maild is running...
ossec-execd is running...
ossec-dbd is running...

ossec-monitord, ossec-logcollector, ossec-remoted, ossec-syscheckd and ossec-analysisd stopped running on all ASL servers.

And they won't start anymore:

Code:

# service ossec-hids start
Starting ossec-hids: 2011/12/05 10:07:52 ossec-syscheckd(1210): NOTICE: Queue is '/var/ossec/queue/ossec/queue'.
2011/12/05 10:07:52 ossec-rootcheck(1210): NOTICE: Queue is '/var/ossec/queue/ossec/queue'.
2011/12/05 10:08:00 ossec-syscheckd(1210): NOTICE: Queue is '/var/ossec/queue/ossec/queue'.
2011/12/05 10:08:00 ossec-rootcheck(1210): NOTICE: Queue is '/var/ossec/queue/ossec/queue'.
2011/12/05 10:08:13 ossec-syscheckd(1210): NOTICE: Queue is '/var/ossec/queue/ossec/queue'.
2011/12/05 10:08:13 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
                                                           [FAILED]

Stopping all OSSEC daemons first and then trying to start again doesn't help.

/var/ossec/logs/ossec/log says:

Quote:

2011/12/05 10:08:38 ossec-analysisd: Invalid decoder name: 'smtp_auth'.
2011/12/05 10:08:38 ossec-analysisd(1220): ERROR: Error loading the rules: 'etc/rules.d/50_asl_smtp_auth_rules.xml'.

The rules are up-to-date according to 'asl -u'.

I'm looking into a fix, but if anyone else already knows I'd love to hear it.

breun · **Posted:** Mon Dec 05, 2011 5:23 am

A quick fix is to temporarily disable the file that can't be loaded:

Code:

# mv /var/ossec/etc/rules.d/50_asl_smtp_auth_rules.xml /var/ossec/etc/rules.d/50_asl_smtp_auth_rules.xml.disabled
# service ossec-hids start

This way all OSSEC daemons are at least running again. But without the SMTP auth rules of course.

faris · **Joined:** Thu Dec 09, 2004 11:19 am **Posts:** 1846

This will be "my fault" after asking for that rule to be added.

Have you opened a support ticket? I guess this is something that needs to be dealt with quickly in case it causes problems for others.

inquis · **Posted:** Mon Dec 05, 2011 8:54 am

I am having the same problem here and I am a little bit worried as I had someone try to mess about with short names / mail prior to the problem.

Does this mean I am not protected by ASL at the moment and is their a way to raise this with the DEV as its kind of scary as I think my system is now probably open.

breun · **Posted:** Mon Dec 05, 2011 8:56 am

Reported as bug 698.

breun · **Posted:** Mon Dec 05, 2011 8:56 am

inquis wrote:

is their a way to raise this with the DEV as its kind of scary as I think my system is now probably open.

If your an ASL customer you can always contact ASL support directly.

inquis · **Posted:** Mon Dec 05, 2011 8:59 am

OK - in the meantime, is doing that quick fix of disabling the rule a winner.

I think I have just screwed my system by messing about trying to fix this ;0(

inquis · **Posted:** Mon Dec 05, 2011 9:02 am

inquis wrote:

faris wrote:

This will be "my fault" after asking for that rule to be added.

Have you opened a support ticket? I guess this is something that needs to be dealt with quickly in case it causes problems for others.

what was the reason you asked the rule to be added ?

What does your rule block / highlight ?

Sorry read your post - viewtopic.php?f=3&t=5593

inquis · **Posted:** Mon Dec 05, 2011 9:06 am

yes i checked my ossec log and its def that rule 50.

Ill reinstall and hopefully it will be ok

DarkF@der · **Joined:** Thu May 07, 2009 12:46 pm **Posts:** 219

I have the same problem :cry:

mikeshinn · **Posted:** Mon Dec 05, 2011 10:39 am

Just run "asl -u", its fixed now. And the offending part of the build process that broke the smoke test has also been flogged, beaten and abused.

inquis · **Posted:** Mon Dec 05, 2011 10:45 am

mikeshinn wrote:

Just run "asl -u", its fixed now. And the offending part of the build process that broke the smoke test has also been flogged, beaten and abused.

hi mike, could you tell me a quick and easy way to get back my rules form a plesk backup.

What files do i need from the backup asl folder ?

Thanks

ps thanks for jumping on this quickly - how many products can be that quick in resolving an issue probably before lots of people noticed it - thumbs up !

mikeshinn · **Posted:** Mon Dec 05, 2011 11:22 am

Quote:

hi mike, could you tell me a quick and easy way to get back my rules form a plesk backup.

The archived rules are here:

/var/asl/updates/

And the live installed rules are in four places:

WAF rules:

/etc/httpd/modsecurity.d/

Antimalware rules:

/var/clamav/

HIDS rules:

/var/ossec/etc/rules.d/

ASL configuration master database of any local rule changes:

/etc/asl/

OSSEC daemons stopped working: Invalid decoder name

Who is online