rule description changes to (null)

Kalimari · **Posted:** Sun Aug 21, 2011 9:08 am

When I make any customisations/changes to rules/levels/action via GUI, the rule description changes to (null), ASL is right up to date and I have observed this behaviour the last couple of updates (before and after the .08 update). If I manually, remove entries from /etc/asl/rules the interface shows the rule description correctly again. Blocking never seems to occur either. Any ideas? Is this a bug or a local config issue on this system?

biggles · **Posted:** Sun Aug 21, 2011 11:13 am

Kalimari wrote:

When I make any customisations/changes to rules/levels/action via GUI, the rule description changes to (null), ASL is right up to date and I have observed this behaviour the last couple of updates (before and after the .08 update). If I manually, remove entries from /etc/asl/rules the interface shows the rule description correctly again. Blocking never seems to occur either. Any ideas? Is this a bug or a local config issue on this system?

+1

Kalimari · **Posted:** Wed Sep 14, 2011 2:23 pm

This still happens. When ever a rule is modified via GUI it ends up being shown as (null) and the customisation takes no effect.

For example, tried to modify rule 3912 to ENABLE active response to multiple login failures. Is this expected behaviour if changing the active response?

Thanks

faris · **Joined:** Thu Dec 09, 2004 11:19 am **Posts:** 1846

I had noticed the change to "null" which was confusing and annoying, but not that it had not taken effect. The little dropdown things for the rule don't "stick" to the mode/configuration that's actually set, but looking at the appropriate .conf file seems to indicate that what I've asked the gui to do does actually happen, at least in the limited things I've changed. I think.

This is with Centos 4 32-bit.

Kalimari · **Posted:** Thu Sep 15, 2011 10:34 am

Thanks for input faris. Which conf files are you looking at to see changes?
Expect changing a rules active response rule from DISABLED to ENABLED to take effect?
This is with RHEL 5.7 64-bit/Plesk 9.5.4

scott · **Posted:** Thu Sep 15, 2011 5:44 pm

So unfortunately the description field is not something that in ossec's current form, allows you to move across modifications happening outside of the rule file itself. What happens is that we create a duplicate rule that loads before the original based on some of the fields available to it. Its something planned, but cut due to lack of time

Kalimari · **Posted:** Fri Sep 30, 2011 8:19 am

Hi, noticed some customised rule behaviour is inconsistent:

3910: Courier brute force (multiple failed logins from the same IP).
3912: Multiple failed logins, 6 failures in 60 seconds from the same IP.

Set active response on and level 10, originally thought were not working (as they showed as null and didn't trigger), in fact they are, just not every time. In particular rule 3912 will sometimes not trigger despite dozens of log-in failures per minute for many hours, other times it will. Can anyone think of a reason for this, the logging is almost identical, even same IP on occasions.

On the other hand 52502: Virus detected, configured to not send e-mail behaves correctly.

Thanks for any suggestions.

rule description changes to (null)

Who is online