
Plugins Feed Update - 2017-10-17 breaks OSSEC HIDS

BenF

New Life Form
Applied the latest feeds update this morning and it totally broke HIDS on my USM and remote sensors.  Logs show the following:

2017/10/17 13:01:56 testrule: INFO: Reading decoder file alienvault/decoders/decoder.xml.
2017/10/17 13:01:56 testrule: INFO: Reading decoder file alienvault/decoders/local_decoder.xml.
2017/10/17 13:01:56 rules_list: Signature ID '7701' not found. Invalid 'if_sid'.

which I believe is for the new Windows Defender supposed improvements listed in the announcement below.  Commenting out the following lines allows HIDS to start back up:

<!--<include>alienvault/rules/alienvault-windows-defender_rules.xml</include>-->
<!--<include>alienvault/rules/ms-se_rules.xml</include>-->

2017-10-16 20:00:00

HIDS rules and decoders

How to enable new HIDS rules

  • Updated AlienVault-HIDS rules to generate events for Microsoft Antimalware alerts for scans started/finished and malware detections.
  • Additional changes in AlienVault-HIDS rules and decoders in preparation for an upcoming upgrade of the USM Appliance HIDS.


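The log line in the post ("Signature ID '7701' not found. Invalid 'if_sid'") is OSSEC refusing to load a child rule whose parent id is not defined by any rule file loaded before it. The following check, added here and not part of the thread or of AlienVault's code, walks rule files in ossec.conf include order and lists every dangling if_sid, so the rule set can be validated before HIDS is restarted after a feed update. The two file paths are the includes from the post; the rule bodies and id 7710 are constructed stand-ins, and the "parent must already be loaded" rule is an assumption about OSSEC's loader.

```python
import xml.etree.ElementTree as ET

# Constructed sample rule files: the paths are the two includes from the
# thread; the rule bodies and id 7710 are hypothetical stand-ins.
RULE_FILES = {
    "alienvault/rules/ms-se_rules.xml": """
<group name="windows,ms-se,">
  <rule id="7701" level="0">
    <description>Grouping rule for Microsoft antimalware events.</description>
  </rule>
</group>""",
    "alienvault/rules/alienvault-windows-defender_rules.xml": """
<group name="windows,defender,">
  <rule id="7710" level="3">
    <if_sid>7701</if_sid>
    <description>Windows Defender scan started.</description>
  </rule>
</group>""",
}

def parse_rules(xml_text):
    """Return [(rule_id, [parent ids])]. Rule files may hold several
    top-level <group> elements, so wrap them in a synthetic root first."""
    root = ET.fromstring("<root>" + xml_text + "</root>")
    rules = []
    for rule in root.iter("rule"):
        parents = []
        for node in rule.findall("if_sid"):  # may be a comma-separated list
            parents.extend(s.strip() for s in (node.text or "").split(",") if s.strip())
        rules.append((rule.get("id"), parents))
    return rules

def find_dangling_if_sid(files, include_order):
    """Walk rule files in ossec.conf include order and report every if_sid
    naming a rule id that no rule loaded so far defines (assumed OSSEC
    behaviour: a parent must already be loaded when a child references it)."""
    known, problems = set(), []
    for path in include_order:
        for rule_id, parents in parse_rules(files[path]):
            problems.extend((path, rule_id, sid) for sid in parents if sid not in known)
            known.add(rule_id)
    return problems

if __name__ == "__main__":
    order = list(RULE_FILES)
    print("full include list:", find_dangling_if_sid(RULE_FILES, order))
    # Dropping ms-se_rules.xml from the includes orphans the defender rule
    # and reproduces the "Signature ID '7701' not found" error from the logs.
    print("without ms-se_rules.xml:", find_dangling_if_sid(RULE_FILES, order[1:]))
```

Running it against the real /var/ossec/rules tree only needs the dictionary replaced by the files read from disk, in the order the `<include>` lines in ossec.conf list them.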

Comments

  • edited October 2017
    Same issue...
    Looks like the decoder rule is still missing...


    Error verifiying the ossec server configuration file
    2017/10/30 09:50:18 ossec-testrule: INFO: Reading decoder file alienvault/decoders/decoder.xml.
    2017/10/30 09:50:18 rules_list: Signature ID '7701' not found. Invalid 'if_sid'.
  • hi, a workaround is

    jailbreak
    cd /var/cache/apt/archives/
    apt-get install --reinstall ossec-hids
    dpkg -i --force-confmiss alienvault-ossec_5.4.2-6_all.deb
    dpkg -i --force-confmiss alienvault-ossec-rules_1001-137_all.deb

    regards

