ossec-dbd

[webadmin]

I have issues with OSSEC and I receive massive emails that it can't start the service.

I have tried:
yum update
aum -uf
asl -s -f

Command executed: /sbin/service ossec-hids restart Exit value: 1 Signal number: 0 Dumped core?: 0

Shutting down ossec-hids: [ OK ] Starting ossec-hids: [FAILED]

=====================
In /var/ossec/logs/ossec.log I get messages every few seconds saying:

2013/11/22 14:06:09 rules_list: Signature ID '390702' not found. Invalid 'if_sid'.
2013/11/22 14:07:19 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2013/11/22 14:07:19 ossec-testrule: INFO: Reading decoder file etc/decoders.d/01-asl-decoder.xml.
2013/11/22 14:07:19 ossec-testrule: INFO: Reading decoder file etc/decoders.d/10-asl-drupal-decoder.xml.
2013/11/22 14:07:19 ossec-testrule: INFO: Reading decoder file etc/decoders.d/50-asl-exim-decoder.xml.
2013/11/22 14:07:19 ossec-testrule: INFO: Reading decoder file etc/decoders.d/50-asl-waf-decoder.xml.
2013/11/22 14:07:19 ossec-testrule: INFO: Reading decoder file etc/decoders.d/75-asl-deltaadmin-decoder.xml.
2013/11/22 14:07:19 rules_list: Signature ID '390702' not found. Invalid 'if_sid'.
2013/11/22 14:08:31 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2013/11/22 14:08:31 ossec-testrule: INFO: Reading decoder file etc/decoders.d/01-asl-decoder.xml.
2013/11/22 14:08:31 ossec-testrule: INFO: Reading decoder file etc/decoders.d/10-asl-drupal-decoder.xml.
2013/11/22 14:08:31 ossec-testrule: INFO: Reading decoder file etc/decoders.d/50-asl-exim-decoder.xml.
2013/11/22 14:08:31 ossec-testrule: INFO: Reading decoder file etc/decoders.d/50-asl-waf-decoder.xml.
2013/11/22 14:08:31 ossec-testrule: INFO: Reading decoder file etc/decoders.d/75-asl-deltaadmin-decoder.xml.
2013/11/22 14:08:31 rules_list: Signature ID '390702' not found. Invalid 'if_sid'.
2013/11/22 14:09:42 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2013/11/22 14:09:42 ossec-testrule: INFO: Reading decoder file etc/decoders.d/01-asl-decoder.xml.
2013/11/22 14:09:42 ossec-testrule: INFO: Reading decoder file etc/decoders.d/10-asl-drupal-decoder.xml.
2013/11/22 14:09:42 ossec-testrule: INFO: Reading decoder file etc/decoders.d/50-asl-exim-decoder.xml.
2013/11/22 14:09:42 ossec-testrule: INFO: Reading decoder file etc/decoders.d/50-asl-waf-decoder.xml.
2013/11/22 14:09:42 ossec-testrule: INFO: Reading decoder file etc/decoders.d/75-asl-deltaadmin-decoder.xml.
2013/11/22 14:09:42 rules_list: Signature ID '390702' not found. Invalid 'if_sid'.
2013/11/22 14:10:53 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2013/11/22 14:10:53 ossec-testrule: INFO: Reading decoder file etc/decoders.d/01-asl-decoder.xml.
2013/11/22 14:10:53 ossec-testrule: INFO: Reading decoder file etc/decoders.d/10-asl-drupal-decoder.xml.
2013/11/22 14:10:53 ossec-testrule: INFO: Reading decoder file etc/decoders.d/50-asl-exim-decoder.xml.
2013/11/22 14:10:53 ossec-testrule: INFO: Reading decoder file etc/decoders.d/50-asl-waf-decoder.xml.
2013/11/22 14:10:53 ossec-testrule: INFO: Reading decoder file etc/decoders.d/75-asl-deltaadmin-decoder.xml.
2013/11/22 14:10:53 rules_list: Signature ID '390702' not found. Invalid 'if_sid'.


What should I do?

PS "I have a Production server and Test server and they BOTH have the same issue. It seems like an update caused this."

Thank you
Makis

[scott]

Sure, check to see if you have that rule defined in /etc/asl/rules, and if you do remove it and update your security policy with: asl -s -f