ossec-hids
Better error message for "ossec-testrule: currently_rule not set!"
I stumbled upon this error when debugging a configuration problem with ossec-logtest where a rule was missing the if_sid, which seems to be absolutely necessary and stops the whole ossec setup from working in that instance. Documentation is lacking as well regarding if_sid, but the most useful thing would be to improve logging output imho - and not only in the logtest application, because one has to find out about this first. I completely unnecessarily wasted several hours due to this problem. This report is also food for search engines.
I still have to use v3.6.0 but from the looks of it the respective message is still the same in HEAD as it has not changed since 2015.
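A rule-set check of the kind the report above asks for, added here as an example and not part of the ossec-hids project or of the issue: it parses OSSEC rules XML and reports every if_sid that points at a rule id the loaded set does not define. The rule ids, the sshd-style matches and the group name are constructed sample values; since if_sid commonly references parents in other rules files (the stock sshd rules, for example), the real check has to be run over the concatenation of every rules file the manager loads.

```python
"""Lint OSSEC rules XML: every <if_sid> must reference a rule id that is
defined somewhere in the loaded rule set (example code, not from ossec-hids)."""
import xml.etree.ElementTree as ET

# Constructed sample rules. Ids and matches are made up for the example;
# rule 100003 deliberately references a parent that does not exist.
SAMPLE_RULES = """<group name="local,">
  <rule id="100001" level="3">
    <decoded_as>sshd</decoded_as>
    <description>sshd messages grouped.</description>
  </rule>
  <rule id="100002" level="5">
    <if_sid>100001</if_sid>
    <match>Accepted publickey</match>
    <description>Key-based login (child of 100001).</description>
  </rule>
  <rule id="100003" level="7">
    <if_sid>100099</if_sid>
    <match>Failed password</match>
    <description>Dangling if_sid: 100099 is not defined.</description>
  </rule>
</group>"""


def load_rules(xml_text):
    """Return {rule_id: [parent ids listed in its if_sid elements]}.

    A rules file may contain several top-level <group> elements, so the
    text is wrapped in a synthetic root before parsing."""
    root = ET.fromstring("<rules>%s</rules>" % xml_text)
    rules = {}
    for rule in root.iter("rule"):
        parents = []
        for ref in rule.findall("if_sid"):
            # if_sid may carry a comma-separated list of parent ids
            parents.extend(p.strip() for p in (ref.text or "").split(",")
                           if p.strip())
        rules[rule.get("id")] = parents
    return rules


def dangling_if_sids(rules):
    """Return (rule_id, missing_parent) pairs for if_sid references that no
    loaded rule defines."""
    known = set(rules)
    return [(rid, p) for rid, parents in rules.items()
            for p in parents if p not in known]


def lint(xml_text):
    """Parse the rules text and return its dangling if_sid references."""
    return dangling_if_sids(load_rules(xml_text))


if __name__ == "__main__":
    for rid, parent in lint(SAMPLE_RULES):
        print("rule %s: if_sid %s does not match any loaded rule" % (rid, parent))
```

To run it against a real deployment, read all rules files the manager loads, join their text, and pass the result to lint(); any pair it returns is a child rule whose parent will never fire.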
Have you got an example of the bad rule you were creating so I can use that for a test case/regression testing?
AFAICT it should be trivially reproducible by taking a rule set that has a rule with if_sid in it and removing that xml child from it.
You mean the parent referred to by the if_sid? A rule without an if_sid is just a regular rule.
No. It was not supposed to be a normal rule, and apparently it was not a complete "regular rule" either, because... then it would not have wreaked havoc as described in the OP.