I have been monitoring the discussion of rules processing
somewhat and need a clarification on how the rules are processed. Am I
understanding correctly that the rules are all processed and that it is just a
matter of order as to how they are processed? Or are they processed much
like filters for ipfw are processed where once a rule is true, processing stops?
I can see benefits to both approaches, but am unclear on what the current
situation is. Just brainstorming here, but would a hybrid approach be more
beneficial: one where the administrator can choose whether to process multiple
rules under some conditions or end rule checking if a particular result is
true? Or am I missing the boat and something like that already exists in
the rule processing? Or am I just not making sense anymore? :)
- [ossec-list] Trying to grasp the rules concept Marty E. Hillman
