Hi all,
Is it possible to generate an alert when one or more conditions are
matched in a rule and/or group of rules?
For example, using my previous rule:
<group name="custfw,">
  <rule id="100200" level="0">
    <decoded_as>custom-decoder</decoded_as>
  </rule>
  <rule id="100201" level="14">
    <if_sid>100200</if_sid>
    <action>unset</action>
    <group>custfw_accept,</group>
  </rule>
</group>
When a packet matches this rule, I need to re-check same packet
against a group of rules that contains blacklists like this:
<group name="rbn,">
  <rule id="110001" level="14">
    <decoded_as>custom-decoder</decoded_as>
    <if_sid>100200</if_sid>
    <srcip>100.100.100.100</srcip>
    <description>Connection from/to RBN IP blacklist detected !!!. Please, review your logs</description>
  </rule>
</group>
Suppose a packet meets the following conditions:
a) Match rule 100201: alert is generated
b) Match rule 110001: alert is generated
c) Match rule 110001 and 100201: two separate alerts need to be generated
Is it possible to do this?
Thanks.
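As an added illustration (not part of the original post), the following rule layout chains the blacklist check off the firewall "accept" rule instead of off the decoder-level rule, so the blacklist comparison is only made for packets that already matched rule 100201. It reuses the poster's decoder name and rule ids; the `<if_sid>` and `<if_group>` dependencies shown are standard OSSEC rule tags, and the second variant (rule 110002, a name chosen here for illustration) shows the equivalent dependency expressed on the group name assigned by 100201 rather than on its id.

```xml
<group name="custfw,">
  <!-- parent rule: only classifies the event, never alerts on its own -->
  <rule id="100200" level="0">
    <decoded_as>custom-decoder</decoded_as>
  </rule>
  <!-- firewall "accept" events: alert and tag them with the custfw_accept group -->
  <rule id="100201" level="14">
    <if_sid>100200</if_sid>
    <action>unset</action>
    <group>custfw_accept,</group>
  </rule>
</group>

<group name="rbn,">
  <!-- depends on 100201 by rule id: evaluated only after the accept rule matched -->
  <rule id="110001" level="14">
    <if_sid>100201</if_sid>
    <srcip>100.100.100.100</srcip>
    <description>Connection from/to RBN IP blacklist detected. Please review your logs</description>
  </rule>
  <!-- same dependency expressed on the group name set by 100201 (illustrative id) -->
  <rule id="110002" level="14">
    <if_group>custfw_accept</if_group>
    <srcip>100.100.100.100</srcip>
    <description>Connection from/to RBN IP blacklist detected (matched via group). Please review your logs</description>
  </rule>
</group>
```

With this ordering a packet from the blacklisted address is first matched by 100201 and then by the dependent blacklist rule; the alert that is finally written for the event is the one from the deepest matching rule in the chain, so the blacklist description is what reaches the log and the rule level can be raised above 100201's to make those events stand out in alert filtering.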