On Fri, Mar 16, 2012 at 11:35 AM, C. L. Martinez <[email protected]> wrote:
> Hi all,
>
> Is it possible to generate an alert when one or more conditions are
> matched in a rule and/or group of rules?
> For example, using my previous rule:
>
> <group name="custfw,">
>   <rule id="100200" level="0">
>     <decoded_as>custom-decoder</decoded_as>
>   </rule>
>   <rule id="100201" level="14">
>     <if_sid>100200</if_sid>
>     <action>unset</action>
>     <group>custfw_accept,</group>
>   </rule>
> </group>
>
> When a packet matches this rule, I need to re-check the same packet
> against a group of rules that contains blacklists, like this:
>
> <group name="rbn,">
>   <rule id="110001" level="14">
>     <decoded_as>custom-decoder</decoded_as>
>     <if_sid>100200</if_sid>
>     <srcip>100.100.100.100</srcip>
>     <description>Connection from/to RBN IP blacklist detected !!!.
>     Please, review your logs</description>
>   </rule>
> </group>
>
> Suppose a packet meets the following conditions:
>
> a) Matches rule 100201: an alert is generated
> b) Matches rule 110001: an alert is generated
> c) Matches rule 110001 and 100201: two separate alerts need to be generated
>
> Is it possible to do this?
>
> Thanks.
I don't think so. Only 1 event per log message.
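To make the "one event, one alert" behaviour concrete, here is an added example (Python, written for this page; it is not OSSEC code and not from either participant) that models a simplified OSSEC-style rule walk over the three rules quoted above. The matching semantics are an assumption modelled on OSSEC's documented behaviour: a top-level rule is tried first, `<if_sid>` children are then walked and the deepest match wins, siblings under one parent are tried from highest to lowest level and at equal level in load order, and the level of the single winning rule decides whether an alert is raised. The `CHAINED` rule set, the `Event` fields and the three sample events are constructed for the example.

```python
# Added example: toy model of OSSEC-style rule evaluation (not OSSEC's code).
# Assumed semantics (simplified):
#   - top-level rules (no <if_sid>) are tried first;
#   - <if_sid> children are walked and the deepest matching rule wins;
#   - siblings are tried highest level first, equal levels in load order;
#   - the winner's level decides whether an alert fires (level 0 = none).
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    id: int
    level: int
    decoded_as: Optional[str] = None   # <decoded_as>
    if_sid: Optional[int] = None       # <if_sid>
    srcip: Optional[str] = None        # <srcip>
    action: Optional[str] = None       # <action>


@dataclass
class Event:
    """One decoded log line (fields constructed for the example)."""
    decoder: str
    srcip: str
    action: str


def rule_matches(rule: Rule, ev: Event) -> bool:
    """Every condition the rule carries must hold; absent ones match anything."""
    if rule.decoded_as is not None and rule.decoded_as != ev.decoder:
        return False
    if rule.srcip is not None and rule.srcip != ev.srcip:
        return False
    if rule.action is not None and rule.action != ev.action:
        return False
    return True


def first_match(candidates: List[Rule], ev: Event) -> Optional[Rule]:
    # Highest level first; sorted() is stable, so equal levels keep load order.
    for rule in sorted(candidates, key=lambda r: -r.level):
        if rule_matches(rule, ev):
            return rule
    return None


def evaluate(rules: List[Rule], ev: Event) -> Optional[Rule]:
    """Return the single rule that wins for this event, or None."""
    winner = first_match([r for r in rules if r.if_sid is None], ev)
    while winner is not None:
        child = first_match([r for r in rules if r.if_sid == winner.id], ev)
        if child is None:
            return winner
        winner = child
    return None


def alerts(rules: List[Rule], ev: Event) -> List[int]:
    """Alert IDs raised for one event: always zero or one, never two."""
    winner = evaluate(rules, ev)
    return [winner.id] if winner is not None and winner.level > 0 else []


# The three rules as posted: 100201 and 110001 are siblings under 100200.
POSTED = [
    Rule(100200, 0, decoded_as="custom-decoder"),
    Rule(100201, 14, if_sid=100200, action="unset"),
    Rule(110001, 14, decoded_as="custom-decoder", if_sid=100200,
         srcip="100.100.100.100"),
]

# Assumed alternative layout (not advice from the thread): hang the blacklist
# rule under the accept rule so the deepest match carries both conditions.
CHAINED = [
    Rule(100200, 0, decoded_as="custom-decoder"),
    Rule(100201, 14, if_sid=100200, action="unset"),
    Rule(110001, 14, decoded_as="custom-decoder", if_sid=100201,
         srcip="100.100.100.100"),
]

# Constructed sample events.
ACCEPT_ONLY = Event("custom-decoder", "10.0.0.5", "unset")
BLACKLIST_ONLY = Event("custom-decoder", "100.100.100.100", "deny")
BOTH = Event("custom-decoder", "100.100.100.100", "unset")

if __name__ == "__main__":
    for name, ev in [("accept only", ACCEPT_ONLY),
                     ("blacklist only", BLACKLIST_ONLY),
                     ("both", BOTH)]:
        print(f"{name:15s} posted={alerts(POSTED, ev)} chained={alerts(CHAINED, ev)}")
```

Under this model the event that satisfies both 100201 and 110001 produces exactly one alert with the rules as posted (whichever sibling is tried first wins, and the other never fires), and still exactly one alert with the chained layout, where the winner is 110001 because it sits deeper in the tree. The chained layout also changes what the blacklist rule covers: a blacklisted source that does not pass 100201 stops at the level-0 parent and raises nothing, so the two layouts are not equivalent.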
