On 05/18/2012 02:42 PM, Sanders, Nate wrote:
Thinking about it, I tried this in local_rules.xml
<rule id="100004" level="5">
<if_sid>18105</if_sid>
<match>4771</match>
<match>0x18</match>
<description>Failed Password</description>
<group>win_authentication_failed,</group>
</rule>
Multiple <match> elements in a rule will concatenate into one match, so
in your case it would be the same as this: <match>47710x18</match>. If
you use a <match> and a <regex> (even with a non-regex string), it will
act as an AND. You can also use a logical OR (|) if needed.
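
The rule from the quoted message, rewritten along the lines of the reply so that both strings must be present. This is an added example, not part of the original thread; it reuses the rule id, parent SID, description and group from the quoted rule and changes only the second element.

```xml
<!-- local_rules.xml: added example, not from the original thread -->
<rule id="100004" level="5">
  <if_sid>18105</if_sid>
  <!-- Condition 1: the log line contains the string 4771 -->
  <match>4771</match>
  <!-- Condition 2: a regex element holding a plain string. Because it is a
       different element type it is not concatenated with the match above,
       so the rule fires only when both 4771 and 0x18 appear in the event. -->
  <regex>0x18</regex>
  <description>Failed Password</description>
  <group>win_authentication_failed,</group>
</rule>
```

After editing the file, paste a sample event into ossec-logtest to confirm that rule 100004 fires only when both strings are present.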