How about using Comp-\S+? I would also recommend using a variable like
this (taken from syslog rules):

<var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal
|denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
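To show why the alternation in the question below matches almost nothing while a pattern in the spirit of Comp-\S+ covers a whole family of accounts, here is an added illustration that is not part of this thread and not OSSEC code. Python's re module stands in for OSSEC's own regex engine (assumed here to be case-insensitive with \S meaning any non-whitespace character); the sample usernames are constructed, and which rule fields accept full regex syntax should be checked against the OSSEC rule reference.

```python
import re

# Constructed sample of usernames decoded from after-hours authentication
# events (not real data): machine accounts, service accounts, two humans.
AFTER_HOURS_LOGINS = [
    "COMP-01", "COMP-02", "COMP-17", "SERVICE ACCOUNT-1", "SERVICE ACCOUNT-3",
    "jsmith", "comp-05", "compliance.admin",
]

# The pattern as typed in the question: the spaces around "|" become part of
# each alternative, so "COMP-02 " and " SERVICE ACCOUNT-1 " never match a
# bare username.
BROKEN_IGNORE = r"COMP-01|COMP-02 | SERVICE ACCOUNT-1 "

# One alternative per account family instead of one per account. Anchors keep
# "compliance.admin" (a human) from being swallowed by a loose prefix match.
# Assumption: OSSEC regexes are case-insensitive, hence re.IGNORECASE below.
FIXED_IGNORE = r"^comp-\S+$|^service account-\d+$"


def alerting_users(users, ignore_pattern):
    """Return the usernames that would still raise the after-hours alert,
    i.e. those NOT matched by the ignore rule's <user> pattern (rule 500001)."""
    ignore = re.compile(ignore_pattern, re.IGNORECASE)
    return [u for u in users if not ignore.search(u)]


if __name__ == "__main__":
    print("broken ignore list still alerts on:",
          alerting_users(AFTER_HOURS_LOGINS, BROKEN_IGNORE))
    print("fixed ignore list still alerts on:",
          alerting_users(AFTER_HOURS_LOGINS, FIXED_IGNORE))
```

With the broken list only COMP-01 is suppressed; with the fixed list only the two human accounts remain in the alert.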

On Mon, Dec 28, 2015 at 10:22 AM, <namobuddhaon...@gmail.com> wrote:

> Hello all and Happy Holidays,
>
> I set up a rule to look for logins after hours as follows:
>
> <group name="after hours log in's,">
>   <rule id="500000" level="10">
>     <if_group>authentication</if_group>
>     <time>6 pm - 9 am</time>
>     <description>Login after hours</description>
>   </rule>
>
>   <rule id="500001" level="0">
>     <if_sid>500000</if_sid>
>     <user>USERNAME</user>
>     <description>Ignore USERNAME</description>
>   </rule>
> </group>
>
> The first rule tries to pick up all logins after hours, and the subordinate
> rule tries to strip out non-human accounts such as service accounts and
> machine accounts.
>
>
> The issue I am having is this rule picks up EVERY login (including service
> accounts and machine accounts), which I have tried to enter in between
> brackets like COMP-01|COMP-02 | SERVICE ACCOUNT-1 | and so on. I was
> wondering, if I have a whole bunch of computer/service accounts (i.e.
> COMP-01, COMP-02), how to use a regular expression to enter a single filter
> which covers all the machine names (i.e. COMP*.* in dos-ease).
>
> Thanks,
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
