Hi Brad,

Taking a look at the C code, it seems like it is using "OS_Regex" between the group list (rules_group tag) and the actual rule group, meaning that maybe we can use a regular expression in the <rules_group> tag (C lines: here <https://github.com/wazuh/ossec-wazuh/blob/27930107d9f71550177ebd485f885515ca5cb619/src/analysisd/rules.c#L1769-L1774>).

I don't have enough time today to try it, but give this configuration a try:

  <active-response>
    <command>ipv6-subnet-log</command>
    <location>local</location>
    <rules_group>authentication_failed|invalid_login</rules_group>
  </active-response>

Best regards,
Pedro S.

On Sat, Oct 29, 2016 at 10:51 PM, Brad <tech4pat...@gmail.com> wrote:
> Hi all,
>
> I'm setting up an AR and it works if I only use 1 rules_group or if I use
> multiple rules_id but not if I use multiple rules_group. Here is the code.
>
> WORKS:
> <active-response>
>   <command>ipv6-subnet-log</command>
>   <location>local</location>
>   <rules_group>authentication_failed</rules_group>
> </active-response>
>
> WORKS:
> <active-response>
>   <command>ipv6-subnet-log</command>
>   <location>local</location>
>   <rules_id>5716,5718</rules_id>
> </active-response>
>
> DOESN'T WORK:
> <active-response>
>   <command>ipv6-subnet-log</command>
>   <location>local</location>
>   <rules_group>authentication_failed,invalid_login</rules_group>
> </active-response>
>
> According to the documentation that should work but it doesn't. Any idea
> why?
>
> --
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
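As an added illustration (not code from either mail, and not OSSEC's own implementation), the small Python model below mimics the check Pedro points at: the <rules_group> value is searched as an unanchored pattern inside each rule's comma-separated group string, which is why a comma-joined list finds nothing while a "|" alternation matches either group. The rule table is constructed sample data, and treating OS_Regex like Python's re for plain words and "|" is an assumption.

```python
import re
from typing import List, Tuple

# Constructed sample rules: (rule id, group string as kept internally,
# comma-separated with a trailing comma). Not copied from real rule files.
SAMPLE_RULES: List[Tuple[int, str]] = [
    (5716, "syslog,sshd,authentication_failed,"),
    (5718, "syslog,sshd,access_denied,"),
    (5710, "syslog,sshd,invalid_login,authentication_failed,"),
    (1002, "syslog,errors,"),
]


def group_pattern_matches(rules_group: str, group_string: str) -> bool:
    """Model of the OS_Regex step: the <rules_group> text is used as a
    pattern and searched, unanchored, inside the rule's group string.
    Assumption: for plain words and '|' alternation Python's re behaves
    like OS_Regex; other OS_Regex syntax is not modelled here."""
    return re.search(rules_group, group_string) is not None


def rules_triggering_ar(selector: str, value: str,
                        rules: List[Tuple[int, str]] = SAMPLE_RULES) -> List[int]:
    """Return the ids of rules that would fire an active response configured
    with either <rules_id>value</rules_id> or <rules_group>value</rules_group>."""
    if selector == "rules_id":
        # rules_id really is a comma-separated list of rule ids
        wanted = {int(x) for x in value.split(",") if x.strip()}
        return [rid for rid, _ in rules if rid in wanted]
    if selector == "rules_group":
        # rules_group is a single pattern, not a comma-separated list
        return [rid for rid, groups in rules if group_pattern_matches(value, groups)]
    raise ValueError(f"unknown selector: {selector}")


if __name__ == "__main__":
    for sel, val in [("rules_group", "authentication_failed"),
                     ("rules_id", "5716,5718"),
                     ("rules_group", "authentication_failed,invalid_login"),
                     ("rules_group", "authentication_failed|invalid_login")]:
        print(f"<{sel}>{val}</{sel}> -> {rules_triggering_ar(sel, val)}")
```

Running it shows the comma-joined form selecting no rule at all, while the "|" form selects every rule carrying either group.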