My only counterargument to your response is that if I do the same tests with a 2.8.3 ossec server, all the tests pass with the expected match of a Windows log type. So something changed somewhere in the ossec server. Whether this is a new bug recently introduced between 2.8.3 and 2.9.0 or it was broken before and now correctly works, I'm not sure, but definitely something changed.

On Thursday, February 9, 2017 at 3:37:13 PM UTC-5, dan (ddpbsd) wrote:
> On Thu, Feb 9, 2017 at 3:25 PM, Chris Snyder <dago...@gmail.com> wrote:
> > Your new Windows decoder rules work great! I'm going to throw them at my
> > hosts right now (better than what I've got at the moment!).
> >
> > However, I'm thinking there's a bug somewhere in some pattern matching code
> > somewhere. However, I don't know yet if it's a bug in the current atomic
> > RPMs or the ossec code. But, I did some further testing and here's what I
> > found.
> >
>
> I think it's a quirk. More details inline.