Dan, Okay, so say I make two rules. 100014 that uses the first match, and 100015 that uses the second. Is there a way to revert back to 18105 if 100014 matches but 100015 doesn't?
On Tuesday, March 13, 2018 at 3:31:15 AM UTC-7, dan (ddpbsd) wrote: > > > I think this combined the matches, effectively making it: > <match>pfussmon.exeDestination Address: 192.168.23.255</match> > > You might need to make 2 rules, and have the parent of the second be > the sid of the first. > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
