On Monday, 26 November 2018 12:50:59 UTC, dan (ddpbsd) wrote:
>
> > 1. I've seen some examples where a single rule has multiple <match>
> > elements.  Is the rule triggered if only one matches, or do they all have
> > to match?
>
> In this case it's an OR.
> <match>terminated without error|can't verify hostname: getaddrinfo|</match>
> <match>PPM exceeds tolerance</match>
> The "|" at the end of the first <match> makes it an OR.
> I think if there is no "|" in there, it's an AND.
>

Ah, I didn't notice the trailing "|".

Is it possible that it simply concatenates all the <match> elements 
together into a single element/pattern?  I found this in another rule:

    <description>Multiple Invalid URI requests from </description>
    <description>same source.</description>

Cheers,

Brian.
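
The concatenation hypothesis raised in this message can be modelled in a few lines. This is an added example, not part of the original thread and not OSSEC's own code: it joins repeated elements in document order and treats "|" as an OR separator over plain substrings. The rule ids, the `alpha`/`beta` rule and the log lines are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed rules: the id values are placeholders. The first reuses the
# <match> and <description> elements quoted in the thread; the second has no "|".
WITH_PIPE = ET.fromstring("""
<rule id="100001" level="0">
  <match>terminated without error|can't verify hostname: getaddrinfo|</match>
  <match>PPM exceeds tolerance</match>
  <description>Multiple Invalid URI requests from </description>
  <description>same source.</description>
</rule>""")
NO_PIPE = ET.fromstring("""
<rule id="100002" level="0">
  <match>alpha</match>
  <match>beta</match>
</rule>""")

def joined(rule, tag):
    """Concatenate the text of every <tag> child in document order."""
    return "".join(el.text or "" for el in rule.findall(tag))

def alternatives(pattern):
    """Assumption: "|" separates OR alternatives; empty ones are ignored."""
    return [alt for alt in pattern.split("|") if alt]

def rule_matches(rule, line):
    """True if any alternative of the joined pattern occurs in the log line."""
    return any(alt in line for alt in alternatives(joined(rule, "match")))

if __name__ == "__main__":
    print(joined(WITH_PIPE, "match"))
    print(joined(WITH_PIPE, "description"))
    # Constructed log lines.
    for rule, line in [
        (WITH_PIPE, "ntpd[812]: PPM exceeds tolerance 500 PPM"),
        (WITH_PIPE, "ntpd[812]: time reset +0.5 s"),
        (NO_PIPE, "alpha seen, then beta"),
        (NO_PIPE, "alphabeta"),
    ]:
        print(rule.get("id"), rule_matches(rule, line), repr(line))
```

Under this model, two `<match>` elements without a "|" form one longer literal rather than an AND, so a rule author relying on AND semantics would get a rule that rarely fires. Running the same lines through `ossec-logtest` with the real rule loaded shows whether OSSEC agrees with the model.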
