On Monday, 26 November 2018 12:50:59 UTC, dan (ddpbsd) wrote:
> > 1. I've seen some examples where a single rule has multiple <match>
> > elements. Is the rule triggered if only one matches, or do they all have
> > to match?
>
> In this case it's an OR.
> <match>terminated without error|can't verify hostname: getaddrinfo|</match>
> <match>PPM exceeds tolerance</match>
> The "|" at the end of the first <match> makes it an OR.
> I think if there is no "|" in there, it's an AND.
Ah, I didn't notice the trailing "|".

Is it possible that it simply concatenates all the <match> elements together into a single element/pattern? I found this in another rule:

<description>Multiple Invalid URI requests from </description>
<description>same source.</description>

Cheers,
Brian.
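The following is an added example, not code from the thread or from OSSEC itself. It works through what Brian's concatenation hypothesis would imply: it parses a constructed rule with two <match> and two <description> elements, joins same-named children in document order, and evaluates the joined pattern against a few constructed log lines with a deliberately simplified OSMatch ("|" separates alternatives, each alternative is a substring test, "^" anchors to the start of the line; an empty alternative left by a trailing "|" is ignored). Both the concatenation behaviour and those match semantics are assumptions made for illustration, not a statement of how the OSSEC rule loader is written. The second rule drops the trailing "|" so you can see why it matters: the last two fragments fuse into one literal and stop matching.

```python
"""Added example: what multiple <match>/<description> elements do if the
rule loader simply concatenates same-named children (assumption, as
Brian suspects in the thread).  The OSMatch semantics below are a
simplified stand-in for illustration, not OSSEC's own implementation."""
import xml.etree.ElementTree as ET

# Constructed rule snippet modelled on the elements quoted in the thread.
RULE_XML = """
<rule id="100001" level="3">
  <match>terminated without error|can't verify hostname: getaddrinfo|</match>
  <match>PPM exceeds tolerance</match>
  <description>Multiple Invalid URI requests from </description>
  <description>same source.</description>
</rule>
"""

# Same rule, but the first <match> has no trailing "|" (constructed).
RULE_XML_NO_PIPE = """
<rule id="100002" level="3">
  <match>terminated without error|can't verify hostname: getaddrinfo</match>
  <match>PPM exceeds tolerance</match>
  <description>Multiple Invalid URI requests from </description>
  <description>same source.</description>
</rule>
"""

# Constructed log lines used as test input; the last one should never match.
SAMPLE_LOGS = [
    "ntpd[123]: PPM exceeds tolerance",
    "sshd[456]: terminated without error",
    "postfix/smtpd[789]: can't verify hostname: getaddrinfo failed",
    "cron[1]: (root) CMD (run-parts /etc/cron.hourly)",
]


def concat_children(rule, tag):
    """Join the text of every <tag> child, in document order, into one string.
    Assumption: this mirrors a loader that appends repeated elements."""
    return "".join(child.text or "" for child in rule.findall(tag))


def osmatch(pattern, line):
    """Simplified OSMatch: '|' separates alternatives, each alternative is a
    plain substring test, '^' anchors to the start of the line.  An empty
    alternative (from a trailing '|') is skipped (assumption)."""
    for alt in pattern.split("|"):
        if not alt:
            continue
        if alt.startswith("^"):
            if line.startswith(alt[1:]):
                return True
        elif alt in line:
            return True
    return False


def evaluate_rule(rule_xml, logs):
    """Return (effective match pattern, effective description, matching lines)."""
    rule = ET.fromstring(rule_xml)
    pattern = concat_children(rule, "match")
    description = concat_children(rule, "description")
    hits = [line for line in logs if osmatch(pattern, line)]
    return pattern, description, hits


if __name__ == "__main__":
    for label, xml in (("with trailing |", RULE_XML), ("without trailing |", RULE_XML_NO_PIPE)):
        pattern, description, hits = evaluate_rule(xml, SAMPLE_LOGS)
        print(f"--- {label}")
        print("effective match pattern :", pattern)
        print("effective description   :", description)
        for line in hits:
            print("ALERT:", line)
```

Under these assumptions the first rule yields the three-way OR dan describes, and the concatenated description reads "Multiple Invalid URI requests from same source." Without the trailing "|", the joined pattern ends in the literal "getaddrinfoPPM exceeds tolerance", so only the "terminated without error" line still fires; nothing in this model turns the two elements into an AND.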