Hi all,
I've got a question about OSSEC rules regular expression syntax.
We know that when I want to match a number I can use \d or \d+,
but now, if I have a string like this:
failed=0 == failed=(\d+)
I want to exclude 0. I use failed=([1-9]+), but it cannot match it.
How can I do it?
And what does extra_data mean in rules?
Does it support regular expression syntax?
Now my rules are:

<group name="local,rsyslog,">
  <rule id="1050001" level="7">
    <decoded_as>rsyslog-pstats</decoded_as>
    <regex>^\S+\s+\d+:\s+\S+\s+failed=(\d+)</regex>
    <extra_data>^[1-9]+</extra_data>
    <description>Rsyslog</description>
  </rule>
</group>
Hi,
about this problem, look at this.
My decoder is:

<decoder name="rsyslog-pstats">
  <program_name>^rsyslogd-pstats</program_name>
</decoder>

My test rule is:

<group name="local,rsyslog,">
  <rule id="1050001" level="7">
    <decoded_as>rsyslog-pstats</decoded_as>
    <regex>^\S+\s+\d+:\s+\S+\s+failed=(\d+)</regex>
  </rule>
</group>
You aren't decoding an extra_data entry here, so your rule will never
match. The second example I wrote
2013/2/28 Alexander Hartner thahart...@gmail.com:
Any option of achieving the same without a re-compile? Ideally we would like
to use the binary distribution to be able to pull new versions via the rpm
repository. Installing from source would require us to manage the version of
the OSSEC server.
So, thanks.
I think that extra_data can match in rules after the regex.
:(
Thanks, Best Regards
From: dan (ddp)
Sent: 2013-02-28 19:32
To: ossec-list
Subject: Re: [ossec-list] about ossec rules Regular Expression Syntax
On Thu, Feb 28, 2013 at 7:15 AM, root r...@cnmoker.org wrote:
So, thanks.
I think that extra_data can match in rules after the regex.
:(
The problem is that you are not populating extra_data in your decoder.
You said you are using the following decoder:
<decoder name="rsyslog-pstats">
Hi,
OK, I know that, thanks.
But now I have a new problem:
if I want a non-zero value to trigger an alert, how can I do it?
In the rules, I write
submitted=([^0]+)
or
submitted=([1-9]+)
All wrong!
Thanks, Best Regards
From: dan (ddp)
Sent: 2013-02-28 22:13
To: ossec-list
Subject: Re: [ossec-list] about
Sorry, I did not see your email about this.
You can't really. The best option I can think of is to create your rule
matching any number, then create a rule at level 0 for extra_data of 0.
Yes, I understand your meaning, thank you.
Thanks, Best Regards
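The two-rule approach dan describes, written out as an added example (mine, not posted by anyone in this thread). It reuses root's parent decoder and rule id 1050001; the child decoder name, rule id 1050002 and the sample log line are assumptions I constructed.

```xml
<!-- Decoders (local_decoder.xml): the parent is the one root posted; the child
     decoder is constructed here to put the failed= count into extra_data.
     Constructed sample line it is meant for:
     Feb 28 10:15:00 host rsyslogd-pstats: main Q: size=0 enqueued=12 failed=0 -->
<decoder name="rsyslog-pstats">
  <program_name>^rsyslogd-pstats</program_name>
</decoder>

<decoder name="rsyslog-pstats-failed">
  <parent>rsyslog-pstats</parent>
  <prematch>failed=</prematch>
  <!-- OSSEC regex syntax has no [1-9]-style bracket classes, so capture any
       number here and sort out the zero case in the rules instead -->
  <regex offset="after_prematch">^(\d+)</regex>
  <order>extra_data</order>
</decoder>

<!-- Rules (local_rules.xml): 1050001 fires on every pstats line that carries
     failed=; 1050002 is a level-0 child that swallows the failed=0 case, so
     only non-zero counts end up as alerts. decoded_as names the parent
     decoder, the same way the stock sshd rules reference the sshd parent. -->
<group name="local,rsyslog,">
  <rule id="1050001" level="7">
    <decoded_as>rsyslog-pstats</decoded_as>
    <match>failed=</match>
    <description>Rsyslog pstats reported failed messages</description>
  </rule>

  <rule id="1050002" level="0">
    <if_sid>1050001</if_sid>
    <extra_data>^0$</extra_data>
    <description>Rsyslog pstats failed count is zero, ignore</description>
  </rule>
</group>
```

Feeding the sample line through ossec-logtest should show rule 1050002 (level 0) being chosen for failed=0 and rule 1050001 for any other count.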
From: root
Sent: 2013-02-28 23:38
Thanks for your reply.
I have looked at that script, but it says (if I understood) that I have to
create another table, and it is for integrating OSSEC with BASE (or ACID)
from Snort.
Am I wrong?
2013/2/28 Jb Cheng jjoob...@gmail.com
Take a look at the contributed PERL script ---
The only issues you have to keep in mind are the maxagents - pretty simple
- but there is another hidden setting in the client keys creation that is
in the code.
It is set to 4000 by default. You have to edit that and set it to whatever. I fixed
the makefile to do it when you change the setmaxagents.
You can uninstall OSSEC by removing all files and directories
under /var/ossec/.
On Wednesday, February 27, 2013 5:55:18 PM UTC-8, SDR wrote:
Hello, I'm trying to reinstall the application. However, I would like to
uninstall the application first because I keep getting these errors:
sh-3.2#