Thanks Pedro. This does help and gives me a few ideas to work with.
Cheers!
Rob B.
You received this message because you are subscribed to the Google Groups "ossec-list" group.
I think it is hard to simulate correlation on OSSEC, it has some tools as
you said like frequency, timeframe, if_matched_sid, if_matched_group... I
think the best and simplest approach is to create two rules matching the
IDs, but as far as I know it won't work as you desired.
For example:
Thank you for taking the time to answer with examples Pedro!
One last related question if ya don't mind..? I am trying to wrap
my head around a rule firing off after a simple bit of correlation.
Is it possible? I know this is the job of the SIEM, but I am trying
to get the SIEM to only correl
If you need to filter for one specific ID you need to use the *pipe |*
option, I don't think you can use "," inside ** tags to
concatenate anything.
The "," character will be treated like a string character, not a regex one, so
it will try to match for *"IDNumber,".*
As you know, one example of this
They are regexp operators: ^ is beginning of line and $ is end of line.
Eero
On 28.3.2016 at 10:11 PM, "Rob B" wrote:
> PS. Almost forgot to add :
>
> What does this mean? ^1000$|^1002$
>
> The "^" and the '$' before the pipe really has me perplexed.
>
> Thx.
>
>
>
> On Monday, March 28
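The points made above about `<id>` patterns (pipe as OR, "," treated as a literal, ^ and $ as anchors) can be checked with a small script. This is an added example, not code from the ossec-list thread or from OSSEC itself: the rule XML is constructed for illustration, and `os_match` is a simplified re-implementation of the three operators OSSEC's match syntax provides for this field (^, $ and |), with every other character taken literally.

```python
import xml.etree.ElementTree as ET

# Constructed OSSEC-style rule fragments (not real rules from any rule set).
# Rule ids 100100-100102 sit in the local-rules range; only the <id> pattern differs.
RULES_XML = """
<group name="id_pattern_demo">
  <rule id="100100" level="5">
    <id>^1000$|^1002$</id>
    <description>Anchored: exactly event ID 1000 or 1002</description>
  </rule>
  <rule id="100101" level="5">
    <id>1000|1002</id>
    <description>Unanchored: also matches 10001, 21002, ...</description>
  </rule>
  <rule id="100102" level="5">
    <id>1000,1002</id>
    <description>Comma is literal: only matches the string "1000,1002"</description>
  </rule>
</group>
"""


def os_match(pattern, text):
    """Simplified model of the OSSEC match syntax used in <id>:
    '|' separates alternatives, a leading '^' anchors the alternative to the
    start of the value, a trailing '$' anchors it to the end, and everything
    else (digits, commas, ...) is a literal substring.  Assumption: this is
    the behaviour described in the thread, not OSSEC's real matcher."""
    for alt in pattern.split("|"):
        anchored_start = alt.startswith("^")
        anchored_end = alt.endswith("$")
        literal = alt[1 if anchored_start else 0 : -1 if anchored_end else None]
        if anchored_start and anchored_end:
            hit = text == literal
        elif anchored_start:
            hit = text.startswith(literal)
        elif anchored_end:
            hit = text.endswith(literal)
        else:
            hit = literal in text
        if hit:
            return True
    return False


def load_id_patterns(xml_text):
    """Map rule id -> <id> pattern for every <rule> in the fragment."""
    root = ET.fromstring(xml_text)
    return {rule.get("id"): rule.findtext("id") for rule in root.iter("rule")}


def matching_rules(xml_text, event_id):
    """Rule ids whose <id> pattern matches the decoded event ID, sorted."""
    patterns = load_id_patterns(xml_text)
    return sorted(rid for rid, pat in patterns.items() if os_match(pat, event_id))


if __name__ == "__main__":
    # Constructed decoded IDs, including the near-miss cases the anchors exist for.
    for event_id in ["1000", "1002", "10001", "21002", "1000,1002"]:
        print(f"{event_id:>10} -> {matching_rules(RULES_XML, event_id)}")
```

Running it shows that only the anchored pattern `^1000$|^1002$` is selective: the unanchored `1000|1002` also fires on 10001 and 21002, and `1000,1002` never matches a single ID because the comma is just another character to match.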
^    Start of string, or start of line in multi-line pattern
\A   Start of string
$    End of string, or end of line in multi-line pattern
On Monday, March 28, 2016 at 4:20:47 PM UTC-4, Rob B wrote:
>
> found pipe = logical OR
>
>
>
> On Monday, March 28, 2016 at 3:11:30 PM UTC-4, Rob B wrote:
>>
>>
found pipe = logical OR
On Monday, March 28, 2016 at 3:11:30 PM UTC-4, Rob B wrote:
>
> PS. Almost forgot to add :
>
> What does this mean? ^1000$|^1002$
>
> The "^" and the '$' before the pipe really has me perplexed.
>
> Thx.
>
>
>
> On Monday, March 28, 2016 at 3:07:30 PM UT
PS. Almost forgot to add :
What does this mean? ^1000$|^1002$
The "^" and the '$' before the pipe really has me perplexed.
Thx.
On Monday, March 28, 2016 at 3:07:30 PM UTC-4, Rob B wrote:
>
> Heya Folks,
>
> I've been looking for the docs that explain the difference between th