In message <[email protected]>,
Bufalo writes:
>well, i tried all that but still not working... i'm still investigating
> but any idea would be appreciated.
>> > > Fri May 21 11:44:16 2010: Unknown trap (OID) received from
>> > > 10.15.112.38 at:
>> > >
>> > > where OID is a variable large number. Then i call this rule:
>> > >
>> > >
>> > > #Don't show alert until it repeats 5 times in 1 minute
>> > > type=SingleWithThreshold
>> > > ptype=RegExp
>> > > pattern=Unknown trap (\S+)
>> > > desc=Mensaje de $1
Are you sure your regexp matches the input line? Multiple spaces, tabs
etc. can screw things up. Use
perl -ne 'print if /Unknown trap (\S+)/' < file_with_trap_in_it
If there is no output, your regexp is not correct.
Does the dump of a running sec process show that this rule has
matched any input? (See the sec man page for signal processing to learn
how to dump sec's internal state.)
--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
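The following is an added Python example, not code from the thread or from the SEC project. It reproduces the check John suggests (does `Unknown trap (\S+)` actually match the trap line?) against a few constructed log lines, one of which carries a double space and a tab, and then runs a simplified imitation of what the posted SingleWithThreshold rule does: group matches by the `$1`-based desc and report when five of them fall inside a 60-second window. The OIDs, timestamps and the `trap_line` helper are all made up for the demonstration; the sliding-window counting is an approximation of SEC's behaviour, not SEC's own code.

```python
import re
from collections import defaultdict, deque

OID_A = ".1.3.6.1.4.1.99999.1"   # constructed placeholder OID, not a real trap OID
OID_B = ".1.3.6.1.4.1.99999.2"   # constructed placeholder OID


def trap_line(oid, odd_spacing=False):
    """Build a constructed line in the shape quoted in the thread.

    With odd_spacing=True the words are separated by two spaces and a tab,
    which is exactly the kind of input the literal-space pattern misses.
    """
    sep = "  trap\t" if odd_spacing else " trap "
    return f"Fri May 21 11:44:16 2010: Unknown{sep}({oid}) received from 10.15.112.38 at:"


# (seconds since start, raw log line); all constructed for this example
SAMPLE_EVENTS = [
    (0, trap_line(OID_A)),
    (5, trap_line(OID_B)),
    (10, trap_line(OID_A, odd_spacing=True)),   # tab/double space: strict pattern will not match
    (15, trap_line(OID_B)),
    (20, trap_line(OID_A)),
    (25, "Fri May 21 11:44:41 2010: Link down on eth0"),  # unrelated line, never matches
    (30, trap_line(OID_A)),
    (40, trap_line(OID_A)),
    (50, trap_line(OID_A)),
]

# The rule exactly as posted, and a whitespace-tolerant variant.
STRICT_PATTERN = re.compile(r"Unknown trap (\S+)")
TOLERANT_PATTERN = re.compile(r"Unknown\s+trap\s+(\S+)")


def match_lines(pattern, lines):
    """Return the $1 capture for every line the pattern matches (like ptype=RegExp)."""
    hits = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hits.append(m.group(1))
    return hits


def simulate_single_with_threshold(events, pattern, thresh=5, window=60):
    """Simplified SingleWithThreshold: count matches per desc inside a sliding window.

    Returns a list of (desc, timestamp) pairs for the moment each desc first
    reaches `thresh` matches within `window` seconds. Only the first alert per
    desc is reported. This approximates SEC's counting; it is not SEC's code.
    """
    recent = defaultdict(deque)   # desc -> timestamps of matches still inside the window
    fired = set()
    alerts = []
    for ts, line in events:
        m = pattern.search(line)
        if not m:
            continue
        desc = f"Mensaje de {m.group(1)}"        # mirrors desc=Mensaje de $1
        q = recent[desc]
        q.append(ts)
        while q and ts - q[0] > window:          # drop matches that fell out of the window
            q.popleft()
        if len(q) >= thresh and desc not in fired:
            fired.add(desc)
            alerts.append((desc, ts))
    return alerts


if __name__ == "__main__":
    lines = [line for _, line in SAMPLE_EVENTS]
    print("strict matches:  ", match_lines(STRICT_PATTERN, lines))
    print("tolerant matches:", match_lines(TOLERANT_PATTERN, lines))
    print("strict alerts:   ", simulate_single_with_threshold(SAMPLE_EVENTS, STRICT_PATTERN))
    print("tolerant alerts: ", simulate_single_with_threshold(SAMPLE_EVENTS, TOLERANT_PATTERN))
```

Run it and compare the two patterns: the strict one silently drops the line with the tab, so the fifth match for OID_A (and therefore the alert) arrives ten seconds later than with the tolerant pattern. That is the kind of discrepancy a quick `perl -ne` check against the real input file would reveal before touching the rule file.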