That's the easiest solution (and what I've often done), but if your SEC is 
highly optimized for high volumes of data, you might want to order your rules 
based on how frequently they match.  You could change your pattern to something 
like this to maintain the order of your rules:

pattern = TCP_(?!DENIED)|grep|tail|sudo

This would allow you to keep your suppress rule at the top and move your match 
rule lower down in the config file.



On Tue, 7 Jul 2015, James Lay wrote:

> Date: Tue, 7 Jul 2015 10:27:18 -0500
> From: James Lay <[email protected]>
> To: [email protected]
> Cc: sec <[email protected]>
> Subject: Re: [Simple-evcorr-users] Rule specific exclude
> 
> On 2015-07-07 09:14 AM, John P. Rouillard wrote:
>> Hi James:
>>
>> Welcome to SEC.
>>
>> In message <62f59502ef9ba1243ed41fab97ed887b@localhost>,
>> James Lay writes:
>>> Hey all,
>>>
>>> So I have as my first rule in sec.conf the below:
>>>
>>> type = single
>>> ptype = regexp
>>> pattern = TCP_|grep|tail|sudo
>>> desc = Ignore entries
>>> action = none
>>>
>>> I now have a case where I'd like to create a rule that matches on
>>> TCP_DENIED, however the above negates that.  Is there a way I can create
>>> rules with specific ignores per rule?  I've read through a fair amount
>>> of documentation, but just haven't seen something that addresses this.
>>> Thanks for any help you can provide.
>>
>> SEC rules are applied in order, so put your TCP_DENIED rule before
>> this rule and you should be fine.
>>
>> --
>>                              -- rouilj
>> John Rouillard
>> ===========================================================================
>> My employers don't acknowledge my existence much less my opinions.
>
> Thank you John....that will work just fine.
>
> James
>
> ------------------------------------------------------------------------------
> Don't Limit Your Business. Reach for the Cloud.
> GigeNET's Cloud Solutions provide you with the tools and support that
> you need to offload your IT needs and focus on growing your business.
> Configured For All Businesses. Start Your Cloud Today.
> https://www.gigenetcloud.com/
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>

-- 
Todd M. Hall
Sr. Network Analyst
Information Technology Services
Mississippi State University
[email protected]
662-325-9311 (phone)
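Editor's added example (not code from either poster or from the SEC project): a small Python simulation of SEC's ordered, first-match-wins rule evaluation, run over constructed proxy/syslog-style lines, to show why the original "TCP_|grep|tail|sudo" suppress rule swallows TCP_DENIED while the negative-lookahead form "TCP_(?!DENIED)|grep|tail|sudo" lets it fall through to a later rule. The rule table, the "alert" action name and the sample lines are assumptions made for the demonstration. It also goes one step beyond the thread: because the alternation is unanchored, a TCP_DENIED line that happens to contain another alternative (here "tail" inside a URL) is still suppressed, which is the kind of detection gap worth checking before relying on this ordering trick.

```python
import re

# Constructed patterns from the thread: the original suppress rule and the
# negative-lookahead variant suggested so the suppress rule can stay first.
ORIGINAL_PATTERN = r"TCP_|grep|tail|sudo"
LOOKAHEAD_PATTERN = r"TCP_(?!DENIED)|grep|tail|sudo"

# Assumed SEC-like rule table (not from the original posts): (name, regexp, action),
# evaluated in config-file order. First match wins, which mirrors SEC's default
# behaviour when a rule does not set continue=TakeNext.
RULES = [
    ("Ignore entries", re.compile(LOOKAHEAD_PATTERN), "none"),
    ("TCP_DENIED alert", re.compile(r"TCP_DENIED"), "alert"),   # assumed rule
]


def first_matching_rule(line, rules=RULES):
    """Return (rule name, action) for the first rule whose pattern matches, else None."""
    for name, regex, action in rules:
        if regex.search(line):
            return name, action
    return None


def classify(lines, rules=RULES):
    """Map each line to the action the ordered rule table would take on it."""
    result = {}
    for line in lines:
        hit = first_matching_rule(line, rules)
        result[line] = hit[1] if hit else "unmatched"
    return result


def suppressed_by(pattern, line):
    """True if a suppress rule using `pattern` would match (and so swallow) `line`."""
    return re.search(pattern, line) is not None


# Constructed sample log lines (not taken from the original thread).
SAMPLE_LINES = [
    "1436281638.123 proxy TCP_MISS/200 GET http://example.test/",
    "1436281639.456 proxy TCP_DENIED/403 GET http://example.test/",
    "1436281640.789 host sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls",
    "1436281641.000 host sshd: Accepted publickey for bob",
    # Caveat case: TCP_DENIED plus "tail" elsewhere on the line is still suppressed,
    # because the alternation is unanchored and "tail" matches on its own.
    "1436281642.111 proxy TCP_DENIED/403 GET http://example.test/tail.log",
]


if __name__ == "__main__":
    for line, action in classify(SAMPLE_LINES).items():
        print(f"{action:9s} <- {line}")
    denied = SAMPLE_LINES[1]
    print("original pattern suppresses TCP_DENIED:", suppressed_by(ORIGINAL_PATTERN, denied))
    print("lookahead pattern suppresses TCP_DENIED:", suppressed_by(LOOKAHEAD_PATTERN, denied))
```

Running it shows TCP_MISS and the sudo line landing on the suppress rule, the plain TCP_DENIED line reaching the alert rule, the sshd line matching nothing, and the TCP_DENIED line whose URL contains "tail" being suppressed after all; if that last case matters in your environment, tighten the other alternatives (for example anchor them to the process name) rather than relying on the lookahead alone.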
