I would like to do that, BUT that just doesn't work. I asked for that feature in previous mails and the recommendation was to override rules.
Check out: http://groups.google.com/group/ossec-list/browse_thread/thread/c48f0017cd131ea2/1def88460fe1f637?lnk=gst&q=ogmueller#1def88460fe1f637 On 06.02.2012, at 16:34, Daniel Cid wrote: > Hey, > > I see the issue in there. You overwrote the rule 30109, which is an atomic > rule > dependent on the 30101 (<if_sid>30101</if_sid>). > > You modified it to be a composite rule and OSSEC didn't like that. It > should have > warned that you can't use the overwrite to modify a rule from > atomic->composite and > vice-versa. > > In your case, you are better putting that rule as dependent (using > <if_matched_sid>30109) then overwriting it. > > > Thanks, > > -- > Daniel B. Cid > daniel....@gmail.com