Is it possible to refer to the content of a decoded field by its field 
name inside a regex in a rule?

Example: after decoding an event, we have two fields among several, field1 
and field2.

The event contains:
<snip>... Field1 Label: Content_of_Field1   Field2 Label: Content_of_Field2 
  Field3 Label: Content_of_Field3 ...</snip>

The regex follows:

<regex>Field2 Label:\sSome regex followed by reference_to_field1 followed 
by some other regex\sField3 Label:</regex>

'reference_to_field1' would be *dynamically* substituted by 
Content_of_Field1 when evaluating the regex.

If possible, how?

If currently not possible, consider this a feature request.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

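Editor's note: the mechanism asked about above (decode fields from an event, then evaluate a rule regex in which a named field is substituted by that field's decoded content) can be illustrated outside OSSEC. The following is an added Python example, not OSSEC code and not an answer about what OSSEC's rule syntax supports; OSSEC's <regex> uses its own dialect rather than Python's re, and the ${field1} placeholder syntax, field labels and sample events here are all assumptions made up for the example. It also shows the check a practitioner would want once field content is spliced into a pattern: the value must be escaped, otherwise an attacker who controls field1 controls the regex.

```python
import re

# Constructed sample event in the shape the post describes (not a real log line).
SAMPLE_EVENT = ("Jan  1 00:00:00 host app: Field1 Label: alice "
                "Field2 Label: login for alice ok Field3 Label: 10.0.0.5")

# Constructed hostile event: field1 carries regex metacharacters.
INJECTED_EVENT = ("Jan  1 00:00:00 host app: Field1 Label: .* "
                  "Field2 Label: login for alice ok Field3 Label: 10.0.0.5")

# Step 1, the "decoder": pull the labelled fields out of the event by name.
DECODER = re.compile(
    r"Field1 Label:\s(?P<field1>\S+)\s+"
    r"Field2 Label:\s(?P<field2>.*?)\s+"
    r"Field3 Label:\s(?P<field3>\S+)"
)

def decode(event):
    """Return {'field1': ..., 'field2': ..., 'field3': ...} or None if no match."""
    m = DECODER.search(event)
    return m.groupdict() if m else None

# Step 2, the "rule": a regex template that refers to a decoded field by name.
# ${field1} is a hypothetical placeholder syntax chosen for this example.
RULE_REGEX = r"^login for ${field1} ok$"
PLACEHOLDER = re.compile(r"\$\{(\w+)\}")

def expand(template, fields):
    """Substitute ${name} with the decoded value, escaped so it matches literally.

    re.escape is the important part: a value such as '.*' or '(' would otherwise
    rewrite the pattern (or raise re.error), letting whoever controls the log
    content control the rule.  A callback replacement inserts the string as-is.
    """
    return PLACEHOLDER.sub(lambda m: re.escape(fields[m.group(1)]), template)

def expand_unsafe(template, fields):
    """The tempting one-liner: raw field content spliced into the pattern."""
    return PLACEHOLDER.sub(lambda m: fields[m.group(1)], template)

def rule_matches(event, template=RULE_REGEX, expander=expand):
    """Decode the event, build the rule regex from it, and test it against field2."""
    fields = decode(event)
    if fields is None:
        return False
    pattern = expander(template, fields)
    return re.search(pattern, fields["field2"]) is not None

if __name__ == "__main__":
    print(decode(SAMPLE_EVENT))
    print("safe, normal event:  ", rule_matches(SAMPLE_EVENT))
    print("safe, hostile field1:", rule_matches(INJECTED_EVENT))
    print("unsafe, hostile field1:", rule_matches(INJECTED_EVENT, expander=expand_unsafe))
```

With the escaped expansion the hostile event does not match, because "login for \.\* ok" is compared literally; with the unescaped expansion it does, because the attacker-supplied ".*" has become part of the rule. Any implementation of dynamic field references in a rule engine needs the same escaping, or the feature turns a log line into a way to rewrite detections.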