On Feb 26, 2017 11:45 AM, "InfoSec" <gjahc...@compucenter.org> wrote:

Is it possible to refer to the content of a decoded field by its field
name inside a regex in a rule?

Example: after decoding an event, we have two fields among several, field1
and field2.

The event contains:
<snip>... Field1 Label: Content_of_Field1   Field2 Label: Content_of_Field2
  Field3 Label: Content_of_Field3 ...</snip>

The regex follows:

<regex>Field2 Label:\sSome regex followed by reference_to_field1 followed
by some other regex\sField3 Label:</regex>

'reference_to_field1' would be *dynamically* substituted by
Content_of_Field1 when evaluating the regex.

If possible, how?

If currently not possible, consider this a feature request.


You should be able to reference fields directly. For example, if you decode
a srcip, you can add the following to a rule:
<srcip>10.0.0.1</srcip>
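As an added illustration (not code from the original thread; the decoder name, log format, field values and rule IDs are made up for the example), here is what the direct field reference from the reply looks like as an OSSEC decoder plus rule pair: the decoder extracts two fields, and the rule then matches on the decoded values with the field tags rather than by re-parsing the log line in a regex.

```xml
<!-- Added example, not from the original thread. Decoder name "myapp-login",
     the MYAPP log format and the 1001xx rule IDs are assumptions. -->

<!-- etc/local_decoder.xml: extract srcip and user from a constructed log line such as
       MYAPP: login from 10.0.0.1 as user admin
     The two capture groups are assigned, in order, to the fields named in <order>. -->
<decoder name="myapp-login">
  <prematch>^MYAPP: </prematch>
  <regex offset="after_prematch">^login from (\S+) as user (\S+)</regex>
  <order>srcip, user</order>
</decoder>

<!-- rules/local_rules.xml: the decoded fields are referenced by their field tags.
     100100 fires for every decoded MYAPP login; 100101 narrows it to one source
     address and one user by matching the decoded values directly. -->
<group name="myapp,">
  <rule id="100100" level="3">
    <decoded_as>myapp-login</decoded_as>
    <description>MYAPP login decoded.</description>
  </rule>

  <rule id="100101" level="8">
    <if_sid>100100</if_sid>
    <srcip>10.0.0.1</srcip>
    <user>admin</user>
    <description>MYAPP login as admin from a specific source address.</description>
  </rule>
</group>
```

After adding the files, restart OSSEC and run the constructed line through `ossec-logtest` to confirm that the decoder populates `srcip` and `user` and that rule 100101 fires only when both decoded values match. The field tags compare against the values the decoder already extracted, so the rule does not need to repeat the log-format regex.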


-- 

---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
