Yes, I got the production system working against a test attack script. Will monitor it to do tuning for the real flurries of bogus DNS queries, and will try the duplicate / twin decoder name to see if that works. An override option for the decoder name would be ideal. The other thing that occurred to me I could do, is copy all the child named decoders into the local decoder file and use the parent name of the new improved named decoder.
-- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.