Daniel,
Thank you very much for your reply!! I have everything working
properly now.
On Sep 16, 10:37 pm, Daniel Cid [EMAIL PROTECTED] wrote:
Hi,
A few suggestions to make it work:
1- Simplify your match (taken from David's reply): If you are looking
for a word, just use match (much faster):
<match>Duplicate TCP SYN from</match>
2- A better solution would be to use the pix ID that you want:
<id>^4-419002</id>
3- Do not write ignore rules
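Putting Daniel's first two suggestions together in one rule, as an added example rather than code posted by anyone in this thread: it assumes the rule lives in local_rules.xml with an id in the 100000+ range OSSEC reserves for local rules, that 4383 is the PIX rule the poster's if_sid referred to, and that the PIX decoder exposes the message number as the id field in the form 4-419002 (which is what Daniel's ^4-419002 implies). The third suggestion is cut off on the page, so the example keeps the level 0 approach the other messages in the thread use.

```xml
<!-- Added example for local_rules.xml; not from the original thread.
     Assumptions: rule 4383 is the PIX rule the poster chained from,
     and the pix decoder fills the id field with "4-419002" for this
     message. Ids 100000 and up are the range OSSEC reserves for local
     rules, so this one does not collide with the shipped rule set. -->
<group name="local,pix,">

  <!-- Level 0 means the event is matched but never alerted on.
       <id> is a regex against the decoded id field, anchored with ^
       so it only fires for message 419002 and not, say, 4-4190020.
       <match> is a plain substring test and is cheaper than a regex,
       which is why Daniel preferred it for a fixed phrase. -->
  <rule id="100100" level="0">
    <if_sid>4383</if_sid>
    <id>^4-419002</id>
    <match>Duplicate TCP SYN from</match>
    <description>PIX 419002 Duplicate TCP SYN ignored (noise)</description>
  </rule>

</group>
```

If the rule should only silence one host, the poster's `<srcip>` element can be added inside the rule alongside `<id>`. After restarting OSSEC, paste one of the PIX 419002 lines into /var/ossec/bin/ossec-logtest: the rules phase should report this rule id at level 0, meaning the message is consumed without producing an alert.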
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I think you're on the right path but OSSEC has already parsed the
log entry (to extract source and destination IPs) so you may need
something more like this (of course, I'm not able to test this):
<rule id="12" level="0">
I greatly appreciate your suggestion, but it doesn't appear to be
working. I implemented the following rule:
<rule id="12" level="0">
  <if_sid>4383</if_sid>
  <srcip>xxx.xxx.xxx.xxx</srcip>
  <match>Duplicate TCP SYN</match>
  <description>Rule that will ignore Duplicate</description>
  <description>TCP