On Aug 21, 2006, at 11:47 PM, gentuxx wrote:
I, too, would like to understand the rules better. I am collecting my router logs to my Mac server. I have set up my local rules.xml file and used the syslog log format option. I made the assumption that the rules would be tested in a top-down fashion, but experimentation leads me to believe that the rule with the highest "level" will be the one matched. Is this true, or am I all wet here?

Other questions:

Are there more details of the regex library used? In particular, the "(" and ")" characters. "\(80\)" seems to find the (80) string in my log files; however, "\(\d+\)" doesn't seem to match anything. I see some of the rules shipped put the \d+ inside brackets, e.g. [\d+]. Are the brackets required?

What is "accuracy"? The description simply says 0 or 1. What is it used for?

What is a Monolithic rules file? Meir has great instructions on how to create one. Is it simply a compiled file made from all of the rule files? Seems like a good idea for a production system, but a lot of bother for a system used for rule development.

Thanks Daniel and everyone else for all of your hard work on this project.

Randy
