Thanks Guys,

Helps a great deal. Sorry, I was mistaken, the "\(\d+\)" did match this line, I just had to scroll down in my email window to find it:

Aug 19 01:29:20 10.1.0.2 115962: Aug 19 06:29:19.883 UTC: %SEC-6-IPACCESSLOGP: list I1-In denied tcp 84.123.112.60(3389) -> 199.133.160.228(5900), 1 packet

It's way cool how OSSEC packs several alert emails into one :-)


Thanks again.  Hope you add these gems to the manual.


Randy


This is true. Rules with the highest level are matched first. It's
still a bit sparse at the moment, but take a look at







Regarding the accuracy (Randy's question), it is just a way to set the
priority of a rule. All rules are accurate by default. If you set it to 0,
the rule will be assigned a lower priority and checked only if all the
other rules failed. You will see that we use that for the "bad words"
matching.


Hope it helps.


******************************************

Randy Bradley

IT Specialist

USDA  ARS  MARC

Clay Center, NE     68933


[EMAIL PROTECTED]

phone:  402-762-4156

******************************************


