I've encountered what I think is a problem in OSSEC with regular
expressions. I have a rule that looks like this:
<rule id="1820" level="8" timeframe="30">
<regex>partially</regex>
<if_matched_regex>completed, but with some warnings$</if_matched_regex>
<description>Partial backup of data</description>
</rule>
However, the regex searching for 'partially' doesn't fire at all if I
take out the <if> part. Shouldn't the <regex> tag work like a <match>
tag if there aren't any regex meta characters?
--
Ita erat quando hic adveni.
Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415
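As an added illustration (not part of the original message, and not OSSEC's own code), the script below parses the rule quoted above and checks its two pattern tags against a few constructed log lines. It uses Python's `re` as a stand-in for OSSEC's OS_Regex engine, which is an assumption: OS_Regex has its own limited syntax, but for literal text plus `^`/`$` anchors the outcome is the same. `<match>` is modelled as a plain substring test, `<regex>` as an unanchored search, so a `<regex>` with no metacharacters does behave like `<match>`, while the trailing `$` in `if_matched_regex` only accepts lines that end exactly with "warnings".

```python
"""Added example: approximate OSSEC <match> / <regex> semantics in Python.

Assumption: Python's `re` stands in for OSSEC's OS_Regex engine. For the
literal patterns in the quoted rule (plus ^ and $ anchors) the result is
the same; OS_Regex's wider syntax differs and is not modelled here.
"""
import re
import xml.etree.ElementTree as ET

# The rule from the post, joined onto single lines.
RULE_XML = """
<rule id="1820" level="8" timeframe="30">
  <regex>partially</regex>
  <if_matched_regex>completed, but with some warnings$</if_matched_regex>
  <description>Partial backup of data</description>
</rule>
"""

# Constructed sample log lines (not taken from the original post).
LOG_LINES = [
    "backup job 17: partially completed, 3 files skipped",
    "backup job 18: completed, but with some warnings",
    "backup job 19: completed, but with some warnings (see log)",
    "backup job 20: completed successfully",
]


def load_patterns(rule_xml):
    """Return {tag: pattern} for the pattern-bearing tags of one <rule>."""
    rule = ET.fromstring(rule_xml)
    return {
        child.tag: child.text.strip()
        for child in rule
        if child.tag in ("match", "regex", "if_matched_regex")
    }


def ossec_match(pattern, line):
    """<match>: substring test; only a leading ^ or trailing $ is special."""
    anchored_start = pattern.startswith("^")
    anchored_end = pattern.endswith("$")
    literal = pattern.lstrip("^").rstrip("$")
    if anchored_start and anchored_end:
        return line == literal
    if anchored_start:
        return line.startswith(literal)
    if anchored_end:
        return line.endswith(literal)
    return literal in line


def ossec_regex(pattern, line):
    """<regex>: unanchored search; ^ and $ anchor only when written."""
    return re.search(pattern, line) is not None


def evaluate(rule_xml, lines):
    """Map each pattern tag to the lines it would match on its own."""
    patterns = load_patterns(rule_xml)
    hits = {}
    for tag, pattern in patterns.items():
        check = ossec_match if tag == "match" else ossec_regex
        hits[tag] = [line for line in lines if check(pattern, line)]
    return hits


if __name__ == "__main__":
    for tag, matched in evaluate(RULE_XML, LOG_LINES).items():
        print(f"{tag}: {len(matched)} line(s)")
        for line in matched:
            print("   ", line)
```

Run stand-alone, it reports one line for `regex` (job 17) and one for `if_matched_regex` (job 18); job 19 is rejected only because of the `$` anchor. A rule's real behaviour is best confirmed by feeding the same lines through ossec-logtest, since this script does not model how `if_matched_regex` ties the rule to an earlier alert within the `timeframe`.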