Hi Mark,

I am confused with what you are trying to do. This rule will look for the
"partially" pattern in the whole message; if found, it will search for
"completed, but with some warnings" in any message for the last
30 seconds. Is that what you are trying to do?

The regex tag acts like the match tag, but with a slower algorithm
(for regex matching)...

Can you give us more information?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 2/8/07, Mark Haney <[EMAIL PROTECTED]> wrote:

I've encountered what I think is a problem in OSSEC with regular
expressions.  I have a rule that looks like this:

<rule id="1820" level="8" timeframe="30">
  <regex>partially</regex>
  <if_matched_regex>completed, but with some warnings$</if_matched_regex>
  <description>Partial backup of data</description>
</rule>

However, the regex searching for 'partially' doesn't fire at all if I
take out the <if> part. Shouldn't the <regex> tag work like a <match>
tag if there aren't any regex meta characters?


--
Ita erat quando hic adveni.

Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415

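Daniel's description of how the posted rule is evaluated, as an added example that is not part of the original thread and not OSSEC's own code: a small Python model of the two-stage check, run over a few constructed log lines. It shows that the rule with only a <regex> tag fires on every line containing "partially", while the two-stage form fires only when a line ending in "completed, but with some warnings" arrived in the preceding 30 seconds and before the "partially" line. Python's re module stands in for OSSEC's own regex dialect (which is not PCRE), the <frequency> count that real OSSEC composite rules take is omitted, and the sample lines and timestamps are made up for the demo.

```python
"""
Model of the OSSEC rule evaluation described in the reply above.

Not OSSEC code. It reproduces, in Python, the two-stage check Daniel
describes: the <regex> (or <match>) must hit the *current* line; if it
does, <if_matched_regex> is searched against the lines seen in the
previous <timeframe> seconds, and only then does the rule fire.

Assumptions not taken from the page:
  * Python's `re` stands in for OSSEC's own os_regex dialect, which is
    not PCRE (so only the simple patterns used here translate 1:1).
  * <match> is modelled as a literal substring test; its ^ $ | operators
    are not modelled.
  * A single earlier hit inside the window is enough; real OSSEC composite
    rules also take a <frequency> count, which this model omits.
  * The timestamps and log lines are constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    rule_id: int
    level: int
    regex: Optional[str] = None             # <regex>
    match: Optional[str] = None             # <match>
    if_matched_regex: Optional[str] = None  # <if_matched_regex>
    timeframe: int = 0                      # seconds looked back


def tag_match(pattern: str, line: str) -> bool:
    """<match>: plain substring search, the cheap path."""
    return pattern in line


def tag_regex(pattern: str, line: str) -> bool:
    """<regex>: regular-expression search (Python `re` as stand-in)."""
    return re.search(pattern, line) is not None


def current_line_hits(rule: Rule, line: str) -> bool:
    """Stage 1: every pattern tag present on the rule must hit this line."""
    checks = []
    if rule.match is not None:
        checks.append(tag_match(rule.match, line))
    if rule.regex is not None:
        checks.append(tag_regex(rule.regex, line))
    return bool(checks) and all(checks)


def evaluate(rule: Rule, events: List[Tuple[int, str]]) -> List[int]:
    """Run `rule` over (timestamp_seconds, line) events in arrival order.

    Returns the timestamps at which the rule fires. Stage 2 only looks at
    *earlier* lines within `timeframe` seconds, so a 'partially' line that
    arrives before its 'completed, but with some warnings' line never fires.
    """
    fired: List[int] = []
    history: List[Tuple[int, str]] = []
    for ts, line in events:
        if current_line_hits(rule, line):
            if rule.if_matched_regex is None:
                fired.append(ts)
            else:
                window = [old for t, old in history if ts - t <= rule.timeframe]
                if any(tag_regex(rule.if_matched_regex, old) for old in window):
                    fired.append(ts)
        history.append((ts, line))
    return fired


# Constructed sample input (not from the page): seconds since start, message.
EVENTS: List[Tuple[int, str]] = [
    (0,   "backup: job nightly completed, but with some warnings"),
    (10,  "backup: job nightly finished partially, 3 files skipped"),
    (100, "backup: job weekly completed, but with some warnings"),
    (200, "backup: job weekly finished partially, 1 file skipped"),
    (300, "backup: job daily finished partially"),
]

# Mark's rule as posted: both stages.
MARK_RULE = Rule(rule_id=1820, level=8, timeframe=30,
                 regex="partially",
                 if_matched_regex="completed, but with some warnings$")

# The same rule with the <if_matched_regex> stage removed.
STANDALONE_RULE = Rule(rule_id=1820, level=8, regex="partially")

if __name__ == "__main__":
    print("two-stage rule fires at:", evaluate(MARK_RULE, EVENTS))       # [10]
    print("regex-only rule fires at:", evaluate(STANDALONE_RULE, EVENTS))  # [10, 200, 300]
```

Only the event at 10 s satisfies both stages: the "weekly" pair is 100 s apart, outside the 30 s window, and the "daily" line has no preceding warning at all. To see what the real engine does with a rule, feed sample lines to ossec-logtest, which prints the rule id each line ends up matching; that is the quickest way to tell a regex-syntax problem from a correlation-window problem.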