hi Kayvan,
Parentheses are used to extract data from the regexes, so if you want to use them, you need to escape them with "\" before. Like that:

<rule id="100080" level="0">
  <if_sid>1002</if_sid>
  <program_name>smbd</program_name>
  <regex>^\s*Connection denied from \(0.0.0.0\)</regex>
  <description>Ignoring smbd denied connection from</description>
</rule>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 2/17/07, Kayvan A. Sylvan <[EMAIL PROTECTED]> wrote:
On Sat, Feb 17, 2007 at 05:23:36PM -0500, Michael Starks wrote:
>
> Kayvan A. Sylvan wrote:
> > My local_rules.xml contains these snippets:
> >
> > <rule id="100070" level="0">
> >   <if_sid>1002</if_sid>
> >   <program_name>smbd</program_name>
> >   <regex>^\s*Denied connection from (0.0.0.0)</regex>
> >   <description>Ignoring smbd denied connection from</description>
> > </rule>
> >
> > <rule id="100080" level="0">
> >   <if_sid>1002</if_sid>
> >   <program_name>smbd</program_name>
> >   <regex>^\s*Connection denied from (0.0.0.0)</regex>
> >   <description>Ignoring smbd denied connection from</description>
> > </rule>
>
> Try changing this:
> <regex>^\s*Connection denied from (0.0.0.0)</regex>
> To this:
> <regex>^\s*Connection denied from 0.0.0.0</regex>
> Or this:
> <match>Connection denied from 0.0.0.0</match>

I don't see the reasoning. Is the log message processed in some way so that the parentheses are not there when the match happens?

---Kayvan

--
Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen.    | Robin Gregory (2/28/92)
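The point Daniel makes above (unescaped parentheses are capture groups, not literal characters) can be checked outside OSSEC. The script below is an added illustration, not code from the thread or from the OSSEC project: it uses Python's `re` module as a stand-in for OSSEC's own regex engine (an assumption; the two engines are not identical, but `^`, `\s`, `.`, grouping and backslash escaping behave the same way for this case), runs each variant of the pattern from the thread against a constructed sample log line, and also shows the related pitfall that an unescaped `.` in `0.0.0.0` matches any character.

```python
import re

# Constructed sample log line (an assumption about smbd's format, which the
# thread does not show): the denied address printed inside literal parentheses.
SAMPLE_LOG = "Connection denied from (0.0.0.0)"

# The regex variants discussed in the thread, plus a fully escaped one that
# also treats the dots in the address literally.
PATTERNS = {
    "unescaped": r"^\s*Connection denied from (0.0.0.0)",    # parens = capture group
    "escaped": r"^\s*Connection denied from \(0.0.0.0\)",    # Daniel's fix
    "strict": r"^\s*Connection denied from \(0\.0\.0\.0\)",  # dots escaped too
}


def regex_matches(pattern: str, line: str) -> bool:
    """True if the pattern matches at the start of the line (what '^' anchors to)."""
    return re.match(pattern, line) is not None


def captured_groups(pattern: str, line: str):
    """Show what unescaped parentheses actually do: they capture a substring
    rather than requiring literal '(' and ')' in the log line."""
    m = re.search(pattern, line)
    return m.groups() if m else None


def match_keyword(keyword: str, line: str) -> bool:
    """OSSEC's <match> is a plain substring search, not a regex, so no escaping
    is needed there; modelled here as Python's 'in' operator."""
    return keyword in line


def evaluate(line: str = SAMPLE_LOG) -> dict:
    """Run every variant against one log line and report which ones fire."""
    return {
        "unescaped_regex": regex_matches(PATTERNS["unescaped"], line),
        "escaped_regex": regex_matches(PATTERNS["escaped"], line),
        "strict_regex": regex_matches(PATTERNS["strict"], line),
        "match_keyword": match_keyword("Connection denied from (0.0.0.0)", line),
        # '.' is a wildcard, so the unescaped address pattern also matches junk.
        "dot_wildcard_matches_junk": regex_matches(r"0.0.0.0", "0a0b0c0"),
        "escaped_dots_reject_junk": not regex_matches(r"0\.0\.0\.0", "0a0b0c0"),
    }


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:28s} {fired}")
```

The unescaped pattern never fires on a line that contains literal parentheses, because the group `(0.0.0.0)` consumes the address itself and the `(` in the log has nothing to match it; the escaped pattern fires, and `captured_groups` shows the group capturing `0.0.0.0` from a line without parentheses. The authoritative check for a real rule is still to feed the actual log line through OSSEC's own `ossec-logtest`, since its regex engine is not Python's.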