Hi Peter,

The right syntax is to use commas between the rule ids:

<if_sid>4801,4803, 4806</if_sid>

You can also assign groups to your rules and use <if_group> to match on them ...

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Nov 17, 2007 12:31 PM, Peter M. Abraham <[EMAIL PROTECTED]> wrote:
>
> Greetings:
>
> I'm trying to expand the rule sets for sonicwall_rules.xml in
> local_rules.xml
>
> In examination of the sonicwall logs, I've found that certain types of
> messages (alerts, notices, etc.) can actually fall into three separate
> categories -- 4801, 4803, 4806.
>
> In testing, I've found the following does not work:
>
> <if_sid>4801|4803|4806</if_sid>
>
> What syntax can I use to allow a rule to be a part of multiple sids?
>
> Thank you.
>
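Both forms from the reply above, written out as a local_rules.xml fragment. This is an added example, not part of the original thread: the rule ids 100100 and 100101, the group name "sonicwall_multi", the levels and the <match> strings are constructed placeholders.

```xml
<!-- local_rules.xml (constructed example; ids, group name, levels and
     match strings are assumptions, not taken from the thread) -->
<group name="local,syslog,sonicwall,">

  <!-- Form from the question, reported as not working:
       <if_sid>4801|4803|4806</if_sid> -->

  <!-- Child of any of the three parent rules: ids separated by commas -->
  <rule id="100100" level="7">
    <if_sid>4801, 4803, 4806</if_sid>
    <match>example message text</match>
    <description>SonicWall message of interest seen under 4801, 4803 or 4806.</description>
    <!-- Tag this rule so later rules can chain on the group instead of ids -->
    <group>sonicwall_multi,</group>
  </rule>

  <!-- Alternative: chain on the group rather than listing rule ids -->
  <rule id="100101" level="9">
    <if_group>sonicwall_multi</if_group>
    <match>second example text</match>
    <description>Follow-up condition on any rule tagged sonicwall_multi.</description>
  </rule>

</group>
```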
