Hi Walter,
I think the issue is in your usage of the <match> tag. When you
specify it more than once, the contents
are going to be concatenated, so internally your final match will look
as if it were:
<match>Domain AdminsOther security enabled groups....</match>
Which will probably not match. If you want more than one field, you
can use a pipe ("|") as a separator, like:
<match>string1|string2|string3</match>
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, May 6, 2008 at 1:13 PM, Wilson, Walter <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I'm trying to enable a Windows security group change alert e-mail but
> only if, say, 'domain admins' is changed.
>
> I've reduced the standard rule (18114) alert level to 6 but added the
> following to local-rules:
>
> <rule id="100103" level="10">
> <if_sid>18114</if_sid>
> <match>Domain Admins</match>
> <match>Other security enabled groups....</match>
> <description>Raise alerts for Admin groups</description>
> </rule>
> </group>
>
> e-mail alert trigger is still set to 7+
>
> I'm seeing alerts on rule 18114 for all groups OTHER than those I have
> specified above.
>
> It looks as if the local_rule 100103 is not being triggered (it is being
> loaded at startup).
>
> Am I doing this correctly? Any ideas why it's not being triggered?
>
> Regards,
>
> Walter Wilson
>
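To make the concatenation behaviour Daniel describes visible, here is an added example (not code from the thread or from OSSEC itself). It parses Walter's rule as posted, emulates how repeated <match> elements collapse into one pattern, and compares that with a single <match> using "|" as the OR separator. The matcher is a deliberate simplification of OSSEC's own (plain case-sensitive substring checks, "|" as the only operator, no "^"/"$" handling), and the two Windows-style log lines are constructed for the test, not real events.

```python
import xml.etree.ElementTree as ET

# Walter's rule exactly as posted in the thread: two <match> elements.
BROKEN_RULE = """<rule id="100103" level="10">
  <if_sid>18114</if_sid>
  <match>Domain Admins</match>
  <match>Other security enabled groups....</match>
  <description>Raise alerts for Admin groups</description>
</rule>"""

# The same rule written the way Daniel suggests: one <match>, "|" between alternatives.
FIXED_RULE = """<rule id="100103" level="10">
  <if_sid>18114</if_sid>
  <match>Domain Admins|Other security enabled groups....</match>
  <description>Raise alerts for Admin groups</description>
</rule>"""

# Constructed sample log lines (shaped like Windows group-change events, not real data).
DOMAIN_ADMINS_LINE = (
    "Security Enabled Global Group Member Added: Member Name: CN=jdoe "
    "Target Account Name: Domain Admins Caller User Name: admin01"
)
OTHER_GROUP_LINE = (
    "Security Enabled Global Group Member Added: Member Name: CN=jdoe "
    "Target Account Name: Backup Operators Caller User Name: admin01"
)


def effective_match(rule_xml: str) -> str:
    """Return the single pattern the rule ends up with.

    Emulates the behaviour described in the reply: every <match> element's
    text is concatenated, in order, into one string.
    """
    root = ET.fromstring(rule_xml)
    return "".join(m.text or "" for m in root.findall("match"))


def alternatives(pattern: str) -> list:
    """Split a <match> pattern on '|' into its OR alternatives (simplified)."""
    return [alt for alt in pattern.split("|") if alt]


def rule_matches(rule_xml: str, line: str) -> bool:
    """True if any alternative of the rule's effective pattern is a substring of line."""
    return any(alt in line for alt in alternatives(effective_match(rule_xml)))


def evaluate(rule_xml: str) -> dict:
    """Run one rule over both sample lines; keyed by a short label for readability."""
    return {
        "domain_admins": rule_matches(rule_xml, DOMAIN_ADMINS_LINE),
        "other_group": rule_matches(rule_xml, OTHER_GROUP_LINE),
    }


if __name__ == "__main__":
    print("broken rule effective pattern:", repr(effective_match(BROKEN_RULE)))
    print("broken rule:", evaluate(BROKEN_RULE))
    print("fixed rule: ", evaluate(FIXED_RULE))
```

Running it shows the concatenated pattern "Domain AdminsOther security enabled groups...." never appears in a real event line, so the broken rule matches nothing and 18114 keeps firing at its reduced level; the pipe-separated version matches the Domain Admins event and leaves the Backup Operators event alone.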