I would like to convert web log rules from the PHPIDS-project and Snort to OSSEC. This turned out to be difficult, because OSSEC seems to use a home-rolled variant of regular expressions and does not support POSIX. The OSSEC variant is not as powerful as POSIX.
Is it somehow possible to use POSIX syntax for regular expressions in OSSEC? If not, are there any chances the feature will be implemented in future releases? To remain backward compatible, a new regex tag could be introduced: "<regex>" uses OSSEC syntax and "<regex-posix>" uses POSIX syntax.

Rules from PHPIDS: https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml
Regular Expressions in OSSEC: http://www.ossec.net/wiki/index.php/Know_How:Regex_Readme

Thanks for a great product, btw.
/Lars
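To make the mismatch concrete, here is an added example (not from the post, and not OSSEC or PHPIDS code) that translates the small subset of POSIX/PCRE syntax OSSEC's regex can express and reports every construct it cannot, so a rule author sees before deployment which imported patterns need a hand rewrite. It follows the OSSEC Regex README linked above: "\." means any character and a bare "." is a literal dot, \d \w \s \p (and \D \W \S) are the only classes, and there is no [...] class, no {n,m}, no "?" and no backreference; the CLASS_MAP entries are the author's own approximations, named as such in the comments.

```python
import re

# Bracket classes with an exact (or, for \w, slightly wider) OSSEC equivalent.
# Anything else in [...] is reported rather than guessed.
CLASS_MAP = {
    "[0-9]": r"\d",
    "[^0-9]": r"\D",
    "[a-zA-Z0-9_]": r"\w",   # approximation: OSSEC \w also matches "@" and "-"
}
# Escapes that keep their meaning in OSSEC (note: OSSEC \s is a single space only).
PASS_THROUGH_ESCAPES = set("wdspWDSt()$^|*+\\")
# One PCRE token at a time: an escape, a bracket class, a {..} quantifier, or a char.
TOKEN = re.compile(r"\\.|\[[^\]]*\]|\{[^}]*\}|.", re.S)

def to_ossec(pattern):
    """Return (ossec_pattern, issues); ossec_pattern is None if any issue was found."""
    out, issues = [], []
    for m in TOKEN.finditer(pattern):
        tok = m.group(0)
        if tok.startswith("\\"):
            esc = tok[1]
            if esc == ".":
                out.append(".")            # PCRE literal dot -> OSSEC bare dot
            elif esc == "?":
                out.append("?")            # "?" is not a metacharacter in OSSEC
            elif esc in PASS_THROUGH_ESCAPES:
                out.append(tok)
            elif esc.isdigit():
                issues.append("backreference %s not supported" % tok)
            else:
                issues.append("escape %s has no OSSEC equivalent" % tok)
        elif tok.startswith("["):
            if tok in CLASS_MAP:
                out.append(CLASS_MAP[tok])
            else:
                issues.append("character class %s must be rewritten" % tok)
        elif tok.startswith("{"):
            issues.append("bounded repetition %s not supported" % tok)
        elif tok == "?":
            issues.append("'?' (optional, non-greedy or lookaround) not supported")
        elif tok == ".":
            out.append(r"\.")              # PCRE any-char -> OSSEC "\."
        else:
            out.append(tok)                # ^ $ | + * ( ) and literals are shared
    return ("".join(out) if not issues else None), issues
```

Run it over a rule set and the issues list is the work queue: PCRE-heavy PHPIDS filters built on lookaround and bounded repetition will be rejected rather than silently turned into a weaker OSSEC pattern.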
