Have a look here:
http://www.ossec.net/wiki/index.php/Know_How:Regex_Readme
As I understand, the regex system in ossec is built mainly for speed,
and so full perl-type regex will probably not work. If that does
work I will be (pleasantly) surprised. Also have a look at the
ossec-logtest utility: it is usually quite helpful in determining how
ossec is interpreting your rules and decoders.
As far as the multiple patterns, you can always just put the OR (|)
between the possible patterns:
<rule>
<regex>pattern1|</regex>
<regex>pattern2|</regex>
<regex>pattern3</regex>
</rule>
It's kind of ugly I know, but it does work.
On Jul 27, 2009, at 7:58 AM, Knoll, Duane wrote:
> I am editing the local_rules.xml file and have been using <match>
> to change the alert level of some events.
> I want to switch to <regex> to consolidate the numerous types of
> capitalization and other minor differences between servers.
> I am stuck on getting the evaluation to ignore case.
>
> As an example:
>
> 'C:\WINDOWS/system32/CCM/ServiceData/Messaging/EndpointQueues/CertificateMaintenanceEndpoint/000000HV.msg'
>
> <regex>/'C:[\\/]WIN(nt\|dows)[\\/]system32[\\/]CCM[\\/]ServiceData[\\/]Messaging/i</regex>
>
> My goal with this expression was to match 'C:\WINDOWS/system32/CCM/ServiceData/Messaging
>
> I believe the reason that it is not matching is because of
> capitalization which I thought the /i flag would take care of.
> Does anyone know if there is a way to get the regex to ignore case?
>
> Duane
>
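An added example, not part of either message in this thread: a complete local_rules.xml rule that applies the reply's multiple-<regex> OR trick to the path from the question. The rule id 100100, the level 7 and the parent rule 18100 (OSSEC's generic Windows event rule) are assumptions; substitute the id of the rule whose alert level you actually want to override. The patterns use `\.`, which the OSSEC regex readme linked in the reply documents as "match any single character", so either `\` or `/` is accepted as a separator without resorting to a perl-style character class.

```xml
<!-- Added example (not from the thread). Raises the alert level of Windows
     events whose message contains the CCM ServiceData messaging path, for
     either WINDOWS or WINNT and either path separator.
     Assumptions: rule id 100100, level 7, parent rule 18100. -->
<group name="local,windows,">
  <rule id="100100" level="7">
    <if_sid>18100</if_sid>
    <!-- OSSEC concatenates consecutive <regex> lines of one rule; the
         trailing | on every line but the last turns them into a single
         OR of alternatives. \. is OS_Regex for "any one character", so it
         stands in for the \ or / between path components. -->
    <regex>C:\.WINDOWS\.system32\.CCM\.ServiceData\.Messaging|</regex>
    <regex>C:\.WINNT\.system32\.CCM\.ServiceData\.Messaging</regex>
    <description>Windows: CCM ServiceData messaging event.</description>
  </rule>
</group>
```

Drop the rule into /var/ossec/rules/local_rules.xml, then feed one of the original event lines to ossec-logtest before restarting the daemons: its output shows which rule id fired and at what level, which settles whether the pattern (and its case handling) does what you expect on your installation.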