I have an Active Response for which I want two conditions met before taking action. In this case, only if (alert level >= 7) AND the rule came from the "foo_rules" rule group.

<active-response>
  <command>foo</command>
  <level>7</level>
  <rules_group>foo_rules</rules_group>
</active-response>

OSSEC is executing this command for ALL foo_rules, regardless of the
alert level!
I've assumed multiple conditions are treated like "AND". Is that
incorrect?
If conditions are OR'ed, how can I get AND-logic?
- Dave
