Hey, not sure at the moment but I think it should be
<hostname>snort01|snort02</hostname> instead. Kind regards, oscar On Tue, Mar 2, 2010 at 6:55 PM, Jefferson, Shawn < [email protected]> wrote: > Hi, > > I’m putting some local rules into the local_rules.xml file on the manager > (from what I’ve read you can put them here to push out to your agents?) > > Can you use a comma separated list in <hostname> like so ? > > <group name="local,snort"> > <rule id="100100" level="0" noalert="1"> > <if_sid>20100</if_sid> > <hostname>snort01, snort02</hostname> > <description>Ignoring snort events</description> > </rule> > </group> > > Or should you use a regex? > > Thanks, > Shawn > >
