Guys,

How can I create a rule with two match parameters? Ex:

WinEvtLog: Security: AUDIT_SUCCESS(520): Security: SYSTEM: NT AUTHORITY: SERVER01: The system time was changed. Process ID: 2201 Process Name: C:\Program Files\VMware\VMware Tools\VMwareService.exe Primary User Name: SERVER1$ Primary Domain: DOMAIN Primary Logon ID: (0x0,0x3E6) Client User Name: SERVER$ Client Domain: DOMAIN Client Logon ID: (0x0,0x3E6) Previous Time: 9:52:29 AM 3/17/2010 New Time: 9:53:30 AM 3/17/2010

I wanna match "The system time was changed." and "C:\Program Files\VMware\VMware Tools\VMwareService.exe" in the same rule. Is it possible?

Thanks!

--
Rafael Brito Gomes
Security Analyst
LPIC-1 MCSO
DISUP/CPD/UFBA
Tel : +55 71 3283 6100
