----- Original Message ----- > Hi Phil, > > I don't know enough to add meaningfully, but in the last paragraph > this looked unusual. > > <same_source_ip /> > > Perhaps same_source_ip is built into ossec, but the tags look like > it's missing brackets. > > Is this supposed to send a notification email or make an active > response? > > Eric >
Nope, it was a stupid admin ;) I have posted what I have so far to :- http://www.zimbra.com/forums/administrators/39764-ossec-rules.html -- Thanks, Phil
