Yes, it basically means if Rule ID 500 is triggered, look at this rule also. So in the case of the rule you posted:

1. If Rule ID 500 is triggered,
2. and if this is a First Time Seen event,
3. and the string "Agent started" is found in the event,
4. trigger Rule ID 501 at level 3.

On Thu, Sep 16, 2010 at 10:36 AM, Aamir Niazi <[email protected]> wrote:
> Can someone please explain what does if_sid mean exactly. Does it mean
> if rule matches ID=500 do the following?
>
> Just a bit confused how rules are triggered.
>
> <rule id="501" level="3">
>   <if_sid>500</if_sid>
>   <if_fts />
>   <options>alert_by_email</options>
>   <match>Agent started</match>
>   <description>New ossec agent connected.</description>
> </rule>
>
> --
> Best Regards,
>
> Aamir Niazi
> Senior Security Analyst
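
An added example, not part of the original thread or of OSSEC's own code: a small Python model of the chain described in the reply, using the rule 501 posted above. The parent rule 500 shown here is a constructed stand-in, and the substring matching and per-source first-time-seen tracking are simplifying assumptions.

```python
import xml.etree.ElementTree as ET

# Rule 501 is the rule from the thread. Rule 500 is a constructed stand-in:
# the real parent rule is not shown on the page.
RULES_XML = """<group>
  <rule id="500" level="0">
    <match>ossec:</match>
  </rule>
  <rule id="501" level="3">
    <if_sid>500</if_sid>
    <if_fts />
    <options>alert_by_email</options>
    <match>Agent started</match>
    <description>New ossec agent connected.</description>
  </rule>
</group>"""

def load_rules(xml_text):
    return [{"id": r.get("id"), "level": int(r.get("level")),
             "if_sid": r.findtext("if_sid"),        # None for a top-level rule
             "fts": r.find("if_fts") is not None,
             "match": r.findtext("match")}
            for r in ET.fromstring(xml_text).iter("rule")]

def matches(rule, event, source, seen):
    # Assumption: <match> is treated as a plain substring test.
    if rule["match"] and rule["match"] not in event:
        return False
    # Assumption: "first time seen" is tracked per (rule id, source).
    if rule["fts"]:
        if (rule["id"], source) in seen:
            return False
        seen.add((rule["id"], source))
    return True

def evaluate(rules, event, source, seen):
    """Walk parent -> child; return (id, level) of the last rule that fired."""
    fired = None
    while True:
        parent = fired["id"] if fired else None
        child = next((r for r in rules if r["if_sid"] == parent
                      and matches(r, event, source, seen)), None)
        if child is None:
            return (fired["id"], fired["level"]) if fired else None
        fired = child

if __name__ == "__main__":
    rules, seen = load_rules(RULES_XML), set()
    for line in ["ossec: Agent started: 'web01'.",   # constructed events
                 "ossec: Agent started: 'web01'.",
                 "sshd: Agent started"]:
        print(evaluate(rules, line, "web01", seen))
```

The second identical event stops at the parent because it is no longer first-time-seen, and the third never reaches rule 501 because the parent did not match.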
