Hi,
I am having a problem with creating a custom/local rule for OSSEC HIDS
that does the following:
* read a Snort fast alert file
* if the alert has a source or destination that is an IPv6 address [1]
* send an email
I believe I'm going about this the wrong way.
Any pointers?
[1] I'm using a regex to match my range, e.g. if I were watching for
something in Google's address space: <regex>^2001\p:4860</regex>
<group name="syslog,snort,">
  <!-- matches Snort IDS events (parent rule 20101) against the watched IPv6 prefix -->
  <rule id="100010" level="8">
    <if_sid>20101</if_sid>
    <decoded_as>snort</decoded_as>
    <regex>^2001\p:4860</regex>
    <description>ipv6 snort alert</description>
  </rule>
</group>
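As an added example (not from the original post, and not OSSEC's own code), here is the same three-step check done outside OSSEC in Python: parse Snort fast-alert lines, test source and destination against an IPv6 prefix with CIDR matching rather than a text regex, and return the lines that should trigger the email. The sample alert lines and the 2001:4860::/32 range are constructed assumptions; sending the email itself is left to the caller.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample lines in Snort "fast" alert format (not real traffic).
SAMPLE_ALERTS = """\
01/20-10:01:02.123456  [**] [1:2000001:1] TEST ipv6 tcp [**] [Priority: 2] {TCP} 2001:4860:4860::8888:443 -> 2001:db8::1:51234
01/20-10:01:03.654321  [**] [1:2000002:1] TEST ipv6 icmp [**] [Priority: 3] {ICMPv6} 2001:db8::1 -> 2001:4860::
01/20-10:01:04.000000  [**] [1:2000003:1] TEST ipv4 [**] [Priority: 3] {UDP} 192.0.2.10:53 -> 192.0.2.20:40000
"""

# Assumed watched range; a CIDR test replaces the post's text regex.
WATCHED = ipaddress.ip_network("2001:4860::/32")

# Tail of a fast-alert line: "{PROTO} <src>[:port] -> <dst>[:port]"
_ENDPOINTS = re.compile(r"\{(\w+)\}\s+(\S+)\s+->\s+(\S+)\s*$")
# Protocols whose endpoints carry a ":port" suffix in fast output.
_PORTED = {"TCP", "UDP"}


def parse_endpoint(token: str, has_port: bool) -> Tuple[ipaddress._BaseAddress, Optional[int]]:
    """Split '<ip>' or '<ip>:<port>' into (address, port).

    IPv6 addresses contain ':' themselves, so '2001:4860:4860::8888:443' is
    ambiguous on its own (it even parses as a valid address). The protocol
    field decides: for TCP/UDP the text after the last ':' is the port.
    """
    if has_port:
        addr, _, port = token.rpartition(":")
        return ipaddress.ip_address(addr), int(port)
    return ipaddress.ip_address(token), None


def alert_in_watched_range(line: str, net: ipaddress._BaseNetwork = WATCHED) -> bool:
    """True if the alert's source or destination falls inside the watched prefix."""
    m = _ENDPOINTS.search(line)
    if not m:
        return False
    proto, src, dst = m.groups()
    for token in (src, dst):
        addr, _ = parse_endpoint(token, proto.upper() in _PORTED)
        # IPv4 alerts never match an IPv6 prefix; skip them rather than error.
        if addr.version == net.version and addr in net:
            return True
    return False


def matching_alerts(text: str, net: ipaddress._BaseNetwork = WATCHED) -> List[str]:
    """Return the fast-alert lines that should trigger the email."""
    return [ln for ln in text.splitlines() if ln.strip() and alert_in_watched_range(ln, net)]
```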