Can you provide a sample alert that this should match? It's been way too long since I've seen the format.
Also, in the regex the "\p" matches a number of characters including the ":". So written out it could be "2001::4860". Is this your desired behaviour? (IPv6 is soooooo horrible when it comes to addressing...)

On Thu, Mar 31, 2011 at 12:51 PM, jwalterw <[email protected]> wrote:
> hi,
>
> i am having a problem with creating a custom/local rule for ossec hids
> that does the following:
>
> * read a snort fast alert file
> * if the alert has a source or destination that is an ipv6 address [1]
> * send an email
>
> i believe i'm going about this the wrong way.
>
> any pointers?
>
>
> [1] i'm using a regex to match my range, e.g. if I were watching for
> something in Google's address space: '<regex>^2001\p:4860</regex>'
>
> <group name="syslog,snort,">
>   <rule id="100010" level="8">
>     <if_sid>20101</if_sid>
>     <decoded_as>snort</decoded_as>
>     <regex>^2001\p:4860</regex>
>     <description>ipv6 snort alert</description>
>   </rule>
> </group>
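As an added illustration of the point made in the reply (not code from either poster or from OSSEC), the script below parses a few constructed Snort fast-alert lines and tests each endpoint for membership in 2001:4860::/32 with the `ipaddress` module, rather than matching the address as text; it also shows that a text pattern equivalent to `^2001\p:4860` (approximated here with a Python character class) accepts `2001::4860`, which is outside that range. The port layout of the IPv6 endpoints in the sample lines is an assumption.

```python
import ipaddress
import re

# Constructed sample lines in Snort "fast" alert layout (not taken from the
# thread). Assumption: TCP/UDP endpoints carry a trailing ":port", ICMP do not.
SAMPLE_ALERTS = [
    '03/31-12:51:00.000001  [**] [1:1000001:0] constructed alert [**] '
    '[Priority: 3] {TCP} 2001:4860:4860::8888:53 -> 2001:db8::10:41000',
    '03/31-12:51:01.000002  [**] [1:1000002:0] constructed alert [**] '
    '[Priority: 3] {ICMP} 2001::4860 -> 2001:db8::10',
    '03/31-12:51:02.000003  [**] [1:1000003:0] constructed alert [**] '
    '[Priority: 3] {UDP} 192.0.2.7:5353 -> 198.51.100.9:53',
]

# The Google range used as the example in the thread.
WATCHED = ipaddress.ip_network("2001:4860::/32")

# "{PROTO} src -> dst" is the tail of every fast-alert line.
ENDPOINTS = re.compile(r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)")


def strip_port(endpoint, proto):
    """Drop the trailing ':port' on TCP/UDP endpoints and parse the address."""
    if proto in ("TCP", "UDP"):
        endpoint = endpoint.rsplit(":", 1)[0]
    return ipaddress.ip_address(endpoint)


def alert_touches(line, network=WATCHED):
    """True when the source or destination of a fast alert lies in `network`."""
    m = ENDPOINTS.search(line)
    if not m:
        return False
    src = strip_port(m.group("src"), m.group("proto"))
    dst = strip_port(m.group("dst"), m.group("proto"))
    # Containment is False for a mismatched address family (IPv4 vs IPv6).
    return src in network or dst in network


def matching_alerts(lines, network=WATCHED):
    """Return the alert lines that would warrant the e-mail notification."""
    return [line for line in lines if alert_touches(line, network)]


# Text-prefix matching in the spirit of "^2001\p:4860": "[^\w\s]" stands in
# for OSSEC's "\p" (any punctuation), so "2001::4860" satisfies it.
PREFIX_ONLY = re.compile(r"^2001[^\w\s]:4860")
```

Running `matching_alerts(SAMPLE_ALERTS)` keeps only the first line; the ICMP line with `2001::4860` is rejected by the network check even though `PREFIX_ONLY` matches its source address.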
