-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Jun 10, 2011, at 2:49 PM, Jeremy Lee wrote: > Ahhh I think I see now :) > > But wouldn't he want a catch-all of *everything* that passes through. 31100 > and 31108 seem to be 'watershed' where alerts will go either way but not both.
Yeah, I'm interested in catching everything, so I was hoping 31100 would be the way to go .. > You can't do something like this either can you? <if_matched_sid>31100, > 31108</if_matched_sid> (I vaguely recall asking this and getting a response > of "no") Nope, tried that. ossec balks .. *sigh* - --------------------------- Jason 'XenoPhage' Frisvold [email protected] - --------------------------- "Any sufficiently advanced magic is indistinguishable from technology." - - Niven's Inverse of Clarke's Third Law -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.14 (Darwin) iEYEARECAAYFAk3ybTwACgkQ8CjzPZyTUTQa5wCfSqLGVoGh4/SbBX0INEZNJHUR GXUAn3caDdXJjyf82yaz/JfghmxWaUbr =6Dr/ -----END PGP SIGNATURE-----
