Maybe you could try tweaking the web rules XML and create your own "base" web access log "catch-all" rule and fire based off that.

On Fri, Jun 10, 2011 at 12:15 PM, Jason 'XenoPhage' Frisvold <[email protected]> wrote:

> On Jun 10, 2011, at 2:49 PM, Jeremy Lee wrote:
> > Ahhh I think I see now :)
> >
> > But wouldn't he want a catch-all of *everything* that passes through. 31100 and 31108 seem to be 'watershed' where alerts will go either way but not both.
>
> Yeah, I'm interested in catching everything, so I was hoping 31100 would be the way to go ..
>
> > You can't do something like this either can you? <if_matched_sid>31100, 31108</if_matched_sid> (I vaguely recall asking this and getting a response of "no")
>
> Nope, tried that. ossec balks .. *sigh*
>
> ---------------------------
> Jason 'XenoPhage' Frisvold
> [email protected]
> ---------------------------
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
