Any luck on this, Jason?

On Jun 10, 12:45 pm, Jeremy Lee <[email protected]> wrote:
> Maybe you could try tweaking the web rules XML and create your own "base"
> web access log "catch-all" rule and fire based off that.
>
> On Fri, Jun 10, 2011 at 12:15 PM, Jason 'XenoPhage' Frisvold <[email protected]> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
>
> > On Jun 10, 2011, at 2:49 PM, Jeremy Lee wrote:
> > > Ahhh I think I see now :)
>
> > > But wouldn't he want a catch-all of *everything* that passes through.
> > > 31100 and 31108 seem to be 'watershed' where alerts will go either way but
> > > not both.
>
> > Yeah, I'm interested in catching everything, so I was hoping 31100 would be
> > the way to go ..
>
> > > You can't do something like this either can you? <if_matched_sid>31100,
> > > 31108</if_matched_sid> (I vaguely recall asking this and getting a response
> > > of "no")
>
> > Nope, tried that. ossec balks .. *sigh*
>
> > - ---------------------------
> > Jason 'XenoPhage' Frisvold
> > [email protected]
> > - ---------------------------
> > "Any sufficiently advanced magic is indistinguishable from technology."
> > - - Niven's Inverse of Clarke's Third Law
>
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
>
> > iEYEARECAAYFAk3ybTwACgkQ8CjzPZyTUTQa5wCfSqLGVoGh4/SbBX0INEZNJHUR
> > GXUAn3caDdXJjyf82yaz/JfghmxWaUbr
> > =6Dr/
> > -----END PGP SIGNATURE-----
