I'm wondering the same thing. What's the difference between the 2 anyway? I'm ultimately trying to have 2 frequency rules and the second one doesn't fire. I suspect it's something to do with the if_sid or if_matched_sid.
On Jun 27, 2:09 pm, "dan (ddp)" <[email protected]> wrote:
> Hi Jason,
>
> On Mon, Jun 27, 2011 at 2:48 PM, Jason 'XenoPhage' Frisvold <[email protected]> wrote:
> > Hi all,
> >
> > I'd like to see the online docs updated to make this more clear. Can
> > someone please verify my understanding (original from
> > http://www.ossec.net/doc/syntax/head_rules.html#options) :
> >
> > group.rule.if_sid
> > Matches if the ID has matched once.
> > Allowed: Any rule id
> >
> > group.rule.if_matched_sid
> > Matches if the ID has matched multiple times. Used for composite rules.
> > Allowed: Any rule id
>
> These always confuse me. I'll look into it. :)
>
> > If this is correct, who do I need to contact to get the online docs
> > updated? Or maybe the online docs should all be moved to the wiki so
> > the community can update it?
>
> Wikis suck. The current documentation can be found
> at https://bitbucket.org/ddpbsd/ossec-rules
> It's done in sphinx (with help from paver). Someone else started it,
> and I don't have a good grasp on how to do anything fancy with it. But
> I can definitely update the above.
> Feel free to fork it, modify it, etc. And/or create issues on bitbucket for
> me.
> dan
>
> > --
> > ---------------------------
> > Jason 'XenoPhage' Frisvold
> > [email protected]
> > ---------------------------
> > "Any sufficiently advanced magic is indistinguishable from technology."
> > - Niven's Inverse of Clarke's Third Law
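An added example, not from this thread or from the OSSEC project's shipped rule set, putting the two quoted definitions side by side in a local rules file: if_sid chains a child rule off a single match of its parent, while if_matched_sid with frequency/timeframe is the composite form that fires once the parent has matched repeatedly. The rule IDs 100010-100012, the pam decoder and the match strings are constructed placeholders.

```xml
<!-- Constructed local rules (illustration only): a base rule, an if_sid
     child that refines one event, and an if_matched_sid composite rule
     that counts repeated matches of the base rule. -->
<group name="local,authentication,">

  <!-- Base rule: matches every single qualifying event on its own. -->
  <rule id="100010" level="3">
    <decoded_as>pam</decoded_as>   <!-- assumption: events arrive via the pam decoder -->
    <match>authentication failure</match>
    <description>Single PAM authentication failure (constructed)</description>
  </rule>

  <!-- if_sid: evaluated only for an event that rule 100010 has just
       matched (matched once). No counting, no timeframe: it narrows
       that one event further, here to the root account. -->
  <rule id="100011" level="5">
    <if_sid>100010</if_sid>
    <user>root</user>
    <description>PAM authentication failure for root (constructed)</description>
  </rule>

  <!-- if_matched_sid: composite rule. Fires only after rule 100010 has
       matched <frequency> times within <timeframe> seconds, and
       same_source_ip restricts the count to events from one source.
       A rule that needs repetition goes here, not under if_sid. -->
  <rule id="100012" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100010</if_matched_sid>
    <same_source_ip />
    <description>Repeated PAM authentication failures from one host (constructed)</description>
  </rule>

</group>
```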
