On Thu, Jul 7, 2011 at 12:36 PM, BP9906 <[email protected]> wrote:
> I'm wondering the same thing. What's the difference between the 2
> anyway?

if_sid: For this log message, is sid XXX a valid match?
if_matched_sid: Has sid YYY matched a recent log message (but not necessarily this one)?

> I'm ultimately trying to have 2 frequency rules and the second one
> doesn't fire. I suspect it's something to do with the if_sid or
> if_matched_sid.
>
> On Jun 27, 2:09 pm, "dan (ddp)" <[email protected]> wrote:
>> Hi Jason,
>>
>> On Mon, Jun 27, 2011 at 2:48 PM, Jason 'XenoPhage' Frisvold
>> <[email protected]> wrote:
>> > Hi all,
>> >
>> > I'd like to see the online docs updated to make this more clear. Can
>> > someone please verify my understanding (original from
>> > http://www.ossec.net/doc/syntax/head_rules.html#options):
>> >
>> > group.rule.if_sid
>> > Matches if the ID has matched once.
>> > Allowed: Any rule id
>> >
>> > group.rule.if_matched_sid
>> > Matches if the ID has matched multiple times. Used for composite rules.
>> > Allowed: Any rule id
>>
>> These always confuse me. I'll look into it. :)
>>
>> > If this is correct, who do I need to contact to get the online docs
>> > updated? Or maybe the online docs should all be moved to the wiki so
>> > the community can update it?
>>
>> Wikis suck. The current documentation can be found
>> at https://bitbucket.org/ddpbsd/ossec-rules
>> It's done in sphinx (with help from paver). Someone else started it,
>> and I don't have a good grasp on how to do anything fancy with it. But
>> I can definitely update the above.
>> Feel free to fork it, modify it, etc. And/or create issues on bitbucket for
>> me.
>> dan
>>
>> > --
>> > ---------------------------
>> > Jason 'XenoPhage' Frisvold
>> > [email protected]
>> > ---------------------------
>> > "Any sufficiently advanced magic is indistinguishable from technology."
>> > - Niven's Inverse of Clarke's Third Law
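To make dan's one-line definitions concrete, here is an added pair of local rules (example written for this page, not code from the thread or from the OSSEC project) showing the two options side by side. Rule ids 100100 and 100101 are hypothetical; 5716 is assumed to be the stock "SSHD authentication failed" rule from the shipped sshd_rules.xml, and the ssh log wording in the <match> is assumed.

```xml
<!-- Added example, not from the thread or the OSSEC ruleset.
     Assumptions: 5716 is the stock sshd "authentication failed" rule;
     100100/100101 are hypothetical local rule ids. -->
<group name="local,syslog,sshd,">

  <!-- if_sid: this rule is only evaluated on a log line that rule 5716
       itself matched, and the <match> below is tested against that same
       line. Answers "for THIS message, did 5716 match?" -->
  <rule id="100100" level="5">
    <if_sid>5716</if_sid>
    <match>invalid user</match>
    <description>SSHD authentication failure for an invalid user.</description>
  </rule>

  <!-- if_matched_sid with frequency/timeframe: a composite rule. It does
       not re-test the current line against 100100; it asks whether 100100
       has matched RECENT events, and fires once enough of them (here 5)
       from the same source IP fall inside 120 seconds. -->
  <rule id="100101" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>Repeated invalid-user SSH failures from one source IP.</description>
  </rule>

</group>
```

Two practical checks when a rule like 100101 "doesn't fire": run the individual lines through ossec-logtest to confirm each one actually reaches rule 100100 (a composite rule can only count events its if_matched_sid parent matched), and do not expect the alert on exactly the fifth event; the OSSEC rule-syntax documentation notes that the rule triggers later than the literal frequency value, so test with a generous number of repetitions inside the timeframe.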
