On Fri, Jul 8, 2011 at 11:29 AM, dan (ddp) <[email protected]> wrote:
>
> > if_sid: For this log message, is sid XXX a valid match?
> >
> > if_matched_sid: Has sid YYY matched a recent log message (but not
> > necessarily this one)?
>
This is simplistic and partly wrong. if_sid is basically correct. If sid XXX
matches the current log message, then use rule YYY instead:

<rule id="YYY" level="10">
  <if_sid>XXX</if_sid>
  <description>This rule should be triggered instead of XXX</description>
</rule>

if_matched_sid is generally used in frequency-based rules, and determines
whether sid XXX has been triggered Z times in A seconds. :P

<rule id="YYY" frequency="3" timeframe="30" level="12">
  <if_matched_sid>XXX</if_matched_sid>
  <description>If XXX is triggered 5+ times in 30 seconds, YYY should be triggered</description>
</rule>

HTH
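The difference between the two dependency types is easiest to see by running a few log lines through a small model of the evaluation: a child rule with if_sid replaces its parent only when the parent matched the line being processed, while a rule with if_matched_sid fires when the parent has fired enough times within the timeframe, counting earlier lines. The script below is an added example written for this thread; it is not OSSEC's code and not from the original posters. The rule set (sids 100, 101, 200), the sshd-style log lines and the timestamps are all constructed, and the model assumes frequency="N" means "N hits within timeframe seconds, including the current one" and never resets the hit history, which is a simplification of the real engine.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    sid: int
    level: int
    description: str
    match: Optional[str] = None           # regex the log line must contain
    if_sid: Optional[int] = None          # parent rule must match THIS line
    if_matched_sid: Optional[int] = None  # parent rule must have fired before ...
    frequency: int = 0                    # ... at least this many times ...
    timeframe: int = 0                    # ... within this many seconds


# Hypothetical rule set mirroring the thread: 100 is the base rule, 101
# replaces it via if_sid, 200 is a frequency rule hanging off 101 via
# if_matched_sid. Not a real OSSEC ruleset.
RULES = [
    Rule(100, 0, "sshd message", match=r"sshd\["),
    Rule(101, 5, "sshd authentication failure",
         match=r"Failed password", if_sid=100),
    Rule(200, 10, "sshd: 3 or more failures within 30 seconds",
         if_matched_sid=101, frequency=3, timeframe=30),
]


class Engine:
    """Toy evaluator for the two dependency types (assumption: simplified semantics)."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.fired = defaultdict(deque)  # sid -> timestamps at which it fired

    def evaluate(self, ts, line):
        """Return the single rule that fires for this line, or None."""
        # 1. Find the first base rule (no dependency) whose regex matches.
        best = next((r for r in self.rules
                     if r.if_sid is None and r.if_matched_sid is None
                     and r.match and re.search(r.match, line)), None)
        if best is None:
            return None

        # 2. if_sid: a child that also matches this same line replaces its
        #    parent; keep descending while some child qualifies.
        while True:
            child = next((r for r in self.rules
                          if r.if_sid == best.sid
                          and (r.match is None or re.search(r.match, line))),
                         None)
            if child is None:
                break
            best = child

        # 3. Record that `best` fired now, then check whether any
        #    if_matched_sid rule has enough hits of it inside its timeframe.
        hist = self.fired[best.sid]
        hist.append(ts)
        for r in self.rules:
            if r.if_matched_sid != best.sid:
                continue
            recent = sum(1 for t in hist if ts - t < r.timeframe)
            if recent >= r.frequency:
                return r          # the frequency rule fires instead of `best`
        return best


# Constructed sample events (timestamp in seconds, log line); not real logs.
SAMPLE_EVENTS = [
    (0,  "sshd[2001]: Accepted password for alice from 10.0.0.5 port 50001 ssh2"),
    (5,  "sshd[2002]: Failed password for root from 203.0.113.7 port 50002 ssh2"),
    (10, "sshd[2003]: Failed password for root from 203.0.113.7 port 50003 ssh2"),
    (15, "sshd[2004]: Failed password for root from 203.0.113.7 port 50004 ssh2"),
    (60, "sshd[2005]: Failed password for root from 203.0.113.7 port 50005 ssh2"),
    (61, "cron[77]: (root) CMD (run-parts /etc/cron.hourly)"),
]


def run(events, rules=RULES):
    """Feed events through a fresh engine; return [(ts, sid or None), ...]."""
    engine = Engine(rules)
    out = []
    for ts, line in events:
        rule = engine.evaluate(ts, line)
        out.append((ts, rule.sid if rule else None))
    return out


if __name__ == "__main__":
    for ts, sid in run(SAMPLE_EVENTS):
        print(f"t={ts:3d}s -> {sid}")
```

Running it, the accepted login fires 100 only, the first two failures fire 101 (100 matched the line, so its if_sid child took over), the third failure within 30 seconds fires 200 because 101 has now fired three times in the window, and the failure at 60 seconds drops back to 101 because the earlier hits have aged out. The cron line matches nothing. Whether the real engine counts the triggering event itself, and what it does with the history once the frequency rule has fired, is exactly the detail to check against the OSSEC documentation before relying on a specific number in a description like "5+ times".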
