Hi all,

Is it possible to add more than one option in the decoded_as param under
a rule? For example, I have several rules defined against the dshield
blacklist like this:

<group name="dshield,">
  <rule id="120007" level="14">
    <decoded_as>first_decoder</decoded_as>
    <if_sid>100200</if_sid>
    <srcip>188.200.100.0/24</srcip>
    <description>Connection from Dshield IP blacklist detected !!!.
Please, review your logs</description>
  </rule>
</group>

Can I do something like this?

<group name="dshield,">
  <rule id="120007" level="14">
    <decoded_as>first_decoder,second_decoder</decoded_as>
    <if_sid>100200</if_sid>
    <srcip>188.200.100.0/24</srcip>
    <description>Connection from Dshield IP blacklist detected !!!.
Please, review your logs</description>
  </rule>
</group>

or

<group name="dshield,">
  <rule id="120007" level="14">
    <decoded_as>first_decoder</decoded_as>
    <if_sid>100200</if_sid>
    <srcip>188.200.100.0/24</srcip>
    <description>Connection from Dshield IP blacklist detected !!!.
Please, review your logs</description>
  </rule>
</group>

<group name="dshield,">
  <rule id="120007" level="14">
    <decoded_as>second_decoder</decoded_as>
    <if_sid>100200</if_sid>
    <srcip>188.200.100.0/24</srcip>
    <description>Connection from Dshield IP blacklist detected !!!.
Please, review your logs</description>
  </rule>
</group>
