I don't know, you should try it. But if you have the <if_sid> defined, the <decoded_as> might not matter as much. Try testing without the <decoded_as> option also.
On Tue, Mar 6, 2012 at 4:58 AM, C. L. Martinez <[email protected]> wrote:
> Hi all,
>
> Is it possible to add more than one option in decoded_as param under
> a rule?? For example, I have several rules defined against dshield
> blacklist like this:
>
> <group name="dshield,">
>   <rule id="120007" level="14">
>     <decoded_as>first_decoder</decoded_as>
>     <if_sid>100200</if_sid>
>     <srcip>188.200.100.0/24</srcip>
>     <description>Connection from Dshield IP blacklist detected !!!.
>     Please, review your logs</description>
>   </rule>
> </group>
>
> Can I do something like this?:
>
> <group name="dshield,">
>   <rule id="120007" level="14">
>     <decoded_as>first_decoder,second_decoder</decoded_as>
>     <if_sid>100200</if_sid>
>     <srcip>188.200.100.0/24</srcip>
>     <description>Connection from Dshield IP blacklist detected !!!.
>     Please, review your logs</description>
>   </rule>
> </group>
>
> or
>
> <group name="dshield,">
>   <rule id="120007" level="14">
>     <decoded_as>first_decoder</decoded_as>
>     <if_sid>100200</if_sid>
>     <srcip>188.200.100.0/24</srcip>
>     <description>Connection from Dshield IP blacklist detected !!!.
>     Please, review your logs</description>
>   </rule>
> </group>
>
> <group name="dshield,">
>   <rule id="120007" level="14">
>     <decoded_as>second_decoder</decoded_as>
>     <if_sid>100200</if_sid>
>     <srcip>188.200.100.0/24</srcip>
>     <description>Connection from Dshield IP blacklist detected !!!.
>     Please, review your logs</description>
>   </rule>
> </group>
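As an added illustration of the two approaches discussed above (this is example configuration written for this page, not something posted in the thread or shipped with OSSEC): <decoded_as> takes a single decoder name, so matching two decoders means either one rule per decoder, each with its own unique rule id, or dropping <decoded_as> and letting <if_sid> plus <srcip> do the matching. The decoder names first_decoder and second_decoder, the parent rule 100200 and the rule ids 120007 to 120009 are placeholders carried over from the question; the netblock is the one from the question.

```xml
<!-- Added example rules for OSSEC local_rules.xml; not from the original thread.
     Assumes decoders named first_decoder and second_decoder exist in decoder.xml
     and that rule 100200 is the parent rule both decoder chains reach.
     Rule ids 120007-120009 are placeholders; every rule id must be unique. -->

<!-- Option A: one rule per decoder. <decoded_as> accepts only one decoder name,
     so each decoder gets its own rule with its own id. -->
<group name="dshield,">
  <rule id="120007" level="14">
    <if_sid>100200</if_sid>
    <decoded_as>first_decoder</decoded_as>
    <srcip>188.200.100.0/24</srcip>
    <description>Connection from Dshield IP blacklist detected (first_decoder). Please review your logs.</description>
  </rule>

  <rule id="120008" level="14">
    <if_sid>100200</if_sid>
    <decoded_as>second_decoder</decoded_as>
    <srcip>188.200.100.0/24</srcip>
    <description>Connection from Dshield IP blacklist detected (second_decoder). Please review your logs.</description>
  </rule>
</group>

<!-- Option B: drop <decoded_as> entirely. Because the rule is a child of 100200,
     it only fires for events that already matched 100200, whichever decoder
     produced them, and <srcip> narrows that to the blacklisted netblock.
     Load either Option A or Option B, not both: they match the same events. -->
<group name="dshield,">
  <rule id="120009" level="14">
    <if_sid>100200</if_sid>
    <srcip>188.200.100.0/24</srcip>
    <description>Connection from Dshield IP blacklist detected. Please review your logs.</description>
  </rule>
</group>
```

To check which variant actually fires, paste a sample log line for each decoder into /var/ossec/bin/ossec-logtest: its output names the decoder that matched and the rule id and level that fired, so you can confirm the event reaches 100200 first and then the intended child rule.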
