I think only as an "or."
<match>this|that</match>

If you need an "and", chain some rules.
On Jul 26, 2012 6:01 PM, "Andres Felipe Mejia Sanchez" <
[email protected]> wrote:

> Hello. It did not work either.. but thanks for your time.. I really appreciate it.
>
> other question:
>
> Can I use multiple <match> inside a single <rule>??
>
> <rule>
>    <match>1
>    <match>2
>
> ??
>
> On Thursday, July 26, 2012 14:18:58 UTC-5, dan (ddpbsd) wrote:
>>
>> On Thu, Jul 26, 2012 at 2:59 PM, Andres Felipe Mejia Sanchez
>> <[email protected]> wrote:
>> > It didn't work.. Thanks anyway..
>> >
>>
>> Part of the problem may be the way your sample log message came
>> through. It looked horrible.
>>
>> Not really tested:
>>  <rule id="110005" level="1">
>>     <if_sid>18119</if_sid>
>>     <match>sesin: 5</match>
>>     <description>Ignore something</description>
>>   </rule>
>>
>>
>> > On Thursday, July 26, 2012 05:25:31 UTC-5, alsdks wrote:
>> >>
>> >> Hello,
>> >>
>> >> try this:
>> >>
>> >> <rule id="100001" level="0">
>> >>    <if_sid>18107</if_sid>
>> >>    <match>Tipo de inicio de sesin: 5</match>
>> >>    <description>Rule to mute Logon type 5</description>
>> >> </rule>
>> >>
>> >> Let me know if that helps
>> >>
>> >> Cheers
>> >>
>> >> On Wednesday, July 25, 2012 11:53:03 PM UTC+3, Andres Felipe Mejia Sanchez
>> >> wrote:
>> >>>
>> >>> Hi.. I'm trying to make a Windows exception rule, but I excluded
>> >>>
>> >>> 1805 rule id
>> >>> 528 id
>> >>> it works!
>> >>>
>> >>> but I also need to exclude the logon type (5). Does anybody know how
>> >>> to exclude by logon type?
>> >>>
>> >>> ** Alert 1343249162.804628: - windows,authentication_success, 2012
>> >>> Jul 25 15:46:02 (amejia) 10.16.1.32->WinEvtLog Rule: 18107 (level 3) ->
>> >>> 'Windows Logon Success.' Src IP: (none) User: SERVICIO LOCAL
>> >>> WinEvtLog: Security: AUDIT_SUCCESS(528): Security: SERVICIO LOCAL: NT AUTHORITY:
>> >>> AMEJIA: Inicio de sesin realizado:            Nombre de usuario:
>> >>>         SERVICIO LOCAL
>> >>>         Dominio:         NT AUTHORITY            Id. de inicio de
>> >>> sesin:         (0x0,0x3E5)
>> >>>           Tipo de inicio de sesin: 5            Proceso de inicio de
>> >>> sesin: Advapi
>> >>>         Paquete de autenticacin: Negotiate            Nombre de
>> >>> estacin de trabajo:             GUID de inicio de sesin: -
>> >>>
>> >>>
>> >>>
>> >
>>
>

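A chained pair of rules for local_rules.xml, added here as an example and not taken from anyone in this thread, showing both forms dan describes: `|` inside one <match> for OR, and <if_sid> chaining for AND. Rule ids 100010/100011, the group name, the descriptions and the accented/unaccented spellings of "sesión" are assumptions; 18107 is OSSEC's "Windows Logon Success" rule, as the alert above shows.

```xml
<!-- Added example for local_rules.xml; not from the thread's authors.
     Rule ids 100010/100011, the group name and descriptions are assumptions. -->
<group name="local,windows,">

  <!-- Step 1: narrow the stock Windows Logon Success rule (18107) to event 528.
       Level 3 is kept so 528 events that do NOT pass the child rule still alert. -->
  <rule id="100010" level="3">
    <if_sid>18107</if_sid>
    <match>AUDIT_SUCCESS(528)</match>
    <description>Windows logon success, event 528</description>
  </rule>

  <!-- Step 2: AND via chaining. This rule is evaluated only when 100010 already
       matched, so its <match> is effectively AND-ed with the parent's pattern.
       The "|" inside <match> is OSSEC's OR: both spellings are listed because the
       log may reach OSSEC with the accent stripped (the alert in this thread
       shows "sesin"); which spelling arrives is an assumption to verify locally.
       Level 0 silences only events that satisfy both conditions. -->
  <rule id="100011" level="0">
    <if_sid>100010</if_sid>
    <match>Tipo de inicio de sesión: 5|Tipo de inicio de sesin: 5</match>
    <description>Ignore event 528 with logon type 5 (service logon)</description>
  </rule>

</group>
```

Check the pattern against the raw log line as OSSEC actually receives it (for example with `ossec-logtest`), since <match> is a plain substring test and a stripped accent or collapsed whitespace is enough to stop it matching.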