On Feb 28, 2013 6:26 AM, "root" <[email protected]> wrote: > > hi,all > > I got a question,that is about about ossec rules Regular Expression Syntax . > > we konw,when i want match the number,i can use "\d" or "\d+" > > but now,if i has string like this > > "failed=0"=="failed=(\d+)" > > i want exclude "0", i use "failed=([1-9]+)",can not match it.. > > how can i do? > >
You can't really. The best option I can think of is to create your rule matching any number, then creating a rule at level 0 for extra_data of 0. > > > thanks&Best Regards > > > -- > > --- > You received this message because you are subscribed to the Google Groups "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
