Here is what I currently have for rules, and for reference I will link my decoder.

    <group name="bnc3prod">
      <rule id="100002" level="0">
        <decoded_as>bnc3prod</decoded_as>
        <description>BATCH FAILED: error generated </description>
      </rule>

      <rule id="100003" level="10">
        <if_sid>100002</if_sid>
        <status>^FAILED</status>
        <match>^301</match>
        <description>FAILED: 301 PKZIP file or court disk</description>
      </rule>

      <rule id="100004" level="10">
        <if_sid>100002</if_sid>
        <status>^FAILED</status>
        <match>^302</match>
        <description>FAILED: 302 Inconsistent case#</description>
      </rule>

      <rule id="100005" level="10">
        <if_sid>100002</if_sid>
        <status>^FAILED</status>
        <match>^303</match>
        <description>Number of fields in record incorrect</description>
      </rule>
    </group>

This is just an example; I have more rules, but I believe three give you guys the idea. Here is the decoder:

    <decoder name="bnc3prod">
      <prematch>^\d+-\d+: \S+ \d+-\d+ \d+-\d+ \S+ </prematch>
      <regex offset="after_prematch">^(\S+): \S(\d+)$</regex>
      <order>status, extra_data</order>
    </decoder>

Now my question is: in the decoder file, I am seeing two things for the <program_name> tag, one with <program_name>^bnc3prod</program_name> and one with <program_name>bnc3prod</program_name>. Which one is correct? When would the "^" be used? The same goes for the <match> and <status> tags: some use the ^ and others do not. Also, does the <extra_data> in the decoder line up with <match>?

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
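An added example, not part of the post and not OSSEC's own code: a small Python simulation of how the posted decoder and rules are applied, to show what the "^" does. In OSSEC, "^" anchors a pattern at the start of whatever it is tested against; without it the pattern may match anywhere in that text. <match> is tested against the full log line, while <status> and <extra_data> are tested against the decoded fields of those names, which is why <match>^301</match> can never fire on a line that begins "12-34: ...". Python's re is used here only as an approximation of OSSEC's own regex engine; the posted patterns use just \d, \S, +, ^, $ and groups, which mean the same thing in both. The log lines are constructed for the example and are not real bnc3prod output; the rule dictionaries are a hypothetical stand-in for the rule XML.

```python
import re

# Decoder from the post, applied the way OSSEC applies it: the prematch is
# tested against the whole line, then (offset="after_prematch") the regex is
# tested against whatever follows the prematch.
PREMATCH = r"^\d+-\d+: \S+ \d+-\d+ \d+-\d+ \S+ "
REGEX = r"^(\S+): \S(\d+)$"
ORDER = ("status", "extra_data")

# Constructed sample log lines in the shape the prematch expects (not real
# bnc3prod output). The third line deliberately has "302" in the middle of
# the line while its extra_data is 303.
LOGS = [
    "12-34: BATCH 2013-07 01-02 job1 FAILED: E301",
    "12-35: BATCH 2013-07 01-02 job2 FAILED: E302",
    "12-36: BATCH 2013-07 01-302 job3 FAILED: E303",
]


def decode(log):
    """Return the decoded fields for one line, or None if the prematch fails."""
    pre = re.search(PREMATCH, log)
    if pre is None:
        return None
    rest = log[pre.end():]          # offset="after_prematch"
    m = re.search(REGEX, rest)
    if m is None:
        return {}
    return dict(zip(ORDER, m.groups()))


def pattern_hits(pattern, subject):
    """Approximation of one OSSEC pattern test: a leading '^' anchors the
    pattern at the start of the subject, otherwise it may match anywhere."""
    return re.search(pattern, subject) is not None


def rule_fires(rule, log):
    """rule maps a rule option to its pattern (hypothetical stand-in for the
    rule XML). 'match' is tested against the full log; any other option is
    tested against the decoded field of the same name."""
    fields = decode(log) or {}
    for option, pattern in rule.items():
        subject = log if option == "match" else fields.get(option)
        if subject is None or not pattern_hits(pattern, subject):
            return False
    return True


# Three ways of writing the "302" rule from the post.
RULE_MATCH_ANCHORED = {"status": "^FAILED", "match": "^301"}      # as posted
RULE_MATCH_UNANCHORED = {"status": "^FAILED", "match": "302"}     # full log, anywhere
RULE_FIELD_ANCHORED = {"status": "^FAILED", "extra_data": "^302"}  # decoded field

if __name__ == "__main__":
    for log in LOGS:
        print(log, "->", decode(log))
    print("<match>^301</match> on LOGS[0]:", rule_fires(RULE_MATCH_ANCHORED, LOGS[0]))
    print("<match>302</match> on LOGS[2]:", rule_fires(RULE_MATCH_UNANCHORED, LOGS[2]))
    print("<extra_data>^302</extra_data> on LOGS[2]:", rule_fires(RULE_FIELD_ANCHORED, LOGS[2]))
    print("^bnc3prod vs mybnc3prod:", pattern_hits("^bnc3prod", "mybnc3prod"))
    print("bnc3prod vs mybnc3prod:", pattern_hits("bnc3prod", "mybnc3prod"))
```

Running it shows the anchored <match>^301</match> never firing, the unanchored <match>302</match> firing spuriously on the third line because "302" appears inside "01-302", and <extra_data>^302</extra_data> firing only on the line whose decoded extra_data really is 302. The same anchoring logic applies to <program_name>: "^bnc3prod" requires the program name to begin with bnc3prod, whereas "bnc3prod" would also accept a program name such as mybnc3prod.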
