On Fri, Jul 19, 2013 at 11:17 AM, Brenden Walker <[email protected]> wrote:

> I'm trying to track any unusual MAC address DHCP requests. I've got the
> decoder set up and the basic rule for DHCP ACK messages; however, when I try
> to filter out 'authorized' MACs, this works:
>
> <rule id="100105" level="0">
> <if_sid>100104</if_sid>
> <id>00:17:ab:d9:3f:6c</id>
> <description>Ignoring authorized MAC</description>
> </rule>
>
> However, this does not catch either MAC address:
>
> <rule id="100105" level="0">
> <if_sid>100104</if_sid>
> <id>00:17:ab:d9:3f:6c</id>
> <id>01:01:ff:ff:ff:ff</id>
> <description>Ignoring authorized MAC</description>
> </rule>
>
> The decoder is working fine and passing the MAC along in the id.
>
> So I'm guessing this is 'AND'ing the several <id> values. Is there any way
> to make this OR? I'd rather put all the allowed MACs into a single rule.
> There aren't many authorized DHCP clients here, but making new rules for
> each one seems excessive.
Did you try: <id>MAC1|MAC2</id>

> Thanks!
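As an added example (not from the thread and not OSSEC's own code): a small Python model of how one `<id>` element with `|`-separated alternatives would match either of the two MACs above. The OSMatch semantics it assumes (`|` as OR, a leading `^` / trailing `$` as anchors, plain substring match otherwise) are a simplification of this model; confirm against the real rules with ossec-logtest.

```python
import xml.etree.ElementTree as ET

# Constructed rule: both MACs from the thread joined with "|" in a single <id>.
RULE_XML = """
<group name="dhcp,">
  <rule id="100105" level="0">
    <if_sid>100104</if_sid>
    <id>00:17:ab:d9:3f:6c|01:01:ff:ff:ff:ff</id>
    <description>Ignoring authorized MAC</description>
  </rule>
</group>
"""


def osmatch(pattern: str, value: str) -> bool:
    """Simplified model of OSSEC's OSMatch (assumption, not OSSEC code):
    '|' separates alternatives, '^' anchors to the start, '$' to the end,
    and a bare alternative is a substring match."""
    for alt in pattern.split("|"):
        if not alt:
            continue
        anchored_start, anchored_end = alt.startswith("^"), alt.endswith("$")
        core = alt.lstrip("^").rstrip("$")
        if anchored_start and anchored_end:
            hit = value == core
        elif anchored_start:
            hit = value.startswith(core)
        elif anchored_end:
            hit = value.endswith(core)
        else:
            hit = core in value  # substring: "ff:ff:ff" alone would match many MACs
        if hit:
            return True
    return False


def load_id_pattern(rule_xml: str, rule_id: str) -> str:
    """Pull the <id> pattern out of the rule with the given id attribute."""
    root = ET.fromstring(rule_xml.strip())
    rule = root.find(f"./rule[@id='{rule_id}']")
    if rule is None:
        raise ValueError(f"rule {rule_id} not found")
    return rule.findtext("id") or ""


def is_authorized(mac: str, rule_xml: str = RULE_XML) -> bool:
    """True when the decoded MAC (the 'id' field) would hit rule 100105."""
    return osmatch(load_id_pattern(rule_xml, "100105"), mac)
```

Because a bare alternative is a substring match, anchor each MAC (`^00:17:ab:d9:3f:6c$`) if partial values must not be treated as authorized.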
