I'm trying to track any unusual MAC address DHCP requests. I've got the decoder set up and the basic rule for DHCP ACK messages; however, when I try to filter out 'authorized' MACs, this works:

  <rule id="100105" level="0">
    <if_sid>100104</if_sid>
    <id>00:17:ab:d9:3f:6c</id>
    <description>Ignoring authorized MAC</description>
  </rule>

However, this does not catch either MAC address:

  <rule id="100105" level="0">
    <if_sid>100104</if_sid>
    <id>00:17:ab:d9:3f:6c</id>
    <id>01:01:ff:ff:ff:ff</id>
    <description>Ignoring authorized MAC</description>
  </rule>

The decoder is working fine and passing the MAC along in the id. So I'm guessing this is ANDing the several <id> values. Is there any way to make this OR? I'd rather put all the allowed MACs into a single rule. There aren't many authorized DHCP clients here, but making new rules for each one seems excessive.

Thanks!

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
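Repeating the <id> tag is not how OSSEC expresses alternatives. The <id> field is an OS_Match pattern, and in OS_Match the pipe character is OR, so all authorized MACs can go into one <id> tag. The rule below is an added example, not code from the original post; it assumes, as the post does, that rule 100104 is the DHCP ACK rule and that the decoder puts the client MAC in the id field. Each alternative is anchored with ^ and $ so a list entry can only match the whole field, never a substring of some other value.

```xml
<!-- Added example (not from the original post). Replaces the two-<id>
     rule: one <id> tag, alternatives separated by "|" (OS_Match OR),
     each anchored with ^ ... $ so only an exact MAC matches.
     Assumes 100104 is the DHCP ACK rule and the decoder sets "id". -->
<group name="dhcp,">
  <rule id="100105" level="0">
    <if_sid>100104</if_sid>
    <id>^00:17:ab:d9:3f:6c$|^01:01:ff:ff:ff:ff$</id>
    <description>Ignoring authorized MAC</description>
  </rule>
</group>
```

To check it, paste a sample DHCP ACK line into /var/ossec/bin/ossec-logtest: a line carrying one of the listed MACs should end at rule 100105 (level 0, so no alert), while any other MAC should still stop at 100104 and alert as before. Adding a client is then a matter of appending another |^...$ alternative to the same tag.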
