On Fri, 19 Jul 2013 11:26:15 -0400 "dan (ddp)" <[email protected]> wrote:

> On Fri, Jul 19, 2013 at 11:17 AM, Brenden Walker
> <[email protected]> wrote:
> > I'm trying to track any unusual MAC address DHCP requests. I've got
> > the decoder set up and the basic rule for DHCP ACK messages; however,
> > when I try to filter out 'authorized' MACs, this works:
> >
> > <rule id="100105" level="0">
> >   <if_sid>100104</if_sid>
> >   <id>00:17:ab:d9:3f:6c</id>
> >   <description>Ignoring authorized MAC</description>
> > </rule>
> >
> > However this does not catch either MAC address:
> >
> > <rule id="100105" level="0">
> >   <if_sid>100104</if_sid>
> >   <id>00:17:ab:d9:3f:6c</id>
> >   <id>01:01:ff:ff:ff:ff</id>
> >   <description>Ignoring authorized MAC</description>
> > </rule>
> >
> > The decoder is working fine and passing the MAC along in the id.
> >
> > So I'm guessing this is 'AND'ing the several <id> values. Is
> > there any way to make this OR? I'd rather put all the allowed
> > MACs into a single rule. There aren't many authorized DHCP
> > clients here, but making new rules for each one seems excessive.
>
> Did you try:
> <id>MAC1|MAC2</id>
No, I didn't; I had no clue that was an option! Thanks, tested and working fine. I presume you could use & for AND as well?
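The allow-list idea in the thread, written out as a small detection script rather than an OSSEC rule. This is an added example and is not code from the thread or from the OSSEC project; it assumes ISC dhcpd-style DHCPACK log lines (the sample lines below are constructed, not captured) and keeps the same shape as `<id>MAC1|MAC2</id>`: one alternation pattern over the authorized MACs, applied to the MAC the decoder would place in `id`. The pattern is anchored at both ends so that a listed address can only match an identical address, never a substring of a longer one; OSSEC's sregex syntax, which `<id>` uses, supports `^` and `$` for the same purpose.

```python
import re

# Constructed sample lines in the shape of ISC dhcpd DHCPACK messages (not real data).
SAMPLE_LOG = """\
Jul 19 11:20:01 dhcp1 dhcpd: DHCPACK on 192.0.2.10 to 00:17:ab:d9:3f:6c (printer) via eth0
Jul 19 11:20:05 dhcp1 dhcpd: DHCPACK on 192.0.2.11 to 01:01:ff:ff:ff:ff via eth0
Jul 19 11:20:09 dhcp1 dhcpd: DHCPACK on 192.0.2.12 to de:ad:be:ef:00:01 (laptop) via eth0
Jul 19 11:20:12 dhcp1 dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via eth0
"""

# The two MACs from the thread, kept in one list so the allow-list lives in one place.
AUTHORIZED_MACS = ["00:17:ab:d9:3f:6c", "01:01:ff:ff:ff:ff"]

# Equivalent of <id>MAC1|MAC2</id>: a single alternation, escaped and anchored at both ends.
AUTHORIZED_RE = re.compile(
    "^(?:" + "|".join(re.escape(m) for m in AUTHORIZED_MACS) + ")$",
    re.IGNORECASE,
)

# Plays the role of the decoder: pulls the leased IP and the client MAC out of a DHCPACK line.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def extract_acks(log_text):
    """Yield (ip, mac) for every DHCPACK line; other DHCP messages are ignored."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower()


def is_authorized(mac):
    """True if the MAC is on the allow-list (case-insensitive, whole-address match)."""
    return AUTHORIZED_RE.match(mac) is not None


def unauthorized_acks(log_text):
    """Return the (ip, mac) pairs whose MAC is not listed: the events that should alert."""
    return [(ip, mac) for ip, mac in extract_acks(log_text) if not is_authorized(mac)]


if __name__ == "__main__":
    for ip, mac in unauthorized_acks(SAMPLE_LOG):
        print(f"ALERT: DHCPACK to unlisted MAC {mac} (lease {ip})")
```

Run against the sample, only the third line is reported, since its MAC is not in the alternation and the DHCPDISCOVER line never reaches the check at all. Escaping each address before joining matters when the list is generated from an inventory, so that no character in an address is read as a regex operator.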
