On 07/19/2013 10:17 AM, Brenden Walker wrote:
<rule id="100105" level="0">
<if_sid>100104</if_sid>
<id>00:17:ab:d9:3f:6c</id>
<id>01:01:ff:ff:ff:ff</id>
<description>Ignoring authorized MAC</description>
</rule>
OSSEC sees your rule like this:
<id>00:17:ab:d9:3f:6c01:01:ff:ff:ff:ff</id>
As Dan mentioned, you need to use the pipe in order to make the MACs an OR.
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
