On Mon, Feb 24, 2014 at 12:18 PM, Leonel Algaré <[email protected]> wrote: > Hi guys! > > Can someone help me? > > I wrote this rule: > > <rule id="100349" level="5"> > <if_sid>100347</if_sid> > <action>EXECUTE</action> > <regex>\$OPER.NTPOBJ.CLIO</regex>
Since you're not doing any regex, have you considered using a <match>? > <description>Proof</description> > </rule> > > Then, when I tried to test this rule, i have the following error: > > 2014/02/24 14:13:58 ossec-analysisd(1227): ERROR: Error applying XML > variables 'rules//local_rules.xml': XML_ERR: Unknown variable: OPER. > 2014/02/24 14:13:58 ossec-testrule(1220): ERROR: Error loading the rules: > 'local_rules.xml'. > > The problem is $ <--- in regex... but i already escaped this with \$. > > There is another way to do that? > > Regards. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
