I'm using OSSEC v2.6 El lunes, 24 de febrero de 2014 15:08:53 UTC-3, dan (ddpbsd) escribió: > > On Mon, Feb 24, 2014 at 1:02 PM, Leonel Algaré > <[email protected]<javascript:>> > wrote: > > In <match> i have the same problem > > > > I am not. So what version of OSSEC are you using? > > > El lunes, 24 de febrero de 2014 14:24:03 UTC-3, dan (ddpbsd) escribió: > >> > >> On Mon, Feb 24, 2014 at 12:18 PM, Leonel Algaré <[email protected]> > >> wrote: > >> > Hi guys! > >> > > >> > Can someone help me? > >> > > >> > I wrote this rule: > >> > > >> > <rule id="100349" level="5"> > >> > <if_sid>100347</if_sid> > >> > <action>EXECUTE</action> > >> > <regex>\$OPER.NTPOBJ.CLIO</regex> > >> > >> Since you're not doing any regex, have you considered using a <match>? > >> > >> > <description>Proof</description> > >> > </rule> > >> > > >> > Then, when I tried to test this rule, i have the following error: > >> > > >> > 2014/02/24 14:13:58 ossec-analysisd(1227): ERROR: Error applying XML > >> > variables 'rules//local_rules.xml': XML_ERR: Unknown variable: OPER. > >> > 2014/02/24 14:13:58 ossec-testrule(1220): ERROR: Error loading the > >> > rules: > >> > 'local_rules.xml'. > >> > > >> > The problem is $ <--- in regex... but i already escaped this with > \$. > >> > > >> > There is another way to do that? > >> > > >> > Regards. > >> > > >> > -- > >> > > >> > --- > >> > You received this message because you are subscribed to the Google > >> > Groups > >> > "ossec-list" group. > >> > To unsubscribe from this group and stop receiving emails from it, > send > >> > an > >> > email to [email protected]. > >> > For more options, visit https://groups.google.com/groups/opt_out. > > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an > > email to [email protected] <javascript:>. > > For more options, visit https://groups.google.com/groups/opt_out. >
-- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
