On Mon, Feb 24, 2014 at 1:17 PM, Leonel Algaré <[email protected]> wrote: > I'm using OSSEC v2.6 >
I can't think of a specific commit that could have fixed that, but it isn't a problem in the latest version of OSSEC. My recommendation would be to upgrade. > El lunes, 24 de febrero de 2014 15:08:53 UTC-3, dan (ddpbsd) escribió: >> >> On Mon, Feb 24, 2014 at 1:02 PM, Leonel Algaré <[email protected]> >> wrote: >> > In <match> i have the same problem >> > >> >> I am not. So what version of OSSEC are you using? >> >> > El lunes, 24 de febrero de 2014 14:24:03 UTC-3, dan (ddpbsd) escribió: >> >> >> >> On Mon, Feb 24, 2014 at 12:18 PM, Leonel Algaré <[email protected]> >> >> wrote: >> >> > Hi guys! >> >> > >> >> > Can someone help me? >> >> > >> >> > I wrote this rule: >> >> > >> >> > <rule id="100349" level="5"> >> >> > <if_sid>100347</if_sid> >> >> > <action>EXECUTE</action> >> >> > <regex>\$OPER.NTPOBJ.CLIO</regex> >> >> >> >> Since you're not doing any regex, have you considered using a <match>? >> >> >> >> > <description>Proof</description> >> >> > </rule> >> >> > >> >> > Then, when I tried to test this rule, i have the following error: >> >> > >> >> > 2014/02/24 14:13:58 ossec-analysisd(1227): ERROR: Error applying XML >> >> > variables 'rules//local_rules.xml': XML_ERR: Unknown variable: OPER. >> >> > 2014/02/24 14:13:58 ossec-testrule(1220): ERROR: Error loading the >> >> > rules: >> >> > 'local_rules.xml'. >> >> > >> >> > The problem is $ <--- in regex... but i already escaped this with >> >> > \$. >> >> > >> >> > There is another way to do that? >> >> > >> >> > Regards. >> >> > >> >> > -- >> >> > >> >> > --- >> >> > You received this message because you are subscribed to the Google >> >> > Groups >> >> > "ossec-list" group. >> >> > To unsubscribe from this group and stop receiving emails from it, >> >> > send >> >> > an >> >> > email to [email protected]. >> >> > For more options, visit https://groups.google.com/groups/opt_out. >> > >> > -- >> > >> > --- >> > You received this message because you are subscribed to the Google >> > Groups >> > "ossec-list" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> > an >> > email to [email protected]. >> > For more options, visit https://groups.google.com/groups/opt_out. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
