On Mon, Feb 24, 2014 at 1:22 PM, dan (ddp) <[email protected]> wrote:
> On Mon, Feb 24, 2014 at 1:17 PM, Leonel Algaré <[email protected]>
> wrote:
>> I'm using OSSEC v2.6
>>
>
> I can't think of a specific commit that could have fixed that, but it
> isn't a problem in the latest version of OSSEC. My recommendation
> would be to upgrade.
>
Heh, I just dug up an ancient copy of 2.6, and it works just fine for me:

  <rule id="100349" level="0">
    <action>EXECUTE</action>
    <match>\$OPER.NTPOBJ.CLIO</match>
    <description>Proof</description>
  </rule>

>> On Monday, 24 February 2014 15:08:53 UTC-3, dan (ddpbsd) wrote:
>>>
>>> On Mon, Feb 24, 2014 at 1:02 PM, Leonel Algaré <[email protected]>
>>> wrote:
>>> > In <match> I have the same problem
>>> >
>>>
>>> I am not. So what version of OSSEC are you using?
>>>
>>> > On Monday, 24 February 2014 14:24:03 UTC-3, dan (ddpbsd) wrote:
>>> >>
>>> >> On Mon, Feb 24, 2014 at 12:18 PM, Leonel Algaré <[email protected]>
>>> >> wrote:
>>> >> > Hi guys!
>>> >> >
>>> >> > Can someone help me?
>>> >> >
>>> >> > I wrote this rule:
>>> >> >
>>> >> > <rule id="100349" level="5">
>>> >> >   <if_sid>100347</if_sid>
>>> >> >   <action>EXECUTE</action>
>>> >> >   <regex>\$OPER.NTPOBJ.CLIO</regex>
>>> >>
>>> >> Since you're not doing any regex, have you considered using a <match>?
>>> >>
>>> >> >   <description>Proof</description>
>>> >> > </rule>
>>> >> >
>>> >> > Then, when I tried to test this rule, I have the following error:
>>> >> >
>>> >> > 2014/02/24 14:13:58 ossec-analysisd(1227): ERROR: Error applying XML
>>> >> > variables 'rules//local_rules.xml': XML_ERR: Unknown variable: OPER.
>>> >> > 2014/02/24 14:13:58 ossec-testrule(1220): ERROR: Error loading the
>>> >> > rules:
>>> >> > 'local_rules.xml'.
>>> >> >
>>> >> > The problem is $ <--- in regex... but I already escaped this with
>>> >> > \$.
>>> >> >
>>> >> > Is there another way to do that?
>>> >> >
>>> >> > Regards.
>>> >> >
>>> >> > --
>>> >> >
>>> >> > ---
>>> >> > You received this message because you are subscribed to the Google
>>> >> > Groups
>>> >> > "ossec-list" group.
>>> >> > To unsubscribe from this group and stop receiving emails from it,
>>> >> > send
>>> >> > an
>>> >> > email to [email protected].
>>> >> > For more options, visit https://groups.google.com/groups/opt_out.
