Yeah, that was a bug that made it into 2.8. Looks like this was corrected
in https://github.com/ossec/ossec-hids/pull/220. Could you try this out?

* James MacLean <[email protected]> [2014-06-07 12:27:00 -0700]:
Here is an example of the rule:
<rule id="100263" level="0">
  <if_sid>100109</if_sid>
  <regex>Account Name:\s*\t*\S+\$\s*\t*\s*Account Domain:</regex>
  <description>Custom: NT computer login/off success.</description>
  <group>authentication_success,</group>
</rule>
From the log:
2014/06/07 16:26:01 ossec-analysisd(1227): ERROR: Error applying XML
variables 'rules//local_rules.xml': XMLERR: Unknown variable:
'\s*\t*\s*Account'..
2014/06/07 16:26:01 ossec-testrule(1220): ERROR: Error loading the rules:
'local_rules.xml'.
Hope that helps,
JES
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.