On Thu, Aug 28, 2014 at 12:53 PM, Paul Raines <[email protected]> wrote:
> But I guess I don't see how to do what I want except with 3 rules (including
> the original 31103) so 2 new rules in local_rules.xml
>

Then do it that way.

>
> <rule id="100301" level="0">
>   <if_sid>31103</if_sid>
> </rule>
>
> <rule id="100302" level="6">
>   <if_sid>100301</if_sid>
>
>   <url>select%20|select+|update%20|update+|insert%20|insert+</url>
> </rule>
>
> So essentially totally silence rule 31103, then reenable if it matches the
> given URL string
>
> It is still unclear to me how this will affect rule 31106. Will this
> effectively remove any 31103 matches from it? Or not remove anything so
> anything triggering 31103 will still trigger 31106 despite the local rules
> above?
>
> I am wondering if I should overwrite 31103 instead but since I can not do
> all the logic I need in one rule anyway that would not work.
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
