On Sep 22, 2014 9:03 PM, "Bùi Viết Hướng" <[email protected]> wrote:
>
> Could you give me an example? Both decode and rule.
>
decoders.xml has plenty of examples of decoders.

<rule id="100001" level="10">
  <if_sid>5700</if_sid>
  <srcip>10.10.10.10</srcip>
  <description>example</description>
</rule>

I'm sure there are typos in that rule, but it should suffice for an example.
(The spacing looks way off too, but I blame Android)

> On Monday, September 22, 2014 at 23:11:35 UTC+7, dan (ddpbsd) wrote:
>>
>> On Mon, Sep 22, 2014 at 6:53 AM, Bùi Viết Hướng
>> <[email protected]> wrote:
>> > I can't create rules with parameters such as user name, IP source, program
>> > name(ssh, ...)......, and then can change the parameters and create a new
>> > rule. Could anyone tell me the way?
>> >
>>
>> Some of these things work, some don't. It mostly depends on the
>> decoder. Some actual examples would help, but as it stands this
>> message has almost no information that I'd need to really help.
>>
>> For srcip you can use: <srcip>IP_ADDRESS</srcip>
>> For user you can use: <user>USERNAME</user>
>>
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
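Added example, not part of the original thread and not a decoder or rule shipped with OSSEC: a decoder and rule pair showing why <srcip> and <user> in a rule only match when the decoder extracts those fields. The program name example-app, its log line, the user alice, and rule ids 100010/100011 are constructed for illustration.

```xml
<!-- Constructed sample log line (not from a real system):
     Sep 22 21:03:11 host1 example-app[1234]: login failed for user alice from 10.10.10.10
-->

<!-- etc/local_decoder.xml -->
<!-- Parent decoder: claims every event whose syslog program name is example-app. -->
<decoder name="example-app">
  <program_name>^example-app$</program_name>
</decoder>

<!-- Child decoder: extracts the fields that rules can later test.
     Without the <order> line, srcip and user stay empty and a rule
     using <srcip> or <user> can never match these events. -->
<decoder name="example-app-login-failed">
  <parent>example-app</parent>
  <prematch>^login failed </prematch>
  <regex offset="after_prematch">^for user (\S+) from (\S+)$</regex>
  <order>user, srcip</order>
</decoder>

<!-- rules/local_rules.xml -->
<group name="local,example-app,">

  <!-- Level 0 grouping rule: gives the specific rules an if_sid to hang on. -->
  <rule id="100010" level="0">
    <decoded_as>example-app</decoded_as>
    <description>example-app messages grouped.</description>
  </rule>

  <!-- Fires only when the decoded fields equal the values given here.
       To watch another address or account, copy the rule, give it a new id,
       and change <srcip> and <user>. -->
  <rule id="100011" level="10">
    <if_sid>100010</if_sid>
    <match>^login failed</match>
    <srcip>10.10.10.10</srcip>
    <user>alice</user>
    <description>example-app: failed login for alice from 10.10.10.10.</description>
  </rule>

</group>
```

Pasting the sample log line into ossec-logtest shows the decoded srcip and user values and which rule fires, which is the quickest way to confirm the decoder populates the fields before relying on the rule.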
