If you need to filter for one specific ID you need to use the *pipe |* option; I don't think you can use "," inside *<id></id>* tags to concatenate anything. The "," character will be treated like a string character, not a regex one, so it will try to match *"IDNumber,"*.

As you know, one example of this kind of rule is used in *msauth_rules.xml:*

```xml
<rule id="18106" level="5">
  <if_sid>18105</if_sid>
  <id>^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</id>
  <description>Windows Logon Failure.</description>
  <group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
</rule>
```

This last one will work, and the following one WON'T work:

```xml
<rule id="18106" level="5">
  <if_sid>18105</if_sid>
  <id>^529$,^530$,^531$,^532$,^533$</id>
  <description>Windows Logon Failure.</description>
  <group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
</rule>
```

Regards,
Pedro S.

On Monday, March 28, 2016 at 9:07:30 PM UTC+2, Rob B wrote:

> Heya Folks,
>
> I've been looking for the docs that explain the difference between the use of the '|' and the ',' when specifying the id numbers within a rule. I can't find anything that explains the use.
>
> Could someone explain to me the differences by way of use? Or provide a link that I may have missed?
>
> Two arbitrary use case EXAMPLES of what I am after are:
>
> A.) Within sid 18103, look for id 12345 followed by 12346, followed by 12347
> B.) Within sid 18103, look for id 11234 and 11254
>
> Thank you!
>
> R.B.
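As an added example (not from the thread and not OSSEC's own code), a small Python lint that pulls each rule's `<id>` pattern out of rule XML and reports which sample event IDs it would select, using a simplified model of the pattern syntax (`|` alternation, leading `^` and trailing `$` anchors, everything else literal) that stands in for OSSEC's matcher. The working rule from the thread selects the expected IDs; the comma-joined copy selects nothing and is flagged. Rule id 100106 and the sample event IDs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample document: the working rule from the thread plus a copy
# that uses ',' instead of '|' (rule id 100106 is a made-up local-rule number).
RULES_XML = """<group name="windows">
  <rule id="18106" level="5">
    <if_sid>18105</if_sid>
    <id>^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</id>
    <description>Windows Logon Failure.</description>
  </rule>
  <rule id="100106" level="5">
    <if_sid>18105</if_sid>
    <id>^529$,^530$,^531$,^532$,^533$</id>
    <description>Broken copy: comma instead of pipe.</description>
  </rule>
</group>"""

def alternative_matches(alt, event_id):
    """Simplified model of one <id> alternative (an assumption, not OSSEC's own
    engine): a leading '^' and trailing '$' anchor, everything in between is
    literal, so a ',' '^' or '$' in the middle must appear in the event id."""
    start, end = alt.startswith("^"), alt.endswith("$")
    lo = 1 if start else 0
    hi = len(alt) - 1 if end else len(alt)
    regex = ("^" if start else "") + re.escape(alt[lo:hi]) + ("$" if end else "")
    return re.search(regex, event_id) is not None

def lint_id_pattern(pattern, sample_ids):
    """Split on '|' (the real alternation operator), list which sample ids the
    pattern selects, and warn about any alternative that still contains ','."""
    alts = pattern.split("|")
    warnings = [f"{alt!r}: ',' is matched literally; use '|' to separate ids"
                for alt in alts if "," in alt]
    matched = [eid for eid in sample_ids
               if any(alternative_matches(alt, eid) for alt in alts)]
    return matched, warnings

def lint_rules(xml_text, sample_ids):
    """Return {rule id: (matched sample ids, warnings)} for each rule with <id>."""
    report = {}
    for rule in ET.fromstring(xml_text).iter("rule"):
        id_el = rule.find("id")
        if id_el is not None and id_el.text:
            report[rule.get("id")] = lint_id_pattern(id_el.text.strip(), sample_ids)
    return report

if __name__ == "__main__":
    # Constructed sample event ids: three in the list, one not, one with a
    # trailing digit to show the anchors matter.
    print(lint_rules(RULES_XML, ["529", "530", "4625", "4624", "5290"]))
```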
