Thanks Antonio! Noted! Best regards, Fredrik
On Saturday, April 16, 2016 at 1:14:53 AM UTC+2, Antonio Querubin wrote:
> On Fri, 15 Apr 2016, Fredrik wrote:
>
> > Thanks for getting back to me. Again :) :) I'm trying out your enhancement
> > to the first decoder and trying to combine it with child-decoders from our
> > previous posts. I currently have this (which obviously doesn't work), but
> > how do I best create the parent-child tree to handle the slight variations
> > in messages? One per action (e.g. block, prevent) and where needed use two
> > child-decoders with the same name to capture all fields of interest - as you
> > have instructed previously (i.e. one for the fields action,srcip,dstip, the
> > second for the url, extra_data fields)?
> >
> > <decoder name="Checkpoint-block-allow">
> >   <parent>Checkpoint-test</parent>
> >   <regex>(\w+) \S+ \S+ src: (\d+.\d+.\d+.\d+); dst: (\d+.\d+.\d+.\d+)</regex>
> >   <order>action,srcip,dstip</order>
> > </decoder>
>
> If you plan on detecting IPv6 activity on your network you may want to
> change \d+.\d+.\d+.\d+ to \S+
>
> Antonio Querubin
> e-mail: [email protected]
> xmpp: [email protected]
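For reference, here is one way to lay out the parent/child decoder tree the thread is discussing, with Antonio's \S+ change applied. This is an added example, not a decoder posted by Fredrik or Antonio, and not from the OSSEC project's own decoder.xml: the parent's <prematch>, the "resource:" token used for the url field, and the ordering of the two same-name children are assumptions about the Check Point log format, which the thread never shows in full. In OSSEC regex syntax a bare "." is a literal dot and "\." is the wildcard, so the thread's \d+.\d+.\d+.\d+ is a valid IPv4 pattern; it simply cannot match an IPv6 address, which is why the children below use \S+ for both endpoints.

```xml
<!-- Added example (not from the thread). Parent decoder: only lines that
     carry the "src: ...; dst: ..." pair reach the children below.
     The prematch pattern is an assumption about the Check Point format. -->
<decoder name="Checkpoint-test">
  <prematch>src: \S+; dst: \S+</prematch>
</decoder>

<!-- Child 1 (same name as child 2): the variant of the line that also carries
     a URL. Siblings under one parent are tried in file order, so the more
     specific pattern is listed first. "resource:" is an assumed token; the
     url field name is one of OSSEC's standard fields. -->
<decoder name="Checkpoint-block-allow">
  <parent>Checkpoint-test</parent>
  <regex>^(\w+) \S+ \S+ src: (\S+); dst: (\S+); resource: (\S+)</regex>
  <order>action,srcip,dstip,url</order>
</decoder>

<!-- Child 2: the plain variant (action, source, destination only).
     \S+ replaces \d+.\d+.\d+.\d+ so an IPv6 address such as 2001:db8::1
     is captured just like 192.0.2.10. -->
<decoder name="Checkpoint-block-allow">
  <parent>Checkpoint-test</parent>
  <regex>^(\w+) \S+ \S+ src: (\S+); dst: (\S+)</regex>
  <order>action,srcip,dstip</order>
</decoder>
```

To check which decoder fires and which fields it extracts, paste a sample line into OSSEC's ossec-logtest; with the \S+ patterns, both an IPv4 line and an IPv6 line should decode to the same decoder name with srcip and dstip populated. Because \S+ accepts any non-space token, rules that compare srcip against CIDR ranges will only work on values that are actually addresses, so keep the prematch tight enough that non-address text cannot land in those fields.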
