On Thu, Jun 9, 2016 at 10:22 AM, Tahir Hafiz <[email protected]> wrote:
> Dear All,
>
> I currently have a few rules which are very similar. How can I have multiple
> matches with the same rule?
>
> <!-- Ignore System Audit of /tmp not being on its own partition -->
> <rule id="100007" level="0">
>   <if_sid>510</if_sid>
>   <match>Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab.</match>
>   <description>Ignore /tmp not being on its own partition</description>
>   <group>rootcheck,</group>
> </rule>
>
> <!-- Ignore System Audit of /opt not being on its own partition -->
> <rule id="100008" level="0">
>   <if_sid>510</if_sid>
>   <match>Robust partition scheme - /opt is not on its own partition.</match>
>   <description>Ignore /opt not being on its own partition</description>
>   <group>rootcheck,</group>
> </rule>
>
> <!-- Ignore System Audit of /var not being on its own partition -->
> <rule id="100009" level="0">
>   <if_sid>510</if_sid>
>   <match>Robust partition scheme - /var is not on its own partition.</match>
>   <description>Ignore /var not being on its own partition</description>
>   <group>rootcheck,</group>
> </rule>
>
> Is there a way to have multiple <match> lines?
> Would something like this work:
>
> <rule id="100007" level="0">
>   <if_sid>510</if_sid>
>   <regex>Robust partition scheme - \\\w\w\w is not on its own partition.</regex>
>   <description>Ignore dirs on / not being on their own partition</description>
>   <group>rootcheck,</group>
> </rule>
>
> Basically, can I use <regex> matching instead of exact <match>?
You can break up matches with the "|" character:

<match>thing 1|thing2|thing3</match>

> Thanks
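Applying the "|" alternation from the reply to the three rules in the question gives a single rule. This is an added example written for this thread, not a rule posted by either participant or shipped with OSSEC; the surrounding <group name="local,rootcheck,"> wrapper is assumed (any local rules file works), the rule id 100007 is reused from the question, and the three match strings are taken verbatim from the quoted rules.

```xml
<group name="local,rootcheck,">
  <!-- Added example: one rule in place of 100007, 100008 and 100009.
       <match> uses OSSEC's own pattern syntax, not PCRE: "|" separates
       alternatives, every other character here is matched literally,
       and the whole pattern is kept on one line. -->
  <rule id="100007" level="0">
    <if_sid>510</if_sid>
    <match>Robust partition scheme - /tmp is not on its own partition.|Robust partition scheme - /opt is not on its own partition.|Robust partition scheme - /var is not on its own partition.</match>
    <description>Ignore /tmp, /opt and /var not being on their own partition</description>
    <group>rootcheck,</group>
  </rule>
</group>
```

Because level 0 silences the alert entirely, keep each alternative as specific as the originals were (the full "/tmp is not on its own partition." text rather than a bare "partition scheme"), so that a rootcheck finding for any other directory still fires the parent rule 510. After loading the rule, feeding one of the three rootcheck messages through ossec-logtest should show it landing on rule 100007 at level 0, while a message for a different mount point should still report rule 510.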
