On Wed, Jul 5, 2017 at 11:41 AM, Bob Boklewski <[email protected]> wrote:

> Also, what does the "if_sid" match to? I am trying to understand how to
> create custom rules and it seems this "if_sid" is unique and defined
> somewhere. I see that rule id and description can be whatever you want and
> "id" is the event id number you want to monitor. Any help is much
> appreciated.

if_sid creates a child rule of the rule id defined. In your example above, 18107 is a child of 18104, so 18104 has to match before 18107 will.

> Thanks.
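The parent/child relationship described in the reply, as an added example that is not from the original thread: a custom entry for local_rules.xml that hangs off the existing rule 18104. The child rule id 100100 and the Windows event ID 4625 are assumed values chosen for illustration.

```xml
<!-- Added example (not from the thread). Rule 18104 is the existing parent;
     <if_sid> makes the rule below its child, so an event must first match
     18104 before this rule is evaluated at all. -->
<group name="local,windows,">

  <!-- Assumed id 100100: local custom rules use ids from 100000 upward.
       level and description are free choices, as the thread says. -->
  <rule id="100100" level="10">
    <if_sid>18104</if_sid>
    <!-- <id> matches the event id number; 4625 is an assumed example value.
         Anchored with ^ and $ so 4625 does not also match 46250 etc. -->
    <id>^4625$</id>
    <description>Custom child of 18104: event id 4625 observed</description>
  </rule>

</group>
```

Because matching stops at the most specific rule in the chain, an event that satisfies both rules is reported as 100100, not 18104.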
