On Wed, Dec 6, 2017 at 11:12 PM, amar haq <[email protected]> wrote:
> Dear all,
>
> I use OSSEC 2.9.2 and I need help using "!" on a source IP address. The task
> is: if someone successfully logs in from an IP address other than the defined
> ones, it will trigger another rule.
>
> This is what I tried to add to the local decoder:
>
> <rule id="110601" level="10">
>   <if_sid>5715</if_sid>
>   <hostname>hostname</hostname>
>   <srcip>!192.168.130.1|</srcip>
>   <srcip>!192.168.130.2|</srcip>
>   <srcip>!192.168.130.3</srcip>
>   <description>Login Success from Suspicious Address</description>
> </rule>
>
> But it seems to give an error.
>
> Could anyone help me?
>
There was a bug with negation that a user recently fixed. The following pull request is the fix, please test it out: https://github.com/ossec/ossec-hids/pull/1334

>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
