Hello, I'm working on a few custom rules and I was wondering if there is a "not equal to" item within OSSEC custom rules that I can use. I have the following logs and I want everything but the ActiveSync ones.
Feb 9 00:00:00 XXXXX 2018-02-09 04:59:52 10.13.1.15 POST / autodiscover/autodiscover.xml &CorrelationID=<empty>;; 443 - [email protected] X.X.X.X SfBForMac/16.13.184.0000+(Mac+OSX+10.12.6) - 401 1 2148074254 0
Feb 9 00:00:00 XXXXX 2018-02-09 04:59:52 10.13.1.15 POST /EWS/Exchange.asmx &CorrelationID=<empty>;; 443 - [email protected] X.X.X.X SfBForMac/16.13.184.0000+(Mac+OSX+10.12.6) - 401 1 2148074254 0
Feb 9 00:00:01 XXXXX 2018-02-09 04:59:58 10.13.1.28 POST /Microsoft-Server-ActiveSync/default.eas ; 443 [email protected] X.X.X.X Android-Mail/7.10.22.174510681.release - 200 0 0 15

Right now I have the following logic and it works, but I'd prefer to just do a not equal to ActiveSync so I don't have to add additional regexes if a new log comes in.

<rule id="100211" level="5">
  <if_sid>100210</if_sid>
  <regex>autodiscover.xml|Exchange.asmx</regex>
  <regex>\.+\d+\s\w+.\[email protected]\.+ - 401 </regex>
  <description>Email authentication failure.</description>
</rule>
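As an added check (example code, not from the post and not part of OSSEC), the script below translates OSSEC os_regex syntax into Python regexes and ANDs a rule's <regex> entries over constructed log lines modelled on the three above, so a rule can be dry-run before it is loaded. It assumes the OSSEC class definitions from the rules-syntax documentation (\w covers letters, digits, @, _ and -; \. is the wildcard; a bare . is a literal dot); the first regex is the post's, the second is a simplified stand-in for its user/401 check.

```python
import re

# OSSEC (os_regex) character classes, as documented in the OSSEC rules syntax.
# Assumption: \w also covers '@', '_' and '-', and a bare '.' is a literal dot.
OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]",
    "d": r"[0-9]",
    "s": r" ",
    "t": r"\t",
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&{}\\]""",
    ".": r".",  # \. is the OSSEC "anything" wildcard
}
OSSEC_NEGATED = {"W": r"[^A-Za-z0-9@_\-]", "D": r"[^0-9]", "S": r"[^ ]"}

def ossec_to_python(pattern):
    """Translate an OSSEC <regex> pattern into an equivalent Python regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(OSSEC_CLASSES.get(nxt) or OSSEC_NEGATED.get(nxt) or re.escape(nxt))
            i += 2
        elif c in "+*|()^$":  # the only metacharacters os_regex supports
            out.append(c)
            i += 1
        else:
            out.append(re.escape(c))  # everything else, '.' included, is literal
            i += 1
    return "".join(out)

def rule_matches(regexes, line):
    """A rule with several <regex> entries fires only if every one matches."""
    return all(re.search(ossec_to_python(r), line) for r in regexes)

def matching_lines(regexes, lines):
    return [line for line in lines if rule_matches(regexes, line)]

# Constructed log lines modelled on the three in the post (emails/IPs are placeholders).
SAMPLE_LOGS = [
    "2018-02-09 04:59:52 10.13.1.15 POST /autodiscover/autodiscover.xml 443 - "
    "user@example.com 203.0.113.7 SfBForMac/16.13.184.0000 - 401 1 2148074254 0",
    "2018-02-09 04:59:52 10.13.1.15 POST /EWS/Exchange.asmx 443 - "
    "user@example.com 203.0.113.7 SfBForMac/16.13.184.0000 - 401 1 2148074254 0",
    "2018-02-09 04:59:58 10.13.1.28 POST /Microsoft-Server-ActiveSync/default.eas 443 "
    "user@example.com 203.0.113.9 Android-Mail/7.10.22 - 200 0 0 15",
]

# First regex is the post's; the second is a simplified stand-in for its user/401 check.
RULE_100211_REGEXES = [r"autodiscover.xml|Exchange.asmx", r"\s\w+@\w+\.+ - 401 "]
```

Because a bare dot is literal in os_regex, a pattern such as autodiscovery.xml would not match the autodiscover.xml request, which this harness makes visible before the rule goes live.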
