Hello,

I'm working on a few custom rules and I was wondering if there is a "not 
equal to" item within OSSEC custom rules that I can use. I have the 
following logs and I want everything but the ActiveSync ones.

Feb  9 00:00:00 XXXXX 2018-02-09 04:59:52 10.13.1.15 POST /autodiscover/autodiscover.xml &CorrelationID=<empty>;; 443 - u...@domain.com X.X.X.X SfBForMac/16.13.184.0000+(Mac+OSX+10.12.6) - 401 1 2148074254 0

Feb  9 00:00:00 XXXXX 2018-02-09 04:59:52 10.13.1.15 POST /EWS/Exchange.asmx &CorrelationID=<empty>;; 443 - u...@domain.com X.X.X.X SfBForMac/16.13.184.0000+(Mac+OSX+10.12.6) - 401 1 2148074254 0

Feb  9 00:00:01 XXXXX 2018-02-09 04:59:58 10.13.1.28 POST /Microsoft-Server-ActiveSync/default.eas ; 443 u...@domain.com X.X.X.X Android-Mail/7.10.22.174510681.release - 200 0 0 15

Right now I have the following logic and it works, but I'd prefer to just 
do a "not equal to ActiveSync" so I don't have to add additional regexes if a 
new log comes in.

<rule id="100211" level="5">
   <if_sid>100210</if_sid>
   <!-- Several <regex> elements in one rule are joined with "|" (OR) -->
   <regex>autodiscover.xml|Exchange.asmx</regex>
   <regex>\.+\d+\s\w+.\w...@domain.com\.+ - 401 </regex>
   <description>Email authentication failure.</description>
</rule>

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
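The "not equal to" the poster is asking for exists in OSSEC as the `negate` attribute on rule elements. The block below is an added example, not code from the original post: it assumes an OSSEC release whose rule parser accepts `negate="yes"` on `<match>` and `<regex>` (OSSEC 2.9 and later, and Wazuh; older releases reject the attribute), that rule 100210 is the parent rule that catches these IIS lines, and it reuses the poster's id 100211 as a drop-in replacement wrapped in a `<group>` as local_rules.xml expects. It relies on two facts about OSSEC rule evaluation: elements of different kinds inside one rule (here a `<match>` and a `<regex>`) are ANDed, while several `<regex>` elements in one rule are joined with `|` and ORed, so in the posted rule either regex on its own is enough to trigger it.

```xml
<!-- Added example (not from the original post). Assumes OSSEC 2.9+ or Wazuh
     (negate attribute) and that rule 100210 is the parent for these IIS lines. -->
<group name="local,exchange,">

  <!-- Drop-in replacement for the poster's 100211: alert on an HTTP 401 from
       any Exchange endpoint except ActiveSync. The match and regex conditions
       are ANDed, so both must hold for the rule to fire. -->
  <rule id="100211" level="5">
    <if_sid>100210</if_sid>
    <!-- "not equal to": the rule only matches when this substring is ABSENT -->
    <match negate="yes">/Microsoft-Server-ActiveSync/</match>
    <!-- sc-status 401 followed by the three trailing numeric IIS fields -->
    <regex> - 401 \d+ \d+ \d+$</regex>
    <description>Email authentication failure (non-ActiveSync).</description>
  </rule>

</group>
```

Check it with `/var/ossec/bin/ossec-logtest`: paste the two 401 lines from the post and they should end at rule 100211; paste the ActiveSync line (and, to exercise the negation properly, a constructed copy of it with `- 200 0 0 15` changed to `- 401 1 2148074254 0`) and 100211 should not fire. Because the exclusion is on the URL path rather than on a list of included paths, a new Exchange endpoint or client string needs no additional regex.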