On Wed, Mar 14, 2018 at 12:53 PM, Ian Brown <[email protected]> wrote:
> Dan,
>
> Okay, so say I make two rules. 100014 that uses the first match, and 100015
> that uses the second. Is there a way to revert back to 18105 if 100014
> matches but 100015 doesn't?
>

Unfortunately, no. You could do a regex:
<regex>pfussmon.exe\.*Destination Address: blah blah</regex>

> On Tuesday, March 13, 2018 at 3:31:15 AM UTC-7, dan (ddpbsd) wrote:
>>
>>
>> I think this combined the matches, effectively making it:
>> <match>pfussmon.exeDestination Address: 192.168.23.255</match>
>>
>> You might need to make 2 rules, and have the parent of the second be
>> the sid of the first.
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
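The two approaches discussed in this thread, written out as an added example for local_rules.xml (not taken from either poster's configuration). The rule IDs 100014, 100015 and 18105 and the match strings come from the thread; the group name, rule ID 100016, the levels and the descriptions are assumed placeholders.

```xml
<!-- Added example; levels, descriptions, group name and ID 100016 are assumptions. -->
<group name="local,">

  <!-- Approach 1: two chained rules.
       100014 is a child of 18105 and fires on the process name alone. -->
  <rule id="100014" level="3">
    <if_sid>18105</if_sid>
    <match>pfussmon.exe</match>
    <description>18105 event mentioning pfussmon.exe (placeholder text)</description>
  </rule>

  <!-- 100015 is a child of 100014, so it is only evaluated after 100014 matched.
       An event that matches 100014 but not 100015 is reported as 100014;
       as stated in the thread, it does not revert to 18105. -->
  <rule id="100015" level="3">
    <if_sid>100014</if_sid>
    <match>Destination Address: 192.168.23.255</match>
    <description>pfussmon.exe event to 192.168.23.255 (placeholder text)</description>
  </rule>

  <!-- Approach 2 (alternative to the pair above): one rule with one regex.
       In OSSEC regex syntax \. matches any character, so \.* spans the text
       between the two strings. An event that lacks either string does not
       match this rule and stays with 18105. -->
  <rule id="100016" level="3">
    <if_sid>18105</if_sid>
    <regex>pfussmon.exe\.*Destination Address: 192.168.23.255</regex>
    <description>pfussmon.exe event to 192.168.23.255, single rule (placeholder text)</description>
  </rule>

</group>
```

Use one approach or the other, not both; running sample events through `ossec-logtest` shows which rule ID each one resolves to.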
