On Tue, Nov 27, 2018 at 4:10 AM Brian Candler <[email protected]> wrote:
>
> On Monday, 26 November 2018 12:50:59 UTC, dan (ddpbsd) wrote:
>>
>>
>> > 1. I've seen some examples where a single rule has multiple <match>
>> > elements. Is the rule triggered if only one matches, or do they all have
>> > to match?
>> >
>>
>> In this case it's an OR.
>> <match>terminated without error|can't verify hostname: getaddrinfo|</match>
>> <match>PPM exceeds tolerance</match>
>> The "|" at the end of the first <match> makes it an OR.
>> I think if there is no "|" in there, it's an AND.
>
>
> Ah, I didn't notice the trailing "|".
>
> Is it possible that it simply concatenates all the <match> elements together
> into a single element/pattern? I found this in another rule:
>
Yes. Splitting it into multiple lines like above and below is basically a
stylistic choice.

> <description>Multiple Invalid URI requests from </description>
> <description>same source.</description>
>
> Cheers,
>
> Brian.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
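The concatenation behaviour described in this thread, as an added example that is not part of the original messages and is not OSSEC's own code: a simplified Python model that joins repeated elements in document order and treats "|" as OR, showing what the first `<match>` becomes when its trailing "|" is left out. The rule id and level, the log lines and all function names are constructed for illustration; the matcher is a plain case-sensitive substring test and does not model OSSEC's `^`/`$` anchors.

```python
import xml.etree.ElementTree as ET

# Constructed rule: the <match> and <description> text is quoted from the
# thread; the id/level attributes are placeholders made up for this example.
RULE_WITH_PIPE = """<rule id="100001" level="3">
  <match>terminated without error|can't verify hostname: getaddrinfo|</match>
  <match>PPM exceeds tolerance</match>
  <description>Multiple Invalid URI requests from </description>
  <description>same source.</description>
</rule>"""

# Same rule with the trailing "|" of the first <match> removed.
RULE_WITHOUT_PIPE = RULE_WITH_PIPE.replace("getaddrinfo|<", "getaddrinfo<")

# Constructed log lines, not taken from a real system.
LOGS = [
    "ntpd[812]: frequency error 512 PPM exceeds tolerance 500 PPM",
    "ntpd[812]: can't verify hostname: getaddrinfo failed",
    "sshd[99]: session opened for user test",
]


def effective_pattern(rule_xml, tag="match"):
    """Join the text of every <tag> child in document order (per the thread)."""
    rule = ET.fromstring(rule_xml)
    return "".join(el.text or "" for el in rule.findall(tag))


def alternatives(pattern):
    """Split the joined pattern on '|'; empty alternatives are dropped here."""
    return [alt for alt in pattern.split("|") if alt]


def rule_matches(rule_xml, log_line):
    """Model only: the rule fires if any alternative is a substring of the line."""
    return any(alt in log_line for alt in alternatives(effective_pattern(rule_xml)))


if __name__ == "__main__":
    for name, rule in (("with |", RULE_WITH_PIPE), ("without |", RULE_WITHOUT_PIPE)):
        print(name, "->", alternatives(effective_pattern(rule)))
        for line in LOGS:
            print("   ", rule_matches(rule, line), line)
    print(effective_pattern(RULE_WITH_PIPE, "description"))
```

Without the trailing "|", the second alternative becomes the single literal `can't verify hostname: getaddrinfoPPM exceeds tolerance`, so in this model neither of the two ntpd lines triggers the rule.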
