Re: [ossec-list] Using Regular Expressions in an OSSEC rule

2016-01-04 Thread Santiago Bassett
How about using Comp-\S+? I would also recommend using a variable like this (taken from syslog rules):

core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted

On Mon, Dec 28, 2015 at 10:22 AM, wrote:

[ossec-list] Using Regular Expressions in an OSSEC rule

2015-12-28 Thread namobuddhaonion
Hello all and Happy Holidays, I set up a rule to look for logins after hours as follows: authentication 6 pm - 9 am Login after hours 50 USERNAME Ignore USERNAME The first rule tries to pick up all logins after hours, and the subordinate rule tries to
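As an added illustration (not code from either poster) of how the pieces discussed in this thread fit together in an OSSEC rules file: the BAD_WORDS variable quoted in the reply, the Comp-\S+ pattern, and an after-hours login rule with a subordinate rule that silences one account. The rule ids, the authentication_success parent group, the alert levels and the USERNAME placeholder are assumptions.

```xml
<!-- Added example of an OSSEC rules file; rule ids 100100-100102, the
     parent group and the levels are assumptions, USERNAME is a placeholder. -->

<!-- Variable as used in OSSEC's syslog_rules.xml; referenced below as $BAD_WORDS. -->
<var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>

<group name="local,authentication,">

  <!-- Alert on any successful authentication (events tagged by the
       built-in rules with the authentication_success group) that is
       logged between 6 pm and 9 am. -->
  <rule id="100100" level="8">
    <if_group>authentication_success</if_group>
    <time>6 pm - 9 am</time>
    <description>Login after hours</description>
  </rule>

  <!-- Subordinate rule: a known maintenance account is expected after
       hours, so its events are dropped to level 0 (no alert). -->
  <rule id="100101" level="0">
    <if_sid>100100</if_sid>
    <user>USERNAME</user>
    <description>Ignore USERNAME</description>
  </rule>

  <!-- The pattern from the reply: "Comp-" followed by one or more
       non-whitespace characters (\S+), combined with the bad-word list.
       Both <regex> and <match> must hit for the rule to fire. -->
  <rule id="100102" level="5">
    <regex>Comp-\S+</regex>
    <match>$BAD_WORDS</match>
    <description>Error message referencing a Comp- host</description>
  </rule>

</group>
```

After adding the file to the rules directory and listing it in ossec.conf, run ossec-logtest with a sample line to confirm which rule id and level the event decodes to.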