Hello Term,

I am a bit confused on the application you are trying to achieve. The Pair rules are bistable in nature. The pair rules are on/off or armed/disarmed. You appear to write as if you were expecting a boolean 'and' or logical product. If the latter, I would use a Single rule to detect the first pattern and emit a context with a limited lifetime. Then you would follow it with a second rule to detect the second pattern and correlate with the first.

type=Single
ptype=RegExp
pattern=sql_injection_attacks
desc=$0
action=write - SQL rule matched ; \
       create SQL_INJECTION_ATTACK 5

type=Single
ptype=RegExp
pattern=xss_attacks\s*CRITICAL
desc=$0
context=SQL_INJECTION_ATTACK
action=write - XSS matched

Regards,
Tim

-- 
Tim Peiffer
Network Support Engineer
Office of Information Technology
University of Minnesota/NorthernLights GigaPOP
+1 612 626-7884 (desk)
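
The two rules above, modelled in Python as an added example (not part of the original message and not SEC's own code), to show how the 5-second context gates the second match. The log lines, timestamps and the correlate() helper are constructed for illustration; treating the context as still valid at exactly 5 seconds is an assumption of this model.

```python
import re

# Patterns copied from the two rules in the message above.
FIRST = re.compile(r"sql_injection_attacks")
SECOND = re.compile(r"xss_attacks\s*CRITICAL")
CONTEXT = "SQL_INJECTION_ATTACK"
LIFETIME = 5  # seconds, from "create SQL_INJECTION_ATTACK 5"


def correlate(events):
    """events: iterable of (epoch_seconds, line), ordered by time.

    Returns the (timestamp, text) pairs the two rules would write.
    """
    expires = {}  # context name -> expiry time
    out = []
    for ts, line in events:
        # Drop contexts whose lifetime has run out (boundary handling is
        # an assumption of this model).
        for name in [n for n, t in expires.items() if ts > t]:
            del expires[name]
        if FIRST.search(line):
            # Rule 1: report the match and (re)arm the context.
            out.append((ts, "SQL rule matched"))
            expires[CONTEXT] = ts + LIFETIME
        elif SECOND.search(line) and CONTEXT in expires:
            # Rule 2: fires only while the context exists.
            out.append((ts, "XSS matched"))
    return out


# Constructed sample input, not real log data.
SAMPLE = [
    (100, "waf: xss_attacks CRITICAL src=192.0.2.10"),   # no context yet
    (110, "waf: sql_injection_attacks src=192.0.2.10"),  # arms context
    (113, "waf: xss_attacks CRITICAL src=192.0.2.10"),   # within 5 s
    (119, "waf: xss_attacks CRITICAL src=192.0.2.10"),   # context expired
    (130, "waf: sql_injection_attacks src=192.0.2.10"),
    (134, "waf: sql_injection_attacks src=192.0.2.10"),  # lifetime restarts
    (138, "waf: xss_attacks  CRITICAL src=192.0.2.10"),  # 4 s after re-arm
]

if __name__ == "__main__":
    for ts, text in correlate(SAMPLE):
        print(ts, text)
```

The sample shows that the correlation is order-sensitive: the second pattern at t=100 arrives before the first and is not reported.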