I cannot seem to see where I am going wrong. When I test my regex with:
/var/ossec/bin/ossec-regex 'DUQUESNE\sFTP\.+Error\p'
against the syslog event of:
Oct 5 10:21:47 DUQUESNE FTP: 220 website.com X2 FTP Server 7.6.3(70179994) FIPS <SessionID=28760006, Listener=10.2.3.5:21, Client=10.2.3.41:42016><Command=start, Error=220>
I am given results. However, when I have the rule of:
<rule id="100032" level="0">
<if_sid>1002</if_sid>
<regex>DUQUESNE\sFTP\.+Error\p</regex>
</rule>
and then run it against logtest, it does not work. Log test sees it hit Rule 1002 and then tries the child rules and completes as rule 1002.
Any help as to what I am doing wrong would be appreciated.
Thanks!
argh.......I should have known better than that
Thank you very much for the help!!
I set the hostname and the program name. Now I was wondering, is there a way of grouping in ossec's regex?
I would like to do something like this:
<regex>Error\p(150|200|220|226|230|331)</regex>
Where within the parentheses would be the 'or' statement. Or am I left with doing it like this:
<match>Error=150|Error=200|Error=220|Error=226|Error=230|Error=331</match>
On Oct 7, 2015 1:28 PM, "Paul" <mur...@heliopause.us> wrote:
>
> argh.......I should have known better than that
>
> Thank you very much for the help!!
>
>
>
> I set the hostname and the program name. Now I was wondering, is there a way of grouping in ossec's regex?
>
> I would like to do something like this:
>
> <regex>Error\p(150|200|220|226|230|331)</regex>
>
> Where within the parentheses would be the 'or' statement. Or am I left with doing it like this:
>
> <match>Error=150|Error=200|Error=220|Error=226|Error=230|Error=331</match>
>
Unfortunately you'll have to do it the long way (second option).
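Putting the two answers in the thread together, here is an added example rule set (written for this page, not taken from the original posts or from the OSSEC project). The first rule matches on the decoded hostname and program name instead of on the "DUQUESNE FTP:" text, because the syslog decoder strips those fields off before the rule's regex ever sees the message, which is why the ossec-regex test on the raw line passed while the rule did not. The second rule does the alternation "the long way" with a literal match, as the final reply says. Rule id 100032 comes from the thread; the group name, rule 100033, the levels, the descriptions and the trailing \d+ are assumptions made for the example.

```xml
<group name="ftp,">

  <!-- Parent rule: fires for any FTP server response line carrying an
       Error= code. The syslog decoder has already consumed
       "DUQUESNE FTP:" into the hostname and program_name fields, so
       the regex is applied only to the remainder of the event. -->
  <rule id="100032" level="0">
    <if_sid>1002</if_sid>
    <hostname>DUQUESNE</hostname>
    <program_name>FTP</program_name>
    <!-- \p is OSSEC's punctuation class (matches '='), \d+ one or more digits.
         \d+ is an assumption for the example; the thread used \.+ -->
    <regex>Error\p\d+</regex>
    <description>FTP server response with an Error= code.</description>
  </rule>

  <!-- Child rule: OSSEC regex has no grouping, so the alternation is
       spelled out in a literal <match>, where '|' means OR. Rule id,
       level and description are assumptions for the example. -->
  <rule id="100033" level="3">
    <if_sid>100032</if_sid>
    <match>Error=150|Error=200|Error=220|Error=226|Error=230|Error=331</match>
    <description>FTP informational or success response code (150/200/220/226/230/331).</description>
  </rule>

</group>
```

To check it, paste the raw line from the original post into /var/ossec/bin/ossec-logtest: the decoder section of the output should show hostname DUQUESNE and program_name FTP, and the rule section should end on 100033 rather than 1002. If the output still stops at 1002, the hostname or program_name did not decode the way the rule expects, and that decoded value, not the regex, is what to adjust.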