[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [hobbit] alert rules

To: hobbit (at) hswn.dk
Subject: Re: [hobbit] alert rules
From: "Werner Michels (Ext Lists)" <wmlist_ext (at) terra.com.br>
Date: Thu, 05 May 2005 12:44:05 -0300
References: <20050505062106.GB17814@hswn.dk> <20050505111207.A11378@tazmania.org>

On Thu, 5 May 2005 11:12:07 -0400
Sue Bauer-Lee <sblee (at) tazmania.org> wrote:

> My epxressions here must be really confusing:
> 
> $WINOPS=winops (at) xyz.com
> 
> # CCRT Windows
> HOST="%(cctfep3*|cctapp3*|cctfep1[0-9]||cctfep0*|cctapp[0-9]|cctpdp0*|cctdbp0*)" SERVICE=conn
> (164)     MAIL $WINOPS  REPEAT=10 RECOVERED
> 

	Most regex engines match a empty "ored" string agains everything with a TRUE return. So on the "cctfep1[0-9]||cctfep0*" you have an empty "||" sequence who will posible match agains every host. Try remove one of the "|".

	I didn't look at the code to be 100% sure on this.
	
	-wm

References:
- Re: [hobbit] bbnet terminating on signal 6
  - From: Henrik Stoerner
- alert rules
  - From: Sue Bauer-Lee

Prev by Date: alert rules
Next by Date: RE: [hobbit] bbnet terminating on signal 6
Previous by thread: alert rules
Next by thread: Re: [hobbit] alert rules
Index(es):
- Date
- Thread