[ossec-list] IIS rule to alert on blank cs-host
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] IIS rule to alert on blank cs-host
- From: "List Subscriptions" <lists.canuck.eh@xxxxxxxxx>
- Date: Thu, 19 Apr 2007 17:10:34 -0400
In order to troubleshoot a web app I would like to have an IIS rule to
alert when someone accesses a web page by IP address rather than
hostname. I believe this should be possible by having a rule that
alerts on a blank cs-host field. Unfortunately I'm quite new to OSSEC
and don't know how to accomplish this. I believe modifications need
to be made to both decoder.xml and a rules file.
First I need to add cs-host to the following decoder, right?
<decoder name="web-accesslog-iis6">
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^W3SVC\d+ \S+ \S+ \S+ </prematch>
  <regex offset="after_prematch">^(\S+) \S+ \d+ \S+ (\d+.\d+.\d+.\d+) </regex>
  <regex>\S+ \S+ \S+ \S+ \S+ (\d+) </regex>
  <order>url, srcip, id</order>
</decoder>
Then write a rule looking for blank cs-host, right?
Thanks in advance!
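The following is an added example, not code from the post or from the OSSEC project: a small Python script that replays the decoder quoted above against a constructed IIS 6 W3C log excerpt, with one extra capture for cs-host, and then applies the proposed rule to each decoded line. It assumes the site logs the full W3C extended field list in its standard order (the quoted decoder's field positions line up with that order, with cs-host being the fifth field after c-ip, directly before sc-status); a site configured with fewer fields needs the regex adjusted. The log lines, host names and addresses are constructed for the example. It also covers the case a blank-cs-host rule would miss: IIS records the request's Host header in cs-host, so a client that addresses the server by IP over HTTP/1.1 logs the IP literal rather than `-`, and the check below flags both.

```python
import re
from typing import Dict, List, Optional

# Constructed IIS 6 W3C log excerpt (not from the original post). The field order
# is the full W3C extended order, which the quoted decoder's positions line up with
# (cs-host is the fifth field after c-ip, just before sc-status). Whether a given
# site logs exactly these fields is an assumption to check in the IIS logging dialog.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-04-19 17:00:00
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status
2007-04-19 17:05:12 W3SVC1 WEB01 10.0.0.5 GET /app/login.aspx - 80 - 192.0.2.10 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0) - - www.example.com 200 0 0
2007-04-19 17:05:40 W3SVC1 WEB01 10.0.0.5 GET /app/login.aspx - 80 - 192.0.2.77 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0) - - - 200 0 0
2007-04-19 17:06:02 W3SVC1 WEB01 10.0.0.5 POST /app/api.asmx op=Ping 80 - 198.51.100.3 HTTP/1.1 curl/7.15.5 - - 10.0.0.5 500 0 0
2007-04-19 17:06:30 W3SVC1 WEB01 10.0.0.5 GET /images/logo.gif - 80 jsmith 192.0.2.10 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0) ASPSESSIONID=abc123 http://www.example.com/app/login.aspx www.example.com:8080 304 0 0
2007-04-19 17:07:00 MSFTPSVC1 WEB01 10.0.0.5 [1]USER anonymous 331 0
"""

# One Python regex covering the three stages of the quoted decoder (parent date
# format, prematch, regex pair), plus one extra capture for cs-host. This mirrors
# the decoder's field positions in Python syntax, not OSSEC's own regex dialect.
IIS6_W3C = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d "      # date time (windows-date-format parent)
    r"W3SVC\d+ \S+ \S+ \S+ "                 # s-sitename s-computername s-ip cs-method (prematch)
    r"(?P<url>\S+) \S+ \d+ \S+ "             # cs-uri-stem cs-uri-query s-port cs-username
    r"(?P<srcip>\d+\.\d+\.\d+\.\d+) "        # c-ip
    r"\S+ \S+ \S+ \S+ "                      # cs-version cs(User-Agent) cs(Cookie) cs(Referer)
    r"(?P<host>\S+) (?P<id>\d+) "            # cs-host sc-status
)

# Dotted-quad with an optional :port, as it appears in cs-host when the client
# addressed the server by IP.
IPV4_LITERAL = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?")


def decode_iis6(line: str) -> Optional[Dict[str, str]]:
    """Return the decoded fields for one IIS 6 log line, or None for a W3C
    header/comment line or a line that does not fit the decoder (OSSEC would
    skip such lines as well)."""
    if not line or line.startswith("#"):
        return None
    m = IIS6_W3C.match(line)
    return m.groupdict() if m else None


def classify_host(host: str) -> Optional[str]:
    """Reason to alert on a cs-host value, or None for an ordinary hostname.
    IIS writes '-' when the request carried no Host header (typically HTTP/1.0);
    a client that connects by IP over HTTP/1.1 logs the IP literal instead."""
    if host in ("", "-"):
        return "blank"
    if IPV4_LITERAL.fullmatch(host):
        return "ip-literal"
    return None


def find_by_ip_access(log_text: str) -> List[Dict[str, str]]:
    """Apply the rule to every line: decoded fields plus the alert reason."""
    alerts = []
    for line in log_text.splitlines():
        fields = decode_iis6(line)
        if fields is None:
            continue
        reason = classify_host(fields["host"])
        if reason is not None:
            alerts.append({**fields, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in find_by_ip_access(SAMPLE_LOG):
        print(f"{a['srcip']} -> {a['url']} status={a['id']} "
              f"cs-host={a['host']!r} ({a['reason']})")
```

Run on the sample, the script reports the HTTP/1.0 request with `-` in cs-host and the HTTP/1.1 request whose Host header was the server's IP, and stays quiet on the two hostname requests and the FTP line the decoder does not match. Carrying this over to OSSEC, the expected change (to be checked against the OSSEC decoder and rules documentation, since it is this example's reading of the quoted decoder rather than anything the post confirms) is to turn the last `\S+` before `(\d+)` in the second `<regex>` into a capture group and append `extra_data` to `<order>`, then write a rule in the web-log category that matches `<extra_data>^-$</extra_data>`; note that "blank" in an IIS log means the literal `-`, not an empty string.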
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.