[ossec-list] Re: First custom rule - please check my syntax
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: First custom rule - please check my syntax
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Sun, 2 Sep 2007 22:30:49 -0300
Hi Peter,
Your rule looks good to me. If you can show us the log that you want to match, it may be easier to improve it a bit more. The only change I would do is to use an id above 100,000 since these are reserved for local rules.
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/31/07, Peter M. Abraham <peter.m.abraham@xxxxxxxxx> wrote:
>
> Greetings:
>
> I was investigating Apache segmentation faults on one of the servers
> monitored by ossec 1.3, and found that right before the segmentation
> fault was a hack attempt against shtml.dll (a FrontPage component).
>
> I created the following rule in /var/ossec/rules/local_rules.xml
>
> <group name="apache-custom,">
>   <rule id="90100" level="12">
>     <if_sid>30101</if_sid>
>     <match>shtml.dll</match>
>     <description>Possible FrontPage hack attempt</description>
>   </rule>
> </group>
>
> The "if_sid" is based on "Apache error messages grouped" as this error
> occurs in the Apache error log.
>
> Did I write the rule correctly? Are there any recommended changes?
>
> Thank you.
>
>
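The following is an added example, not code from the thread or from the OSSEC project. It takes Peter's rule with the one change Daniel suggests (the id moved into the 100000-119999 range reserved for local rules), loads it from the local_rules.xml text, and runs a few constructed Apache error-log lines through a toy evaluator. The evaluator is a simplified approximation of how OSSEC chains a child rule to its parent via if_sid and applies <match>; it is not OSSEC's engine. The stand-in for the parent rule 30101 ("Apache error messages grouped") and its level 0 are assumptions about the stock ruleset, as are the rule id 100100 and the sample log lines.

```python
"""Toy evaluator for an OSSEC local rule (added example, not OSSEC's own code).

Loads a corrected version of the rule from the thread, chains it to an
assumed stand-in for rule 30101, and checks constructed Apache error-log
lines against both.  The <match> handling is a simplified approximation.
"""
import xml.etree.ElementTree as ET

# Assumption: ids 100000-119999 are the range OSSEC reserves for local rules.
LOCAL_RULE_MIN, LOCAL_RULE_MAX = 100000, 119999

# Corrected local_rules.xml content (constructed; id moved into the local range).
LOCAL_RULES_XML = """<group name="apache-custom,">
  <rule id="100100" level="12">
    <if_sid>30101</if_sid>
    <match>shtml.dll</match>
    <description>Possible FrontPage hack attempt</description>
  </rule>
</group>"""

# Constructed Apache error-log lines; 192.0.2.0/24 is the documentation range.
SAMPLE_LOGS = [
    "[Fri Aug 31 10:12:01 2007] [error] [client 192.0.2.10] "
    "File does not exist: /var/www/html/_vti_bin/shtml.dll",
    "[Fri Aug 31 10:12:02 2007] [error] [client 192.0.2.11] "
    "File does not exist: /var/www/html/favicon.ico",
    "[Fri Aug 31 10:12:03 2007] [notice] Apache/2.2.4 configured",
]

PARENT_ID, PARENT_LEVEL = 30101, 0  # assumption: 30101 is level 0 in the stock rules


def parent_30101(log):
    """Stand-in for 'Apache error messages grouped' (assumption: any [error] line)."""
    return "[error]" in log


def load_local_rules(xml_text):
    """Parse <rule> elements from a local_rules.xml string into dicts."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        if_sid = r.findtext("if_sid")
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "if_sid": int(if_sid) if if_sid else None,
            "match": r.findtext("match"),
            "description": r.findtext("description", ""),
        })
    return rules


def is_local_id(rule_id):
    """True if the id is in the range reserved for user-defined rules."""
    return LOCAL_RULE_MIN <= rule_id <= LOCAL_RULE_MAX


def bad_rule_ids(rules):
    """Ids that would collide with the stock ruleset."""
    return [r["id"] for r in rules if not is_local_id(r["id"])]


def ossec_match(pattern, log):
    """Approximation of <match>: '|' separates alternatives, '^' anchors at
    the start, '$' at the end, otherwise a plain substring search."""
    for alt in pattern.split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        core = alt[1 if start else 0:-1 if end else None]
        if start and end:
            ok = log == core
        elif start:
            ok = log.startswith(core)
        elif end:
            ok = log.endswith(core)
        else:
            ok = core in log
        if ok:
            return True
    return False


def evaluate(log, rules):
    """Return (rule_id, level) of the most specific rule that fires, or None."""
    if not parent_30101(log):
        return None
    for r in rules:
        if r["if_sid"] == PARENT_ID and r["match"] and ossec_match(r["match"], log):
            return (r["id"], r["level"])
    return (PARENT_ID, PARENT_LEVEL)


if __name__ == "__main__":
    rules = load_local_rules(LOCAL_RULES_XML)
    print("ids outside the local range:", bad_rule_ids(rules))
    for line in SAMPLE_LOGS:
        print(evaluate(line, rules), "<-", line[:60])
```

Running the block prints an empty collision list for the corrected file and fires rule 100100 at level 12 only for the shtml.dll line; the favicon line stays at the parent rule and the [notice] line matches nothing. Passing Peter's original id through is_local_id shows why Daniel asks for the change: 90100 falls outside the local range.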
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.