[ossec-list] Re: Seeking help with custom rule
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Seeking help with custom rule
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Tue, 18 Sep 2007 22:21:28 -0300
Hi Peter,
This log should already be matching the following rule:
<rule id="30115" level="5">
<if_sid>30101</if_sid>
<match>Invalid URI in request</match>
<description>Invalid URI (bad client request).</description>
<group>invalid_request,</group>
</rule>
Isn't it? If you want to ignore this "shtml.exe", just create a local
rule looking for it:
..
<if_sid>30115</if_sid>
<match>/shtml.exe/</match>
..
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/18/07, Peter M. Abraham <peter.m.abraham@xxxxxxxxx> wrote:
>
> Greetings:
>
> Apache error_log entry:
>
> [Tue Sep 18 19:04:59 2007] [error] [client 195.244.128.240] Invalid
> URI in request GET /../_vti_bin/shtml.exe/SI/contest.htm/map HTTP/1.1
>
>
> How would I write the match portion of the rule to just key in on
> "Invalid URI" and "shtml.exe"?
>
> Thank you.
>
>
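To make the rule chain in the reply concrete, here is an added example (my code, not OSSEC's and not from the thread): a small Python simulation of how OSSEC walks parent/child rules via if_sid and applies a plain-substring match, run over the Apache error_log line Peter posted plus a few constructed lines. Rule 100001 is a hypothetical local rule assembled from the two lines in Daniel's reply; the decoder regex and the level-0 shape of rule 30101 are also assumptions, marked in the comments.

```python
"""Simulate OSSEC rule selection (if_sid chaining + literal <match>) for the
Apache 'Invalid URI' case.  Added example, not OSSEC's own code."""
import re
import xml.etree.ElementTree as ET

# 30115 is the stock rule quoted in the thread.  30101 is written here only in
# the shape the chain needs (a level-0 parent picked by the apache-errorlog
# decoder); check the installed apache_rules.xml for the real one.  100001 is a
# HYPOTHETICAL local rule built from the reply; OSSEC reserves ids
# 100000-119999 for local_rules.xml.  Level 0 means "match but never alert".
RULES_XML = """
<group name="apache,">
  <rule id="30101" level="0">
    <decoded_as>apache-errorlog</decoded_as>
    <description>Apache error messages grouped.</description>
  </rule>
  <rule id="30115" level="5">
    <if_sid>30101</if_sid>
    <match>Invalid URI in request</match>
    <description>Invalid URI (bad client request).</description>
    <group>invalid_request,</group>
  </rule>
  <!-- hypothetical local rule: silence shtml.exe probes already seen by 30115 -->
  <rule id="100001" level="0">
    <if_sid>30115</if_sid>
    <match>/shtml.exe/</match>
    <description>Ignore FrontPage shtml.exe probes.</description>
  </rule>
</group>
"""

# Assumed stand-in for the apache-errorlog decoder: "[Day Mon DD HH:MM:SS YYYY] [level] "
APACHE_ERRORLOG = re.compile(
    r"^\[\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}\] \[\w+\] ")


def decode(line):
    """Stand-in for OSSEC's decoder stage: name the decoder that claims the line."""
    return "apache-errorlog" if APACHE_ERRORLOG.match(line) else None


def load_rules(xml_text):
    """Flatten <rule> elements into dicts; only the fields modelled here."""
    rules = []
    for el in ET.fromstring(xml_text.strip()).iter("rule"):
        parents = (el.findtext("if_sid") or "").replace(",", " ").split()
        rules.append({
            "id": int(el.get("id")),
            "level": int(el.get("level")),
            "if_sid": [int(p) for p in parents],
            "decoded_as": el.findtext("decoded_as"),
            "match": el.findtext("match"),
            "description": (el.findtext("description") or "").strip(),
        })
    return rules


def evaluate(rules, line):
    """Return the deepest rule that fires for `line`, or None.

    Mirrors OSSEC's walk: an if_sid child is tried only after its parent fired;
    the first matching child in file order replaces the parent and the descent
    continues from it.  <match> is treated as a literal substring; OSSEC's
    '^', '$', '|' match syntax and <regex> are not modelled.
    """
    decoder = decode(line)
    children = {}
    for r in rules:
        for parent in r["if_sid"]:
            children.setdefault(parent, []).append(r)

    def fires(r):
        if r["decoded_as"] and r["decoded_as"] != decoder:
            return False
        return not r["match"] or r["match"] in line

    def descend(r):
        for child in children.get(r["id"], []):
            if fires(child):
                return descend(child)
        return r

    for root in (r for r in rules if not r["if_sid"]):
        if fires(root):
            return descend(root)
    return None


def classify(line, rules=None):
    """(rule id, level) for a log line, or None when no rule fires."""
    hit = evaluate(rules or load_rules(RULES_XML), line)
    return None if hit is None else (hit["id"], hit["level"])


SAMPLE_LOGS = [
    # Peter's line, rejoined onto one line.
    "[Tue Sep 18 19:04:59 2007] [error] [client 195.244.128.240] Invalid URI in request "
    "GET /../_vti_bin/shtml.exe/SI/contest.htm/map HTTP/1.1",
    # Constructed: another bad URI that should still alert via 30115.
    "[Tue Sep 18 19:05:12 2007] [error] [client 10.0.0.7] Invalid URI in request GET /%zz HTTP/1.1",
    # Constructed: mentions shtml.exe but is not an Invalid URI, so 100001 is never tried.
    "[Tue Sep 18 19:06:00 2007] [error] [client 10.0.0.8] File does not exist: /var/www/_vti_bin/shtml.exe/x",
    # Constructed: not an Apache error_log line at all.
    "Sep 18 19:07:00 host sshd[123]: Failed password for root from 10.0.0.9 port 2222 ssh2",
]

if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    for line in SAMPLE_LOGS:
        hit = evaluate(rules, line)
        verdict = "no rule" if hit is None else f"{hit['id']} level {hit['level']} ({hit['description']})"
        print(f"{verdict:55} <- {line[:70]}")
```

Running it shows the shtml.exe request ending at the level-0 local rule (matched, but silenced), a different "Invalid URI" still alerting at level 5 through 30115, and the "File does not exist" line stopping at 30101 because children are only tried once their parent fires. One caveat for the real deployment: level 0 discards the event entirely, so if you would rather keep a record of FrontPage probes, give the local rule a low non-zero level instead of 0.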
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.