Hi Peter,

Your rule looks good to me. If you can show us the log that you want to match, it may be easier to improve it a bit more. The only change I would do is to use an id above >100,000 since these are reserved for local rules.
Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 8/31/07, Peter M. Abraham <[EMAIL PROTECTED]> wrote:
>
> Greetings:
>
> I was investigating Apache segmentation faults on one of the servers
> monitored by ossec 1.3, and found that right before the segmentation
> fault was a hack attempt against shtml.dll (a FrontPage component).
>
> I created the following rule in /var/ossec/rules/local_rules.xml
>
> <group name="apache-custom,">
>   <rule id="90100" level="12">
>     <if_sid>30101</if_sid>
>     <match>shtml.dll</match>
>     <description>Possible FrontPage hack attempt</description>
>   </rule>
> </group>
>
> The "if_sid" is based on "Apache error messages grouped" as this error
> occurs in the Apache error log.
>
> Did I write the rule correctly? Are there any recommended changes?
>
> Thank you.
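The two points raised in this exchange (keep local rule ids in the reserved range, and confirm what the `<match>` text actually hits in the error log) can be sanity-checked before a rule is dropped into `local_rules.xml`. The script below is an added example, not code from the thread or from OSSEC itself. It parses a constructed copy of Peter's rule with the id moved to a hypothetical 100100, flags ids outside the local range (the bounds 100000-119999 are taken from the OSSEC documentation, not from this thread), and runs the `<match>` text over a few constructed Apache error-log lines. The matcher is a deliberate simplification: OSSEC's `<match>` uses its own "sregex" syntax, in which a plain token like `shtml.dll` behaves as a literal substring test; `^`, `$` and `|` are not modelled here.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the rule from the thread, with the id moved into the
# user-defined range as the reply recommends (hypothetical id 100100).
LOCAL_RULES_XML = """<group name="apache-custom,">
  <rule id="100100" level="12">
    <if_sid>30101</if_sid>
    <match>shtml.dll</match>
    <description>Possible FrontPage hack attempt</description>
  </rule>
</group>"""

# Assumption taken from the OSSEC documentation: ids 100000-119999 are
# reserved for user-defined (local) rules.
LOCAL_ID_MIN, LOCAL_ID_MAX = 100000, 119999

# Constructed Apache error-log lines. The first imitates the probe the thread
# describes; the others are ordinary errors that must not trigger the rule.
SAMPLE_LOG_LINES = [
    "[Fri Aug 31 10:02:11 2007] [error] [client 192.0.2.10] "
    "File does not exist: /var/www/html/_vti_bin/shtml.dll",
    "[Fri Aug 31 10:02:12 2007] [error] [client 192.0.2.11] "
    "File does not exist: /var/www/html/favicon.ico",
    "[Fri Aug 31 10:02:13 2007] [notice] caught SIGSEGV, attempting to dump core",
]


def parse_local_rules(xml_text):
    """Return one dict per <rule> element: id, level, if_sid, match, description."""
    root = ET.fromstring(xml_text)
    rules = []
    for elem in root.iter("rule"):
        rules.append({
            "id": int(elem.get("id")),
            "level": int(elem.get("level", "0")),
            "if_sid": elem.findtext("if_sid"),
            "match": elem.findtext("match"),
            "description": elem.findtext("description"),
        })
    return rules


def check_rule_ids(rules):
    """Report every rule whose id lies outside the local-rule range."""
    problems = []
    for rule in rules:
        if not LOCAL_ID_MIN <= rule["id"] <= LOCAL_ID_MAX:
            problems.append("rule %d: id outside local range %d-%d"
                            % (rule["id"], LOCAL_ID_MIN, LOCAL_ID_MAX))
    return problems


def matching_lines(rule, lines):
    """Lines containing the rule's <match> text.

    Simplification of OSSEC's sregex: a plain token such as 'shtml.dll' is a
    literal substring test; ^, $ and | are not handled here.
    """
    needle = rule["match"] or ""
    return [line for line in lines if needle in line]


def main():
    rules = parse_local_rules(LOCAL_RULES_XML)
    for problem in check_rule_ids(rules):
        print("WARNING:", problem)
    for rule in rules:
        print("rule %d (level %d, parent %s): %s"
              % (rule["id"], rule["level"], rule["if_sid"], rule["description"]))
        for line in matching_lines(rule, SAMPLE_LOG_LINES):
            print("  would fire on:", line)


if __name__ == "__main__":
    main()
```

Running it shows the rule firing only on the `_vti_bin/shtml.dll` line and staying quiet on the unrelated errors and the SIGSEGV notice. For the real decoder and rule chain (including the `<if_sid>30101</if_sid>` dependency on the Apache error grouping rule), feed the same line to `ossec-logtest` on the OSSEC host rather than relying on this simplified matcher.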