Thanks very much, I've added the rule. Appreciate the assistance!
On Sat, Oct 4, 2014 at 9:30 AM, Michael Starks ossec-l...@michaelstarks.com
wrote:
On 10/04/2014 05:30 AM, Jan Andrasko wrote:
Rob,
issue with your rule was that this string is not part of url. It is
usually in place of
Michael, I'm not sure of anything, which is why I posted :)
I'm going to try Jan's suggestion using Regex.
On Friday, October 3, 2014 10:31:32 AM UTC-4, Michael Starks wrote:
On 2014-10-02 8:08, Robert Moerman wrote:
Hello,
I've been trying to write a rule to detect CGI-based
Hello,
I've been trying to write a rule to detect CGI-based shellshock attacks via
the apache log parser, but I find the signature doesn't fire (even when I
see the string in the apache logs):
*Detect () { :; }; in url string*
rule id=12 level=13
if_sid31100/if_sid
url() {