Hi Robert,

It depends what kind of log you are monitoring. If you are referring to squid logs, you can create a local rule like that (at /var/ossec/rules/local_rules.xml):

  <rule id="100011" level="5">
    <if_sid>35000</if_sid>
    <id>^200</id>
    <url>www.botox.com|www.secondsite.com</url>
    <description>Access (return code 200) to a monitored web site.</description>
  </rule>

Note that rule "35000" is the rule called when a squid message is decoded (look at /var/ossec/rules/squid_rules.xml). So, whenever a squid log comes in, it will check if the return code is 200 and if one of the two sites is present in the URL.

Hope it helps... If you were looking for something else, let us know.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/4/06, Robert Molsbee <[EMAIL PROTECTED]> wrote:
How does one go about modifying/creating a rule to fire an email every time a certain web address is accessed (for example -- http://www.botox.com )? Essentially what we are looking for is limited blacklist functionality while still allowing access to enable monitoring and logging. Any help pertaining to the files or procedures involved would be much appreciated. Thanks, robm
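As an added illustration that is not part of the thread, the Python script below decodes a few constructed squid access-log lines into the fields the rule tests and applies both conditions of rule 100011, so you can see which lines would fire it. The decoder regex is my approximation of OSSEC's squid decoder (assumed: status code decoded as "id", request URL as "url", squid's native log layout), and the stricter pattern is written in Python regex syntax, so it would need translating into OSSEC's own regex dialect before use in local_rules.xml.

```python
import re

# Constructed squid native access.log lines (not from the thread):
# "time elapsed client action/code size method URL ident hierarchy type"
SAMPLE_LOG = """\
1159977600.101   120 192.168.1.10 TCP_MISS/200 5432 GET http://www.botox.com/ - DIRECT/203.0.113.5 text/html
1159977601.202    15 192.168.1.10 TCP_IMS_HIT/304 211 GET http://www.botox.com/logo.png - NONE/- image/png
1159977602.303    88 192.168.1.11 TCP_MISS/200 9876 GET http://www.example.org/ - DIRECT/203.0.113.6 text/html
1159977603.404    97 192.168.1.12 TCP_MISS/200 1234 GET http://www.secondsite.com/news - DIRECT/203.0.113.7 text/html
1159977604.505    64 192.168.1.13 TCP_MISS/200 2222 GET http://www.botox.com.example.net/ - DIRECT/203.0.113.8 text/html
"""

# Rough stand-in for OSSEC's squid decoder (an approximation, not its real
# regex): pull out the fields rule 100011 tests, the status code as "id"
# and the request URL as "url", assuming squid's native log layout.
SQUID_LINE = re.compile(
    r"^\d+\.\d+\s+\d+\s+(?P<srcip>\S+)\s+\w+/(?P<id>\d+)\s+\d+\s+"
    r"(?P<action>\w+)\s+(?P<url>\S+)"
)

def decode_squid(line):
    """Return the decoded fields, or None if the line is not a squid entry."""
    m = SQUID_LINE.match(line)
    return m.groupdict() if m else None

# Conditions of rule 100011, evaluated with Python's re. OSSEC has its own
# regex dialect, but both search unanchored, so the outcome on these lines
# is the same: any URL containing either host string triggers the rule.
LOOSE_RULE = {"id": r"^200", "url": r"www.botox.com|www.secondsite.com"}
# Stricter variant (Python syntax): anchor on scheme and host so that a
# look-alike host such as www.botox.com.example.net does not fire.
STRICT_RULE = {"id": r"^200",
               "url": r"^http://www\.botox\.com/|^http://www\.secondsite\.com/"}

def rule_matches(rule, fields):
    """True when every field pattern in the rule matches its decoded field."""
    return all(re.search(pat, fields.get(name, "")) for name, pat in rule.items())

def alerted_urls(log, rule):
    """URLs of the log lines that would fire the rule, in log order."""
    hits = []
    for line in log.splitlines():
        fields = decode_squid(line)
        if fields and rule_matches(rule, fields):
            hits.append(fields["url"])
    return hits

if __name__ == "__main__":
    for name, rule in (("loose", LOOSE_RULE), ("strict", STRICT_RULE)):
        print(name, alerted_urls(SAMPLE_LOG, rule))
```

Since the original question asks for an e-mail, keep in mind that OSSEC only mails alerts whose level is at or above the configured email_alert_level (7 by default), unless the rule carries <options>alert_by_email</options>.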
