Greetings:
I was investigating Apache segmentation faults on one of the servers
monitored by ossec 1.3, and found that right before the segmentation
fault was a hack attempt against shtml.dll (a FrontPage component).
I created the following rule in /var/ossec/rules/local_rules.xml:

<group name="apache-custom,">
  <rule id="90100" level="12">
    <!-- child of 30101 (Apache error messages grouped): only checked when that rule matched -->
    <if_sid>30101</if_sid>
    <match>shtml.dll</match>
    <description>Possible FrontPage hack attempt</description>
  </rule>
</group>
The "if_sid" is based on "Apache error messages grouped" as this error
occurs in the Apache error log.
Did I write the rule correctly? Are there any recommended changes?
Thank you.
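The rule can be sanity-checked offline before loading it into OSSEC. The following script is an added example, not part of the original post or of OSSEC: it parses the rule above and evaluates its <match> against constructed Apache error-log lines, using an approximation of OSSEC's match syntax (substring test, "|" for alternatives, "^"/"$" anchors); the log lines and the helper functions are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Copy of the rule from the post (in OSSEC: /var/ossec/rules/local_rules.xml).
LOCAL_RULES = """<group name="apache-custom,">
  <rule id="90100" level="12">
    <if_sid>30101</if_sid>
    <match>shtml.dll</match>
    <description>Possible FrontPage hack attempt</description>
  </rule>
</group>"""

# Constructed Apache error-log lines, not taken from the original post.
SAMPLE_LOG = [
    "[Sat Oct 06 14:23:01 2007] [error] [client 192.0.2.10] "
    "File does not exist: /var/www/_vti_bin/shtml.dll",
    "[Sat Oct 06 14:23:05 2007] [error] [client 192.0.2.10] "
    "File does not exist: /var/www/favicon.ico",
]

def ossec_match(pattern, text):
    """Approximation of OSSEC <match>: plain substring test, '|' separates
    alternatives, '^' anchors the start and '$' the end of the log text.
    (Assumption: mirrors the documented syntax; real OSSEC uses OS_Match2.)"""
    for alt in pattern.split("|"):
        head, tail = alt.startswith("^"), alt.endswith("$")
        alt = alt.lstrip("^").rstrip("$")
        if head and tail:
            hit = text == alt
        elif head:
            hit = text.startswith(alt)
        elif tail:
            hit = text.endswith(alt)
        else:
            hit = alt in text
        if hit:
            return True
    return False

def load_rules(xml_text):
    """Parse each <rule> into a dict with the fields the post's rule uses."""
    return [{"id": r.get("id"), "level": int(r.get("level")),
             "if_sid": r.findtext("if_sid"), "match": r.findtext("match")}
            for r in ET.fromstring(xml_text).iter("rule")]

def evaluate(rules, line, parent_sid):
    """Return (id, level) of child rules that fire on `line`, given that the
    parent rule `parent_sid` (30101, Apache error messages grouped) matched."""
    return [(r["id"], r["level"]) for r in rules
            if r["if_sid"] == parent_sid and ossec_match(r["match"], line)]
```

Only the child-rule step is simulated here; whether 30101 itself matches a given line is still decided by OSSEC's own Apache decoder and rules, so confirm the full chain with ossec-logtest on the real server.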