Greetings: I was investigating Apache segmentation faults on one of the servers monitored by ossec 1.3, and found that right before the segmentation fault was a hack attempt against shtml.dll (a FrontPage component).
I created the following rule in /var/ossec/rules/local_rules.xml:

    <group name="apache-custom,">
      <rule id="90100" level="12">
        <if_sid>30101</if_sid>
        <match>shtml.dll</match>
        <description>Possible FrontPage hack attempt</description>
      </rule>
    </group>

The "if_sid" is based on "Apache error messages grouped" as this error occurs in the Apache error log. Did I write the rule correctly? Are there any recommended changes? Thank you.
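One way to extend and check a rule like this, added here as an example and not part of the question or of the OSSEC rule set: keep the original rule unchanged and add a second rule that correlates repeated hits from the same source address, so a single probe stays at the original level while a burst from one client is escalated. The rule id 90101, the frequency and timeframe values, and the sample log line below are assumptions chosen for illustration.

```xml
<group name="apache-custom,">
  <!-- Original rule from the question: fires on any Apache "[error]" line
       (child of 30101, "Apache error messages grouped") that contains shtml.dll -->
  <rule id="90100" level="12">
    <if_sid>30101</if_sid>
    <match>shtml.dll</match>
    <description>Possible FrontPage hack attempt</description>
  </rule>

  <!-- Added correlation rule (id, frequency and timeframe are assumed values):
       escalate when the same source address triggers 90100 five times
       within 300 seconds. same_source_ip only works when the decoder has
       extracted a source IP, which for Apache error lines is the
       "[client x.x.x.x]" field. -->
  <rule id="90101" level="14" frequency="5" timeframe="300">
    <if_matched_sid>90100</if_matched_sid>
    <same_source_ip />
    <description>Repeated FrontPage shtml.dll probes from the same source</description>
  </rule>
</group>
```

To confirm the rule chain before relying on it, run /var/ossec/bin/ossec-logtest and paste a representative error-log line such as this constructed one: `[Sun Mar 02 12:00:00 2008] [error] [client 192.0.2.10] File does not exist: /var/www/html/shtml.dll`. The output should show the line decoded as an Apache error log, matched first by 30101 and then by 90100; pasting it repeatedly within the timeframe exercises 90101.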