Hi Peter,
This log should already be matching the following rule:
<rule id="30115" level="5">
  <if_sid>30101</if_sid>
  <match>Invalid URI in request</match>
  <description>Invalid URI (bad client request).</description>
  <group>invalid_request,</group>
</rule>
Isn't it? If you want to ignore this "shtml.exe", just create a local
rule looking for it:
..
<if_sid>30115</if_sid>
<match>/shtml.exe/</match>
..
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/18/07, Peter M. Abraham <[EMAIL PROTECTED]> wrote:
>
> Greetings:
>
> Apache error_log entry:
>
> [Tue Sep 18 19:04:59 2007] [error] [client 195.244.128.240] Invalid
> URI in request GET /../_vti_bin/shtml.exe/SI/contest.htm/map HTTP/1.1
>
>
> How would I write the match portion of the rule to just key in on
> "Invalid URI" and "shtml.exe"?
>
> Thank you.
>
>
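
Added example (not part of the original thread and not one of OSSEC's shipped rules): the local rule sketched in the reply above, written out in full for local_rules.xml. The rule id 100100, the group name and the description text are assumptions chosen for illustration; level 0 is what makes OSSEC drop the event without alerting.

```xml
<!-- local_rules.xml: added example, not from the original thread -->
<group name="local,apache,">

  <!-- id 100100 is a constructed value from the range used for local rules -->
  <rule id="100100" level="0">
    <!-- Child of 30115, so "Invalid URI in request" has already matched;
         this rule is only evaluated for those events. -->
    <if_sid>30115</if_sid>
    <!-- Second condition: the request path contains shtml.exe -->
    <match>/shtml.exe/</match>
    <!-- Description text is an assumption -->
    <description>Ignored: invalid URI request for shtml.exe.</description>
  </rule>

</group>
```

Because the rule chains from 30115 with if_sid, both strings must be present for it to fire; other "Invalid URI in request" events still alert at level 5 through rule 30115. The quoted error_log line can be pasted into ossec-logtest to confirm which rule matches.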