Hi Peter,
The following log should match this rule:
<rule id="30112" level="5">
    <if_sid>30101</if_sid>
    <match>File does not exist: |failed to open stream: No such file or directory|Failed opening </match>
    <description>Attempt to access a non-existent file.</description>
    <group>unknown_resource,</group>
</rule>
So, if you write a rule like:
<rule id="xyz" level="10">
    <if_sid>30112</if_sid>
    <match>/_vti_bin/shtml.exe/_vti_rpc</match>
    <description> xyz </description>
</rule>
It should match it...
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/18/07, Peter M. Abraham <[EMAIL PROTECTED]> wrote:
>
> Greetings Daniel:
>
> That works; thank you. A related question.
>
> What if the log was as follows from Apache error_log:
>
> [Tue Sep 18 20:53:47 2007] [error] [client 203.122.241.211] File does not exist: /hsphere/local/home/april3/mythicalrealm.com/_vti_bin/shtml.exe/_vti_rpc
>
> And I wanted to key in on
>
> "File does not exist" and "shtml.exe" and "_vti_rpc"
>
> What would the match look like then?
>
> Thank you.
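As an added example (not part of Daniel's reply or of OSSEC itself), here is a small Python model of the rule chaining described above, run against the error_log line Peter quoted: the child rule can only fire once rule 30112 has already matched, which is what gives the "File does not exist" AND "shtml.exe/_vti_rpc" combination Peter asked for. The numeric child id 100100 and the assumption that the Apache parent rule 30101 has already fired are mine.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the two rules from the thread. OSSEC rule ids are numeric,
# so the "xyz" placeholder is given the assumed local id 100100 here.
RULES_XML = """<group name="apache">
  <rule id="30112" level="5">
    <if_sid>30101</if_sid>
    <match>File does not exist: |failed to open stream: No such file or directory|Failed opening </match>
    <description>Attempt to access a non-existent file.</description>
  </rule>
  <rule id="100100" level="10">
    <if_sid>30112</if_sid>
    <match>/_vti_bin/shtml.exe/_vti_rpc</match>
    <description>Request for missing FrontPage shtml.exe/_vti_rpc path.</description>
  </rule>
</group>"""

# Constructed log line, the one quoted from Peter's Apache error_log.
LOG = ("[Tue Sep 18 20:53:47 2007] [error] [client 203.122.241.211] File does not exist: "
       "/hsphere/local/home/april3/mythicalrealm.com/_vti_bin/shtml.exe/_vti_rpc")


def load_rules(xml_text):
    """Return the rules in file order: id, level, parent (if_sid) and <match> alternatives."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        match = r.findtext("match") or ""
        rules.append({
            "id": r.get("id"),
            "level": int(r.get("level")),
            "if_sid": r.findtext("if_sid"),
            # <match> is a literal substring test; "|" separates alternatives (OR).
            "alts": [a for a in match.split("|") if a],
        })
    return rules


def evaluate(log, rules, fired=None):
    """Walk the rules in order; a rule with <if_sid> only fires if its parent already fired.
    'fired' seeds ids matched earlier (assumed here: 30101, the generic Apache error rule).
    Returns the id of the highest-level rule that fired, or None."""
    fired = set(fired or ())
    best = None
    for rule in rules:
        if rule["if_sid"] and rule["if_sid"] not in fired:
            continue                      # parent never matched: chain is broken
        if not any(alt in log for alt in rule["alts"]):
            continue                      # none of the literal alternatives present
        fired.add(rule["id"])
        if best is None or rule["level"] > best["level"]:
            best = rule
    return best["id"] if best else None
```

Running evaluate(LOG, load_rules(RULES_XML), {"30101"}) returns "100100"; the same path with a different error text, or a missing-file error for another path, stops at 30112 or matches nothing, which is the AND behaviour the chain provides.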