Hi All,
We've had some recent joomla and mambo exploits on our web server
through applets that customers can add/install themselves. We've been
able to trace some activity back to the /var/spool/mail/apache file
and I've added this file for ossec to monitor. I've placed a rule in
local_rules.xml to match certain keywords that we've been able to
find in the log file which might represent that the web site has been
hacked.
What I haven't been able to do is to make it so that the check is only
done against a particular rule id or file. So what I want to see
happen is that ossec will check my log file /var/spool/mail/apache and
then only use local rule id 100002 or use the file local_rules.xml to
find a match. Is this possible?
You can imagine the false positives I get from having such an
extensive list of common keywords in my var "HACK_ATTEMPT" when ossec
checks the other log files. I want to limit it so that the defined
<location> will only use this <rule_id> or xml file. Is this
possible?
ossec.conf:
<localfile>
<log_format>syslog</log_format>
<location>/var/spool/mail/apache</location>
</localfile>
local_rules.xml:
<var name="HACK_ATTEMPT">joomla|mambot|calendar|wp-content|mambo|admin|php</var>
<rule id="100002" level="13">
<match>$HACK_ATTEMPT</match>
<description>Check /var/spool/mail/apache for attempted Plesk hack.</description>
</rule>
Thanks.
Andy
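Added example (not part of Andy's post): one way to scope a keyword rule to a single log file in OSSEC is the `<location>` rule option, which compares against the location string the agent attaches to each event (for a `<localfile>` entry that string contains the configured path, so a plain substring match on the path is enough). The rule id, level, variable name and keyword list below are Andy's; the `<location>` element and the second rule are additions, and the assumption that lines from the mbox file decode cleanly under `log_format syslog` is carried over from the posted ossec.conf and should be checked with `/var/ossec/bin/ossec-logtest` before relying on it.

```xml
<!-- local_rules.xml: added example, not the original rule file -->
<group name="local,web,">

  <!-- Keyword list is the one from the post; "admin" and "php" alone
       will match a great deal of ordinary traffic, which is why the
       rule is restricted to one file rather than applied everywhere. -->
  <var name="HACK_ATTEMPT">joomla|mambot|calendar|wp-content|mambo|admin|php</var>

  <!-- Fires only for events whose location contains the mail spool path.
       Events from /var/log/messages, /var/log/secure, etc. never reach
       <match>, so the broad keyword list stops producing noise there. -->
  <rule id="100002" level="13">
    <location>/var/spool/mail/apache</location>
    <match>$HACK_ATTEMPT</match>
    <description>Check /var/spool/mail/apache for attempted Plesk hack.</description>
  </rule>

  <!-- Optional (assumed, not in the post): a child rule keyed off 100002
       via <if_sid> that raises the level when the same event also names
       a path under a customer-installable component. The "components/"
       keyword is illustrative only. -->
  <rule id="100003" level="14">
    <if_sid>100002</if_sid>
    <match>components/</match>
    <description>Keyword hit in apache mail spool referencing an add-on component.</description>
  </rule>

</group>
```

To confirm the scoping, feed a line to `ossec-logtest` with the location set to the spool path and then to some other file: interactive logtest accepts input in the form `location:log line` only in newer versions, so on an older install the practical check is to restart ossec, append a known keyword line to /var/spool/mail/apache and to a different monitored file, and verify in /var/ossec/logs/alerts/alerts.log that only the spool line raised rule 100002.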