Hi Andy,

You can also use the <hostname> tag in the rules to match on the log file name:

<rule id="100002" level="13">
  <match>$HACK_ATTEMPT</match>
  <hostname>/var/spool/mail/apache</hostname>
  <description>Check /var/spool/mail/apache for attempted Plesk hack.</description>
</rule>

That way this rule will not trigger for other log files.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, Oct 3, 2008 at 11:19 AM, Peter M. Abraham <[EMAIL PROTECTED]> wrote:
>
> Greetings Andy:
>
> If the same keywords and phrases are in the apache log file vs. raw
> email (/var/spool/mail/apache) then you can probably use an existing
> rule id (as a foundation) from /var/ossec/rules (check
> apache_rules.xml, attack_rules.xml, and web_rules.xml), and then use a
> "if sid" rule id match to narrow things down.
>
> Example:
>
> <rule id="100210" level="12">
> <if_sid>31100</if_sid>
> <match>(Nikto/</match>
> <description>Nikto vulnerability scan</description>
> </rule>
>
> Thank you.
>
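The two suggestions above put together as one local_rules.xml fragment, as an added example that is not part of either message. The keyword list, the group name and the descriptions are assumptions; the rule ids and the if_sid 31100 are the ones used in the thread.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml; not from the thread.
     Keyword list, group name and descriptions are placeholders/assumptions. -->

<!-- Keywords to look for (constructed placeholders; replace with real ones). -->
<var name="HACK_ATTEMPT">PLACEHOLDER_PATTERN_1|PLACEHOLDER_PATTERN_2</var>

<group name="local,plesk,">

  <!-- Narrow by source: <hostname> matches the syslog hostname or the log
       file name, so only events read from the mail spool file trigger this
       rule; the same keywords in other monitored files are ignored here. -->
  <rule id="100002" level="13">
    <match>$HACK_ATTEMPT</match>
    <hostname>/var/spool/mail/apache</hostname>
    <description>Check /var/spool/mail/apache for attempted Plesk hack.</description>
  </rule>

  <!-- Narrow by parent rule: <if_sid> makes this rule run only on events the
       existing web rules already grouped under id 31100 (the id cited in the
       thread), so it applies to the Apache log but not to the raw mail file. -->
  <rule id="100210" level="12">
    <if_sid>31100</if_sid>
    <match>$HACK_ATTEMPT</match>
    <description>Attempted Plesk hack seen in Apache log.</description>
  </rule>

</group>
```

Both rules stay in the 100000-119999 range reserved for local rules, so they are not clobbered by an OSSEC upgrade that replaces the shipped rule files.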
