Thank you Peter and Daniel. I will give it a go.
Cheers.

Andy

On Oct 10, 5:48 am, "Daniel Cid" <[EMAIL PROTECTED]> wrote:
> Hi Andy,
>
> You can also use the <hostname> tag in the rules to match on the log file
> name:
>
> <rule id="100002" level="13">
>   <match>$HACK_ATTEMPT</match>
>   <hostname>/var/spool/mail/apache</hostname>
>   <description>Check /var/spool/mail/apache for attempted Plesk
>   hack.</description>
> </rule>
>
> That way this rule will not trigger for other log files.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Fri, Oct 3, 2008 at 11:19 AM, Peter M. Abraham <[EMAIL PROTECTED]> wrote:
> > Greetings Andy:
> >
> > If the same keywords and phrases are in the apache log file vs. raw
> > email (/var/spool/mail/apache) then you can probably use an existing
> > rule id (as a foundation) from /var/ossec/rules (check
> > apache_rules.xml, attack_rules.xml, and web_rules.xml), and then use a
> > "if sid" rule id match to narrow things down.
> >
> > Example:
> >
> > <rule id="100210" level="12">
> >   <if_sid>31100</if_sid>
> >   <match>(Nikto/</match>
> >   <description>Nikto vulnerability scan</description>
> > </rule>
> >
> > Thank you.
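The two suggestions above, combined into a complete local rules file, as an added example that is not from the thread; the $HACK_ATTEMPT keyword list is constructed, and the ossec.conf localfile stanza (needed so that lines from the mailbox carry /var/spool/mail/apache as their location) is assumed, not quoted from the thread.

```xml
<!-- /var/ossec/etc/ossec.conf (assumed setup): let logcollector read the
     mailbox, so each line is tagged with the location /var/spool/mail/apache -->
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/spool/mail/apache</location>
  </localfile>
</ossec_config>

<!-- /var/ossec/rules/local_rules.xml -->
<!-- constructed keyword list; replace with the phrases seen in the mail -->
<var name="HACK_ATTEMPT">cgi-bin/|/phpmyadmin/</var>

<group name="local,plesk,">

  <!-- Daniel's approach: the <hostname> tag restricts the rule to lines whose
       location is the mailbox, so the same keywords in other logs do not fire it -->
  <rule id="100002" level="13">
    <match>$HACK_ATTEMPT</match>
    <hostname>/var/spool/mail/apache</hostname>
    <description>Check /var/spool/mail/apache for attempted Plesk hack.</description>
  </rule>

  <!-- Peter's approach: build on an existing parent rule (31100 in web_rules.xml,
       the web access log group) and narrow it with a child rule -->
  <rule id="100210" level="12">
    <if_sid>31100</if_sid>
    <match>(Nikto/</match>
    <description>Nikto vulnerability scan</description>
  </rule>

</group>
```

Restart OSSEC after editing, and use /var/ossec/bin/ossec-logtest to paste a sample line and confirm which rule id it matches.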
