Hey all, just wondering if anyone is using OSSEC to analyze their httpd_access logs. If so, can you share what the intention is and how (if it's not too secretive!)?
Right now, the majority of the rules are set up to trigger against the httpd error logs. I'm looking for ways to identify people who are trying to abuse the webapp or backend DB, not necessarily those accessing invalid pages or trying to cross-site script etc. This goes more along the lines of people who are trying to automate/crawl/spider sites. Wondering if anyone out there has used OSSEC to help detect and even prevent this sort of behavior. Ideas? I posted another thread with similar intent. I guess this is a bit more specific :)
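As an added illustration (not from this thread or from OSSEC itself), the script below runs the kind of detection the question is after over constructed combined-format access-log lines: it flags a source that exceeds a request rate inside a time window, or that walks many distinct URLs in a burst, which is the same frequency/timeframe/same-source logic an OSSEC rule expresses with `<frequency>`, `<timeframe>` and `<same_source_ip/>`. The thresholds, IPs and paths are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/NCSA combined log format (regex written for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_crawlers(lines, max_requests=10, timeframe=60, min_distinct_urls=8):
    """Return {ip: reason} for sources that look automated: more than
    max_requests hits within timeframe seconds ("rate"), or a window that
    touches at least min_distinct_urls different URLs ("spider")."""
    hits = defaultdict(list)            # ip -> [(timestamp, url), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                    # skip undecodable lines, as a decoder would
        hits[rec["ip"]].append((rec["ts"], rec["url"]))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        start = 0                       # sliding window over this source's requests
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > timeframe:
                start += 1
            window = events[start:end + 1]
            if len(window) > max_requests:
                flagged[ip] = "rate"
                break
            if len({url for _, url in window}) >= min_distinct_urls:
                flagged[ip] = "spider"
                break
    return flagged

def make_line(ip, second, url, ua="Mozilla/5.0"):
    """Build a constructed combined-format log line (sample data, not real traffic)."""
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] "GET {url} HTTP/1.1" '
            f'200 512 "-" "{ua}"')

SAMPLE_LOG = (
    [make_line("203.0.113.5", s, f"/products/{s}", "python-requests/2.31") for s in range(12)]
    + [make_line("192.0.2.77", s // 3, "/login") for s in range(12)]   # 12 hits in 4 s
    + [make_line("198.51.100.9", s * 20, "/index.html") for s in range(3)]  # normal user
)
```

Running `find_crawlers(SAMPLE_LOG)` flags the first two sources and leaves the third alone; in OSSEC the equivalent rule would chain off the web-accesslog group and could feed an active response, which is where the "prevent" part of the question comes in.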
