I googled this question before posting and found no hits; I apologize in advance if I have missed this discussion on the list. I want to create rules that treat web application scans from McAfee ScanAlert differently in OSSEC. Because of the number of source IPs that ScanAlert uses, I was going to write a Perl script that fetches the CSV of source IPs from McAfee and creates OSSEC rules. Before I do any of this, are there already rules for ScanAlert, much less does anyone have comments on the subject regarding how they handle it?
If there are no comments, I will write the script, and once I am done testing it, I can share it with the list if there is interest.
