Hello,

I am trying to recognise certain 'standard' patterns that can match web application scans from tools like:
- nikto (match 'Nikto')
- w3af (match 'w3af.sourceforge.net')
- Skipfish
- ...

But there are a lot of limitations:
- for apps like Skipfish it doesn't work (no clear pattern).

Method:
- Empty web server + logs + ossec
- Scan with a tool
- Check the logs and ossec
- Determine if a specific or generic word or pattern exists
- Create the rule
- Scan again
- Check Ossec (a new alert should arise).

<https://lh3.googleusercontent.com/_RKkgVwqgn4c/TWfc7T563GI/AAAAAAAAH3A/fbaaTDE8iRs/2011-02-25_174539.png>

Has someone already created some rules that can increase this kind of detection?

Kind regards
Js
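The "check the logs, then decide whether a specific or generic pattern exists" step of the method above, sketched as an added example that is not part of the original post and is not OSSEC rule code. It assumes Apache combined-format access logs; the sample lines, the label names and the 404-burst thresholds are constructed for illustration, and the fallback heuristic goes beyond the post to cover tools that leave no fixed string.

```python
import re
from collections import defaultdict

# Strings named in the post, looked for in the User-Agent field.
SIGNATURES = {"nikto": "Nikto", "w3af": "w3af.sourceforge.net"}

# Apache/NCSA combined log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed thresholds for the generic fallback (not from the post).
MIN_REQUESTS = 5
MIN_404_RATIO = 0.8

def classify(lines):
    """Return {ip: sorted labels} for sources that look like scanners."""
    hits = defaultdict(set)
    total = defaultdict(int)
    not_found = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        ip, ua = m["ip"], m["ua"].lower()
        total[ip] += 1
        if m["status"] == "404":
            not_found[ip] += 1
        for name, needle in SIGNATURES.items():
            if needle.lower() in ua:
                hits[ip].add(name)
    for ip, n in total.items():
        # Generic pattern: many requests from one source, mostly 404.
        if not hits[ip] and n >= MIN_REQUESTS and not_found[ip] / n >= MIN_404_RATIO:
            hits[ip].add("generic-404-burst")
    return {ip: sorted(labels) for ip, labels in hits.items() if labels}

def _line(ip, path, status, ua):
    return (f'{ip} - - [25/Feb/2011:17:45:39 +0100] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE = [
    _line("192.0.2.10", "/admin.php", 404, "Mozilla/5.00 (Nikto/2.1.3) (Test:000001)"),
    _line("198.51.100.7", "/index.php?id=1", 200, "w3af.sourceforge.net"),
    _line("192.0.2.99", "/", 200, "Mozilla/5.0 (X11; Linux)"),
] + [_line("203.0.113.5", f"/probe{i}", 404, "Mozilla/5.0 (X11; Linux)") for i in range(6)]

if __name__ == "__main__":
    for ip, labels in sorted(classify(SAMPLE).items()):
        print(ip, ", ".join(labels))
```

A string that proves stable across repeated scans can then be written as the rule in the "Create the rule" step; the 404-burst check is a frequency condition rather than a string match.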
