Are you looking for specific keywords in the browser string? OSSEC has some rules to detect on SQL Injection/XSS/etc attacks. But there is probably lots of room and flexibility for expanding the keyword detection. If you really want to find out, just "grep -i [whatever keyword] /var/ossec/rules/*" and see if your keyword shows up.
Another possibility is to use ModSecurity and then have OSSEC monitor the ModSec logs. OSSEC comes with prepackaged modsec rules in the apache_rules.xml file. Although, you'll probably need to tweak the rules a bit to get them working to your liking.

On Fri, Feb 25, 2011 at 8:47 AM, Js Opdebeeck <[email protected]> wrote:
> Hello;
>
> I try to recognise certain 'standard' patterns that can match Web
> application scans like:
> - nikto (match 'Nikto')
> - w3af (match 'w3af.sourceforge.net')
> - Skipfish
> - ...
>
> But there are a lot of limitations.
> - For apps like Skipfish it doesn't work (no clear pattern).
>
> Method:
> - Empty web server + logs + ossec
> - Scan with a tool
> - Check the logs and ossec
> - Determine if specific or generic word or pattern exists
> - Create the rule
> - Scan again
> - Check Ossec (new alert should arise).
>
> <https://lh3.googleusercontent.com/_RKkgVwqgn4c/TWfc7T563GI/AAAAAAAAH3A/fbaaTDE8iRs/2011-02-25_174539.png>
>
> Has someone already created some rules that can increase this kind of
> detection?
>
> Kind regards
>
> Js
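
Added example, not part of the original thread and not one of OSSEC's shipped rules: a local_rules.xml sketch of the keyword approach discussed above, using the two strings named in the quoted message. The rule IDs (100101, 100102), alert levels and the frequency/timeframe values are assumptions; 31100 is the rule in OSSEC's stock web_rules.xml that groups web access log entries.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml.
     Rule IDs, levels and thresholds are assumptions; adjust to your setup. -->
<group name="local,web,scanner,">

  <!-- Child of 31100, the stock rule that groups web access log lines.
       Fires when one of the scanner keywords from the thread appears
       anywhere in the log line, which includes the User-Agent field. -->
  <rule id="100101" level="6">
    <if_sid>31100</if_sid>
    <match>Nikto|w3af.sourceforge.net</match>
    <description>Web scanner signature in access log (Nikto/w3af).</description>
  </rule>

  <!-- Composite rule: escalate when the same source IP keeps matching
       100101 inside a short window, as a full scan run would. -->
  <rule id="100102" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_source_ip />
    <description>Repeated web scanner signatures from same source IP.</description>
  </rule>

</group>
```

Paste a captured access log line into /var/ossec/bin/ossec-logtest to confirm the rule fires before restarting OSSEC. A tool that sends no identifying string, as Skipfish is described in the quoted message, will not match these keywords.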
