Please help me to create a custom rule for detecting Mechanize access from the Apache log.
Log file format :

[18/Aug/2014:14:58:17 +0530] "GET /wordpress/ HTTP/1.1" 200 2725 "-" "Mechanize/2.7.3 Ruby/2.1.2p95 (http://github.com/sparklemotion/mechanize/)"
192.168.5.29 - - [18/Aug/2014:14:58:17 +0530] "GET /wordpress HTTP/1.1" 301 581 "-" "Mechanize/2.7.3 Ruby/2.1.2p95 (http://github.com/sparklemotion/mechanize/)"
192.168.5.29 - - [18/Aug/2014:14:58:17 +0530] "GET /wordpress/ HTTP/1.1" 200 2725 "-" "Mechanize/2.7.3 Ruby/2.1.2p95 (http://github.com/sparklemotion/mechanize/)"
192.168.5.29 - - [18/Aug/2014:14:58:18 +0530] "GET /wordpress HTTP/1.1" 301 581 "-" "Mechanize/2.7.3 Ruby/2.1.2p95 (http://github.com/sparklemotion/mechanize/)"
192.168.5.29 - - [18/Aug/2014:14:58:18 +0530] "GET /wordpress/ HTTP/1.1" 200 2725 "-" "Mechanize/2.7.3 Ruby/2.1.2p95 (http://github.com/sparklemotion/mechanize/)"

<rule id="110000" level="5">
  <if_sid>30100</if_sid>
  <match>^Mechanize</match>
  <description>Possible Mechanize web attack</description>
</rule>
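Added example, not part of the original post and not OSSEC code: in the posted log lines the Mechanize string is the last quoted field, not the start of the line, so this Python script parses the combined log format and tests the User-Agent field on its own. Python's `re` module stands in for the rule's matching, the function names are hypothetical, and the third sample line is constructed.

```python
import re

# Apache "combined" format; quoted fields may contain backslash-escaped quotes.
Q = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + Q + r' (\d{3}) (\S+) ' + Q + ' ' + Q + r'$'
)
UA_MECHANIZE = re.compile(r'^Mechanize/([\d.]+)')
MECH_UA = '"Mechanize/2.7.3 Ruby/2.1.2p95 (http://github.com/sparklemotion/mechanize/)"'

# Two lines in the format shown in the post, plus one constructed browser
# request whose Referer happens to contain the word "Mechanize".
SAMPLE = [
    '192.168.5.29 - - [18/Aug/2014:14:58:17 +0530] "GET /wordpress HTTP/1.1" '
    '301 581 "-" ' + MECH_UA,
    '192.168.5.29 - - [18/Aug/2014:14:58:17 +0530] "GET /wordpress/ HTTP/1.1" '
    '200 2725 "-" ' + MECH_UA,
    '192.168.5.40 - - [18/Aug/2014:14:59:02 +0530] "GET /wordpress/ HTTP/1.1" '
    '200 2725 "http://example.test/Mechanize" "Mozilla/5.0 (X11; Linux x86_64)"',
]

def line_anchored_hit(line):
    """The post's pattern applied to the whole line: anchored at column 0."""
    return re.search(r'^Mechanize', line) is not None

def substring_hit(line):
    """Unanchored match on the whole line: also fires on Referer or URL text."""
    return 'Mechanize' in line

def detect(lines):
    """Return (src_ip, request, version) where the User-Agent starts with Mechanize/."""
    hits = []
    for line in lines:
        m = COMBINED.match(line.strip())
        if m is None:
            continue  # truncated or non-combined line: not parsed, not guessed
        ip, _time, request, _status, _size, _referer, agent = m.groups()
        ua = UA_MECHANIZE.match(agent)
        if ua:
            hits.append((ip, request, ua.group(1)))
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE):
        print("Mechanize client:", hit)
```

The User-Agent header is client-supplied, so this only identifies clients that keep the library's default string.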
