On Mon, Aug 18, 2014 at 7:12 AM, Sujith V S <[email protected]> wrote:
>
> Please help me to create custom rule for detecting mechanize access from
> apache log
>
> Log file format :
>
> [18/Aug/2014:14:58:17 +0530] "GET /wordpress/ HTTP/1.1" 200 2725 "-"
> "Mechanize/2.7.3 Ruby/2.1.2p95 (http://github.com/sparklemotion/mechanize/)"
> 192.168.5.29 - - [18/Aug/2014:14:58:17 +0530] "GET /wordpress HTTP/1.1" 301
> 581 "-" "Mechanize/2.7.3 Ruby/2.1.2p95
> (http://github.com/sparklemotion/mechanize/)"
> 192.168.5.29 - - [18/Aug/2014:14:58:17 +0530] "GET /wordpress/ HTTP/1.1" 200
> 2725 "-" "Mechanize/2.7.3 Ruby/2.1.2p95
> (http://github.com/sparklemotion/mechanize/)"
> 192.168.5.29 - - [18/Aug/2014:14:58:18 +0530] "GET /wordpress HTTP/1.1" 301
> 581 "-" "Mechanize/2.7.3 Ruby/2.1.2p95
> (http://github.com/sparklemotion/mechanize/)"
> 192.168.5.29 - - [18/Aug/2014:14:58:18 +0530] "GET /wordpress/ HTTP/1.1" 200
> 2725 "-" "Mechanize/2.7.3 Ruby/2.1.2p95
> (http://github.com/sparklemotion/mechanize/)"
>
>
> <rule id="110000" level="5">
>     <if_sid>30100</if_sid>

Running the log message through ossec-logtest, I get 31108. What
version of OSSEC are you using?


>     <match>^Mechanize</match>

I'm very confused by this, "Mechanize" does not appear at the
beginning of the log.

>     <description>Possible Mechanize web attack</description>
>   </rule>
>

This works for me:
<rule id="110000" level="5">
    <if_sid>31108</if_sid>
    <match>Mechanize</match>
    <description>Possible Mechanize web attack</description>
  </rule>




>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to