On Mon, Aug 18, 2014 at 7:12 AM, Sujith V S <[email protected]> wrote:
>
> Please help me to create custom rule for detecting mechanize access from
> apache log
>
> Log file format :
>
> [18/Aug/2014:14:58:17 +0530] "GET /wordpress/ HTTP/1.1" 200 2725 "-"
> "Mechanize/2.7.3 Ruby/2.1.2p95 (http://github.com/sparklemotion/mechanize/)"
> 192.168.5.29 - - [18/Aug/2014:14:58:17 +0530] "GET /wordpress HTTP/1.1" 301
> 581 "-" "Mechanize/2.7.3 Ruby/2.1.2p95
> (http://github.com/sparklemotion/mechanize/)"
> 192.168.5.29 - - [18/Aug/2014:14:58:17 +0530] "GET /wordpress/ HTTP/1.1" 200
> 2725 "-" "Mechanize/2.7.3 Ruby/2.1.2p95
> (http://github.com/sparklemotion/mechanize/)"
> 192.168.5.29 - - [18/Aug/2014:14:58:18 +0530] "GET /wordpress HTTP/1.1" 301
> 581 "-" "Mechanize/2.7.3 Ruby/2.1.2p95
> (http://github.com/sparklemotion/mechanize/)"
> 192.168.5.29 - - [18/Aug/2014:14:58:18 +0530] "GET /wordpress/ HTTP/1.1" 200
> 2725 "-" "Mechanize/2.7.3 Ruby/2.1.2p95
> (http://github.com/sparklemotion/mechanize/)"
>
>
> <rule id="110000" level="5">
> <if_sid>30100</if_sid>
Running the log message through ossec-logtest, I get 31108. What
version of OSSEC are you using?
> <match>^Mechanize</match>
I'm very confused by this, "Mechanize" does not appear at the
beginning of the log.
> <description>Possible Mechanize web attack</description>
> </rule>
>
This works for me:
<rule id="110000" level="5">
<if_sid>31108</if_sid>
<match>Mechanize</match>
<description>Possible Mechanize web attack</description>
</rule>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
