On Tue, Aug 19, 2014 at 2:47 AM, Sujith V S <[email protected]> wrote:
>
> I have added a rule in local_rules.xml, but it's not working.
>
> <group name="myrules">
>   <rule id="110000" level="10">
>     <if_sid>31108</if_sid>
>     <match>Mechanize</match>
>     <description>Possible Mechanize web attack</description>
>   </rule>
> </group>
>
Did you restart the OSSEC processes? Use ossec-logtest and post the results.

>
> On Monday, August 18, 2014 10:52:53 PM UTC+5:30, dan (ddpbsd) wrote:
>>
>> On Mon, Aug 18, 2014 at 7:12 AM, Sujith V S <[email protected]> wrote:
>> >
>> > Please help me to create a custom rule for detecting Mechanize access from
>> > the Apache log.
>> >
>> > Log file format:
>> >
>> > [18/Aug/2014:14:58:17 +0530] "GET /wordpress/ HTTP/1.1" 200 2725 "-" "Mechanize/2.7.3 Ruby/2.1.2p95 (http://github.com/sparklemotion/mechanize/)"
>> > 192.168.5.29 - - [18/Aug/2014:14:58:17 +0530] "GET /wordpress HTTP/1.1" 301 581 "-" "Mechanize/2.7.3 Ruby/2.1.2p95 (http://github.com/sparklemotion/mechanize/)"
>> > 192.168.5.29 - - [18/Aug/2014:14:58:17 +0530] "GET /wordpress/ HTTP/1.1" 200 2725 "-" "Mechanize/2.7.3 Ruby/2.1.2p95 (http://github.com/sparklemotion/mechanize/)"
>> > 192.168.5.29 - - [18/Aug/2014:14:58:18 +0530] "GET /wordpress HTTP/1.1" 301 581 "-" "Mechanize/2.7.3 Ruby/2.1.2p95 (http://github.com/sparklemotion/mechanize/)"
>> > 192.168.5.29 - - [18/Aug/2014:14:58:18 +0530] "GET /wordpress/ HTTP/1.1" 200 2725 "-" "Mechanize/2.7.3 Ruby/2.1.2p95 (http://github.com/sparklemotion/mechanize/)"
>> >
>> >
>> > <rule id="110000" level="5">
>> >   <if_sid>30100</if_sid>
>>
>> Running the log message through ossec-logtest, I get 31108. What
>> version of OSSEC are you using?
>>
>> >   <match>^Mechanize</match>
>>
>> I'm very confused by this, "Mechanize" does not appear at the
>> beginning of the log.
>>
>> >   <description>Possible Mechanize web attack</description>
>> > </rule>
>> >
>>
>> This works for me:
>> <rule id="110000" level="5">
>>   <if_sid>31108</if_sid>
>>   <match>Mechanize</match>
>>   <description>Possible Mechanize web attack</description>
>> </rule>
>>
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
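Added example, not from the thread and not OSSEC's own code: a small Python script that emulates the two OSSEC behaviours the thread turns on, so the difference between the two rule variants can be seen on the posted log lines. Assumptions: a hypothetical Apache combined-log regex stands in for OSSEC's apache decoder plus rule 31108 (the parent named in <if_sid>); OSSEC's <match> is emulated only as far as its substring semantics and the ^ and $ anchors, nothing else of its pattern syntax; the sample log lines are constructed after the ones posted (an IP has been added to the first line, which the post had cut off, and a plain browser request and an sshd line are added as events that must not fire).

```python
"""Emulate how OSSEC would evaluate the thread's local_rules.xml rule.

Added example, not OSSEC code. Two behaviours are approximated:
  * <if_sid>31108</if_sid>: a child rule is only considered for events that
    already matched the parent rule (31108, OSSEC's generic Apache access-log
    rule). A combined-log regex stands in for the decoder + parent rule here.
  * <match>: an OSSEC "simple" pattern, i.e. a substring test where a leading
    '^' anchors at the start of the log and a trailing '$' at its end. Only
    those two operators are emulated.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample events, modelled on the lines posted in the thread.
SAMPLE_LOGS = [
    # posted line (IP prefix added; the post had it cut off)
    '192.168.5.29 - - [18/Aug/2014:14:58:17 +0530] "GET /wordpress/ HTTP/1.1" 200 2725 "-" '
    '"Mechanize/2.7.3 Ruby/2.1.2p95 (http://github.com/sparklemotion/mechanize/)"',
    # posted line
    '192.168.5.29 - - [18/Aug/2014:14:58:17 +0530] "GET /wordpress HTTP/1.1" 301 581 "-" '
    '"Mechanize/2.7.3 Ruby/2.1.2p95 (http://github.com/sparklemotion/mechanize/)"',
    # constructed: ordinary browser request, must NOT fire the custom rule
    '192.168.5.40 - - [18/Aug/2014:15:01:02 +0530] "GET /wordpress/ HTTP/1.1" 200 2725 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0"',
    # constructed: not an Apache log at all, so 31108 never fires and the
    # child rule is never examined even though the word appears in it
    'Aug 18 15:02:10 web1 sshd[4242]: Invalid user Mechanize from 192.168.5.29',
]

# Stand-in for OSSEC's apache decoder + rule 31108 (assumption for this
# example; the real decoder and rule are richer than this one regex).
APACHE_ACCESS_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} (\d+|-) "[^"]*" "[^"]*"$'
)
PARENT_SID = "31108"

# The rule the thread settles on (110000) and the '^Mechanize' variant that
# could not match (110001, id constructed for the comparison).
RULES_XML = """
<group name="myrules">
  <rule id="110000" level="10">
    <if_sid>31108</if_sid>
    <match>Mechanize</match>
    <description>Possible Mechanize web attack</description>
  </rule>
  <rule id="110001" level="10">
    <if_sid>31108</if_sid>
    <match>^Mechanize</match>
    <description>Anchored variant (does not fire)</description>
  </rule>
</group>
"""


def ossec_simple_match(pattern: str, log: str) -> bool:
    """Emulate OSSEC <match>: substring unless anchored with ^ and/or $."""
    start = pattern.startswith("^")
    end = pattern.endswith("$")
    lo = 1 if start else 0
    hi = len(pattern) - 1 if end else len(pattern)
    body = pattern[lo:hi]
    if start and end:
        return log == body
    if start:
        return log.startswith(body)
    if end:
        return log.endswith(body)
    return body in log


def load_rules(xml_text: str) -> list:
    """Parse the <rule> elements of a local_rules.xml-style group."""
    root = ET.fromstring(xml_text)
    rules = []
    for r in root.iter("rule"):
        rules.append({
            "id": r.get("id"),
            "level": int(r.get("level")),
            "if_sid": (r.findtext("if_sid") or "").strip(),
            "match": (r.findtext("match") or "").strip(),
            "description": (r.findtext("description") or "").strip(),
        })
    return rules


def evaluate(log: str, rules: list) -> list:
    """Return the ids of the child rules that fire for one log line."""
    # Parent first: if the event is not an Apache access log, 31108 does not
    # fire and the rules chained to it via if_sid are not examined at all.
    if not APACHE_ACCESS_RE.match(log):
        return []
    return [
        rule["id"]
        for rule in rules
        if rule["if_sid"] == PARENT_SID and ossec_simple_match(rule["match"], log)
    ]


def run(logs=SAMPLE_LOGS, xml_text=RULES_XML) -> dict:
    """Map each log line to the custom rule ids that fire for it."""
    rules = load_rules(xml_text)
    return {log: evaluate(log, rules) for log in logs}


if __name__ == "__main__":
    for log, ids in run().items():
        print(ids or "(no custom rule)", "<-", log[:70])
```

Running it shows 110000 firing on the two Mechanize requests and nothing else: the anchored 110001 never fires because the log starts with the client IP, not the user agent, and the sshd line is skipped before any <match> is tried because its parent rule does not apply. For the real thing the thread's advice stands: edit local_rules.xml, restart the OSSEC processes, and confirm with ossec-logtest, which also reports which parent rule (31108 here) an event actually hits.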
