I have added the following rules to local_rules.conf:
<rule id="100060" level="5">
  <if_sid>31100</if_sid>
  <match>requeststringtest.php</match>
  <description>request string test 2</description>
  <options>alert_by_email</options>
</rule>

<rule id="100160" level="7" frequency="5" timeframe="90">
  <if_matched_sid>100060</if_matched_sid>
  <same_source_ip />
  <description>request string test 2</description>
  <options>alert_by_email</options>
</rule>
but OSSEC doesn't care at all. It counts the rules as being enabled, but no
matter how many times or how fast I go to
http://server.ip/whatever?X=requeststringtest.php (or any URL that includes the
string), OSSEC completely ignores it. The out-of-the-box rules work fine.
If I port scan, SSH or HTTP brute-force, or pull too many 400 or 500
errors, then the appropriate rules fire. But this rule doesn't do anything.
What am I doing wrong?
OSSEC 2.8.2
CentOS 6
Apache
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
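The following is an added example, not code from the post or from OSSEC itself: a small Python model of what the two rules above are meant to do, run over constructed Apache access-log lines. It reproduces the semantics the rules rely on (the `<match>` substring test on the whole log line, and `if_matched_sid` with `frequency="5"`, `timeframe="90"` and `<same_source_ip />` counting per client IP) so you can see what sequence of lines should produce a 100060 alert and when the composite 100160 should take over. The IP addresses, timestamps and paths are made up. The model only knows about these two rules; in a real OSSEC install other child rules of 31100 compete with 100060 and the winner is decided by rule level, so the practical check is to paste one of your real access-log lines into `/var/ossec/bin/ossec-logtest` and see which rule id it reports.

```python
import re
from datetime import datetime, timedelta

# Constants taken from the two rules in the post.
MATCH_STRING = "requeststringtest.php"   # rule 100060 <match>
FREQUENCY = 5                            # rule 100160 frequency="5"
TIMEFRAME = 90                           # rule 100160 timeframe="90" (seconds)

# Apache combined log format: client IP is the first field, timestamp in [...].
APACHE_TS = "%d/%b/%Y:%H:%M:%S %z"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def parse_access_line(line):
    """Extract client IP, timestamp and request from a combined-format line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), APACHE_TS),
        "req": m.group("req"),
        "raw": line,
    }


def rule_100060(event):
    """<match> is a plain substring test against the whole log line."""
    return MATCH_STRING in event["raw"]


class Correlator:
    """Hypothetical model of OSSEC's frequency/timeframe correlation (not OSSEC code)."""

    def __init__(self):
        # source IP -> timestamps of recent rule-100060 hits (same_source_ip)
        self.history = {}

    def process(self, line):
        """Return the rule id that fires for this line, or None."""
        event = parse_access_line(line)
        if event is None or not rule_100060(event):
            return None
        hits = self.history.setdefault(event["ip"], [])
        hits.append(event["ts"])
        # Keep only hits inside the timeframe window ending at this event.
        window_start = event["ts"] - timedelta(seconds=TIMEFRAME)
        hits[:] = [t for t in hits if t >= window_start]
        if len(hits) >= FREQUENCY:
            hits.clear()          # the composite rule fires and the count restarts
            return 100160
        return 100060


def simulate(lines):
    """Run every line through one correlator; returns one rule id (or None) per line."""
    corr = Correlator()
    return [corr.process(line) for line in lines]


def access_line(ip, ts, path, status):
    """Build a constructed Apache combined-format line (sample data, not real traffic)."""
    return (f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" {status} 209 '
            f'"-" "curl/7.29.0"')


# Constructed sample: five matching requests from 10.0.0.5 inside 90 seconds,
# one from an unrelated IP, and one from 10.0.0.5 well outside the window.
SAMPLE_LOG = [
    access_line("10.0.0.5", "10/Oct/2015:13:55:00", "/index.html", 200),
    access_line("10.0.0.5", "10/Oct/2015:13:55:01", "/whatever?X=requeststringtest.php", 404),
    access_line("10.0.0.5", "10/Oct/2015:13:55:05", "/whatever?X=requeststringtest.php", 404),
    access_line("10.0.0.5", "10/Oct/2015:13:55:10", "/a?q=requeststringtest.php", 404),
    access_line("10.0.0.9", "10/Oct/2015:13:55:12", "/whatever?X=requeststringtest.php", 404),
    access_line("10.0.0.5", "10/Oct/2015:13:55:20", "/whatever?X=requeststringtest.php", 404),
    access_line("10.0.0.5", "10/Oct/2015:13:55:30", "/whatever?X=requeststringtest.php", 404),
    access_line("10.0.0.5", "10/Oct/2015:14:00:00", "/whatever?X=requeststringtest.php", 404),
]

if __name__ == "__main__":
    for line, rule in zip(SAMPLE_LOG, simulate(SAMPLE_LOG)):
        print(rule, line[:60])
```

The fifth matching line from 10.0.0.5 is the one that should come back as 100160; the request from 10.0.0.9 and the later request at 14:00:00 only reach 100060, because the count is kept per source IP and the earlier hits have aged out of the 90-second window.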