I'm trying to improve ossec WordPress rules. I'd like to start a list of generic WordPress rules. For example,
- Alert level 5 when the HTTP method is POST, and the HTTP status is 4xx
  Rationale: This represents an attack in the WordPress environment as there should never be a 4xx result from a POST
- Alert level 5 when the HTTP method is GET, the URL is the WordPress root, the HTTP status is 4xx
  Rationale: This represents an attack in the WordPress environment as there should never be a 4xx in the WordPress root directory. What's the PCRE for matching such URLs? E.g. /.env or /0000000.png
- ???

I realize rules/wordpress_rules exists; but it doesn't work out of the box; it seems to want wpsyslog. For various reasons, I employ WordFence. I'd like to get that ruleset working w/ WordFence, but that's a different issue.

tia,
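
Added example, not part of the original post and not OSSEC's own rules: the two rules proposed above applied to access-log lines in Python, with one PCRE-compatible pattern for root-level URLs such as /.env. It assumes the Apache/nginx combined log format and WordPress installed at the site root; the function names and sample lines are constructed for illustration.

```python
import re

# Apache/nginx "combined" access-log line: capture client IP, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)

# A path with exactly one segment, i.e. a file directly in the web root
# (/.env, /0000000.png), with an optional query string. PCRE-compatible.
ROOT_FILE_RE = re.compile(r'^/[^/?#]+(?:\?.*)?$')

ALERT_LEVEL = 5  # level taken from the post


def classify(line):
    """Return (level, reason) for a line matching either rule, else None."""
    m = LOG_RE.match(line)
    if not m or not m.group("status").startswith("4"):
        return None
    method, url = m.group("method"), m.group("url")
    if method == "POST":
        return (ALERT_LEVEL, "POST with 4xx status")
    if method == "GET" and ROOT_FILE_RE.match(url):
        return (ALERT_LEVEL, "GET in web root with 4xx status")
    return None


# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /0000000.png HTTP/1.1" 404 153 "-" "curl/8.0"
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"
192.0.2.10 - - [10/Oct/2023:13:57:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:57:30 +0000] "GET /wp-content/uploads/a.png HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:58:02 +0000] "GET / HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
""".splitlines()


def scan(lines):
    """Return [(line_number, level, reason)] for every alerting line."""
    return [(n, *hit) for n, line in enumerate(lines, 1) if (hit := classify(line))]


if __name__ == "__main__":
    for n, level, reason in scan(SAMPLE_LOG):
        print(f"line {n}: level {level}: {reason}")
```

The 404 for /wp-content/uploads/a.png is deliberately not flagged: the root-file pattern only matches a single path segment, so missing files in subdirectories stay out of the second rule.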
