Greetings:
RE: http://www.cirt.net/code/nikto.shtml
In /var/ossec/rules/local-rules.xml
<group name="apache-custom,">
  <rule id="100300" level="12">
    <!-- 31100 is the stock parent rule that groups web access log messages -->
    <if_sid>31100</if_sid>
    <match>(Nikto/</match>
    <description>Nikto vulnerability scan</description>
  </rule>
</group>
FYI, sample Apache access log entries:
aaa.bbb.ccc.ddd - - [06/Sep/2007:08:16:11 -0400] "HEAD / HTTP/1.1" 500 0 "-" "Mozilla/4.75 (Nikto/1.36 )"
aaa.bbb.ccc.ddd - - [06/Sep/2007:08:16:11 -0400] "GET /Nikto-1.36-PyLw1Xqw6y.htm HTTP/" 400 299 "-" "-"
aaa.bbb.ccc.ddd - - [06/Sep/2007:08:16:11 -0400] "GET /Nikto-1.36-PyLw1Xqw6y.htm HTTP/1.1" 500 548 "-" "Mozilla/4.75 (Nikto/1.36 )"
aaa.bbb.ccc.ddd - - [06/Sep/2007:08:16:11 -0400] "GET / HTTP/1.1" 500 548 "-" "Mozilla/4.75 (Nikto/1.36 )"
aaa.bbb.ccc.ddd - - [06/Sep/2007:08:16:13 -0400] "GET /cgi-bin/ HTTP/1.1" 500 548 "-" "Mozilla/4.75 (Nikto/1.36 )"
aaa.bbb.ccc.ddd - - [06/Sep/2007:08:16:13 -0400] "GET / HTTP/1.1" 500 548 "-" "Mozilla/4.75 (Nikto/1.36 )"
aaa.bbb.ccc.ddd - - [06/Sep/2007:08:16:13 -0400] "GET /index.php HTTP/1.1" 500 548 "-" "Mozilla/4.75 (Nikto/1.36 )"
aaa.bbb.ccc.ddd - - [06/Sep/2007:08:16:13 -0400] "GET /junk999.php HTTP/1.1" 500 548 "-" "Mozilla/4.75 (Nikto/1.36 )"
aaa.bbb.ccc.ddd - - [06/Sep/2007:08:16:13 -0400] "GET / HTTP/1.1" 500 548 "-" "Mozilla/4.75 (Nikto/1.36 )"
Thank you.
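
Added example (not part of the original post, and not OSSEC code): a small Python check that applies the rule's match text to three of the sample entries above, to show which ones the rule would flag and which mention Nikto only in the request path. It assumes the <match> text is tested as a plain substring of the log line; the function names and the "path-only" label are made up for this illustration.

```python
import re

# Three of the post's sample entries, each rejoined onto one line.
SAMPLE_LOG = '''\
aaa.bbb.ccc.ddd - - [06/Sep/2007:08:16:11 -0400] "HEAD / HTTP/1.1" 500 0 "-" "Mozilla/4.75 (Nikto/1.36 )"
aaa.bbb.ccc.ddd - - [06/Sep/2007:08:16:11 -0400] "GET /Nikto-1.36-PyLw1Xqw6y.htm HTTP/" 400 299 "-" "-"
aaa.bbb.ccc.ddd - - [06/Sep/2007:08:16:13 -0400] "GET /index.php HTTP/1.1" 500 548 "-" "Mozilla/4.75 (Nikto/1.36 )"
'''

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Literal text from the rule's <match>; assumed here to be a plain substring test.
RULE_MATCH = "(Nikto/"


def parse(line):
    """Split one combined-format line into named fields, or return None."""
    m = COMBINED.match(line.strip())
    return m.groupdict() if m else None


def classify(line):
    """'rule' if the posted match text hits the line, 'path-only' if Nikto
    shows up only in the request field, otherwise 'none'."""
    if RULE_MATCH in line:
        return "rule"
    entry = parse(line)
    if entry and "nikto" in entry["request"].lower():
        return "path-only"
    return "none"


def summarize(log_text):
    """Count how many non-empty lines fall into each class."""
    counts = {"rule": 0, "path-only": 0, "none": 0}
    for line in log_text.splitlines():
        if line.strip():
            counts[classify(line)] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify(line), "|", line)
    print(summarize(SAMPLE_LOG))
```

The second sample entry carries "-" as its user agent, so it lands in "path-only": the "(Nikto/" text never appears on that line.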