Hi Doug,

This is easy to do. Our web rules start with 31101, so if you put your local rule under that and give the desired URL in the <url> tag, it should work. Example:

<group name="local,web,accesslog,">
  <!-- Child of 31100 (access-log messages grouped), so only events decoded
       by the web-accesslog decoder reach this rule. -->
  <rule id="31101" level="10">
    <if_sid>31100</if_sid>
    <!-- <id> is the HTTP status code; "^" anchors the match at the start. -->
    <id>^200</id>
    <!-- <url> matches as a substring; use ^/my/page.php$ for an exact path. -->
    <url>/my/page.php</url>
    <description>200 reply to page.php.</description>
  </rule>
</group>
<!-- OSSEC reserves rule IDs 100000-119999 for local rules; make sure the ID
     you pick does not duplicate one shipped in rules/*.xml, or analysisd
     will refuse to start. -->

In this case, if anyone accesses page.php and gets a 200 return code (meaning that the page was there), it will generate an alert with severity 10, causing an active response to be executed.

*You need to add that to /var/ossec/rules/local_rules.xml

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Mon, Feb 2, 2009 at 12:04 PM, Doug Floer <dfl...@topsoft.ca> wrote:
> I need to configure OSSEC such that a specific "GET" message for a specific
> URL in an Apache log file triggers active response. I haven't been able to
> find a FAQ or anything in the manual on doing this. Can anyone provide some
> guidance?
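How the rule above actually evaluates against Apache access-log lines, as an added example that is not part of the original thread and not OSSEC's own code: a small Python model of the web-accesslog decoder plus the simplified "match" syntax OSSEC uses for <id> and <url> ("^" anchors the start, "$" the end, "|" separates alternatives, anything else is a substring match), run over constructed log lines. It goes one step beyond the post by also showing an anchored <url> pattern (hypothetical rule ID 100100) so that a request for /other/my/page.php does not trigger the same alert.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed Apache combined-format lines (not from the original thread).
SAMPLE_LOG = """\
10.0.0.5 - - [02/Feb/2009:12:04:01 -0500] "GET /my/page.php HTTP/1.1" 200 512 "-" "curl/7.19"
10.0.0.6 - - [02/Feb/2009:12:04:02 -0500] "GET /my/page.php HTTP/1.1" 404 210 "-" "curl/7.19"
10.0.0.7 - - [02/Feb/2009:12:04:03 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.8 - - [02/Feb/2009:12:04:04 -0500] "GET /other/my/page.php?x=1 HTTP/1.1" 200 33 "-" "curl/7.19"
"""

# Minimal stand-in for OSSEC's web-accesslog decoder: pulls out the fields the
# rule engine exposes as srcip, url and id (the HTTP status code).
ACCESSLOG_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<id>\d{3}) '
)


def decode_accesslog(line: str) -> Optional[dict]:
    """Return the decoded fields, or None if the line is not an access-log entry."""
    m = ACCESSLOG_RE.match(line)
    return m.groupdict() if m else None


def os_match(pattern: str, value: str) -> bool:
    """Simplified model (an assumption of this example) of the OSSEC 'match'
    syntax used by <id> and <url>: '^' anchors the start, '$' anchors the end,
    '|' separates alternatives, and an unanchored pattern matches as a substring."""
    for alt in pattern.split("|"):
        anchored_start = alt.startswith("^")
        anchored_end = alt.endswith("$")
        core = alt[(1 if anchored_start else 0):(len(alt) - 1 if anchored_end else len(alt))]
        if anchored_start and anchored_end:
            ok = value == core
        elif anchored_start:
            ok = value.startswith(core)
        elif anchored_end:
            ok = value.endswith(core)
        else:
            ok = core in value
        if ok:
            return True
    return False


@dataclass
class WebRule:
    rule_id: int
    level: int
    id_pattern: Optional[str] = None   # <id>
    url_pattern: Optional[str] = None  # <url>
    description: str = ""

    def matches(self, fields: dict) -> bool:
        """A rule fires only when every field it constrains matches."""
        if self.id_pattern and not os_match(self.id_pattern, fields["id"]):
            return False
        if self.url_pattern and not os_match(self.url_pattern, fields["url"]):
            return False
        return True


# The rule from the post: unanchored <url>, so it matches as a substring.
LOOSE_RULE = WebRule(31101, 10, "^200", "/my/page.php", "200 reply to page.php.")
# Hypothetical tightened variant (ID 100100 is in the local-rule range):
# anchored path, so /other/my/page.php?x=1 no longer fires it.
STRICT_RULE = WebRule(100100, 10, "^200", "^/my/page.php$", "200 reply to exactly /my/page.php.")


def run_rule(rule: WebRule, log_text: str) -> list:
    """Apply a rule to every line; return (srcip, url, id) for each alert it raises."""
    hits = []
    for line in log_text.splitlines():
        fields = decode_accesslog(line)
        if fields and rule.matches(fields):
            hits.append((fields["srcip"], fields["url"], fields["id"]))
    return hits


if __name__ == "__main__":
    for rule in (LOOSE_RULE, STRICT_RULE):
        print(rule.rule_id, rule.description)
        for hit in run_rule(rule, SAMPLE_LOG):
            print("  alert level", rule.level, hit)
```

The 404 line never fires either rule because `^200` is anchored at the start of the status field, while the unanchored `/my/page.php` in the posted rule also catches the request for `/other/my/page.php?x=1`; if the active response should only ever fire for the one path, anchor the <url> pattern as the second rule does.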