I'm trying to improve OSSEC WordPress rules.
I'd like to start a list of generic WordPress rules.
For example,
- Alert level 5 when the HTTP method is POST, and the HTTP status is 4xx
Rationale: This represents an attack in the WordPress environment, as there should never be a 4xx result from a POST.
- Alert level 5 when the HTTP method is GET, the URL is the WordPress root, and the HTTP status is 4xx
Rationale: This represents an attack in the WordPress environment as there should never be a 4xx in the WordPress root directory.
What's the PCRE for matching such URLs? E.g. /.env or /0000000.png - ???
I realize rules/wordpress_rules exists; but it doesn't work out of the box; it seems to want wpsyslog. For various reasons, I employ WordFence. I'd like to get that ruleset working w/ WordFence, but that's a different issue.
tia,
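One way to prototype the two generic rules above against Apache combined-log lines before expressing them as OSSEC rule XML. This is an added example in Python, not code from the original post or from OSSEC; the log lines are constructed, and treating "WordPress root" as any path with no sub-directory component (so /.env and /0000000.png match, /wp-content/... does not) is my assumption.

```python
import re

# Constructed Apache combined-log lines (not from the original post): one per case
# the post describes, plus two benign-looking requests that must not fire.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /0000000.png HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-content/uploads/2023/10/photo.jpg HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Combined Log Format: ip identd user [timestamp] "METHOD URL PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Assumed definition of "WordPress root": a path with no further directory component,
# i.e. / or /name (an optional query string is allowed). Sub-directories do not match.
ROOT_URL_RE = re.compile(r'^/[^/?]*(\?.*)?$')


def parse_line(line):
    """Split one combined-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(entry):
    """Return the (level, rule name) alerts the two generic rules raise for one parsed entry."""
    alerts = []
    is_4xx = entry["status"].startswith("4")
    if entry["method"] == "POST" and is_4xx:
        alerts.append((5, "wp_post_4xx"))          # rule 1: POST with a 4xx response
    if entry["method"] == "GET" and is_4xx and ROOT_URL_RE.match(entry["url"]):
        alerts.append((5, "wp_root_get_4xx"))      # rule 2: GET on the root with a 4xx response
    return alerts


def scan(log_text):
    """Map the URL of every alerting line to its alerts; non-alerting lines are omitted."""
    results = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            alerts = evaluate(entry)
            if alerts:
                results[entry["url"]] = alerts
    return results
```

ROOT_URL_RE is written in Python re syntax; OSSEC's rule matching uses its own regex dialect, so the pattern has to be re-expressed when it is moved into a rule file.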