Dan,


When I started this I was apparently using some old documentation, 
probably the book you wrote several years ago, and the parameter examples 
were limited. Also the newer docs show a limited set of <same_xxx> 
directives, so I’m wondering if there is a <same_url> directive. Maybe 
location would make sense? Actually the whole concept of blocking on 
same_location will not work unless the decoder strips off the first random 
hostname and grabs the rest of the domain name. Of course all of this may 
be too specific and the more generic version of the rules may be preferred 
if it works as well. 


What I have now worked against a recent flurry of bogus DNS requests, but 
then a second flurry started and it didn’t trigger a second time. It would 
have been during the timeout window of the first flurry of requests. So I’m 
thinking it may be related to not triggering active response again during 
the timeout window. When I have some more time I’ll do some testing to try 
to confirm the hypothesis, but any insights or questions from those with 
more experience are much appreciated. 


I will try out the decoder soon, but first wanted to test and resolve the 
issue about not firing for a second flurry.


Thanks for the help!

I love the flexibility and capabilities of OSSEC


-- Ralph Durkee, CISSP, GXPN, GPEN, GCIH, GSEC, GSNA, GCIA, C|EH 
Principal Security Consultant
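An added simulation of the two points raised in the message (not OSSEC's own code, and not from the poster): stripping the leading random hostname labels down to the base domain, and a frequency rule whose active response is not re-armed while the previous response for the same source and domain is still inside its timeout window. Thresholds, the source address and the sample query names are constructed, and the domain stripping assumes a fixed number of labels rather than a public-suffix list.

```python
from collections import defaultdict, deque


def base_domain(qname, keep_labels=2):
    """Strip the leading random hostname labels and keep the last `keep_labels`.
    Simplification: fixed label count, no public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-keep_labels:])


class FloodDetector:
    """Frequency rule plus a response with a timeout window (modelled here,
    not OSSEC's own implementation): a second match for the same key while
    the first response is still active is recorded as suppressed."""
    def __init__(self, frequency=5, timeframe=60, response_timeout=600):
        self.frequency = frequency
        self.timeframe = timeframe
        self.response_timeout = response_timeout
        self.recent = defaultdict(deque)  # key -> timestamps inside timeframe
        self.active_until = {}            # key -> time the response expires
        self.fired = []                   # (timestamp, key) responses started
        self.suppressed = []              # (timestamp, key) matches swallowed

    def feed(self, ts, src_ip, qname):
        key = (src_ip, base_domain(qname))  # same source IP + same base domain
        window = self.recent[key]
        window.append(ts)
        while window and ts - window[0] > self.timeframe:
            window.popleft()
        if len(window) < self.frequency:
            return None
        window.clear()  # rule matched; start a fresh count
        if ts < self.active_until.get(key, -1):
            self.suppressed.append((ts, key))  # still inside the timeout window
            return "suppressed"
        self.active_until[key] = ts + self.response_timeout
        self.fired.append((ts, key))
        return "fired"


def run_scenario():
    """Constructed sample: three flurries of 5 queries from one source at t=0, 300, 700."""
    det = FloodDetector()
    results = []
    for start in (0, 300, 700):
        for i in range(5):
            outcome = det.feed(start + i, "198.51.100.7", f"h{start}{i}.example.net")
            if outcome:
                results.append((start + i, outcome))
    return results
```

The second flurry at t=300 matches the rule but falls inside the 600-second window opened at t=4, so it is logged as suppressed rather than starting a new response; the third, at t=700, fires again.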


