What is the output of ossec-logtest?

Once you have a rule for that event, you can create an active response.

Regards.

On Sunday, June 25, 2017 at 12:06:23 AM UTC+2, Fredrik Hilmersson wrote:
>
> I spoke too early, still getting spammed ...
>
> On Saturday, June 24, 2017 at 22:20:13 UTC+2, Fredrik Hilmersson wrote:
>>
>> Thank you!
>>
>> On Saturday, June 24, 2017 at 21:21:48 UTC+2, dan (ddpbsd) wrote:
>>>
>>> On Sat, Jun 24, 2017 at 2:08 PM, Fredrik Hilmersson 
>>> <f.hilm...@worldclearing.org> wrote: 
>>> > Hello, 
>>> > 
>>> > so recently I got spammed by this vulnerability scanner. 
>>> > The HEAD is always the same, in regards to the $user_agent, Jorgee 
>>> > 
>>> > ** Alert 1498324205.1278330: - web,accesslog, 
>>> > 2017 Jun 24 17:10:05 (OSSEC AGENT) SRCIP->/var/log/nginx/access.log 
>>> > Rule: 31101 (level 5) -> 'Web server 400 error code.' 
>>> > 213.119.18.4 - - [24/Jun/2017:19:10:05 +0200] HEAD 
>>> > http://SRCIP:80/sql/phpmyadmin2/ HTTP/1.1 404 0 - Mozilla/5.0 Jorgee 
>>> > 
>>> > So I'm wondering if anyone has a good idea or rule how to block/ban these attempts? 
>>> > 
>>> > Kind regards, 
>>> > Fredrik 
>>> > 
>>>
>>> Possibly something like: 
>>> <rule id="999999" level="0"> 
>>>   <decoded_as>nginx-errorlog</decoded_as> 
>>>   <match> Jorgee$</match> 
>>>   <description>Jorgee is loud</description> 
>>> </rule> 
>>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
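Putting dan's rule idea together with the active response the reply above mentions, as an added example that is not from the thread: a local rule that hangs off rule 31101 (the rule in Fredrik's alert) and fires on the Jorgee user agent, plus the ossec.conf block that drops the source IP through OSSEC's stock firewall-drop command. The rule id 100100, level 10 and the one-hour timeout are assumptions.

```xml
<!-- local_rules.xml: added example, not from the thread. Rule id 100100 is an
     assumption; any free id in the 100000-119999 local range works. -->
<group name="local,web,accesslog,">
  <rule id="100100" level="10">
    <!-- Only look at lines that already matched 'Web server 400 error code' -->
    <if_sid>31101</if_sid>
    <!-- The access.log line in the alert ends with 'Mozilla/5.0 Jorgee' -->
    <match>Jorgee</match>
    <description>Jorgee vulnerability scanner probing the web server.</description>
  </rule>
</group>

<!-- ossec.conf: the stock firewall-drop command (already present in a default
     install) and an active response bound to the rule above. The 3600-second
     timeout is an assumption: the firewall drop is lifted after one hour. -->
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <!-- 'local' runs the script on the agent that produced the event -->
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>3600</timeout>
  </active-response>
</ossec_config>
```

Before restarting, paste the access.log line from the alert into ossec-logtest: the output should show rule 100100 as the final matched rule, otherwise the active response will never be triggered.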
