Hello Jesus,

So, I think I've got the rule to work.

1. Rule:

<rule id="100205" level="0">
  <if_sid>31101</if_sid>
  <decoded_as>web-accesslog</decoded_as>
  <match> Jorgee$</match>
  <description>Jorgee vulnerability scanner</description>
</rule>

2. Logtest output:

SRCIP - - [26/Jun/2017:08:38:43 +0200] "HEAD http://HOSTIP:80/phpmyadmin4/ 
HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee

**Phase 1: Completed pre-decoding.
full event: 'SRCIP - - [26/Jun/2017:08:38:43 +0200] "HEAD 
http://HOSTIP:80/phpmyadmin4/ 
HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee'

  hostname: 'agent-id'
 program_name: '(null)'
 log: 'SRCIP - - [26/Jun/2017:08:38:43 +0200] "HEAD 
http://HOSTIP:80/phpmyadmin4/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee'

**Phase 2: Completed decoding.

  decoder: 'web-accesslog'
  srcip: 'SRCIP'
  url: 'http://HOSTIP:80/phpmyadmin4/'
  id: '404'

**Phase 3: Completed filtering (rules).

  Rule id: '100205'
  Level: '0'
  Description: 'Jorgee vulnerability scanner'

Kind regards,
Fredrik

On Monday, 26 June 2017 at 10:48:16 UTC+2, Jesus Linares wrote:
>
> What is the output of ossec-logtest?
>
> Once you have a rule for that event, you can create an active response.
>
> Regards.
>
> On Sunday, June 25, 2017 at 12:06:23 AM UTC+2, Fredrik Hilmersson wrote:
>>
>> I spoke too early, still getting spammed ...
>>
>> On Saturday, 24 June 2017 at 22:20:13 UTC+2, Fredrik Hilmersson wrote:
>>>
>>> Thank you!
>>>
>>> On Saturday, 24 June 2017 at 21:21:48 UTC+2, dan (ddpbsd) wrote:
>>>>
>>>> On Sat, Jun 24, 2017 at 2:08 PM, Fredrik Hilmersson 
>>>> <f.hilm...@worldclearing.org> wrote: 
>>>> > Hello, 
>>>> > 
>>>> > So recently I got spammed by this vulnerability scanner. 
>>>> > The HEAD is always the same with regard to the $user_agent, Jorgee. 
>>>> > 
>>>> > ** Alert 1498324205.1278330: - web,accesslog, 
>>>> > 2017 Jun 24 17:10:05 (OSSEC AGENT) SRCIP->/var/log/nginx/access.log 
>>>> > Rule: 31101 (level 5) -> 'Web server 400 error code.' 
>>>> > 213.119.18.4 - - [24/Jun/2017:19:10:05 +0200] HEAD 
>>>> > http://SRCIP:80/sql/phpmyadmin2/ HTTP/1.1 404 0 - Mozilla/5.0 Jorgee 
>>>> > 
>>>> > So I'm wondering if anyone has a good idea or a rule for how to block/ban 
>>>> these 
>>>> > attempts? 
>>>> > 
>>>> > Kind regards, 
>>>> > Fredrik 
>>>> > 
>>>>
>>>> Possibly something like: 
>>>> <rule id="999999" level="0"> 
>>>>   <decoded_as>nginx-errorlog</decoded_as> 
>>>>   <match> Jorgee$</match> 
>>>>   <description>Jorgee is loud</description> 
>>>> </rule> 
>>>>
>>>>
>>>> > -- 
>>>> > 
>>>> > --- 
>>>> > You received this message because you are subscribed to the Google 
>>>> Groups 
>>>> > "ossec-list" group. 
>>>> > To unsubscribe from this group and stop receiving emails from it, 
>>>> send an 
>>>> > email to ossec-list+...@googlegroups.com. 
>>>> > For more options, visit https://groups.google.com/d/optout. 
>>>>
>>>

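An added example, not posted by anyone in this thread and not OSSEC code: the Python below emulates the rule chain that Fredrik's logtest output shows (the built-in rule 31101 on a 4xx status code, then the custom 100205 requiring the line to end in " Jorgee") over a few constructed nginx access-log lines, and returns the source IPs a firewall-drop active response would be handed. The regex, the helper names and the sample lines (RFC 5737 addresses) are all assumptions made for the example. It also shows one thing worth checking with ossec-logtest before wiring up the active response: OSSEC's <match> is a plain substring match, with "$" anchoring to the end of the whole log line, so if the access log uses nginx's default "combined" format the user agent is followed by a closing quote and " Jorgee$" does not match; the alternation form included below tolerates that quote. A second point the example does not change: OSSEC treats level 0 as "ignore", so for rule 100205 to drive an active response its level has to be raised above 0.

```python
"""Offline emulation of the Jorgee detection discussed in this thread.

Added illustration, not OSSEC code.  The built-in rule 31101 fires on a
web access-log line whose status code starts with 4; the custom child
rule 100205 then requires the pattern " Jorgee$", which OSSEC's <match>
treats as an end-anchored literal substring of the whole log line.  The
regex, helper names and sample lines below are constructed for the example.
"""
import re
from typing import Dict, Iterable, List, Optional

# Subset of the fields the web-accesslog decoder reported in the logtest
# output (srcip, url, id/status).  Optional quotes let one regex accept
# nginx's default "combined" format and the unquoted format in the alert.
ACCESS_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"?(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"? '
    r'(?P<status>\d{3}) (?P<bytes>\S+) '
    r'"?(?P<referer>[^"\s]*)"? "?(?P<ua>.*?)"?$'
)

# The <match> from rule 100205, and an alternation (sregex supports "|")
# that also tolerates the closing quote of the combined log format.
JORGEE_PATTERN = " Jorgee$"
JORGEE_PATTERN_QUOTED = ' Jorgee$| Jorgee"$'

# Constructed sample lines (not real traffic).
SAMPLE_LINES = [
    # Jorgee probes logged the way the thread's alert shows them (no quotes)
    '198.51.100.7 - - [26/Jun/2017:08:38:43 +0200] HEAD http://203.0.113.10:80/phpmyadmin4/ HTTP/1.1 404 0 - Mozilla/5.0 Jorgee',
    '198.51.100.7 - - [26/Jun/2017:08:38:44 +0200] HEAD http://203.0.113.10:80/sql/phpmyadmin2/ HTTP/1.1 404 0 - Mozilla/5.0 Jorgee',
    # ordinary 404 from a browser: rule 31101 only
    '192.0.2.44 - - [26/Jun/2017:08:40:01 +0200] GET /missing HTTP/1.1 404 162 - Mozilla/5.0 (X11; Linux x86_64) Firefox/54.0',
    # "Jorgee" in the path, not at the end of the line: 31101 only
    '192.0.2.45 - - [26/Jun/2017:08:41:12 +0200] GET /Jorgee HTTP/1.1 404 162 - curl/7.52.1',
    # 200 response: 31101 never fires, so 100205 is never evaluated
    '192.0.2.46 - - [26/Jun/2017:08:41:13 +0200] GET / HTTP/1.1 200 612 - Mozilla/5.0 Jorgee',
    # nginx "combined" format: the trailing quote defeats the $ anchor
    '203.0.113.99 - - [26/Jun/2017:08:42:00 +0200] "HEAD /phpmyadmin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"',
]


def decode(line: str) -> Optional[Dict[str, str]]:
    """Return the decoded fields for one access-log line, or None."""
    m = ACCESS_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def ossec_match(pattern: str, text: str) -> bool:
    """Approximation of OSSEC's <match> (sregex): alternatives separated
    by '|', each a literal substring, optionally anchored with ^ and/or $."""
    for alt in pattern.split("|"):
        anchored_start = alt.startswith("^")
        lit = alt[1:] if anchored_start else alt
        anchored_end = lit.endswith("$")
        if anchored_end:
            lit = lit[:-1]
        if anchored_start and anchored_end:
            ok = text == lit
        elif anchored_start:
            ok = text.startswith(lit)
        elif anchored_end:
            ok = text.endswith(lit)
        else:
            ok = lit in text
        if ok:
            return True
    return False


def classify(line: str, pattern: str = JORGEE_PATTERN) -> Optional[str]:
    """Walk the chain 31101 (4xx status) -> 100205 (Jorgee match).
    Returns the id of the last rule that fired, or None."""
    fields = decode(line)
    if fields is None:
        return None
    if not fields["status"].startswith("4"):      # rule 31101 condition
        return None
    if ossec_match(pattern, line.rstrip("\r\n")):  # rule 100205 condition
        return "100205"
    return "31101"


def block_list(lines: Iterable[str], pattern: str = JORGEE_PATTERN) -> List[str]:
    """Source IPs that would be passed to a firewall-drop active response,
    in first-seen order and without duplicates."""
    ips: List[str] = []
    for line in lines:
        if classify(line, pattern) == "100205":
            ip = decode(line)["srcip"]
            if ip not in ips:
                ips.append(ip)
    return ips


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line), decode(line)["srcip"], decode(line)["ua"])
    print("block with ' Jorgee$':", block_list(SAMPLE_LINES))
    print("block with quote-tolerant pattern:",
          block_list(SAMPLE_LINES, JORGEE_PATTERN_QUOTED))
```

Running it classifies the two unquoted probes as 100205, the browser 404, the "/Jorgee" path and the combined-format line as 31101 only, and the 200 response as nothing; the combined-format probe is only picked up once the quote-tolerant pattern is used, which is the case to check against a real line from the access log before trusting the block list.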