The active response I set for the rule (if of interest) is the following:

<active-response>
  <command>firewall-drop</command>
  <rules_id>100205</rules_id>
  <location>all</location>
  <timeout>600</timeout>
  <repeated_offenders>30,60,120,240,480</repeated_offenders>
</active-response>

Thanks for the help everyone,
and kind regards,
Fredrik
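As an added worked example (not code from this thread, nor from OSSEC or Wazuh), the following Python script replays the two pieces discussed above over a handful of constructed nginx access-log lines: the `<match> Jorgee$</match>` check layered on rule 31101, and the firewall-drop escalation that `<timeout>600</timeout>` with `<repeated_offenders>30,60,120,240,480</repeated_offenders>` produces. The IP addresses and paths are made up, rule 31101 is reduced to "any 4xx status" (an assumption), and the escalation counts every alert as a new offense, which approximates the schedule rather than execd's own timer bookkeeping. That the first timeout is in seconds and the repeated_offenders entries in minutes follows the OSSEC documentation. One line is written in standard combined format with the closing quote on the user agent, to show that the `$` anchor does not match it.

```python
import re

# Constructed sample lines in the same shape as the thread's log: the user agent
# is the last field and carries no closing quote. Addresses are documentation ranges.
SAMPLE_LOGS = [
    '198.51.100.7 - - [26/Jun/2017:08:38:43 +0200] "HEAD http://203.0.113.10:80/phpmyadmin4/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee',
    '198.51.100.7 - - [26/Jun/2017:08:38:44 +0200] "HEAD http://203.0.113.10:80/sql/phpmyadmin2/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee',
    '192.0.2.55 - - [26/Jun/2017:08:39:01 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/54.0',
    '192.0.2.55 - - [26/Jun/2017:08:39:02 +0200] "GET /jorgee.txt HTTP/1.1" 404 0 "-" "curl/7.52.1',
    # Standard combined format keeps the closing quote, so " Jorgee$" does not match it.
    '198.51.100.9 - - [26/Jun/2017:08:40:10 +0200] "HEAD /phpMyAdmin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"',
]

STATUS_RE = re.compile(r'HTTP/\d\.\d" (\d{3}) ')


def srcip(log):
    """First field of the access-log line (what the web-accesslog decoder exposes as srcip)."""
    return log.split(" ", 1)[0]


def status_code(log):
    m = STATUS_RE.search(log)
    return int(m.group(1)) if m else None


def rule_31101(log):
    """Simplified parent rule 'Web server 400 error code': any 4xx status (assumption)."""
    code = status_code(log)
    return code is not None and 400 <= code < 500


def rule_100205(log):
    """if_sid 31101 plus <match> Jorgee$</match>: a case-sensitive substring anchored
    at the end of the log, which is how OSSEC's match keyword treats a trailing $."""
    return rule_31101(log) and log.rstrip("\n").endswith(" Jorgee")


TIMEOUT_SECONDS = 600                              # <timeout>600</timeout>, seconds
REPEATED_OFFENDERS_MIN = [30, 60, 120, 240, 480]   # <repeated_offenders>, minutes


class FirewallDropSim:
    """Counts firewall-drop triggers per source and returns the block duration the
    repeated_offenders schedule assigns. Simplified: every alert is an offense,
    whereas the real execd decides that from its own timer list."""

    def __init__(self):
        self.offenses = {}

    def block_seconds(self, ip):
        n = self.offenses.get(ip, 0)
        self.offenses[ip] = n + 1
        if n == 0:
            return TIMEOUT_SECONDS
        # Second offense uses the first entry; beyond the list the last entry repeats.
        idx = min(n, len(REPEATED_OFFENDERS_MIN)) - 1
        return REPEATED_OFFENDERS_MIN[idx] * 60


def escalation_schedule(offenses):
    """Block durations (seconds) a single source gets for N consecutive offenses."""
    sim = FirewallDropSim()
    return [sim.block_seconds("x") for _ in range(offenses)]


def run(logs):
    """Feed log lines through the rule chain and return the (srcip, seconds) actions."""
    sim = FirewallDropSim()
    actions = []
    for log in logs:
        if rule_100205(log):
            ip = srcip(log)
            actions.append((ip, sim.block_seconds(ip)))
    return actions


if __name__ == "__main__":
    for ip, secs in run(SAMPLE_LOGS):
        print(f"firewall-drop {ip} for {secs}s")
    print(escalation_schedule(7))
```

Running it blocks 198.51.100.7 for 600 s on the first hit and 1800 s on the second, leaves the curl probe for /jorgee.txt alone (it ends in the curl user agent, not in " Jorgee"), and ignores the combined-format line entirely even though rule 31101 fires on it. If your nginx `log_format` keeps the closing quote, the match needs to be written as ` Jorgee"$` or as a `<regex>` on the user-agent field instead.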

On Monday, 26 June 2017 at 11:15:22 UTC+2, Jesus Linares wrote:
>
> Good job.
>
> Also, you can block the IP using active response 
> <https://blog.wazuh.com/blocking-attacks-active-response/>.
>
> Regards.
>
> On Monday, June 26, 2017 at 11:12:02 AM UTC+2, Fredrik Hilmersson wrote:
>>
>> Hello Jesus,
>>
>> So, I think I've got the rule to work.
>>
>> 1. Rule:
>>
>> <rule id="100205" level="0">
>>   <if_sid>31101</if_sid>
>>   <decoded_as>web-accesslog</decoded_as>
>>   <match> Jorgee$</match>
>>   <description>Jorgee vulnerability scanner</description>
>> </rule>
>>
>> 2. Logtest output:
>>
>> SRCIP - - [26/Jun/2017:08:38:43 +0200] "HEAD http://HOSTIP:80/phpmyadmin4/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee
>>
>> **Phase 1: Completed pre-decoding.
>> full event: 'SRCIP - - [26/Jun/2017:08:38:43 +0200] "HEAD http://HOSTIP:80/phpmyadmin4/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee'
>>
>>   hostname: 'agent-id'
>>  program_name: '(null)'
>>  log: 'SRCIP - - [26/Jun/2017:08:38:43 +0200] "HEAD http://HOSTIP:80/phpmyadmin4/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee'
>>
>> **Phase 2: Completed decoding.
>>
>>   decoder: 'web-accesslog'
>>   srcip: 'SRCIP'
>>   url: 'http://HOSTIP:80/phpmyadmin4/'
>>   id: '404'
>>
>> **Phase 3: Completed filtering (rules).
>>
>>   Rule id: '100205'
>>   Level: '0'
>>   Description: 'Jorgee vulnerability scanner'
>>
>> Kind regards,
>> Fredrik
>>
>> On Monday, 26 June 2017 at 10:48:16 UTC+2, Jesus Linares wrote:
>>>
>>> What is the output of ossec-logtest?
>>>
>>> Once you have a rule for that event, you can create an active response.
>>>
>>> Regards.
>>>
>>> On Sunday, June 25, 2017 at 12:06:23 AM UTC+2, Fredrik Hilmersson wrote:
>>>>
>>>> I spoke too early, still getting spammed ...
>>>>
>>>> On Saturday, 24 June 2017 at 22:20:13 UTC+2, Fredrik Hilmersson wrote:
>>>>>
>>>>> Thank you!
>>>>>
>>>>> On Saturday, 24 June 2017 at 21:21:48 UTC+2, dan (ddpbsd) wrote:
>>>>>>
>>>>>> On Sat, Jun 24, 2017 at 2:08 PM, Fredrik Hilmersson 
>>>>>> <f.hilm...@worldclearing.org> wrote: 
>>>>>> > Hello, 
>>>>>> > 
>>>>>> > so recently I got spammed by this vulnerability scanner. 
>>>>>> > The HEAD is always the same, in regards to the $user_agent, Jorgee 
>>>>>> > 
>>>>>> > ** Alert 1498324205.1278330: - web,accesslog, 
>>>>>> > 2017 Jun 24 17:10:05 (OSSEC AGENT) SRCIP->/var/log/nginx/access.log 
>>>>>> > Rule: 31101 (level 5) -> 'Web server 400 error code.' 
>>>>>> > 213.119.18.4 - - [24/Jun/2017:19:10:05 +0200] HEAD http://SRCIP:80/sql/phpmyadmin2/ HTTP/1.1 404 0 - Mozilla/5.0 Jorgee
>>>>>> > 
>>>>>> > So I'm wondering if anyone has a good idea or rule how to block/ban these attempts?
>>>>>> > 
>>>>>> > Kind regards, 
>>>>>> > Fredrik 
>>>>>> > 
>>>>>>
>>>>>> Possibly something like: 
>>>>>> <rule id="999999" level="0"> 
>>>>>>   <decoded_as>nginx-errorlog</decoded_as> 
>>>>>>   <match> Jorgee$</match> 
>>>>>>   <description>Jorgee is loud</description> 
>>>>>> </rule> 
>>>>>>
>>>>>>
>>>>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
