Hi Andrew,

Sorry for the late response. A rule's function is basically to let you know 
what is happening in your environment, but this rule will not block normal 
visitors' IPs just because it was triggered. Have you checked if the Active 
Response module is active? If you have something similar to the following 
lines, probably that is what is causing the IPs to get blocked:

Example 1:

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
  </command>

This is a command to run the firewall-drop.sh script to block the srcip.

Example 2:

  <active-response>
    <command>makelists</command>
    <location>server</location>
    <rules_id>31533</rules_id>
  </active-response>

This active-response will run the makelists command to update the CDB 
lists. CDB lists are used to create a white/black list of users, file 
hashes, IPs or domain names.

You can check more information about CDB lists here:
https://documentation.wazuh.com/4.0/user-manual/ruleset/cdb-list.html

Also, regarding the examples, there are loads of other configurations for 
Active Response that could match yours. You can check them here: 
https://www.ossec.net/docs/syntax/head_ossec_config.active-response.html

Lastly, if you want to just remove the rule, you can copy the entire file to 
which this rule belongs (the path should be 
/var/ossec/ruleset/rules/0270-web_appsec_rules.xml) 
to the /var/ossec/etc/rules/ directory, change this file's name (very 
important!) and delete this rule from this file. You can copy the file 
running this command:

  cp /var/ossec/ruleset/rules/0270-web_appsec_rules.xml /var/ossec/etc/rules/new_name.xml

Then, with any editor (nano, vim...) feel free to delete the rule 31533. 
The last step would be to go to the ossec.conf file and add the line:

  <rule_exclude>0270-web_appsec_rules.xml</rule_exclude>

to the <ruleset> module. After this, restart the manager and you will 
never see this rule triggering again. You can check this link for further 
information about excluding rules: 
https://documentation.wazuh.com/4.0/user-manual/reference/ossec-conf/ruleset.html#rule-exclude

Hope I was helpful. Do not hesitate to contact us if you have any doubts.

Yana.

On Sunday, November 22, 2020 at 3:32:18 PM UTC+1 Andrew S wrote:

> We are getting a false alert:
>
> Received From: domain->/var/log/nginx/access.log
> Rule: 31533 fired (level 10) -> "High amount of POST requests in a small period of time (likely bot)."
> Src IP: 95.145.175.32
> Portion of the log(s):
>
> 95.145.175.32 - - [22/Nov/2020:14:20:47 +0000] "POST /?wpgb-ajax=wpgb_front&action=render HTTP/1.1" 200 2925 "https://www.domain.com/guides/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36"
> 95.145.175.32 - - [22/Nov/2020:14:20:47 +0000] "POST /?wpgb-ajax=wpgb_front&action=render HTTP/1.1" 200 7015 "https://www.domain.com/guides/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36"
> 95.145.175.32 - - [22/Nov/2020:14:20:47 +0000] "POST /?wpgb-ajax=wpgb_front&action=render HTTP/1.1" 200 6651 "https://www.domain.com/guides/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36"
>
> This causes normal visitors IPs to get blocked. How can we add an 
> exception for this rule?
>
> Thanking you in advance,
> Andrew
>
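The reply above tells Andrew to look for a <command> block that expects srcip and for an <active-response> that ties it to rule 31533 or to level 10 alerts. The script below is an added example (not Wazuh/OSSEC code) that reads such a configuration fragment and reports which active responses would fire for a given alert, so a defender can see whether the "blocking" comes from a rules_id match or from a level threshold that any level-10 rule would satisfy. The configuration fragment is constructed for the example; the matching semantics (a response is skipped when <disabled>yes</disabled>, and every condition it specifies, minimum <level>, <rules_id>, <rules_group>, must hold) are an assumption modelled on the OSSEC active-response documentation linked above, not a guarantee of how a given version evaluates them.

```python
"""Which active responses fire for an alert?  Added example, not Wazuh/OSSEC code."""
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment (assumption: shaped like the examples in the
# reply).  The third block is disabled on purpose to show that it is ignored.
SAMPLE_CONF = """
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>makelists</name>
    <executable>makelists.sh</executable>
    <expect></expect>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>makelists</command>
    <location>server</location>
    <rules_id>31533</rules_id>
  </active-response>
  <active-response>
    <disabled>yes</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>31533</rules_id>
  </active-response>
</ossec_config>
"""


def _csv_set(text):
    """Split a comma-separated tag body such as '31533,31151' into a set."""
    return {item.strip() for item in text.split(",") if item.strip()}


def load_config(xml_text):
    """Parse <command> and <active-response> blocks from an ossec.conf fragment."""
    root = ET.fromstring(xml_text)
    commands = {}
    for cmd in root.findall("command"):
        commands[cmd.findtext("name", "").strip()] = {
            "executable": cmd.findtext("executable", "").strip(),
            # 'srcip' here means the script acts on the alert's source address.
            "expect": cmd.findtext("expect", "").strip(),
        }
    responses = []
    for ar in root.findall("active-response"):
        level = ar.findtext("level", "").strip()
        responses.append({
            "command": ar.findtext("command", "").strip(),
            "location": ar.findtext("location", "").strip(),
            "disabled": ar.findtext("disabled", "no").strip().lower() == "yes",
            "level": int(level) if level else None,
            "rules_id": _csv_set(ar.findtext("rules_id", "")),
            "rules_group": _csv_set(ar.findtext("rules_group", "")),
        })
    return commands, responses


def matching_responses(commands, responses, rule_id, level, groups=()):
    """Return (command, location, expect) for every enabled response whose
    conditions all hold for an alert with this rule id, level and groups."""
    fired = []
    for ar in responses:
        if ar["disabled"]:
            continue
        if ar["level"] is not None and level < ar["level"]:
            continue
        if ar["rules_id"] and str(rule_id) not in ar["rules_id"]:
            continue
        if ar["rules_group"] and not ar["rules_group"] & set(groups):
            continue
        expect = commands.get(ar["command"], {}).get("expect", "")
        fired.append((ar["command"], ar["location"], expect))
    return fired


def blocks_srcip(fired):
    """True when at least one fired response hands the source IP to its script."""
    return any(expect == "srcip" for _, _, expect in fired)


if __name__ == "__main__":
    cmds, ars = load_config(SAMPLE_CONF)
    # The alert from the thread: rule 31533, level 10 (groups are an assumption).
    fired = matching_responses(cmds, ars, 31533, 10, ("web", "attack"))
    for command, location, expect in fired:
        print(f"{command} on {location} (expects: {expect or 'nothing'})")
    print("source IP would be blocked:", blocks_srcip(fired))
```

Running it shows that firewall-drop fires through the level-10 threshold, not through a rules_id entry, which is why deleting or excluding rule 31533 (as the reply describes) stops the block for this alert but leaves the same response armed for every other level-10 rule.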

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/07f288b1-3a9e-42fd-ab3f-9575629c3008n%40googlegroups.com.