Hello,

I am trying to monitor "HEAD" requests to my webpage. In the log it looks like this:

xxx.xxx.xxx.xxx - - [10/May/2007:15:03:12 +0200] "HEAD /doc/....

Is it possible to send an alert when multiple accesses via HEAD request are made? I tried this easy filter, but it does not seem to work:

<group name="web-accesslog">
  <rule id="3100" level="0">
    <decoded_as>web-accesslog</decoded_as>
    <category>web-log</category>
    <description>Access log messages grouped.</description>
  </rule>
  <rule id="31102" level="10">
    <if_sid>3100</if_sid>
    <same_source_ip />
    <match>HEAD /doc/</match>
    <description>Multiple HEAD web attacks</description>
  </rule>

Can anybody help?

Thanks a lot,
Vasek A.
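
As an added example (not part of the original post and not taken from OSSEC's shipped ruleset): OSSEC counts repeated events with a composite rule that carries `frequency` and `timeframe` attributes and points at an already-matched rule through `<if_matched_sid>`, so the single-event match and the "multiple times" condition live in two separate rules. The rule ids 100100-100102, the group name and the threshold of 8 hits in 120 seconds are assumptions chosen for illustration, and the sketch assumes the web-accesslog decoder extracts the source IP.

```xml
<!-- Added example. Rule ids 100100-100102 are placeholders from the local-rule range. -->
<group name="web-accesslog-local,">

  <!-- Parent: groups every event decoded as web-accesslog. Never alerts. -->
  <rule id="100100" level="0">
    <decoded_as>web-accesslog</decoded_as>
    <category>web-log</category>
    <description>Access log messages grouped.</description>
  </rule>

  <!-- Child: one HEAD request under /doc/. This is the event that gets counted. -->
  <rule id="100101" level="3">
    <if_sid>100100</if_sid>
    <match>HEAD /doc/</match>
    <description>HEAD request to /doc/.</description>
  </rule>

  <!-- Composite: repeated matches of rule 100101 from the same source IP
       inside the timeframe (seconds). frequency and timeframe are assumed values. -->
  <rule id="100102" level="10" frequency="8" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_source_ip />
    <description>Multiple HEAD requests to /doc/ from the same source IP.</description>
  </rule>

</group>
```

A constructed line such as `192.0.2.10 - - [10/May/2007:15:03:12 +0200] "HEAD /doc/index.html HTTP/1.1" 200 -` can be pasted repeatedly into `ossec-logtest` to check that rule 100101 matches and that rule 100102 fires once the count is reached.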
