I think you'll want to break this into 2 separate rules. One for the
HEAD match and a second for multiple matches. For multiple match
rules I believe you need to set the frequency and timeframe as well as
using if_matched_sid rather than if_sid. Try the following:
<rule id="31102" level="5">
  <if_sid>3100</if_sid>
  <match>HEAD /doc/</match>
  <description>Possible HEAD web attack</description>
</rule>
<rule id="31103" level="10" frequency="3" timeframe="60">
  <if_matched_sid>31102</if_matched_sid>
  <same_source_ip />
  <description>Multiple HEAD web attacks</description>
</rule>
I'm still kind of new to OSSEC but I believe the above rule will work.
-Dale
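To make the difference between the two approaches concrete, here is a small Python model of the correlation Dale's second rule performs: a per-event match rule (31102) feeding a composite rule (31103) that only fires when the same source IP has produced `frequency` matches inside `timeframe` seconds. This is an added illustration, not code from the thread and not OSSEC's own engine; the access-log lines are constructed for the example, and the model treats `frequency` as an exact count, which is an assumption (consult the OSSEC rules documentation for the engine's real counting behaviour).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (not from the original thread);
# the source IPs and paths are made up for illustration.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2007:15:03:12 +0200] "HEAD /doc/index.html HTTP/1.0" 200 -
203.0.113.7 - - [10/May/2007:15:03:15 +0200] "HEAD /doc/admin/ HTTP/1.0" 404 -
198.51.100.9 - - [10/May/2007:15:03:20 +0200] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [10/May/2007:15:03:40 +0200] "HEAD /doc/config HTTP/1.0" 404 -
203.0.113.7 - - [10/May/2007:15:05:30 +0200] "HEAD /doc/old HTTP/1.0" 404 -
"""

# Apache common log format: ip ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Decode one access-log line into ip, timestamp and request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "request": m.group("request"),
    }


def correlate(lines, pattern="HEAD /doc/", frequency=3, timeframe=60):
    """Emulate rule 31102 (<match>) feeding rule 31103
    (frequency + timeframe + same_source_ip).

    Returns a list of (level, rule_id, ip, timestamp) alerts in the order
    they would be raised. Level 5 is raised for every match; level 10 only
    when the same source IP reaches `frequency` matches within `timeframe`
    seconds (an assumed exact-count model of the OSSEC engine).
    """
    alerts = []
    recent = defaultdict(deque)  # per-source-ip timestamps of 31102 matches
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or pattern not in ev["request"]:
            continue
        # Rule 31102: a single HEAD /doc/ request, level 5.
        alerts.append((5, 31102, ev["ip"], ev["ts"]))
        window = recent[ev["ip"]]
        window.append(ev["ts"])
        # Drop earlier matches that fell outside the timeframe.
        while ev["ts"] - window[0] > timedelta(seconds=timeframe):
            window.popleft()
        if len(window) >= frequency:
            # Rule 31103: repeated HEAD /doc/ from one source, level 10.
            alerts.append((10, 31103, ev["ip"], ev["ts"]))
            window.clear()  # start a fresh window once the composite fires
    return alerts


if __name__ == "__main__":
    for level, rule_id, ip, ts in correlate(SAMPLE_LOG.splitlines()):
        print(f"level={level} rule={rule_id} srcip={ip} at {ts.isoformat()}")
```

On the sample input, 203.0.113.7 sends three HEAD /doc/ requests within 28 seconds, so the fourth log line yields a level-10 alert; the later request at 15:05:30 starts a new window and stays at level 5. Shrinking `timeframe` to 20 seconds keeps every request at level 5, which is the behaviour of the single rule in the original post: without `frequency` and `timeframe` there is nothing to count, so a rule can only ever judge one request at a time.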
On 5/10/07, vasek adamec <[EMAIL PROTECTED]> wrote:
Hello, I am trying to monitor "HEAD" requests to my webpage; in the log it looks like
this:
xxx.xxx.xxx.xxx - - [10/May/2007:15:03:12 +0200] "HEAD /doc/....
Is it possible to send an alert when multiple accesses via HEAD request are made?
I tried this easy filter but it seems not to work:
<group name="web-accesslog">
  <rule id="3100" level="0">
    <decoded_as>web-accesslog</decoded_as>
    <category>web-log</category>
    <description>Access log messages grouped.</description>
  </rule>
  <rule id="31102" level="10">
    <if_sid>3100</if_sid>
    <same_source_ip />
    <match>HEAD /doc/</match>
    <description>Multiple HEAD web attacks</description>
  </rule>
Can anybody help? Thanks a lot
Vasek A.