Hi Dale,

Your solution should work perfectly (I just tried it here actually). One thing I would suggest is to add these rules to local_rules.xml and use a valid local id (>100,000), otherwise you may lose your work during the upgrade process.

Btw, some applications use HEAD before issuing their GET requests, so you can have some false positives in there.

What about adding these rules to the wiki FAQ? It is a good example on how to write them and other people may be interested.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 5/10/07, List Subscriptions <[EMAIL PROTECTED]> wrote:
>
> I think you'll want to break this into 2 separate rules. One for the
> HEAD match and a second for multiple matches. For multiple match
> rules I believe you need to set the frequency and timeframe as well as
> using if_matched_sid rather than if_sid. Try the following:
>
> <rule id="31102" level="5">
>   <if_sid>3100</if_sid>
>   <match>HEAD /doc/</match>
>   <description>Possible HEAD web attack</description>
> </rule>
>
> <rule id="31103" level="10" frequency="3" timeframe="60">
>   <if_matched_sid>31102</if_matched_sid>
>   <same_source_ip />
>   <description>Multiple HEAD web attacks</description>
> </rule>
>
> I'm still kind of new to OSSEC but I believe the above rule will work.
>
> -Dale
>
> On 5/10/07, vasek adamec <[EMAIL PROTECTED]> wrote:
> > Hello, I am trying to monitor "HEAD" requests to my webpage; in the log they look like
> > this:
> > xxx.xxx.xxx.xxx - - [10/May/2007:15:03:12 +0200] "HEAD /doc/....
> > Is it possible to send an alert when multiple accesses via HEAD request are made?
> > I tried this easy filter but it seems not to work:
> >
> > <group name="web-accesslog">
> >   <rule id="3100" level="0">
> >     <decoded_as>web-accesslog</decoded_as>
> >     <category>web-log</category>
> >     <description>Access log messages grouped.</description>
> >   </rule>
> >
> >   <rule id="31102" level="10">
> >     <if_sid>3100</if_sid>
> >     <same_source_ip />
> >     <match>HEAD /doc/</match>
> >     <description>Multiple HEAD web attacks</description>
> >   </rule>
> > </group>
> >
> > Can anybody help? Thanks a lot
> >
> > Vasek A.
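Added example, not code from the thread or from OSSEC itself: a small Python model of how the two-rule pair Dale posted behaves (31102 on each "HEAD /doc/" hit, 31103 once the same source IP produces `frequency` hits inside `timeframe` seconds), run over constructed access-log lines with placeholder IPs. It is a simplified model of the counting semantics, not OSSEC's own implementation.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines (placeholder IPs), not from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [10/May/2007:15:03:12 +0200] "HEAD /doc/index.html HTTP/1.1" 200 0
192.0.2.10 - - [10/May/2007:15:03:20 +0200] "HEAD /doc/admin/ HTTP/1.1" 404 0
192.0.2.99 - - [10/May/2007:15:03:25 +0200] "GET /doc/index.html HTTP/1.1" 200 512
192.0.2.10 - - [10/May/2007:15:03:40 +0200] "HEAD /doc/private/ HTTP/1.1" 403 0
192.0.2.55 - - [10/May/2007:15:06:00 +0200] "HEAD /doc/ HTTP/1.1" 200 0
192.0.2.55 - - [10/May/2007:15:08:30 +0200] "HEAD /doc/ HTTP/1.1" 200 0
"""

# Minimal common-log-format parser: source IP, timestamp, request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
FREQUENCY, TIMEFRAME = 3, 60   # values from rule 31103 in the thread


def parse(line):
    """Return (ip, timestamp, request) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")


def correlate(log_text):
    """Return (rule_id, level, ip) alerts in log order, modelling 31102/31103."""
    alerts = []
    hits = defaultdict(deque)        # source ip -> timestamps of 31102 matches
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None or "HEAD /doc/" not in parsed[2]:
            continue                 # rule 3100 only groups; nothing fires
        ip, ts, _ = parsed
        alerts.append((31102, 5, ip))            # single HEAD match, level 5
        window = hits[ip]                        # same_source_ip: per-IP window
        window.append(ts)
        while (ts - window[0]).total_seconds() > TIMEFRAME:
            window.popleft()                     # drop hits older than timeframe
        if len(window) >= FREQUENCY:             # simplified frequency model
            alerts.append((31103, 10, ip))       # multiple HEAD matches, level 10
            window.clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Only 192.0.2.10 reaches three hits within 60 seconds; 192.0.2.55's two hits are 150 seconds apart, so the window expires and only 31102 fires for it.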
