Hi - I just installed OSSEC a day ago, and so far am loving it. I thought of something I would really like to be able to accomplish with it. I have a blog which is constantly being hit by spammers who want to sign up for a blog so they can link back to people who're paying them for links. There's no reason for a single IP to access the file called wp-signup.php more than once. If they're doing it at all, they're probably spamming. If they're using curl, it's 100% certain they're spamming.
How would a rule look that would block an IP for being in the access_log, matching "curl" and "wp-signup.php" even once? Is it possible to block that IP for longer than the customary 10 minutes? Here's a recent entry from the log as an example.

202.156.14.74 - - [25/Feb/2009:23:25:34 -0500] "POST /wp-signup.php HTTP/1.1" 200 7036 "-" "curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3"
202.156.14.74 - - [25/Feb/2009:23:25:36 -0500] "GET /wp-signup.php HTTP/1.1" 200 9736 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
202.156.14.74 - - [25/Feb/2009:23:25:37 -0500] "POST /wp-signup.php HTTP/1.1" 200 9169 "-" "curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3"

I would very much appreciate any help I can get with this. Since 4:00 this morning, there have been 1792 spammers signing up for blogs and it's making me crazy, having to delete these.

Thanks,
Beth
healthblogs.org
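An added example (not part of the original post) of one way to express what the question asks for: a local OSSEC rule that fires on a single access-log line whose URL is wp-signup.php and whose user agent contains "curl/", paired with an active response whose timeout is set longer than the default 600 seconds. The rule id 100100 and the 86400-second timeout are assumptions chosen for illustration; 31100 is OSSEC's stock "access log messages grouped" parent rule.

```xml
<!-- Part 1: goes in rules/local_rules.xml.
     Rule id 100100 is an assumed value inside the 100000-119999 range
     reserved for local rules; pick any unused id in that range. -->
<group name="web,accesslog,">
  <rule id="100100" level="10">
    <!-- Only consider lines already decoded as web access-log entries -->
    <if_sid>31100</if_sid>
    <!-- <url> is compared against the request path the decoder extracted -->
    <url>wp-signup.php</url>
    <!-- The user agent is not a decoded field, so <match> scans the whole
         line; "curl/" matches the sample line's "curl/7.18.2 ..." agent and
         does not match the MSIE line between the two curl requests -->
    <match>curl/</match>
    <description>curl client posting to wp-signup.php (blog signup spam)</description>
  </rule>
</group>

<!-- Part 2: goes inside <ossec_config> in ossec.conf.
     The firewall-drop command ships with OSSEC; the <timeout> value
     (86400 = 24 hours) is an assumed example replacing the default 600. -->
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <!-- Trigger on this rule id alone, so one matching line is enough -->
  <rules_id>100100</rules_id>
  <timeout>86400</timeout>
</active-response>
```

After editing, restart OSSEC and confirm the rule matches by feeding the sample line to /var/ossec/bin/ossec-logtest before trusting it to block; a typo in <match> blocks nothing, while an over-broad one blocks legitimate clients for a full day.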
