Greetings Beth:
Rules for blocking these spammers might look like this (untested):
<rule id="100000" level="3">
  <match>wp-signup.php</match>
  <description>wp-signup.php request</description>
</rule>

<rule id="100001" level="10" frequency="4" timeframe="600">
  <if_matched_sid>100000</if_matched_sid>
  <same_source_ip />
  <group>spam,</group>
  <description>Multiple wp-signup.php requests from the same IP</description>
</rule>
This will fire a level 10 alert for the same IP requesting your
wp-signup.php page 4 times in 600 seconds (10 min). You could probably
make this more specific using the <decoded_as> tag as well.
For blocking an IP using curl, you might try this:
<rule id="100002" level="10">
  <!-- if_sid (not if_matched_sid) chains a plain match to rule 100000 on the same log line;
       if_matched_sid is only for composite rules that carry frequency/timeframe -->
  <if_sid>100000</if_sid>
  <match>curl</match>
  <options>no_log</options>
  <group>spam,</group>
  <description>Request for wp-signup.php via curl.</description>
</rule>
The no_log option will keep OSSEC from telling you every time it
blocks a spammer using curl.
I might also suggest blocking the curl useragent at the webserver
level to save some resources.
For blocking the offending IP for longer than 10 minutes, have a look
at the custom active responses page in the wiki:
http://www.ossec.net/main/manual/manual-active-responses/ and
particularly look at the <rules_id> tag to fire your response only for
specific rules, 100001 and 100002 in this case. You can copy one of the
existing active responses and make a new one with a different timeout.
Hope that helps.
On Feb 25, 2009, at 8:33 PM, NCUB wrote:
>
> Hi -
>
> I just installed OSSEC a day ago, and so far am loving it. I thought
> of something I would really like to be able to accomplish with it. I
> have a blog which is constantly being hit by spammers who want to sign
> up for a blog so they can link back to people who're paying them for
> links. There's no reason for a single IP to access the file called
> wp-signup.php more than once. If they're doing it at all, they're
> probably spamming. If they're using curl, it's 100% certain they're
> spamming.
>
> How would a rule look that would block an IP for being in the
> access_log, matching "curl" and "wp-signup.php" even once? Is it
> possible to block that IP for longer than the customary 10 minutes?
>
> Here's a recent entry from the log as an example.
>
> 202.156.14.74 - - [25/Feb/2009:23:25:34 -0500] "POST /wp-signup.php HTTP/1.1" 200 7036 "-" "curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3"
> 202.156.14.74 - - [25/Feb/2009:23:25:36 -0500] "GET /wp-signup.php HTTP/1.1" 200 9736 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
> 202.156.14.74 - - [25/Feb/2009:23:25:37 -0500] "POST /wp-signup.php HTTP/1.1" 200 9169 "-" "curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3"
>
> I would very much appreciate any help I can get with this. Since 4:00
> this morning, there have been 1792 spammers signing up for blogs and
> it's making me crazy, having to delete these.
>
> Thanks,
> Beth
> healthblogs.org
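As an added illustration (not OSSEC code and not part of either message above), the script below replays the logic of the three rules in the reply against constructed Apache access-log lines: rule 100002 fires on any wp-signup.php request whose user agent contains "curl", and rule 100001 fires when one IP hits wp-signup.php `frequency` times within `timeframe` seconds. The IP addresses, timestamps and the counter reset after a 100001 alert are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format, as in Beth's access_log excerpt.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def classify(lines, frequency=4, timeframe=600):
    """Emit (rule_id, ip) tuples mimicking rules 100000/100001/100002."""
    alerts = []
    hits = defaultdict(list)      # ip -> timestamps of rule-100000 matches
    for line in lines:
        rec = parse(line)
        if rec is None or "wp-signup.php" not in rec["req"]:
            continue              # rule 100000 did not match this line
        ip, ts = rec["ip"], rec["ts"]
        if "curl" in rec["ua"]:   # OSSEC <match>curl</match> scans the whole line
            alerts.append((100002, ip))
        window = [t for t in hits[ip] if (ts - t).total_seconds() <= timeframe]
        window.append(ts)
        hits[ip] = window
        if len(window) >= frequency:
            alerts.append((100001, ip))
            hits[ip] = []         # assumption: reset so one burst yields one alert
    return alerts

# Constructed sample log (TEST-NET addresses), modelled on the thread's excerpt.
UA_CURL = '"curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3"'
UA_MSIE = '"Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"'
SAMPLE_LOG = [
    f'203.0.113.7 - - [25/Feb/2009:23:25:34 -0500] "POST /wp-signup.php HTTP/1.1" 200 7036 "-" {UA_CURL}',
    f'203.0.113.7 - - [25/Feb/2009:23:25:36 -0500] "GET /wp-signup.php HTTP/1.1" 200 9736 "-" {UA_MSIE}',
    f'203.0.113.7 - - [25/Feb/2009:23:25:37 -0500] "POST /wp-signup.php HTTP/1.1" 200 9169 "-" {UA_CURL}',
    f'198.51.100.9 - - [25/Feb/2009:23:25:38 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" {UA_MSIE}',
    f'203.0.113.7 - - [25/Feb/2009:23:25:40 -0500] "GET /wp-signup.php HTTP/1.1" 200 9736 "-" {UA_MSIE}',
    f'203.0.113.7 - - [25/Feb/2009:23:25:41 -0500] "POST /wp-signup.php HTTP/1.1" 200 9169 "-" {UA_CURL}',
]

if __name__ == "__main__":
    for rule_id, ip in classify(SAMPLE_LOG):
        print(rule_id, ip)
```

Lowering `frequency` or `timeframe` in the `classify` call shows how the same traffic maps onto a tighter or looser version of rule 100001.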