I don't use Apache; hope these are helpful comments. I am using OSSEC to monitor some hosts for CMS management calls and alert a client when certain features are managed.

I've looked at blocking abusive SQL injection worms by keying on user agents like 'nv32ts', but my blocking setup isn't up to speed yet; I'd rather do that at an application firewall. I am also watching for a certain user agent, 'pscrape', to alert a client when this tool is used against their site. We considered using OSSEC to determine if a user was 'hammering' refresh on certain pages and briefly block them, but decided not to pursue it.

Rick, who humbly apologizes for the corporate disclaimer.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of jplee3
Sent: Wednesday, January 20, 2010 7:05 PM
To: ossec-list
Subject: [ossec-list] httpd_access logs?

Hey all,

Just wondering if anyone is using OSSEC to analyze their httpd_access logs. If so, can you share what the intention is and how (if it's not too secretive!)? Right now, a majority of the rules are set up to trigger against the httpd error logs. I'm looking for ways to identify people who are trying to abuse the webapp or backend DB, not necessarily those accessing invalid pages or trying to cross-site script etc. This goes more along the lines of people who are trying to automate/crawl/spider sites. Wondering if anyone out there has used OSSEC to help detect and even prevent this sort of behavior. Ideas? I posted another thread with similar intent. I guess this is a bit more specific :)
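As an added illustration (not code from Rick, jplee3 or the OSSEC project), here is a small Python detector that does, over a handful of constructed Apache combined-format access-log lines, what the two messages above discuss: it flags hits whose user agent contains a watched string such as 'nv32ts' or 'pscrape', and flags a client that hammers refresh on one path more than five times within ten seconds. The log format, thresholds, IP addresses and sample lines are assumptions for the example, not anything taken from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" LogFormat (assumed; adjust the regex if your LogFormat differs).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
UA_WATCHLIST = ("nv32ts", "pscrape")      # user-agent substrings named in the thread
HAMMER_MAX, HAMMER_WINDOW = 5, 10         # > 5 hits on one path from one IP within 10 s

def parse(line):
    """Split one access-log line into ip, timestamp, request path and user agent (None if unparseable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["path"] = e["req"].split(" ")[1] if e["req"].count(" ") >= 1 else e["req"]
    return e

def analyze(lines):
    """Return (kind, ip, detail) alerts: 'watched-ua' per matching hit, 'hammering' once per ip/path."""
    alerts, recent, flagged = [], defaultdict(deque), set()
    for line in lines:
        e = parse(line)
        if e is None:
            continue
        if any(bad in e["ua"].lower() for bad in UA_WATCHLIST):
            alerts.append(("watched-ua", e["ip"], e["ua"]))
        key = (e["ip"], e["path"])
        q = recent[key]
        q.append(e["ts"])
        while (q[-1] - q[0]).total_seconds() > HAMMER_WINDOW:   # drop hits outside the window
            q.popleft()
        if len(q) > HAMMER_MAX and key not in flagged:
            flagged.add(key)
            alerts.append(("hammering", e["ip"], e["path"]))
    return alerts

# Constructed sample lines (not real traffic): worm UA, scraper UA, normal visitor, one client hitting /news six times in 6 s.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jan/2010:19:05:00 -0500] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (nv32ts)"',
    '203.0.113.6 - - [20/Jan/2010:19:05:01 -0500] "GET /about HTTP/1.1" 200 512 "-" "pscrape/1.0"',
    '192.0.2.7 - - [20/Jan/2010:19:05:02 -0500] "GET /news HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
] + [f'198.51.100.9 - - [20/Jan/2010:19:05:{s:02d} -0500] "GET /news HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
     for s in range(10, 16)]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The same two checks map naturally onto OSSEC: a rule matching the user-agent string in the access log for the first, and a frequency/timeframe rule keyed on source IP and URL for the second.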
