Thanks for the reply Rick! I think it would be hard to configure OSSEC in this way. Essentially, as you said, a WAF/app firewall would be better at this. Would be *very* interesting if OSSEC were to branch out into this area of course :)
Glad that there are at least OSSEC rules for triggering on ModSecurity alerts though. That has been an indispensable help in getting a quick notice on malicious web users and spammers.

On Jan 21, 9:38 am, "McClinton, Rick" <[email protected]> wrote:
> I don't use apache, hope these are helpful comments.
>
> I am using OSSEC to monitor some hosts for CMS management calls and alert a
> client when certain features are managed.
>
> I've looked at blocking abusive sql injection worms by keying on user agents
> like 'nv32ts' but my blocking setup isn't up to speed yet, I'd rather do that
> at an application firewall. I am also watching for a certain user agent
> 'pscrape' to alert a client when this tool is used against their site.
>
> We considered using OSSEC to determine if a user was 'hammering' refresh on
> certain pages and briefly block them, but decided not to pursue it.
>
> Rick, who humbly apologizes for the corporate disclaimer.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of jplee3
> Sent: Wednesday, January 20, 2010 7:05 PM
> To: ossec-list
> Subject: [ossec-list] httpd_access logs?
>
> Hey all,
>
> Just wondering if anyone is using OSSEC to analyze their httpd_access
> logs. If so, can you share what the intention is and how (if it's not
> too secretive!)?
>
> Right now, a majority of the rules are setup to trigger against the
> httpd error logs.
>
> I'm looking for ways to identify people who are trying to abuse the
> webapp or backend DB, not necessarily those accessing invalid pages or
> trying to cross-site script etc. This goes more along the lines of
> people who are trying to automate/crawl/spider sites. Wondering if
> anyone out there has used OSSEC to help detect and even prevent this
> sort of behavior.
>
> Ideas? I posted another thread with similar intent. I guess this is a
> bit more specific :)
>
> This message contains TMA Resources confidential information and is intended
> only for the individual named. If you are not the named addressee you should
> not disseminate, distribute or copy this e-mail. Please notify the sender
> immediately by e-mail if you have received this e-mail by mistake and delete
> this e-mail from your system. E-mail transmission cannot be guaranteed to be
> secure or error-free as information could be intercepted, corrupted, lost,
> destroyed, arrive late or incomplete, or contain viruses. The sender
> therefore does not accept liability for any errors or omissions in the
> contents of this message which arise as a result of e-mail transmission. If
> verification is required please request a hard-copy version.
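As an added example (not code from this thread or from the OSSEC project), here is the access-log detection logic the thread circles around, written in plain Python and run over constructed combined-format log lines: a watch-list match on the User-Agent substrings Rick mentions (`nv32ts`, `pscrape`) plus a per-source-IP, per-URL sliding-window count that flags the "hammering refresh" case he describes. The watch-list, the thresholds, the RFC 5737 addresses and the sample lines are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Hypothetical watch-list of User-Agent substrings, taken from the thread.
# In practice you would populate it from abusive clients you have actually seen.
BAD_AGENT_SUBSTRINGS = ("nv32ts", "pscrape")


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it
    does not parse (count these rather than silently dropping them)."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def bad_agent(rec):
    """Return the watch-list substring found in the User-Agent, or None."""
    agent = rec["agent"].lower()
    return next((s for s in BAD_AGENT_SUBSTRINGS if s in agent), None)


class RefreshHammerDetector:
    """Sliding-window rate check: alert once when a single source IP requests
    the same URL more than `threshold` times within `window_seconds`.
    This is the same logic an OSSEC frequency/timeframe rule with
    <same_source_ip/> applies, done here so thresholds can be tuned offline."""

    def __init__(self, threshold=10, window_seconds=60):
        self.threshold = threshold
        self.window_seconds = window_seconds
        self.hits = defaultdict(deque)   # (ip, url) -> timestamps inside window
        self.alerted = set()

    def observe(self, rec):
        key = (rec["ip"], rec["url"])
        q = self.hits[key]
        q.append(rec["time"])
        # Evict timestamps that fell out of the window relative to this hit.
        while q and (rec["time"] - q[0]).total_seconds() > self.window_seconds:
            q.popleft()
        if len(q) > self.threshold and key not in self.alerted:
            self.alerted.add(key)
            return key
        return None


def analyze(lines, threshold=10, window_seconds=60):
    """Run both checks over an iterable of access-log lines."""
    hammer = RefreshHammerDetector(threshold, window_seconds)
    result = {"bad_agent": [], "hammer": [], "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            result["unparsed"] += 1
            continue
        s = bad_agent(rec)
        if s:
            result["bad_agent"].append((rec["ip"], s))
        key = hammer.observe(rec)
        if key:
            result["hammer"].append(key)
    return result


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
# 192.0.2.5 has one stale hit outside the window, then 13 hits in 13 seconds.
SAMPLE_LOG = [
    '192.0.2.5 - - [21/Jan/2010:09:36:00 -0500] "GET /reports/daily HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Jan/2010:09:38:01 -0500] "GET /index.php?id=1 HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; nv32ts)"',
    '198.51.100.9 - - [21/Jan/2010:09:38:02 -0500] "GET /news.php HTTP/1.1" 200 2048 "-" "pscrape/1.0"',
    'this line is not an access-log record',
] + [
    f'192.0.2.5 - - [21/Jan/2010:09:38:{3 + i:02d} -0500] "GET /reports/daily HTTP/1.1" 200 9001 "-" "Mozilla/5.0"'
    for i in range(13)
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Two caveats worth keeping in mind when turning this into OSSEC local rules (a `<match>` on the User-Agent under the `web-accesslog` decoder for the watch-list, and a `<frequency>`/`<timeframe>` rule with `<same_source_ip/>` for the rate check): the User-Agent is entirely client-controlled, so a watch-list only catches tools that do not bother to lie about themselves, and a rate rule keyed on source IP will also fire on NAT'd offices and proxies, which is why the example evicts by time window and alerts only once per IP/URL pair rather than on every hit over threshold.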
