Hi, I'm using ossec, I never had to add a custom rule until now, so I need help from the community.
I (and I guess I'm not alone...) need to block a specific kind of http request, that looks like this : 87.229.22.22 - - [04/Jul/2010:18:44:53 +0400] "POST /blog-perso%20%20/ contact.php HTTP/1.1" 404 1449 "-" "Casper Bot Search" 87.229.22.22 - - [04/Jul/2010:18:44:53 +0400] "POST /blog-perso%20%20/ contact.php HTTP/1.1" 404 1449 "-" "Casper Bot Search" 87.229.22.22 - - [04/Jul/2010:18:44:53 +0400] "POST /blog-perso%20%20/ contact.php HTTP/1.1" 404 1449 "-" "Casper Bot Search" 87.229.22.22 - - [04/Jul/2010:18:44:53 +0400] "POST /blog-perso%20%20/ contact.php HTTP/1.1" 404 1449 "-" "Casper Bot Search" In fact, the only specific thing about this kind of request (except flooding servers) is the referrer "Casper Bot Search". So what could be the rule to stop that (I only know that this rule should be added in local_rules.xml). Thank you in advance for your help ! - Janiko
