What kind of attacks are they performing against the site? Are they just
flooding it with valid form requests in massive quantities? If so, I'm not
sure how much OSSEC will do, honestly.

Do you have a WAF (Web App Firewall) in place like ModSecurity? Even with
ModSec, if they are submitting *valid* requests (in forms, etc.) it will be
hard to identify. Do you have reCAPTCHA set up?

You might be able to use a combination of different tools and have them
output logs to OSSEC in an effort to pursue an active response.

Many of the canned responses OSSEC has rely on the IP. So if the problem
emanates from a botnet or someone spoofing IPs and changing the IP per
request (or sending thousands of requests across thousands of IPs), then
rate-limiting or blocking on an IP basis won't yield a very effective
solution.


On Wed, Oct 13, 2010 at 10:21 AM, Toby <[email protected]> wrote:

> I'd like to get some input about if any of you use Active Response on
> a public facing web server. If so, then do you tweak the rules, or use
> the default settings? In particular, I have two concerns:
>
> 1. One malicious person or bot behind a NAT could make my web server
> unavailable to everyone else behind the same NAT.
>
> 2. With IP spoofing, a DoS method could be to programmatically attack
> the web server while spoofing perhaps hundreds of thousands of IP
> addresses. Since my web site is specific to my county, it would not be
> difficult for an attacker to limit his spoofs to the IP ranges owned
> by the two most prominent ISPs in the area.
>
> Thanks,
> Toby
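To make the point about IP-based responses concrete, here is an added Python example (written for this page; it is not code from the thread or from the OSSEC project). It runs a per-source-IP threshold rule, loosely modelled on an OSSEC frequency/timeframe block, over constructed log lines and shows both cases raised above: one abusive client behind a NAT gets the whole gateway address blocked, so the ordinary users sharing it lose access, while the same flood spread thinly across many spoofed addresses never crosses a per-IP threshold at all. The log format, the threshold of 10 requests in 60 seconds, the session identifiers and the addresses are all assumptions chosen for the demonstration, not values from any real ruleset or traffic.

```python
"""Added example, not code from the thread or from OSSEC.

A per-source-IP sliding-window threshold (assumed: 10 events in 60 s), run over
constructed web-server log lines, to show why blocking on IP alone misfires
behind NAT and does nothing against requests spread over many spoofed IPs.
"""
import re
from collections import defaultdict, deque

THRESHOLD = 10   # events from one IP ...
TIMEFRAME = 60   # ... within this many seconds triggers a block (assumed values)

# Constructed log format (not a real server format):
#   <epoch-seconds> <client-ip> <session-id> "<request line>"
LOG_RE = re.compile(r'^(?P<ts>\d+) (?P<ip>\S+) (?P<session>\S+) "(?P<request>[^"]*)"$')


def parse(line):
    """Parse one constructed log line; return (ts, ip, session, request) or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return int(m["ts"]), m["ip"], m["session"], m["request"]


def per_ip_blocks(lines, threshold=THRESHOLD, timeframe=TIMEFRAME):
    """IPs that a sliding-window per-IP rule would block over these lines (in time order)."""
    windows = defaultdict(deque)
    blocked = set()
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, ip, _, _ = parsed
        window = windows[ip]
        window.append(ts)
        # Drop events that have aged out of the timeframe; the event just
        # appended always stays, so the window is never emptied here.
        while ts - window[0] >= timeframe:
            window.popleft()
        if len(window) >= threshold:
            blocked.add(ip)
    return blocked


def sessions_behind(lines, ip):
    """Request count per session id seen from one IP (distinct clients behind a NAT)."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse(line)
        if parsed and parsed[1] == ip:
            counts[parsed[2]] += 1
    return dict(counts)


def nat_case():
    """One abusive browser plus three ordinary users, all behind gateway 203.0.113.10."""
    lines = [f'{1000 + i} 203.0.113.10 sess-bot "POST /form HTTP/1.1"' for i in range(50)]
    for n, sess in enumerate(("sess-a", "sess-b", "sess-c")):
        lines.append(f'{1005 + n} 203.0.113.10 {sess} "GET /index HTTP/1.1"')
        lines.append(f'{1030 + n} 203.0.113.10 {sess} "POST /form HTTP/1.1"')
    lines.sort(key=lambda l: int(l.split()[0]))
    blocked = per_ip_blocks(lines)
    sessions = sessions_behind(lines, "203.0.113.10")
    # Sessions that never came near the threshold but share the blocked address.
    innocent = sorted(s for s, c in sessions.items() if c < THRESHOLD)
    return {"blocked": blocked, "innocent_sessions_cut_off": innocent}


def spoofed_case(n_ips=200, per_ip=3):
    """The same form flooded from many distinct source addresses, each below the threshold."""
    lines = [f'{1000 + k} 198.51.100.{i} spoof-{i} "POST /form HTTP/1.1"'
             for k in range(per_ip) for i in range(1, n_ips + 1)]
    return {"requests": len(lines), "blocked": per_ip_blocks(lines)}


if __name__ == "__main__":
    print(nat_case())       # gateway blocked, three ordinary sessions cut off with it
    print(spoofed_case())   # 600 requests, nothing blocked
```

The NAT case blocks the single gateway address and takes the three ordinary sessions down with the abusive one; the spoofed case pushes 600 form submissions through and triggers nothing, because no individual address reaches the threshold. Both outcomes follow directly from keying the rule on the source IP, which is the limitation the reply describes.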