-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/13/2010 01:48 PM, Michael Starks wrote:
> I use active response and I have found it to be pretty effective. The rule
> that fires off most often is the "multiple 400 from same IP" rule. These
> are always requests for things like phpmyadmin. I also have ossec
> monitoring other security layers on the site, so sometimes ossec blocks
> something at the IP layer that has already been blocked at the application
> layer. Also, one of my colleagues who does pen testing sometimes tests his
> tools on my site. The default ossec rules always block him and cause him to
> curse at me. :)

I get a lot of crazy 400 traffic as well.  One problem I did identify is
that search engines will end up being blocked because of out-of-date
entries.

> Honestly, although IP spoofing is a possibility, in reality I have found
> it to not be a problem. Most responsible ISPs won't allow spoofed IPs to
> leave their network.

I'm of the opinion that OSSEC is not designed, nor intended, to prevent
this type of attack.  In fact, OSSEC is doing exactly what it should
given the incoming data.  If you find that someone is attacking you in
this manner, then the only real solution is to track that traffic down
to the source and have it blocked there.  DDoS is a bit of a pain to handle.

- -- 
- ---------------------------
Jason 'XenoPhage' Frisvold
- ---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- - Niven's Inverse of Clarke's Third Law
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAky2HrgACgkQ8CjzPZyTUTT3CQCgkQDyzh4P8bBZKpGvhLrS2WYP
QuYAni9uFFQUFnMAn8pX6ToxBXnPmh3b
=uAde
-----END PGP SIGNATURE-----
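The rule the thread keeps coming back to, "multiple 400 from the same IP", can be illustrated with a small log-driven detector. The following is an added example, not code from this message, from its author, or from OSSEC itself; the threshold (6 client errors in 60 seconds), the crawler allowlist address and the access log lines are all constructed for the example. It shows the two operational caveats raised above: an allowlist so a known search-engine address is reported but not blocked, and the fact that the decision rests entirely on the client address field as it appears in the log.

```python
"""
Added example: a "multiple 4xx responses from one source IP" detector of the
kind the thread discusses, run over constructed Apache-style access log lines.
Not OSSEC code; thresholds, addresses and log lines are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined-log-style line: client, identd, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed values for this example, not OSSEC's shipped rule settings.
THRESHOLD = 6
WINDOW = timedelta(seconds=60)

# Assumed known search-engine crawler address (RFC 5737 documentation range).
CRAWLER_ALLOWLIST = frozenset({"198.51.100.20"})

# Constructed sample traffic, not a real log: a phpmyadmin probe, a crawler
# hitting stale links, and an ordinary visitor with one missing stylesheet.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Oct/2010:13:40:01 -0400] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Oct/2010:13:40:02 -0400] "GET /pma/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Oct/2010:13:40:02 -0400] "GET /phpMyAdmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Oct/2010:13:40:03 -0400] "GET /mysql/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Oct/2010:13:40:03 -0400] "GET /myadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Oct/2010:13:40:04 -0400] "GET /sqladmin/ HTTP/1.1" 400 209 "-" "Mozilla/5.0"
198.51.100.20 - - [13/Oct/2010:13:41:10 -0400] "GET /old/page1.html HTTP/1.1" 404 209 "-" "ExampleBot/1.0"
198.51.100.20 - - [13/Oct/2010:13:41:11 -0400] "GET /old/page2.html HTTP/1.1" 404 209 "-" "ExampleBot/1.0"
198.51.100.20 - - [13/Oct/2010:13:41:13 -0400] "GET /old/page3.html HTTP/1.1" 404 209 "-" "ExampleBot/1.0"
198.51.100.20 - - [13/Oct/2010:13:41:14 -0400] "GET /old/page4.html HTTP/1.1" 404 209 "-" "ExampleBot/1.0"
198.51.100.20 - - [13/Oct/2010:13:41:16 -0400] "GET /old/page5.html HTTP/1.1" 404 209 "-" "ExampleBot/1.0"
198.51.100.20 - - [13/Oct/2010:13:41:18 -0400] "GET /old/page6.html HTTP/1.1" 404 209 "-" "ExampleBot/1.0"
192.0.2.55 - - [13/Oct/2010:13:45:00 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.55 - - [13/Oct/2010:13:45:01 -0400] "GET /missing.css HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""


def parse(text):
    """Return a list of (client_ip, timestamp, status) for each parseable line."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access log line; ignore rather than crash
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        records.append((m.group("ip"), ts, int(m.group("status"))))
    return records


def find_offenders(records, threshold=THRESHOLD, window=WINDOW, allowlist=frozenset()):
    """Return (block, suppressed): client IPs that produced at least `threshold`
    4xx responses within any span of `window`. Allowlisted addresses that trip
    the rule go into `suppressed` instead of `block` so they are never banned."""
    errors_by_ip = defaultdict(list)
    for ip, ts, status in records:
        if 400 <= status < 500:
            errors_by_ip[ip].append(ts)

    block, suppressed = [], []
    for ip, times in errors_by_ip.items():
        times.sort()
        start = 0
        tripped = False
        for end, t in enumerate(times):
            # Advance `start` until times[start..end] all fall inside one window.
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                tripped = True
                break
        if tripped:
            (suppressed if ip in allowlist else block).append(ip)
    return sorted(block), sorted(suppressed)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    to_block, skipped = find_offenders(recs, allowlist=CRAWLER_ALLOWLIST)
    print("block:", to_block)          # the phpmyadmin prober
    print("allowlisted:", skipped)     # the crawler, reported but not blocked
```

The detector, like any log-based active response, takes the logged client address at face value and has no way to judge whether it is the true origin; that is the point made above about spoofing being something to chase down at the network source rather than something the IDS can settle. The allowlist covers the other failure mode mentioned, a crawler following out-of-date links and accumulating 404s until it looks like a scanner.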
