Add <if_sid>31100</if_sid> to your rule.

On Sun, Jun 5, 2011 at 8:02 AM, Rainer <[email protected]> wrote:
> Hi,
>
> I want to block a certain WWW bot called verticalpigeon; it is known
> to scan for Joomla! installations. You can also trigger it through the
> website manually. But the nice thing is, it says
> who it is:
>
>  66.103.61.161 - - [05/Jun/2011:09:44:59 +0200]
> "GET /index2.php?option=com_docman HTTP/1.0" 404 1928
> "http://verticalpigeon.com/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows
> NT 5.1; http://verticalpigeon.com/)"
>
> So I thought I could block that bot after the first time it accesses
> a website by just adding a rule matching the string
> "http://verticalpigeon.com/"
>
> The rule I created is: (local_rules.xml)
>
> <rule id="100034" level="8">
>    <match>http://verticalpigeon.com</match>
>    <options>alert_by_email</options>
>    <description>joomla scanner</description>
>    <group>attacks,</group>
> </rule>
>
> But it just doesn't work.
> Apache access_log and error_log are decoded fine.
> As far as I understood, I don't need to escape : and / in the rule
> above. What did I miss?
>
> thanks.
>
>
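
The rule from the question with the `<if_sid>` from the reply applied, as an added example that is not part of the original thread. It assumes rule 31100 is the web access log parent rule from OSSEC's stock web_rules.xml; the `<group name="local,">` wrapper, the active-response stanza that uses the stock `firewall-drop` command, and the 600 second timeout are assumptions added here to cover the stated goal of blocking the source address.

```xml
<!-- local_rules.xml -->
<group name="local,">
  <rule id="100034" level="8">
    <!-- Chain under the web access log parent rule so this rule is only
         evaluated for events already decoded as web access log lines. -->
    <if_sid>31100</if_sid>
    <!-- Plain substring match against the log line; ':' and '/' need no escaping. -->
    <match>http://verticalpigeon.com</match>
    <options>alert_by_email</options>
    <description>joomla scanner</description>
    <group>attacks,</group>
  </rule>
</group>

<!-- ossec.conf (assumption: active response is enabled and the stock
     firewall-drop command definition is present) -->
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <!-- Run on the agent that reported the event. -->
    <location>local</location>
    <!-- Trigger only for the rule defined above. -->
    <rules_id>100034</rules_id>
    <!-- Constructed value: remove the block after 600 seconds. -->
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

To check the rule before restarting OSSEC, paste the access log line from the question into `/var/ossec/bin/ossec-logtest` and confirm that rule 100034 is the one reported.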
