31100 probably won't be triggered often, 31108 seems much more likely.
On Wed, Jun 8, 2011 at 2:38 PM, Jason 'XenoPhage' Frisvold <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi all,
>
> I'm trying to put together a rudimentary anti-DDoS rule in OSSEC and I
> could use a hand .. Basically, I'm looking to block anyone who
> excessively hits a web server. This is what I have thus far :
>
> <rule id="131105" level="10" frequency="500" timeframe="60">
>   <if_matched_sid>31100</if_matched_sid>
>   <same_source_ip />
>   <description>Excessive access, Temporary block</description>
> </rule>
>
> This seems to be correct, but I can't get it to trigger with
> ossec-logtest .. Any tips?
>
> Thanks,
>
> - --
> - ---------------------------
> Jason 'XenoPhage' Frisvold
> [email protected]
> - ---------------------------
> "Any sufficiently advanced magic is indistinguishable from technology."
> - - Niven's Inverse of Clarke's Third Law
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk3vwbEACgkQ8CjzPZyTUTQqtACgj8Ljlxnsdj9+Asy6y7Dr8zBN
> xhEAn3vQ21eiqKTN9YuX40wUmwrb1KgY
> =uLr0
> -----END PGP SIGNATURE-----
>
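
An added example, not part of the thread and not OSSEC code: a per-source sliding-window count over an Apache access log, approximating what `frequency="500" timeframe="60"` with `same_source_ip` is meant to express, so the threshold can be checked against real traffic before it drives a block. OSSEC's own counting may differ in detail; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/NCSA access log prefix: client IP, [timestamp], "request", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def excessive_sources(lines, frequency=500, timeframe=60):
    """Map each source IP to the first time it exceeded `frequency`
    requests within `timeframe` seconds (sliding window per IP)."""
    span = timedelta(seconds=timeframe)
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line; skip it
        ip, when = m.group(1), datetime.strptime(m.group(2), TS_FMT)
        q = windows[ip]
        q.append(when)
        while when - q[0] > span:  # drop hits older than the window
            q.popleft()
        if len(q) > frequency:
            flagged.setdefault(ip, when)
    return flagged

def constructed_sample():
    """Constructed log lines: one noisy client, one ordinary client."""
    base = datetime(2011, 6, 8, 14, 0, 0, tzinfo=timezone.utc)
    fmt = '{} - - [{}] "GET /index.html HTTP/1.1" 200 512'
    lines = []
    for i in range(600):  # 192.0.2.10: 20 requests per second for 30 s
        ts = base + timedelta(seconds=i // 20)
        lines.append(fmt.format("192.0.2.10", ts.strftime(TS_FMT)))
    for i in range(600):  # 198.51.100.7: 1 request per second for 10 min
        ts = base + timedelta(seconds=i)
        lines.append(fmt.format("198.51.100.7", ts.strftime(TS_FMT)))
    return lines

if __name__ == "__main__":
    for ip, when in excessive_sources(constructed_sample()).items():
        print(f"{ip} exceeded 500 requests/60s at {when.isoformat()}")
```

Passing the lines of a real access log instead of the constructed sample shows which clients would have crossed the threshold, which helps catch proxies or monitoring hosts that a temporary block would hit.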
