But rule 31100 is a silent dependency on which 31108 depends. I think his rule is looking for any sort of repetition in the web logs with the same source IP, regardless of the alert message, right?
On Fri, Jun 10, 2011 at 11:01 AM, dan (ddp) <[email protected]> wrote:
> 31100 probably won't be triggered often, 31108 seems much more likely.
>
> On Wed, Jun 8, 2011 at 2:38 PM, Jason 'XenoPhage' Frisvold
> <[email protected]> wrote:
> > Hi all,
> >
> > I'm trying to put together a rudimentary anti-DDoS rule in OSSEC and I
> > could use a hand .. Basically, I'm looking to block anyone who
> > excessively hits a web server. This is what I have thus far :
> >
> > <rule id="131105" level="10" frequency="500" timeframe="60">
> >   <if_matched_sid>31100</if_matched_sid>
> >   <same_source_ip />
> >   <description>Excessive access, Temporary block</description>
> > </rule>
> >
> > This seems to be correct, but I can't get it to trigger with
> > ossec-logtest .. Any tips?
> >
> > Thanks,
> >
> > --
> > ---------------------------
> > Jason 'XenoPhage' Frisvold
> > [email protected]
> > ---------------------------
> > "Any sufficiently advanced magic is indistinguishable from technology."
> > - Niven's Inverse of Clarke's Third Law
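The point dan is making, as an added worked example that is not part of the thread and not OSSEC's own code: in OSSEC's rule tree the most specific matching child is the rule recorded as fired, so a composite rule with `<if_matched_sid>31100</if_matched_sid>` only counts lines that no child of 31100 claimed. The model below assumes that precedence behaviour, assumes 31108 claims 2xx/3xx access-log lines and 31101 claims 4xx lines (the sids are from the thread and OSSEC's web_rules.xml; anything else falls back to the parent), uses a simplified sliding window for `frequency`/`timeframe` (OSSEC's real counter differs in detail), and feeds constructed combined-format log lines. It keeps the 500-in-60-seconds threshold from the posted rule.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined access-log format, the shape OSSEC's apache decoder parses.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_access_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["ts"], TS_FMT)
    return ev


def fired_sid(event):
    """Return the sid recorded as fired for an access-log event.

    Assumed rule-tree behaviour: 31100 is the parent every access-log line
    matches, but when a child (31108 for 2xx/3xx, 31101 for 4xx) also
    matches, the child is the rule that fires, not the parent.
    """
    first = event["status"][0]
    if first in "23":
        return 31108
    if first == "4":
        return 31101
    return 31100  # no modelled child matched, so the parent fires


class FrequencyRule:
    """Composite rule: <if_matched_sid>, frequency, timeframe, <same_source_ip/>."""

    def __init__(self, rule_id, if_matched_sid, frequency, timeframe, same_source_ip=True):
        self.rule_id = rule_id
        self.if_matched_sid = if_matched_sid
        self.frequency = frequency
        self.window = timedelta(seconds=timeframe)
        self.same_source_ip = same_source_ip
        self.seen = defaultdict(deque)  # key -> event times still inside the window

    def feed(self, event, sid):
        """Feed one fired event; return True when this composite rule fires."""
        if sid != self.if_matched_sid:
            return False  # a different rule fired, the composite never sees it
        key = event["ip"] if self.same_source_ip else "*"
        q = self.seen[key]
        q.append(event["time"])
        while q and event["time"] - q[0] > self.window:
            q.popleft()  # drop events that aged out of the timeframe
        if len(q) >= self.frequency:
            q.clear()  # simplification: reset the counter once the rule fires
            return True
        return False


def run(lines, rule):
    """Push log lines through the tree and the composite rule; return alerts."""
    alerts = []
    for line in lines:
        ev = parse_access_line(line)
        if ev is None:
            continue
        if rule.feed(ev, fired_sid(ev)):
            alerts.append((rule.rule_id, ev["ip"], ev["time"]))
    return alerts


def constructed_lines(ip, count, status="200", spacing=0.1):
    """Constructed sample: `count` requests from `ip`, `spacing` seconds apart."""
    start = datetime(2011, 6, 8, 14, 38, tzinfo=timezone.utc)
    return [
        f'{ip} - - [{(start + timedelta(seconds=i * spacing)).strftime(TS_FMT)}] '
        f'"GET /index.html HTTP/1.1" {status} 512'
        for i in range(count)
    ]


def demo():
    """One host sending 600 requests in a minute, and two hosts sending 300 each."""
    flood = constructed_lines("10.0.0.5", 600)
    a, b = constructed_lines("10.0.0.6", 300), constructed_lines("10.0.0.7", 300)
    split = [line for pair in zip(a, b) for line in pair]  # chronological interleave
    return {
        "as_posted_31100": run(flood, FrequencyRule(131105, 31100, 500, 60)),
        "keyed_on_31108": run(flood, FrequencyRule(131105, 31108, 500, 60)),
        "split_same_ip": run(split, FrequencyRule(131105, 31108, 500, 60)),
        "split_any_ip": run(split, FrequencyRule(131105, 31108, 500, 60, same_source_ip=False)),
    }


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(f"{name}: {len(alerts)} alert(s)")
```

Running `demo()` shows the two halves of the thread: the rule exactly as posted never fires on a flood of successful requests because every line is claimed by 31108, while the same rule keyed on 31108 fires once the 500th request from `10.0.0.5` lands inside the window. The split case shows what `<same_source_ip />` buys you: two hosts at 300 requests each stay silent, and only dropping that condition makes the combined traffic count.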
