Hi Jeremy,

On Fri, Jun 10, 2011 at 2:19 PM, Jeremy Lee <[email protected]> wrote:
> But rule 31100 is a silent dependency on which 31108 depends. I think his
> rule is looking for any sort of repetition in the web logs with the same
> source IP, regardless of the alert message, right?
>

If 31108 is triggered, 31100 is not.

> On Fri, Jun 10, 2011 at 11:01 AM, dan (ddp) <[email protected]> wrote:
>>
>> 31100 probably won't be triggered often, 31108 seems much more likely.
>>
>> On Wed, Jun 8, 2011 at 2:38 PM, Jason 'XenoPhage' Frisvold
>> <[email protected]> wrote:
>> > Hi all,
>> >
>> > I'm trying to put together a rudimentary anti-DDoS rule in OSSEC and I
>> > could use a hand. Basically, I'm looking to block anyone who
>> > excessively hits a web server. This is what I have thus far:
>> >
>> > <rule id="131105" level="10" frequency="500" timeframe="60">
>> >   <if_matched_sid>31100</if_matched_sid>
>> >   <same_source_ip />
>> >   <description>Excessive access, Temporary block</description>
>> > </rule>
>> >
>> > This seems to be correct, but I can't get it to trigger with
>> > ossec-logtest. Any tips?
>> >
>> > Thanks,
>> >
>> > --
>> > ---------------------------
>> > Jason 'XenoPhage' Frisvold
>> > [email protected]
>> > ---------------------------
>> > "Any sufficiently advanced magic is indistinguishable from technology."
>> > - Niven's Inverse of Clarke's Third Law
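The point the replies make, that a composite rule only counts events for the rule id that actually fired and that the parent 31100 does not fire when its child 31108 does, can be checked with a small model of the frequency/timeframe/same_source_ip mechanics. The following is an added example written for this thread; it is not OSSEC code and not code posted by anyone in the thread. It takes the rule from the original post as-is, builds a second copy keyed on 31108 (taken from the replies as the rule that fires for ordinary requests), and runs both over constructed web-log events. The sliding-window and reset-after-alert behaviour is a simplification for illustration, not a description of ossec-analysisd internals, and the event data is constructed, not real logs.

```python
"""Simplified model of an OSSEC composite (frequency) rule.

Added example, not OSSEC code. It models only what the thread is about:
a rule with <if_matched_sid>, frequency, timeframe and <same_source_ip/>
fires once the named rule id has fired `frequency` times from one source
IP inside `timeframe` seconds. Each event carries the single rule id that
fired for that log line (the most specific matching child), which is why
a composite keyed on 31100 never counts lines that matched 31108.
Window handling and the reset after an alert are simplifications.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

# The rule from the original post, keyed on the parent web-log rule 31100.
RULE_KEYED_ON_31100 = """
<rule id="131105" level="10" frequency="500" timeframe="60">
  <if_matched_sid>31100</if_matched_sid>
  <same_source_ip />
  <description>Excessive access, Temporary block</description>
</rule>
"""

# Same rule keyed on the child that fires for ordinary requests
# (31108, per the replies in the thread; assumption for this example).
RULE_KEYED_ON_31108 = RULE_KEYED_ON_31100.replace(
    "<if_matched_sid>31100</if_matched_sid>",
    "<if_matched_sid>31108</if_matched_sid>")


def parse_rule(rule_xml):
    """Pull the fields a composite rule needs out of its XML."""
    rule = ET.fromstring(rule_xml.strip())
    return {
        "id": int(rule.get("id")),
        "frequency": int(rule.get("frequency")),
        "timeframe": int(rule.get("timeframe")),
        "if_matched_sid": int(rule.find("if_matched_sid").text),
        "same_source_ip": rule.find("same_source_ip") is not None,
    }


def evaluate(rule_xml, events):
    """Return [(timestamp, src_ip), ...] for each time the rule fires.

    events: iterable of (timestamp_seconds, src_ip, fired_sid) in time
    order, where fired_sid is the one rule id the log line matched.
    """
    rule = parse_rule(rule_xml)
    windows = defaultdict(deque)   # key -> timestamps of qualifying hits
    fired = []
    for ts, src_ip, sid in events:
        if sid != rule["if_matched_sid"]:
            continue               # a hit on 31108 is not a hit on 31100
        key = src_ip if rule["same_source_ip"] else "*"
        win = windows[key]
        win.append(ts)
        # Drop hits that fell out of the timeframe.
        while win and ts - win[0] >= rule["timeframe"]:
            win.popleft()
        if len(win) >= rule["frequency"]:
            fired.append((ts, src_ip))
            win.clear()            # simplification: restart the count
    return fired


def constructed_events():
    """Constructed traffic (not real logs): 10 requests/s from 10.0.0.5
    and 5 requests/s from 192.0.2.7 for one minute, all matched by
    31108, plus one line per host that fell through to the parent 31100."""
    events = []
    for second in range(60):
        events.extend((second, "10.0.0.5", 31108) for _ in range(10))
        events.extend((second, "192.0.2.7", 31108) for _ in range(5))
    events.append((30, "10.0.0.5", 31100))
    events.append((31, "192.0.2.7", 31100))
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    events = constructed_events()
    print("keyed on 31100:", evaluate(RULE_KEYED_ON_31100, events))
    print("keyed on 31108:", evaluate(RULE_KEYED_ON_31108, events))
```

Run stand-alone, the rule keyed on 31100 never fires, because only the two fall-through lines count toward it; the copy keyed on 31108 fires once for 10.0.0.5 at second 49, when its 500th qualifying hit lands, and never for 192.0.2.7, which stays at 300 hits in the window. Whatever the exact window semantics of the real engine, the first result is the one to take from the thread: the `if_matched_sid` must name the rule that actually fires for the traffic being counted.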
