Ahhh I think I see now :) But wouldn't he want a catch-all of *everything* that passes through. 31100 and 31108 seem to be 'watershed' where alerts will go either way but not both.
You can't do something like this either, can you? <if_matched_sid>31100, 31108</if_matched_sid> (I vaguely recall asking this and getting a response of "no")

On Fri, Jun 10, 2011 at 11:27 AM, dan (ddp) <[email protected]> wrote:
> Hi Jeremy,
>
> On Fri, Jun 10, 2011 at 2:19 PM, Jeremy Lee <[email protected]> wrote:
> > But rule 31100 is a silent dependency that 31108 depends on. I think his
> > rule is looking for any sort of repetition in the web logs with the same
> > source IP, regardless of the alert message, right?
> >
>
> If 31108 is triggered, 31100 is not.
>
> > On Fri, Jun 10, 2011 at 11:01 AM, dan (ddp) <[email protected]> wrote:
> >>
> >> 31100 probably won't be triggered often, 31108 seems much more likely.
> >>
> >> On Wed, Jun 8, 2011 at 2:38 PM, Jason 'XenoPhage' Frisvold
> >> <[email protected]> wrote:
> >> > Hi all,
> >> >
> >> > I'm trying to put together a rudimentary anti-DDoS rule in OSSEC and I
> >> > could use a hand .. Basically, I'm looking to block anyone who
> >> > excessively hits a web server. This is what I have thus far :
> >> >
> >> > <rule id="131105" level="10" frequency="500" timeframe="60">
> >> >   <if_matched_sid>31100</if_matched_sid>
> >> >   <same_source_ip />
> >> >   <description>Excessive access, Temporary block</description>
> >> > </rule>
> >> >
> >> > This seems to be correct, but I can't get it to trigger with
> >> > ossec-logtest .. Any tips?
> >> >
> >> > Thanks,
> >> >
> >> > --
> >> > ---------------------------
> >> > Jason 'XenoPhage' Frisvold
> >> > [email protected]
> >> > ---------------------------
> >> > "Any sufficiently advanced magic is indistinguishable from technology."
> >> > - Niven's Inverse of Clarke's Third Law
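Added example (not from the thread and not OSSEC's code): a small Python model of the counting rule 131105 does, run over constructed access-log traffic. It assumes, as the thread states, that a line which matches 31108 is not also counted as 31100, and it lets the watched rule ids be a set only to show what a catch-all would have to count; whether OSSEC's <if_matched_sid> accepts a list is the open question above.

```python
# Added model, not OSSEC's code. Assumed semantics: each access-log line ends
# up with one rule id (the most specific match, so a 31108 hit is not a 31100
# hit), and the composite rule counts only lines whose id is in its watched
# set, per source IP (same_source_ip), inside a sliding timeframe.
from collections import deque
from datetime import datetime, timedelta


def final_sid(request_path):
    """Constructed mapping: 31100 is the generic access-log rule, 31108 the
    'ignored URLs' child that wins for static assets."""
    if request_path.endswith((".png", ".css", ".js")):
        return 31108
    return 31100


class CompositeRule:
    def __init__(self, rule_id, watched_sids, frequency, timeframe):
        self.rule_id = rule_id
        self.watched = set(watched_sids)
        self.frequency = frequency
        self.window = timedelta(seconds=timeframe)
        self.hits = {}      # src_ip -> deque of timestamps (same_source_ip)
        self.alerts = []    # (timestamp, src_ip) for each firing

    def feed(self, ts, src_ip, sid):
        if sid not in self.watched:
            return False
        q = self.hits.setdefault(src_ip, deque())
        q.append(ts)
        while ts - q[0] > self.window:      # drop hits older than timeframe
            q.popleft()
        if len(q) >= self.frequency:
            self.alerts.append((ts, src_ip))
            q.clear()                       # fresh count after alerting
            return True
        return False


def replay(watched_sids, events, frequency=500, timeframe=60):
    """Run rule 131105's parameters over (ts, src_ip, path) events; returns alerts."""
    rule = CompositeRule(131105, watched_sids, frequency, timeframe)
    for ts, ip, path in events:
        rule.feed(ts, ip, final_sid(path))
    return len(rule.alerts)


# Constructed traffic: one client makes 600 requests in under 60 s, one page
# load (index + css + png + js) per 400 ms, so only a quarter of lines are 31100.
T0 = datetime(2011, 6, 8, 14, 38)
PATHS = ["/index.php", "/style.css", "/logo.png", "/app.js"]
SAMPLE = [(T0 + timedelta(milliseconds=100 * i), "192.0.2.10", PATHS[i % 4])
          for i in range(600)]
```

With 600 hits from one IP, replay({31100}, SAMPLE) and replay({31108}, SAMPLE) both return 0 (150 and 450 counted hits, neither reaching 500), while replay({31100, 31108}, SAMPLE) returns 1.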
