The following two rules worked for me here:

  <rule id="100451" level="1">
    <if_sid>31101, 31108, 31100</if_sid>
    <description>Group of all "normal" 200/300/400 error codes.</description>
  </rule>

  <rule id="100452" level="10" frequency="90" timeframe="20">
    <if_matched_sid>100451</if_matched_sid>
    <same_source_ip />
    <description>Excessive access, Temporary block</description>
  </rule>

The first one groups all normal 200, 300 and 400 responses that did not match anything else. Generally the normal traffic... If they reach 90 in 20 seconds, the second one fires as well. Note that I left the first one as level 1, otherwise it wouldn't be stored in memory for the composite rule.

Thanks,

On Tue, Jun 14, 2011 at 3:28 PM, jplee3 <[email protected]> wrote:
> Any luck on this, Jason?
>
> On Jun 10, 12:45 pm, Jeremy Lee <[email protected]> wrote:
>> Maybe you could try tweaking the web rules XML and create your own "base"
>> web access log "catch-all" rule and fire based off that.
>>
>> On Fri, Jun 10, 2011 at 12:15 PM, Jason 'XenoPhage' Frisvold <[email protected]> wrote:
>> > On Jun 10, 2011, at 2:49 PM, Jeremy Lee wrote:
>> > > Ahhh I think I see now :)
>> > >
>> > > But wouldn't he want a catch-all of *everything* that passes through.
>> >
>> > 31100 and 31108 seem to be 'watershed' where alerts will go either way but
>> > not both.
>> >
>> > Yeah, I'm interested in catching everything, so I was hoping 31100 would be
>> > the way to go ..
>> >
>> > > You can't do something like this either can you? <if_matched_sid>31100,
>> > > 31108</if_matched_sid> (I vaguely recall asking this and getting a response
>> > > of "no")
>> >
>> > Nope, tried that. ossec balks .. *sigh*
>> >
>> > ---------------------------
>> > Jason 'XenoPhage' Frisvold
>> > [email protected]
>> > ---------------------------
>> > "Any sufficiently advanced magic is indistinguishable from technology."
>> > - Niven's Inverse of Clarke's Third Law
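As an added illustration that is not part of the thread and not OSSEC's own code, the Python model below replays a constructed web-log event stream through the two rules posted above: a level-1 grouping rule that matches child sids 31100/31101/31108, and a composite rule that fires once 90 of those matches arrive from the same source IP inside 20 seconds. The sliding window, the reset of the count after the composite rule fires, the rule that level-0 matches are dropped from memory (the poster's caveat), and the sample event stream are all assumptions of this example, chosen so the two-rule interaction can be observed end to end.

```python
from collections import defaultdict, deque

# Constructed model of the two rules from the mail above. This is not OSSEC's
# implementation; it only approximates the frequency/timeframe/same_source_ip
# semantics so the interaction between the two rules can be seen end to end.
GROUP_RULE = {"id": 100451, "level": 1, "if_sid": {31100, 31101, 31108}}
COMPOSITE_RULE = {
    "id": 100452, "level": 10,
    "frequency": 90, "timeframe": 20,          # 90 child matches within 20 seconds
    "if_matched_sid": 100451, "same_source_ip": True,
}


class CompositeMatcher:
    """Feeds decoded web-log events through a grouping rule and a composite rule."""

    def __init__(self, group_rule, composite_rule):
        self.group = group_rule
        self.comp = composite_rule
        # per-key sliding window holding timestamps of retained child matches
        self.windows = defaultdict(deque)

    def feed(self, ts, sid, srcip):
        """Process one event; return the list of rule ids that fired for it."""
        fired = []
        if sid not in self.group["if_sid"]:
            return fired                      # some other web rule handled it
        fired.append(self.group["id"])
        # Assumption mirroring the poster's caveat: level-0 alerts are not kept
        # in memory, so they can never satisfy an <if_matched_sid> on them.
        if self.group["level"] < 1:
            return fired
        key = srcip if self.comp["same_source_ip"] else "*"
        window = self.windows[key]
        window.append(ts)
        while window and ts - window[0] > self.comp["timeframe"]:
            window.popleft()                  # expire matches older than the timeframe
        if len(window) >= self.comp["frequency"]:
            fired.append(self.comp["id"])
            window.clear()                    # assumption: start a fresh count after firing
        return fired


def build_events():
    """Constructed event stream: (timestamp, matched child sid, source ip)."""
    events = []
    # 95 normal responses from one client in about 14 s: should trip rule 100452 once
    events += [(100.0 + i * 0.15, 31108, "10.0.0.5") for i in range(95)]
    # 50 normal responses from another client spread over about 59 s: stays quiet
    events += [(100.0 + i * 1.2, 31100, "10.0.0.6") for i in range(50)]
    # a sid outside the grouping rule's list (assumed to belong to some other
    # web rule); rule 100451 ignores it
    events.append((101.0, 31104, "10.0.0.5"))
    return sorted(events)


def run_scenario(group_level=1):
    """Replay the constructed events; return {(srcip, rule_id): fire_count}."""
    group = dict(GROUP_RULE, level=group_level)
    matcher = CompositeMatcher(group, COMPOSITE_RULE)
    counts = defaultdict(int)
    for ts, sid, srcip in build_events():
        for rule_id in matcher.feed(ts, sid, srcip):
            counts[(srcip, rule_id)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (ip, rule_id), n in sorted(run_scenario().items()):
        print(f"{ip}: rule {rule_id} fired {n} time(s)")
```

Running it with the grouping rule at level 1 shows 100452 firing exactly once for 10.0.0.5 and never for 10.0.0.6; rerunning with `run_scenario(group_level=0)` shows why the poster kept the first rule at level 1, since the composite rule then never fires at all even though the child matches still occur.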
