On Jun 14, 2011, at 3:59 PM, Daniel Cid wrote:

> The following two rules worked for me here:
>
> <rule id="100451" level="1">
>   <if_sid>31101, 31108, 31100</if_sid>
>   <description>Group of all "normal" 200/300/400 error codes.</description>
> </rule>
>
> <rule id="100452" level="10" frequency="90" timeframe="20">
>   <if_matched_sid>100451</if_matched_sid>
>   <same_source_ip />
>   <description>Excessive access, Temporary block</description>
> </rule>
>
> First one groups all normal 200,300 and 400 responses that did not
> match anything else. Generally the normal traffic... If they
> reach 90 in 20 seconds, the second one fired as well.

Ah.. good approach, this should work. I'll give it a whirl. 2.6 is working well, btw.

> Note that I left the first one as level 1, otherwise it wouldn't be
> stored in memory for the composite rule.
>
> Thanks,

---------------------------
Jason 'XenoPhage' Frisvold
[email protected]
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law
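Added example, not part of the original thread and not OSSEC code: a small replay script for checking the 90-in-20-seconds threshold quoted above against an existing Apache access log before enabling the rule. It approximates the grouping rule by status code only (any 2xx/3xx/4xx response) and does not reproduce OSSEC's own rule matching; the names parse, replay and sample_log are hypothetical and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache access log prefix: client IP, [timestamp], "request", status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def parse(line):
    """Return (ip, timestamp, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts, int(m.group(3))

def replay(lines, frequency=90, timeframe=20):
    """Return [(ip, timestamp)] for each time one source IP reaches
    `frequency` 2xx/3xx/4xx responses within `timeframe` seconds."""
    window = timedelta(seconds=timeframe)
    recent = defaultdict(deque)       # ip -> timestamps still inside the window
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None or not 200 <= rec[2] < 500:
            continue                  # unparsable, or outside the grouped codes
        ip, ts, _ = rec
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:     # expire events older than the window
            q.popleft()
        if len(q) >= frequency:
            alerts.append((ip, ts))
            q.clear()                 # count afresh after an alert
    return alerts

def sample_log():
    """Constructed sample: a noisy client (100 hits in 10 s) and a quiet one."""
    fmt = '{} - - [14/Jun/2011:16:00:{:02d} +0000] "GET /p{} HTTP/1.1" {} 512'
    noisy = [fmt.format("192.0.2.10", i // 10, i, 200) for i in range(100)]
    quiet = [fmt.format("198.51.100.7", 2 * i, i, 404) for i in range(30)]
    return noisy + quiet              # each client's lines are in time order

if __name__ == "__main__":
    for ip, ts in replay(sample_log()):
        print(f"{ip} reached the threshold at {ts.isoformat()}")
```

Running it over a day of real traffic with different frequency and timeframe values shows which legitimate clients (crawlers, monitoring, busy proxies) would be caught before the rule is enabled.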
