Hi, I have 2 questions:
1) accumulator

Will the accumulator be in 2.8? JB Cheng likes it (cf. https://groups.google.com/forum/?fromgroups#!topic/ossec-dev/NfQaFREyCHI). I began to use it, and already found some cool usages :-).

2) same_url tag?

I want to implement a rule to stop some DoS attacks. If the guy comes from the same IP, it is quite easy. Something like (or directly via iptables, but in my specific configuration it is not possible):

  <rule id="100100" level="1">
    <if_sid>31108</if_sid>
    <description>A web page</description>
  </rule>

  <rule id="100101" level="7" timeframe="60" frequency="30">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip/>
    <description>Multiple access to the same URI from same ip</description>
    <group>attack,recon,</group>
  </rule>

But I have another type of "attack": a guy DoS on the same php URL but from different IPs. I wonder if it is possible to have something like "same_url" instead of "same_source_ip". Daniel "resolved" a similar request 1 year ago (https://bitbucket.org/dcid/ossec-hids/issue/34/new-rule-matched), but I guess the request has been dropped, right?

If I manage to get the URL, I can feed it to Apache with a file db and Apache rules similar to:

  <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteMap block dbm:/www/conf/my.block
    RewriteCond ${block:%{REQUEST_URI}|OK} !^OK$
    RewriteRule ^/.* http://%{REMOTE_ADDR}/ [L]
  </IfModule>

thanks!
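The "same_url" correlation the post asks for, emulated outside OSSEC as an added example (not code from the post or from the OSSEC project): it slides the rule's frequency/timeframe window (30 hits in 60 s) over Apache access-log lines keyed on request path instead of source IP. The combined-log regex, the sample lines and the thresholds are constructed here; real logs may use a different LogFormat.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed regex for Apache combined log format; only the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (epoch_seconds, source_ip, request_path) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT).timestamp()
    path = m.group("url").split("?", 1)[0]   # drop the query string
    return ts, m.group("ip"), path

def urls_over_threshold(lines, frequency=30, timeframe=60):
    """Emulate a <same_url/> rule: fire once per path when `frequency` hits
    fall inside `timeframe` seconds, whatever the source IP.
    Returns {path: (epoch_of_alert, number_of_distinct_ips_in_window)}."""
    window = defaultdict(deque)   # path -> deque of (ts, ip) still in the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, url = parsed
        q = window[url]
        q.append((ts, ip))
        while q and ts - q[0][0] > timeframe:   # expire old hits
            q.popleft()
        if len(q) >= frequency and url not in alerts:
            alerts[url] = (ts, len({i for _, i in q}))
    return alerts

# Constructed sample: 31 hits on /login.php from 7 rotating IPs in ~30 s, plus noise.
SAMPLE = [
    f'10.0.0.{i % 7 + 1} - - [10/Oct/2013:13:55:{i + 10:02d} +0000] '
    f'"GET /login.php?u={i} HTTP/1.1" 200 512'
    for i in range(31)
] + ['10.0.0.9 - - [10/Oct/2013:13:55:20 +0000] "GET /index.html HTTP/1.1" 200 1024']

if __name__ == "__main__":
    for url, (ts, n_ips) in urls_over_threshold(SAMPLE).items():
        print(f"{url}: threshold hit from {n_ips} distinct IPs")
```

The returned paths are the keys one would write (as `path BLOCK` entries) into the dbm file the post's RewriteMap consults.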
