Hi .*, I am also interested in the same_url feature.... any news?
2013/06/19 10:44:43 ossec-analysisd: Invalid option 'same_url' for rule '100005'.
2013/06/19 10:44:43 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.

On Friday, 3 May 2013 19:02:23 UTC+2, nicolaszin wrote:
>
> Hi,
>
> I have 2 questions:
>
> accumulator
>
> Will the accumulator be in 2.8? JB Cheng likes it (cf.
> https://groups.google.com/forum/?fromgroups#!topic/ossec-dev/NfQaFREyCHI). I
> began to use it, and already found some cool usages :-).
>
> same_url tag?
>
> I want to implement a rule to stop some DoS attacks.
> If the guy comes from the same IP, it is quite easy. Something like (or
> directly via iptables, but in my specific configuration it is not possible):
>
> <rule id="100100" level="1">
>   <if_sid>31108</if_sid>
>   <description>A web page</description>
> </rule>
>
> <rule id="100101" level="7" timeframe="60" frequency="30">
>   <if_matched_sid>100100</if_matched_sid>
>   <same_source_ip/>
>   <description>Multiple access to the same URI from same ip</description>
>   <group>attack,recon,</group>
> </rule>
>
> But I have another type of "attack": a guy doing a DoS on the same PHP URL
> but from different IPs.
> I was wondering if it is possible to have something like "same_url" instead
> of "same_source_ip". Daniel "resolved" a similar request 1 year ago (
> https://bitbucket.org/dcid/ossec-hids/issue/34/new-rule-matched), but I
> guess the request has been dropped, right?
>
> If I manage to get the URL, I can feed it to Apache with a file db and an
> Apache rule similar to:
>
> <IfModule mod_rewrite.c>
>   RewriteEngine on
>   RewriteMap block dbm:/www/conf/my.block
>   RewriteCond ${block:%{REQUEST_URI}|OK} !^OK$
>   RewriteRule ^/.* http://%{REMOTE_ADDR}/ [L]
> </IfModule>
>
> thanks!
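The per-URL counting asked for above, as an added example that is not part of the original thread or of OSSEC's code: it scans Apache access-log lines and reports paths requested at least `frequency` times within `timeframe` seconds from several source addresses, reusing the 60/30 values of the quoted rule. The function name, the `min_ips` parameter and the sample log lines are constructed for illustration, and lines are assumed to arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache common/combined log format: ip ident user [time] "METHOD uri PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3}')


def find_hot_urls(lines, timeframe=60, frequency=30, min_ips=2):
    """Return {path: peak number of distinct source IPs} for every path that was
    requested at least `frequency` times inside a sliding `timeframe`-second
    window by at least `min_ips` different addresses."""
    windows = defaultdict(deque)  # path -> deque of (epoch_seconds, ip)
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not access-log entries
        ip, stamp, uri = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        path = uri.split("?", 1)[0]  # group by path, ignoring the query string
        win = windows[path]
        win.append((when, ip))
        # Drop hits that have fallen out of the sliding window.
        while when - win[0][0] > timeframe:
            win.popleft()
        ips = {addr for _, addr in win}
        if len(win) >= frequency and len(ips) >= min_ips:
            flagged[path] = max(flagged.get(path, 0), len(ips))
    return flagged


# Constructed sample input: 40 hits on one PHP page from 40 different addresses
# within 40 seconds, followed by ordinary traffic from a single client.
SAMPLE = [
    f'192.0.2.{n + 1} - - [03/May/2013:19:00:{n:02d} +0200] '
    f'"GET /search.php?q={n} HTTP/1.1" 200 512'
    for n in range(40)
] + [
    f'198.51.100.7 - - [03/May/2013:19:01:{n:02d} +0200] '
    f'"GET /index.html HTTP/1.1" 200 1024'
    for n in range(10)
]

if __name__ == "__main__":
    for path, ip_count in find_hot_urls(SAMPLE).items():
        print(f"{path}: threshold reached, {ip_count} distinct source IPs")
```

The returned paths have the query string removed, which is the form the quoted `RewriteCond` lookup on `%{REQUEST_URI}` compares against.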
