On Wed, Jun 19, 2013 at 4:46 AM, ZaNN <[email protected]> wrote:
> Hi .*,
>
> I am also interested in the same_url feature.... any news?
>

Nope.

> 2013/06/19 10:44:43 ossec-analysisd: Invalid option 'same_url' for rule '100005'.
> 2013/06/19 10:44:43 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.
>
>
> On Friday, May 3, 2013 19:02:23 UTC+2, nicolaszin wrote:
>>
>> Hi,
>>
>> I have 2 questions:
>>
>> accumulator
>>
>> Will the accumulator be in 2.8? JB Cheng likes it (cf.
>> https://groups.google.com/forum/?fromgroups#!topic/ossec-dev/NfQaFREyCHI). I
>> began to use it, and already found some cool usages :-).
>>
>>
>>
>> same_url tag?
>>
>> I want to implement a rule to stop some DoS attacks.
>> If the guy comes from the same IP, it is quite easy. Something like (or
>> directly via iptables, but in my specific configuration it is not possible):
>>
>> <rule id="100100" level="1">
>>   <if_sid>31108</if_sid>
>>   <description>A web page</description>
>> </rule>
>>
>> <rule id="100101" level="7" timeframe="60" frequency="30">
>>   <if_matched_sid>100100</if_matched_sid>
>>   <same_source_ip/>
>>   <description>Multiple access to the same URI from same ip</description>
>>   <group>attack,recon,</group>
>> </rule>
>>
>>
>> But I have another type of "attack": a guy DoSes the same PHP URL but
>> from different IPs.
>> I was wondering if it is possible to have something like "same_url" instead
>> of "same_source_ip". Daniel "resolved" a similar request 1 year ago
>> (https://bitbucket.org/dcid/ossec-hids/issue/34/new-rule-matched), but I
>> guess the request has been dropped, right?
>>
>>
>> If I manage to get the URL, I can feed it to Apache with a file db and an
>> Apache rule similar to:
>> <IfModule mod_rewrite.c>
>>   RewriteEngine on
>>   RewriteMap block dbm:/www/conf/my.block
>>   RewriteCond ${block:%{REQUEST_URI}|OK} !^OK$
>>   RewriteRule ^/.* http://%{REMOTE_ADDR}/ [L]
>> </IfModule>
>>
>>
>>
>> thanks!
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
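
The per-URL correlation that a `same_url` option would give, done outside OSSEC over the Apache access log, as an added example (not part of the original thread and not OSSEC code). It reuses the thread's `frequency="30"` / `timeframe="60"` values; the function names, the `BLOCK` map value, the common log format and the sample log lines are assumptions made for this sketch.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Leading fields of an Apache common/combined access-log line (assumed format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<uri>\S+)[^"]*" \d{3}')

def parse_line(line):
    """Return (timestamp, source_ip, uri_without_query) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts, m.group("ip"), m.group("uri").split("?", 1)[0]

def flooded_urls(lines, frequency=30, timeframe=60, min_ips=2):
    """Map each URI hit >= frequency times within timeframe seconds by at
    least min_ips distinct sources to the peak distinct-source count seen."""
    windows = defaultdict(deque)          # uri -> recent (timestamp, ip) pairs
    flagged = {}
    for rec in filter(None, map(parse_line, lines)):
        ts, ip, uri = rec
        win = windows[uri]
        win.append((ts, ip))
        while (ts - win[0][0]).total_seconds() > timeframe:
            win.popleft()                 # drop hits older than the window
        ips = {src for _, src in win}
        if len(win) >= frequency and len(ips) >= min_ips:
            flagged[uri] = max(flagged.get(uri, 0), len(ips))
    return flagged

def rewrite_map_lines(flagged):
    """RewriteMap text-format lines; any value other than OK trips the RewriteCond."""
    return [f"{uri} BLOCK" for uri in sorted(flagged)]

def sample_log():
    """Constructed sample: /login.php hit from 40 addresses, /index.php from one."""
    lines = []
    for i in range(40):
        stamp = f"19/Jun/2013:10:44:{i:02d} +0200"
        lines.append(f'192.0.2.{i + 1} - - [{stamp}] "GET /login.php?u={i} HTTP/1.1" 200 512')
        lines.append(f'198.51.100.7 - - [{stamp}] "GET /index.php HTTP/1.1" 200 512')
        if i % 10 == 0:
            lines.append(f'203.0.113.{i + 1} - - [{stamp}] "GET /about.php HTTP/1.1" 200 512')
    return lines

if __name__ == "__main__":
    print("\n".join(rewrite_map_lines(flooded_urls(sample_log()))))
```

The output is in RewriteMap text format; the `dbm:` map used in the thread needs it converted first, for example with Apache's `httxt2dbm`. The single-source flood on `/index.php` is left to the `same_source_ip` rule and is only reported here when `min_ips=1`.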
