Hello,

A customer wishes me to write an OSSEC rule that checks if a srcip has performed 10 or more GET requests for a specific file in Apache/Nginx access logs over the course of the last 24 hours. If they have, block the user's IP for 24 hours.

I understand this to be pretty straightforward logically, using a combination of 'frequency' and 'timeframe' in the rule definition. The rest is just matching the pattern of the request itself, as well as an active-response command that blocks for that amount of time.

What I am having trouble with is that the 'timeframe' attribute of a rule seems to (according to the documentation) only allow values of up to 9999 (seconds), which is basically up to the last 2.7 hours. 24 hours is 86400 seconds.

Has anyone tried to solve a similar problem, matching by the last 24 hours? Is it for some reason not recommended to match across such a long period?

Thanks.

Mig
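The rule pair and the active-response block the post describes, written out in OSSEC syntax as an added illustration (this is not from the original post or from the OSSEC project). The rule IDs 100100/100101 in the local range, the watched path /download/report.pdf, and the use of the stock firewall-drop command are assumptions; the parent rule 31100 is the "access log messages grouped" rule shipped in OSSEC's web_rules.xml. The timeframe is left at the 9999-second ceiling the post cites, so the counting window is about 2.7 hours, while the active-response timeout is a separate setting given in seconds and is set here to the 24 hours the customer asked for.

```xml
<!-- local_rules.xml: added example, not the poster's or the OSSEC project's own.
     Assumptions: rule IDs 100100/100101, watched file /download/report.pdf. -->
<group name="local,web,">

  <!-- Child of the stock web access-log group rule (31100): tag every GET for
       the specific file. The web decoder extracts srcip and url but not the
       method, so the method is checked as a literal substring of the raw line.
       Level 3 (not 0) so the event is alerted on and can be counted below. -->
  <rule id="100100" level="3">
    <if_sid>31100</if_sid>
    <match>"GET /download/report.pdf HTTP/</match>
    <description>GET request for the watched file.</description>
  </rule>

  <!-- Fire once the same source IP has generated 10 of the events above
       inside the timeframe. 9999 seconds is the documented ceiling mentioned
       in the post, i.e. roughly 2.7 hours rather than the 24 hours wanted. -->
  <rule id="100101" level="10" frequency="10" timeframe="9999">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>10 or more GET requests for the watched file from the same source IP.</description>
  </rule>

</group>

<!-- ossec.conf fragment: block the offending srcip. The firewall-drop command
     is defined in the default ossec.conf with <expect>srcip</expect>.
     <timeout> is in seconds and is independent of the rule's timeframe,
     so 86400 gives the 24-hour block the customer asked for. -->
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100101</rules_id>
    <timeout>86400</timeout>
  </active-response>
</ossec_config>
```

Restart ossec-analysisd after editing local_rules.xml and test with `ossec-logtest` by pasting ten access-log lines for the watched file from one IP; the tenth line should show rule 100101 firing. The 24-hour counting window itself is the open question of the post and is not addressed by this fragment.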
