Inline - 

> On Apr 22, 2014, at 9:39 PM, "[email protected]" <[email protected]> 
> wrote:
> 
> Hello,
> 
> A customer wishes me to write an OSSEC rule that checks if a srcip has 
> performed 10 or more GET requests for a specific file in Apache/Nginx 
> access logs over the course of the last 24 hours. If they have, block the 
> user's IP for 24 hours.
> 
> I understand this to be pretty straightforward logically, using a combination 
> of 'frequency' and 'timeframe' in the rule definition. The rest is just 
> matching the pattern of the request itself, as well as an active-response 
> command that blocks for that amount of time.
> 
> What I am having trouble with is that the 'timeframe' attribute of a rule 
> seems to (according to the documentation) only allow values of up to 9999 
> (seconds), which is basically up to the last 2.7 hours. 24 hours is 86400 
> seconds.
> 
> Has anyone tried to solve a similar problem, matching by the last 24 hours? 
> Is it for some reason not recommended to match across such a long period?

It comes down to memory and how ossec records the history of rules and matches. 
It's something we would like to better address but have not.

If you are willing to hack the code, the 9999-second limit is very easy to 
change and try out, but you will have to watch and monitor ossec :)

See https://github.com/ossec/ossec-hids/blob/master/src/shared/rules_op.c#L1265 
and change the 5 to 6 and see how it goes. This will and could cause any 
number of issues, but might also be what you are looking for. If it does work, 
could you please come back and share so that we can adjust this if need be? 
Thank you, and sorry for the formatting and for not really looking into this 
much, but I'm on mobile heading home for the night.

> 
> Thanks.
> 
> Mig
> -- 
> 
> --- 
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

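The two-stage rule and the active-response block the original poster describes, written out as an added example (this is not code from the thread or from the OSSEC project). It assumes a watched file at /downloads/report.pdf, that local rule IDs 100100 and 100101 are free, and that the stock web-accesslog decoder and its parent rule 31100 are in use; file names, paths and IDs are illustrative. timeframe stays at the 9999 seconds the documentation allows; putting 86400 there would need the rules_op.c change mentioned above.

```xml
<!-- local_rules.xml (added example; assumed path and rule IDs) -->
<group name="local,web,accesslog,">

  <!-- Stage 1: one GET for the watched file. level 0 = counted, not alerted.
       The stock web-accesslog decoder extracts srcip and url but not the
       HTTP method, so <url> checks the path and <match> checks the method. -->
  <rule id="100100" level="0">
    <if_sid>31100</if_sid>
    <url>^/downloads/report.pdf$</url>
    <match>"GET </match>
    <description>GET request for watched file (counted only)</description>
  </rule>

  <!-- Stage 2: 10 stage-1 hits from the same srcip inside the timeframe.
       timeframe is limited to four digits (max 9999 s, about 2.7 h), so a
       true 24 h window is not expressible without patching rules_op.c. -->
  <rule id="100101" level="10" frequency="10" timeframe="9999">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>10+ GET requests for watched file from one srcip</description>
  </rule>

</group>

<!-- ossec.conf (added example): drop the offending srcip for 24 h (86400 s)
     whenever rule 100101 fires. <expect>srcip</expect> requires that the
     decoder filled in srcip, which the web-accesslog decoder does. -->
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
  </command>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100101</rules_id>
    <timeout>86400</timeout>
  </active-response>
</ossec_config>
```

Two things to check before relying on this: confirm that your access-log format is actually decoded as web-accesslog (ossec-logtest on a sample line should show srcip and url), since <same_source_ip /> and the firewall-drop response both depend on srcip being decoded; and note that the block duration (timeout) is independent of the detection window (timeframe), so the 24-hour block works as intended even though the counting window is capped at 9999 seconds.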