I'm having a problem with xmlrpc.php attacks.
I added this rule to the top of local_rules.xml and restarted OSSEC, but
I'm seeing no active responses despite more than 200 hits on the file
from the same IP in the last 90 seconds:
<group name="web,accesslog,">
  <!-- rate limit xmlrpc -->
  <rule id="100167" level="1">
    <if_sid>31108</if_sid>
    <url>xmlrpc.php</url>
    <match>POST</match>
    <description>WordPress xmlrpc attempt.</description>
  </rule>
  <rule id="100168" level="10" frequency="20" timeframe="600">
    <if_matched_sid>100167</if_matched_sid>
    <same_source_ip />
    <description>WordPress xmlrpc attack.</description>
    <group>attack,</group>
  </rule>
  <!-- end xmlrpc -->
</group>
I followed this guide and OSSEC is watching all http log files.
--
-- Steve
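To check what the two rules above are meant to do, here is an added Python simulation (not OSSEC code and not from Steve's post) of the 100167/100168 logic: a per-source-IP sliding window that raises an alert once FREQUENCY POSTs to xmlrpc.php arrive within TIMEFRAME seconds, run over constructed Apache combined-format lines. The rule IDs and thresholds are taken from the post; the parser, the Correlator class and the sample IP 198.51.100.7 are assumptions, and the counter approximates rather than reproduces OSSEC's internal frequency handling.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

FREQUENCY, TIMEFRAME = 20, 600  # thresholds from rule 100168 above (timeframe in seconds)
LOG_RE = re.compile(  # Apache combined format; only the fields the two rules look at are captured
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def parse(line):
    """Return the fields OSSEC's web-accesslog decoder would expose, or None if unparsable."""
    if not (m := LOG_RE.match(line)):
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def matches_100167(rec):
    """Rule 100167: a POST whose URL contains xmlrpc.php."""
    return rec["method"] == "POST" and "xmlrpc.php" in rec["url"]

class Correlator:
    """Rule 100168: FREQUENCY matches of 100167 from one source IP inside TIMEFRAME."""
    def __init__(self, frequency=FREQUENCY, timeframe=TIMEFRAME):
        self.frequency, self.window = frequency, timedelta(seconds=timeframe)
        self.hits = defaultdict(deque)  # srcip -> timestamps of recent 100167 matches

    def feed(self, line):
        rec = parse(line)
        if rec is None or not matches_100167(rec):
            return None
        q = self.hits[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > self.window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) < self.frequency:
            return None
        q.clear()  # reset so the next alert needs a fresh burst
        return {"rule": 100168, "level": 10, "srcip": rec["ip"], "count": self.frequency}

def constructed_line(ip, when, method="POST", url="/xmlrpc.php"):
    # Constructed sample line in Apache combined format (not taken from a real server).
    ts = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "{method} {url} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

def run_demo():
    """Replay 25 POSTs from one IP 3 s apart; returns (hit number, alert) for each alert raised."""
    start = datetime(2015, 3, 1, 12, 0, tzinfo=timezone.utc)
    lines = (constructed_line("198.51.100.7", start + timedelta(seconds=3 * i)) for i in range(25))
    return [(n, a) for n, a in enumerate(map(Correlator().feed, lines), 1) if a]
```

With the thresholds from the post, run_demo() raises exactly one alert, on the 20th POST; a GET to the same URL or a POST from a different source IP does not count toward it.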