On Sat, Jun 24, 2017 at 2:08 PM, Fredrik Hilmersson
<[email protected]> wrote:
> Hello,
>
> so recently I got spammed by this vulnerability scanner.
> The HEAD is always the same, in regards to the $user_agent, Jorgee
>
> ** Alert 1498324205.1278330: - web,accesslog,
> 2017 Jun 24 17:10:05 (OSSEC AGENT) SRCIP->/var/log/nginx/access.log
> Rule: 31101 (level 5) -> 'Web server 400 error code.'
> 213.119.18.4 - - [24/Jun/2017:19:10:05 +0200] HEAD
> http://SRCIP:80/sql/phpmyadmin2/ HTTP/1.1 404 0 - Mozilla/5.0 Jorgee
>
> So i'm wondering if anyone has a good idea or rule how to block/ban these
> attempts?
>
> Kind regards,
> Fredrik
>

Possibly something like:
<rule id="999999" level="0">
  <!-- The posted event is an nginx access-log line (it fired rule 31101,
       "Web server 400 error code."), so it is decoded by web-accesslog,
       not nginx-errorlog; a decoded_as on the error-log decoder would never
       see the line. -->
  <decoded_as>web-accesslog</decoded_as>
  <!-- OSSEC <match> is a literal substring test; the trailing $ anchors
       " Jorgee" to the end of the line, which is where the user agent sits. -->
  <match> Jorgee$</match>
  <!-- level 0 silences the alert; it does not ban the source on its own. -->
  <description>Jorgee is loud</description>
</rule>


> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

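An added example, not from this thread: the same detection the rule above performs, written as a small log scanner so you can check the match logic against nginx access-log lines before touching OSSEC. It parses both the unquoted line Fredrik posted and the standard quoted combined format, flags hits whose user agent ends in " Jorgee" (the same test as `<match> Jorgee$</match>`), and counts them per source IP the way an OSSEC frequency rule would before an active response fires. The sample log and the 198.51.100.7 entry are constructed.

```python
import re
from collections import defaultdict

# nginx combined format; the quotes are optional so that both the bare line from
# the OSSEC alert and a normal quoted access-log line parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"?(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"? '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"?(?P<referer>[^" ]*)"? "?(?P<ua>.*?)"?$'
)

# Constructed sample: the line from the thread, a second Jorgee probe from the
# same source in quoted format, and one ordinary browser request.
SAMPLE_LOG = """\
213.119.18.4 - - [24/Jun/2017:19:10:05 +0200] HEAD http://SRCIP:80/sql/phpmyadmin2/ HTTP/1.1 404 0 - Mozilla/5.0 Jorgee
213.119.18.4 - - [24/Jun/2017:19:10:06 +0200] "HEAD /pma/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"
198.51.100.7 - - [24/Jun/2017:19:11:00 +0200] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux) Firefox/54.0"
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_jorgee(entry):
    """Same test as the OSSEC rule: the user agent ends with ' Jorgee'."""
    return entry["ua"].endswith(" Jorgee")


def jorgee_hits_by_ip(log_text):
    """Count Jorgee probes per source IP; unparseable lines are skipped."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_jorgee(entry):
            counts[entry["ip"]] += 1
    return dict(counts)


def candidates_to_block(log_text, threshold=2):
    """Sources that crossed the threshold, as a frequency rule would decide."""
    return sorted(ip for ip, n in jorgee_hits_by_ip(log_text).items() if n >= threshold)


if __name__ == "__main__":
    print(jorgee_hits_by_ip(SAMPLE_LOG))   # {'213.119.18.4': 2}
    print(candidates_to_block(SAMPLE_LOG)) # ['213.119.18.4']
```

Run it against a slice of your own access.log to see how many distinct sources the scanner uses before deciding on a ban threshold.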