Thank you! Den lördag 24 juni 2017 kl. 21:21:48 UTC+2 skrev dan (ddpbsd): > > On Sat, Jun 24, 2017 at 2:08 PM, Fredrik Hilmersson > <f.hilm...@worldclearing.org <javascript:>> wrote: > > Hello, > > > > so recently I got spammed by this vulnerability scanner. > > The HEAD is always the same, in regards to the $user_agent, Jorgee > > > > ** Alert 1498324205.1278330: - web,accesslog, > > 2017 Jun 24 17:10:05 (OSSEC AGENT) SRCIP->/var/log/nginx/access.log > > Rule: 31101 (level 5) -> 'Web server 400 error code.' > > 213.119.18.4 - - [24/Jun/2017:19:10:05 +0200] HEAD > > http://SRCIP:80/sql/phpmyadmin2/ HTTP/1.1 404 0 - Mozilla/5.0 Jorgee > > > > So i'm wondering if anyone has a good idea or rule how to block/ban > these > > attempts? > > > > Kind regards, > > Fredrik > > > > Possibly something like: > <rule id="999999" level="0"> > <decoded_as>nginx-errorlog</decoded_as> > <match> Jorgee$</match> > <description>Jorgee is loud</description> > </rule> > > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an > > email to ossec-list+...@googlegroups.com <javascript:>. > > For more options, visit https://groups.google.com/d/optout. >
-- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.